Microsoft Backs Down over Office 2003 SP3 File Blocking
The software maker also confirmed to eWEEK Jan. 4 that all the same files are blocked by Office 2007, which was released a year ago, and that the company had erred when it stated that the file formats themselves were less secure, which is not the case.
Rather, it is the parsing code that Office 2003 uses to open and save the file types which is less secure, Reed Shaffner, a product manager for Microsoft Office, told eWEEK on Jan. 4.
Microsoft released SP3 in September 2007, along with a white paper listing the files that it blocked for being "less secure," which included many of its own legacy files for Word, Excel and PowerPoint, as well as CorelDraw's .cdr files.
Microsoft also released a Knowledge Base article that detailed how customers could unblock these files by changing the registry, a complex and time-consuming process.
But Microsoft is now giving customers an easier way to unblock and reblock these files.
"The way this will work is that there will be a separate unblocker for each application, so there will be one for Word, another for Excel and one for PowerPoint. It's also an all-or-nothing scenario, so if you use the one for Word it will unblock every file type that was blocked before," Shaffner said.
As Microsoft had mistakenly said it was the file formats themselves that were less secure, rather than the parsing code, the company has updated the Knowledge Base article with more accurate information that corrected the error, he said.
The new article also includes links to code customers can download to easily unblock and reblock these files. But Microsoft is warning customers that doing so may increase their security risk and make their computers or networks more vulnerable to attack by malicious users or software such as viruses.
"We made a mistake, as it is the parsing code and not Corel's file format that is less secure, and we are doing everything we can to let people know that and to give them easy access to those files if they want or need it," Shaffner said.
"When you look at the code that was written to parse these files some 20 years ago, the types of exploits and attacks that we see today did not exist. So the code that does the parsing is susceptible to attack and is the part that is actually vulnerable," he said.
But Microsoft stands by its earlier guidance to customers that Office 2003 SP3 offers a lot of security enhancements and includes a lot of the benefits of Office 2007 for customers, Shaffner said.
Rob Helm, an analyst with Directions on Microsoft, agreed, saying the blocking move shows more fear than malice on Microsoft's part, especially given that it has been "getting hammered by attacks on Office. Shutting down import/export filters by default is a cheap way to close off further potential avenues of attack," Helm told eWEEK.
Corel, whose .cdr files were the only non-Microsoft file format blocked by SP3, was forced to issue a statement saying that customers could still use the CorelDraw Graphics Suite normally on systems on which Microsoft Office 2003 SP3 had been installed, and that .CDR files could still be opened from within CorelDraw or from Windows Explorer.
Gerard Metrailler, Corel's director of graphics product management, said in a blog post Jan. 3 that the blocking only seemed to appear with embedded CorelDraw documents inside a Microsoft Office 2003 document through OLE (Object Linking and Embedding, a technology developed by Microsoft that allows embedding and linking to documents and other objects).
While Shaffner said he did not know if Microsoft had specifically contacted Corel about the blocking move, he admitted the company did not handle the matter well. "To be perfectly candid, we could have done a better job giving Corel a heads-up, and we talked to its head of product management today," Shaffner said.