    What Are Microsoft’s Intentions Vis-a-Vis the Old Office File Formats?

    By Larry Seltzer - April 14, 2009

      When Microsoft moved to new file formats for Office documents in Office 2007 it was, for the most part, an admission of the failure of the old formats. If you remember a couple years ago, there was a seemingly endless stream of zero-day attacks on Office apps based on vulnerabilities in the old file formats. Is Microsoft trying to kill off these formats quicker than it lets on?

      The old formats, based on OLE2 structured storage, have a FAT-like structure for storage allocation, and records in the file can become fragmented. This sort of complexity just begs for errors that lead to vulnerabilities. Creating a whole new file format was a major undertaking, but as a security matter it was much easier to do than to “fix” the old formats. Indeed, a fix may have been impossible.
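The FAT-like allocation described above is where a parser has to be careful, so here is an added example (not from the article or from Microsoft) of following one stream's sector chain defensively in an OLE2 compound file. The helper names are hypothetical, the sample file is constructed, and only the 109 FAT pointers stored in the header are read.

```python
import struct

MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound file signature
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF

def load_fat(data):
    """Return (sector_size, fat) using the 109 FAT pointers in the header."""
    if len(data) < 512 or data[:8] != MAGIC:
        raise ValueError("not an OLE2 compound file")
    shift, = struct.unpack_from("<H", data, 30)
    if shift not in (9, 12):
        raise ValueError("implausible sector shift")
    size = 1 << shift
    fat = []
    for sect in struct.unpack_from("<109I", data, 76):
        if sect == FREESECT:
            continue
        off = (sect + 1) * size          # sector 0 starts after the header
        if off + size > len(data):
            raise ValueError("FAT sector %d lies outside the file" % sect)
        fat.extend(struct.unpack_from("<%dI" % (size // 4), data, off))
    return size, fat

def walk_chain(fat, start):
    """Follow one stream's chain; reject loops and out-of-range links."""
    chain, seen, sect = [], set(), start
    while sect != ENDOFCHAIN:
        if sect >= len(fat):
            raise ValueError("link to sector %d is out of range" % sect)
        if sect in seen:
            raise ValueError("chain loops back to sector %d" % sect)
        seen.add(sect)
        chain.append(sect)
        sect = fat[sect]
    return chain

def is_fragmented(chain):
    return any(b != a + 1 for a, b in zip(chain, chain[1:]))

def build_sample(links):
    """Constructed test file: header, one FAT sector (sector 0), padding."""
    header = bytearray(MAGIC + bytes(504))
    struct.pack_into("<H", header, 30, 9)              # 512-byte sectors
    struct.pack_into("<109I", header, 76, 0, *[FREESECT] * 108)
    fat = [FREESECT] * 128
    fat[0] = 0xFFFFFFFD                  # FATSECT: sector 0 holds the FAT
    for a, b in links.items():
        fat[a] = b
    return bytes(header) + struct.pack("<128I", *fat) + bytes(512 * 8)
```

A chain such as 1 → 2 → 5 is valid but fragmented; a chain that links back on itself or points past the FAT is rejected instead of being followed.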

      The vulnerability reports and zero-day attacks have slowed down, but they still happen. In February, we had a zero-day attack on Excel based on an XLS vulnerability, and just last week a similar vulnerability in the old PowerPoint PPT files, exploited in “limited and targeted attacks” in the wild, showed up.

      Few, if any, of the reported vulnerabilities in Office 2007 had to do with support for the new file formats, and almost uniformly you can mitigate the effects of these vulnerabilities by using MOICE (Microsoft Office Isolated Conversion Environment), which translates the files into the new Office Open

      Several sources, including the ESET Threat Blog and The Register, noted that the Excel vulnerability was unpatched, although Microsoft did patch it Tuesday as part of a large Patch Tuesday set of updates. But notice that no non-security updates were released in that set (other than the usual Junk Mail Filter and Malicious Software Removal Tool), and that’s the sort of update that ends as Office 2003 and Windows XP enter Extended Support.

      Obviously, Microsoft would like to have us all move to the new formats, mostly by virtue of moving to Office 2007, but that’s not happening soon and Microsoft’s not making us do it. In fact, Office 2003 will be getting security updates for five more years, through April 8, 2014, the same date security fixes for Windows XP end. See my last column for more on Microsoft’s long, perhaps too long, support life cycles.

      Five more years of security updates add up to an absurdly long period of time. That’s why the theory about the Office formats doesn’t wash. It’s not the way Microsoft does things, although perhaps it and the rest of us would be better off if Microsoft did.

      But the ESET blog is right that the damage from targeted attacks can be immense, and many users may be exposed. If Microsoft is going to claim to support the old formats for five more years, it needs to make security updates for them a high priority for five more years.

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

      For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s blog Cheap Hack.

      Larry Seltzer
      Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983. He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years. For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication. In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998. Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
