[ISN] Microsoft admits Office 2003 'mistake'

From: InfoSec News (alerts@private)
Date: Tue Jan 08 2008 - 00:04:40 PST


http://www.news.com/Microsoft-admits-Office-2003-mistake/2100-1012_3-6224917.html

By Richard Thurston
Special to CNET News.com
January 7, 2008

Microsoft has acknowledged it made a mistake over a security advisory it 
released concerning Office 2003.

The advisory, posted in December, told users that dozens of file formats 
had been blocked in the latest service pack for Office 2003--Service 
Pack 3 (SP3)--because they were insecure.

It provided a workaround for users who wanted to unblock the formats, 
but made the process complicated, requiring changes to the registry 
which could have made users' PCs inoperable if they were applied 
incorrectly.

On Friday, Microsoft admitted that the information it had provided was 
wrong, and that it had underestimated how many users had been affected. 
It now says that, instead of the file formats themselves being insecure, 
it is the parsing code that Office 2003 uses to open and save the file 
types that is less secure.

Speaking to ZDNet.co.uk on Friday, Reed Shaffner, worldwide product 
manager for Microsoft Office, confirmed that the advisory provided by 
Microsoft was incorrect, and that manual registry fix which Microsoft 
had provided had been difficult to implement by end users.

Asked why Microsoft had not made the fix easier to implement, Shaffner 
said: "We thought it would not impact many users. And the messages we 
have been receiving are that it hasn't affected many users. But it was a 
mistake on our part."

Microsoft updated the advisory on Friday evening and included links to 
four downloadable updates that would unblock the file formats. One 
update was provided for each of Word, Excel, PowerPoint, and CorelDraw 
file types.

The downloadable updates should prove to be much easier to implement 
than a manual registry fix, details of which were retained in the 
updated advisory.

The software giant also provided four downloadable updates to reblock 
the file formats.

Shaffner said: "For IT administrators, we recommend that they use the 
(registry) fix that was there before. For end users, if they frequently 
use the older formats, this (the downloadable update) is the way." He 
suggested that if users did not frequently use the older formats, they 
should apply the update.

David LeBlanc, a senior software development engineer in the Microsoft 
Office group, added further details to Microsoft's change of direction.

He wrote on Friday in his blog: "We noticed that attackers seemed to be 
preferentially hitting the parsers for the older formats, and if the 
great majority of you don't need the older format, it's risk without 
reward. This was the thinking behind disabling the older formats by 
default in Office 2007 and eventually Office 2003 SP3. We'll try harder 
to make enabling older formats much more user-friendly in the future."

Richard Thurston of ZDNet UK reported from London.

Copyright 1995-2008 CNET Networks, Inc. All rights reserved.


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/



This archive was generated by hypermail 2.1.3 : Tue Jan 08 2008 - 00:17:11 PST