office 2003 soon to lose support too

Upload: alexpsi14

Post on 14-Apr-2018


  • 7/30/2019 Office 2003 Soon to Lose Support Too


    Office 2003 soon to lose support too

    Summary: It's not just Windows XP that reaches support end of life next April on Patch Tuesday, but Office 2003 as well. This was an extremely popular version of Office, and running it without security patches will be dangerous.

    By Larry Seltzer for Zero Day | August 28, 2013 -- 12:45 GMT (05:45 PDT)

    Many are outraged that Windows XP will soon reach end-of-life for support and no longer receive security updates, but it gets worse. On the same day, Patch Tuesday, April 8, 2014, Office 2003 and all its constituent applications will also receive their last updates.

    Office 2003 was a wildly popular version of the suite, for reasons which mirror, to a point, the reasons why Windows XP was so popular and remains so entrenched: It was a good version, functionally. The Office suite was mature at this point, and offered pretty much anything that nearly all users needed.

    Then came Bill Gates's January 2002 security memo. Whatever their merits, Microsoft products had been developed without sufficient concern for security, and that had to stop. This had a substantial effect on Office, most prominently leading to new Office file formats, but also some changes in program behavior.

    The file format changes were necessary. The old formats (.DOC, .XLS, .PPT, etc.) were based on a formatting method called OLE Structured Storage. OSS is an absurdly complicated scheme and, as a result, there had been a steady plague of Office vulnerabilities involving malformed data files. It was decided that they would never really be able to secure the old formats, and a move was made to new ones built on a ZIP file containing XML. This was a hassle for many users, but at least the old formats were supported, and Microsoft developed a sandbox method for opening them with diminished risk.

    If you look at vulnerability histories in the years since, vulnerabilities in the old formats have continued unabated, and the new formats have been pretty clean. Microsoft also released the Microsoft Office Compatibility Pack in order to allow Office 2003 users to access the new formats.
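The two container types described above can be told apart from file content alone, which is how a mail gateway or file-share inventory would find legacy-format documents regardless of what they are named. The following is an added example, not code from the article or from Microsoft; the function names and the sample inputs are constructed for illustration.

```python
import io
import struct
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound file (OLE structured storage) signature
LEGACY_EXT = {".doc", ".xls", ".ppt"}
OOXML_DIRS = {"word/": "docx", "xl/": "xlsx", "ppt/": "pptx"}

def classify(data: bytes) -> str:
    """Return 'ole-legacy', 'ooxml-<kind>', 'zip-other' or 'unknown' from content alone."""
    if data[:8] == OLE_MAGIC and len(data) >= 512:
        # Compound file header: major version at offset 26, byte-order mark at offset 28.
        major, byte_order = struct.unpack_from("<HH", data, 26)
        if byte_order == 0xFFFE and major in (3, 4):
            return "ole-legacy"  # same container is used by other file types too
        return "unknown"  # signature present but header is not well-formed
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        if "[Content_Types].xml" in names:
            for prefix, kind in OOXML_DIRS.items():
                if any(n.startswith(prefix) for n in names):
                    return "ooxml-" + kind
        return "zip-other"
    return "unknown"

def triage(filename: str, data: bytes) -> dict:
    """Flag legacy-format content, and names whose extension hides it."""
    kind = classify(data)
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    legacy = kind == "ole-legacy"
    return {"file": filename, "kind": kind, "legacy": legacy,
            "disguised": legacy and ext not in LEGACY_EXT}

def sample_ole() -> bytes:  # constructed 512-byte header only, not a real document
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHH", hdr, 24, 0x003E, 3, 0xFFFE)  # minor, major, byte order
    return bytes(hdr)

def sample_docx() -> bytes:  # constructed minimal ZIP carrying the OOXML marker parts
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()
```

A file named `report.docx` whose bytes classify as `ole-legacy` comes back with `disguised` set, which is the case worth routing to the sandboxed viewer or to quarantine.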

    But that wasn't the only problem, and maybe not the biggest one. Office 2007, the next major version, included the then-infamous Office ribbon, the new UI element that replaced the familiar Office UI, without a compatibility mode for the old UI. Push-back was extensive.

    I'm sure the ribbon tested well in Microsoft focus groups, but in the real world users asked themselves what upgrading to Office 2007 bought them, other than the burden of learning a new UI and dealing with new file formats. It was reasonable for a lot of people to skip a version, much as many people skipped Windows Vista. In fairness to Office 2007, it was a quality release and recognized as such; Vista developed a poor reputation because changes in the driver model caused many devices and service-level programs which worked in XP to fail in Vista.

    (As is often the case with Microsoft product "failures", they undoubtedly sold many tens of millions of licenses for Office 2007, making it a failure that any other company would be thrilled with.)


    But Office 2003 was good enough for a lot of people, and it's still good enough for a lot of people. Except for the security problems.

    In about the last 12 months there have been 10 security bulletins affecting Office 2003 SP3 (the current Service Pack). 5 of them are rated critical:

    Date        Bulletin Number  Title                                                                             Bulletin Rating
    7/9/2013    MS13-054         Vulnerability in GDI+ Could Allow Remote Code Execution                           Critical
    6/11/2013   MS13-051         Vulnerability in Microsoft Office Could Allow Remote Code Execution               Important
    5/14/2013   MS13-043         Vulnerability in Microsoft Word Could Allow Remote Code Execution                 Important
    5/14/2013   MS13-042         Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution          Important
    1/8/2013    MS13-002         Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution  Critical
    12/11/2012  MS12-079         Vulnerability in Microsoft Word Could Allow Remote Code Execution                 Critical
    11/13/2012  MS12-076         Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution              Important
    10/9/2012   MS12-064         Vulnerabilities in Microsoft Word Could Allow Remote Code Execution               Critical
    10/9/2012   MS12-043         Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution    Critical
    8/14/2012   MS12-060         Vulnerability in Windows Common Controls Could Allow Remote Code Execution        Critical

    (Source: Microsoft TechNet)

    Note that even the non-critical vulnerabilities are remote code execution vulnerabilities. These are the classic malformed data file vulnerabilities that were the bane of Office security, but Microsoft has added other mitigating program behavior to warn users before opening potentially dangerous files, so their level of severity is lower.

    The bottom line is that there's still plenty of action on the Office 2003 vulnerability front. Just as with Windows XP, don't be surprised if many new vulnerabilities for Office 2003 show up on April 9, 2014 when their value in the malware marketplace will be much greater.

    So what are you to do next April when Office 2003 goes out to pasture? I'm not sure what to recommend to you, other than that Office 2003 will not be a safe product to use. Personally, I'm using Office 365 and I'm happy with it. The latest versions of Office really are markedly better than those of 10 years ago, and designed to work with the devices and Internet services that people want to use. Whatever arguments you may have had 5 years ago for sticking with Office 2003 just don't hold up to scrutiny anymore.
