It's not often I find myself at a loss for words when I read something, but this is one of those times.
Or perhaps it would be more accurate to say that it isn't really necessary for me to add any words to the following news, other than to characterize it with a Latin phrase lawyers use: Res ipsa loquitur, which translates as "the thing speaks for itself." I'll give one clue, though: I've added this blog post to the "ODF and OOXML" folder. That's "OOXML" as in "the world must have this standard so that our customers can open the billions of documents that have already been created in older versions of" a certain office productivity suite.
So without further ado, here's the news, along with what a few other people have had to say about it [Update: see also the comments that readers have added below interpreting the original Microsoft information]:
Office 2003 update blocks older file formats
Special to CNET News.com
Office 2003 Service Pack 3, which was made available in September, blocks a lengthy list of word-processing file formats, including Word 6.0 and Word 97 for Windows, and Word 2004 for Macintosh. It also blocks older versions of Excel, PowerPoint, Lotus Notes, Corel Quattro spreadsheet, and Corel Draw graphics package.
On releasing the service pack, Microsoft said one of its main benefits was that it would make it easier to interoperate with Microsoft’s latest operating system, Vista, and its latest productivity suite, Office 2007. The older file formats that are now blocked are in decreasing day-to-day use, but the blocking of them will make retrieval of archived material more difficult…. In the support document, Microsoft said SP3 blocked access to those formats because they were less secure than newer versions.
[read more of the CNETNews.com article here]
[read more – and 541 comments (and counting) at SlashDot here]
Office 2003 SP3 blocks old file formats
January 03, 2008 (Computerworld) — Microsoft Corp. deliberately broke access to older files, including many generated by its own products, to step up security with the newest Office 2003 service pack, a company evangelist said yesterday…. "The decision to block the formats is strictly to protect your machine from being compromised."…
Word 2003 with SP3, in fact, blocks a staggering 24 former formats, according to Microsoft, including the default word processing file format for Office 2004 for Mac, the currently available edition of Microsoft’s application suite for Mac OS X….
IT administrators can download a group policies template from the Microsoft site to return formats from the dead, but individual users or smaller shops must instead edit the Windows registry, a daunting task that even Microsoft warns against. "Serious problems might occur if you modify the registry incorrectly," the company said in the support document. "Modify the registry at your own risk."…
[Microsoft instead recommends that] rather than monkey with the registry, users convert documents in bulk to the OpenXML format — Office 2007’s default format — using the tools in the Office Migration Planning Manager (OMPM) kit, which can be downloaded from Microsoft’s site….
[read more of the ComputerWorld article here]
…To add insult to injury, Microsoft’s explanation for the changes doesn’t wash — file formats are not insecure and cannot by themselves allow something like a buffer overflow exploit. The security vulnerability is in the program that opens the files and allows the exploits to execute. The issue then is not the older documents but that Microsoft has decided that, rather than address the insecure code in Office, it will simply disable support for the formats which could exploit those insecurities….
Naturally, there’s an alternative which is somewhat easier (and free): just grab a copy of OpenOffice which can handle the older file formats. Once you’ve got them open, now might be a good time to convert them to ODF documents lest Office 2017 decide to again disable support for older file formats.
[Read more at Wired here]
I could, of course, post more. But what can I say…
Done for security?!
That’s a laugher!
If that were the motivation they easily could have added an extra dialog stating that the older format was less secure and did the user really want to open the file.
I think this is a misreading by the reporter. When looking at MS’s KB (http://support.microsoft.com/kb/938810/en-us) article, the default setting does not seem to block newer file formats post 97. I think this is a misreading of "Word 4.0 for Macintosh" which is blocked.
Either you linked to the wrong article or you misread the article yourself. The section below is from the article linked and clearly states Word, Excel & PowerPoint.
After you install Office 2003 SP3, some Microsoft Office Excel 2003, Microsoft Office PowerPoint 2003, Microsoft Office Word 2003, and Corel Draw (.cdr) file formats are blocked. By default, these file formats are blocked because they are less secure. They may pose a risk to you.
I just got through reading the whole thing. If you do read the *entire* Microsoft KB article, it is very clear that this file format disabling applies to anything created in apps preceding the following versions, by default:
Excel 97 (Excel 95 and below are blocked)
Word 95 (Word 6.0 and below are blocked)
PowerPoint 97 (PowerPoint 95 and below are blocked)
Yes, you can change that, and the KB article shows you how. So, the top poster actually is correct in his assessment. Andy, you might want to include an update explicitly reflecting this.
Now, that said….
How unfortunate that Microsoft is so scared of freedom that it wants to try to force-feed upgrades on us. I use OpenOffice.org and haven’t touched MS Office in several years. This kind of crap on Microsoft’s part is why. And I was a die-hard Windows NT fan back in the day….
"After you install Office 2003 SP3, some Microsoft Office Excel 2003, Microsoft Office PowerPoint 2003, Microsoft Office Word 2003, and Corel Draw (.cdr) file formats are blocked. By default, these file formats are blocked because they are less secure. They may pose a risk to you."
The keyword here is "some". It appears to be referring to the fact that Office 2003 can open and edit pre-97 formats, and after installing SP3, you lose this ability.
Another reason why people got confused.
I went back to read the text again, guess what! It changed. "Some" is no longer there. Here is what I found.
File types that are blocked
After you install Office 2003 SP3, the following Microsoft Office Excel 2003 file types, Microsoft Office PowerPoint 2003 file types, and Microsoft Office Word 2003 file types are blocked. By default, these file types are blocked because the parsing code that Office 2003 uses to open and save the file types is less secure. Therefore, opening and saving these file types may pose a risk to you.
Microsoft has just shot itself in the foot. They’ve basically declared to all the world that:
This hurts both their OOXML case and their anti-trust case and increases the case for moving legacy documents to competitors like OpenOffice which will allow you to keep your legacy as is (without ramming ODF down your throat, even though it is good for you). Since it’s tied to their service packs, they’re also hurting the trustworthiness of their OS support, which may push some companies (especially the Vista weary ones) to their competitors (Apple, Sun, Linux).
Microsoft is playing chicken with the standards community and anti-trust authorities and ultimately their users.
Time will tell who flinches.
Microsoft are reducing the attack surface of Office by gradually withdrawing legacy functionality. All else being equal this is desirable, but of course it harms support for older documents.
The sad thing IMO is the lack of support from Microsoft for users who will now need to bulk-migrate their old documents. Unfortunately this is typical: MS regularly introduce "improved" APIs for developers, with migration documentation at the "proof of concept" level only. I am currently working with a team spending 10+ person-years migrating a large Web application to dotNet after MS decided to end-of-life ASP+VB6 in their prime.
Standards help end-users, by limiting arbitrary changes, but they are not a panacea. We also had to do a lot of work when IE7 was launched, although it claims to follow public standards – giafly
Perhaps your company should be looking at a vendor neutral solution instead of continuing with MS "solutions". You are already having to change, but are changing from the vendor who shafted you to the vendor who shafted you! Give a couple of years and you will be in the same position again, bending over and saying "here’s plenty of cash, please do me again."
We’re following your advice client-side and using vendor-neutral Ajax. It would be nice to do the same server-side but (1) We can’t force our clients to replace their infrastructure merely to avoid Microsoft and (2) For our needs there’s no cost-effective alternative to SQL Server. Yes really.
"We did a poor job of describing the default format changes … The .reg files you can use to change the security settings can be downloaded here" – giafly:
Microsoft is apparently also dropping Visual Basic for Applications (VBA) from Office. This will be less controversial than the reduced support for file formats, but is additional evidence that you can’t be sure that e.g. MS Office 2020 will read the Office documents that you archive today. If this is important to you, better mothball a couple of current Windows computers – giafly.
"Microsoft is throwing developers working with mixed PC and Mac environments a curveball with the long-awaited release of Office for Macintosh 2008. Microsoft has pressed ahead with delivering a suite that drops support for Visual Basic for Applications (VBA), overcoming long-running concerns among the grassroots."
A stray thought just occurred to me.
Clearly, MS is capable of pushing a policy change to effectively all Office 2003 installations out there that drops support for several legacy formats. Ostensibly, the reasoning is that the code used to parse those formats is insecure and poses a security risk.
Well, it probably is true that the code is insecure. Still, wouldn’t it be as easy to push correct code to those same installations? Like, say, the code that is used in the OOXML extensions to parse those formats? Unless, of course, it is the same code…