Slashdot Mirror


Office 2003 Service Pack Disables Older File Formats

time961 writes "In Service Pack 3 for Office 2003, Microsoft disabled support for many older file formats. If you have old Word, Excel, 1-2-3, Quattro, or Corel Draw documents, watch out! They did this because the old formats are 'less secure', which actually makes some sense, but only if you got the files from some untrustworthy source. Naturally, they did this by default, and then documented a mind-bogglingly complex workaround (KB 938810) rather than providing a user interface for adjusting it, or even a set of awkward 'Do you really want to do this?' dialog boxes to click through. And of course because these are, after all, old file formats ... many users will encounter the problem only months or years after the software change, while groping around in dusty and now-inaccessible archives."

27 of 555 comments

  1. Default value goes back pretty far by compumike · · Score: 4, Insightful

    If you read the knowledge base article, you'll see that the default allowed old-version goes back to before even Word 95. PowerPoint 95, but not 97, is blocked. It's very likely that few documents exist in such old formats at this point.

    However, I really have to question whether the enhanced security is worth it, since those old versions didn't allow too much of embedded scripting anyway. Are we just worried about buffer overflows? Because those are still a symptom of their parser, not the format itself.

    The software nanny continues to keep us from hurting ourselves... gee, thanks. (Hmm, anyone smell a similar trend in government lately?)

    --
    Educational microcontroller kits for the digital generation.

    1. Re:Default value goes back pretty far by LuckyLuke58 · · Score: 5, Insightful

      Doubt it's really about security at all; I'm guessing it's probably more about 'nudging' the few people still using old versions of the software to upgrade: Those who currently exchange documents with users on newer versions will find suddenly they won't be able to send documents to anyone anymore without getting complaints that people can't open them. Deliberately making it too cumbersome and complex for most people to ever work around this, i.e. leaving it technically (but not really practically for almost everyone) an option, for now at least gives MS an excuse, while still taking a big step towards getting rid of support for those old formats entirely, which is not all that unreasonable I suppose for formats greater than 10 years old.

    2. Re:Default value goes back pretty far by RickRussellTX · · Score: 5, Insightful

      > It's very likely that few documents exist in such old formats at this point.

      I can only speculate that you've not worked in any institutions that have persisted for more than 10 years?

      I used to run a university help desk; by the time I left in late 2006 we were still getting requests to convert 5.25" floppies and DOS Wordperfect 4 documents.

      The situation is complicated by many other issues:

      • There is no easy way to identify the files that need conversion. Microsoft gives you no tool or flag to quickly identify old files, which share the same filename conventions as current files. Except of course to open them in Office 2K3SP3 and watch them fail :-(
      • Although bulk conversion tools exist, they cost money and they won't reach files that are secured in such a way that IT support staff can't get at them (e.g., on a CD-ROM in a locked filing cabinet).
      • Because a ridiculously complicated registry hack is required to enable the converters for the old documents, there's no easy way to apply it, for example as an Active Directory group policy. We're left with error-prone methods like push tools & login scripts.

      Ultimately, there is nothing wrong with the "file formats". A file format is not insecure. The issue is that Microsoft is shipping insecure code in Office 2007 and 2003 which may break when these files are opened and allow malicious executable code to run in the user's security context. Rather than fix this insecure code in a shipping product, their policy is to turn off the code and tell the user, "if you want to take the risk, turn it back on, but we won't make it easy."

      I work at an organization that has been grappling with this problem since SP3 came out in September 2007. We routinely work on projects that span 15 years, so it's not at all unusual to open project documentation that is 10+ years old. Companies were loyal to MS Office precisely because it promised reasonably complete forward compatibility with archived documents. Microsoft needs to provide a more robust solution to this problem, preferably by fixing the broken code (gasp!) or (less preferably) giving system administrators the tools necessary to enable and disable the functionality in a more global way.
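Added example, not part of the thread and not a Microsoft tool: the post above notes that old files share their names with current ones, so this Python reads the compound-file (OLE2) container and the Word FIB signature to label a file's format generation without opening it in Office. The function names, labels and the `build_sample` input are constructed for illustration; it says nothing about which generations SP3 blocks.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound-file signature
NONE = 0xFFFFFFFF                               # "no sector / no sibling" marker

def _chain(data, start, fat, ssz):
    """Concatenate the sectors of one FAT chain; stops at terminators and loops."""
    out, seen = [], set()
    while start < len(fat) and start not in seen:
        seen.add(start)
        out.append(data[(start + 1) * ssz:(start + 2) * ssz])
        start = fat[start]
    return b"".join(out)

def root_streams(data):
    """Map each top-level stream name to the first 8 bytes of that stream."""
    shift, = struct.unpack_from("<H", data, 30)
    dir_start, _, cutoff = struct.unpack_from("<3I", data, 48)
    if shift not in (9, 12):
        return {}
    ssz, fat = 1 << shift, []
    # Only the header's 109 FAT sector numbers are read (files up to ~6.8 MB).
    for s in struct.unpack_from("<109I", data, 76):
        sect = data[(s + 1) * ssz:(s + 2) * ssz] if s < 0xFFFFFFFA else b""
        fat.extend(struct.unpack("<%dI" % (len(sect) // 4), sect[:len(sect) // 4 * 4]))
    directory = _chain(data, dir_start, fat, ssz)
    entries = [struct.unpack_from("<64sHBx3I36xIQ", directory, off)
               for off in range(0, len(directory) - 127, 128)]
    if not entries:
        return {}
    mini = _chain(data, entries[0][6], fat, ssz)   # root entry owns the mini stream
    found, todo, seen = {}, [entries[0][5]], set()
    while todo:                                    # walk the root storage's sibling tree
        i = todo.pop()
        if i >= len(entries) or i in seen:
            continue
        seen.add(i)
        raw, nlen, kind, left, right, _, start, size = entries[i]
        todo += [left, right]
        if kind == 2:                              # 2 = stream object
            name = raw[:max(min(nlen, 64) - 2, 0)].decode("utf-16-le", "replace")
            small = (size & 0xFFFFFFFF) < cutoff   # small streams sit in 64-byte mini sectors
            found[name] = (mini[start * 64:start * 64 + 8] if small
                           else data[(start + 1) * ssz:(start + 1) * ssz + 8])
    return found

def classify(data):
    """Label the format generation of one file's bytes."""
    if data[:2] == b"\xdb\xa5":
        return "word-2.x"                          # pre-OLE Word for Windows 2.x header
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        return "not-ole"
    streams = root_streams(data)
    if "WordDocument" in streams:
        ident, nfib = struct.unpack("<HH", streams["WordDocument"][:4].ljust(4, b"\0"))
        # FIB signature: 0xA5DC = Word 6.0/95, 0xA5EC = Word 97 and later
        return "%s nFib=%d" % ({0xA5DC: "word-6/95", 0xA5EC: "word-97+"}.get(ident, "word-other"), nfib)
    if "Workbook" in streams:
        return "excel-97+"
    if "Book" in streams:
        return "excel-5/95"
    return "ole-other"

def _dirent(name, kind, child, start, size):
    raw = (name + "\0").encode("utf-16-le")
    return struct.pack("<64sHBx3I36xIQ", raw, len(raw), kind, NONE, NONE, child, start, size)

def build_sample(ident, nfib, stream="WordDocument"):
    """Constructed input: a minimal compound file holding one 4096-byte stream."""
    header = OLE_MAGIC + struct.pack("<16x5H6x9I109I", 0x3E, 3, 0xFFFE, 9, 6, 0, 1, 1, 0,
                                     4096, 0xFFFFFFFE, 0, 0xFFFFFFFE, 0, 0, *[NONE] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, 0xFFFFFFFE, 3, 4, 5, 6, 7, 8, 9, 0xFFFFFFFE, *[NONE] * 118)
    directory = _dirent("Root Entry", 5, 1, 0xFFFFFFFE, 0) + _dirent(stream, 2, NONE, 2, 4096)
    return header + fat + directory.ljust(512, b"\0") + struct.pack("<HH", ident, nfib).ljust(4096, b"\0")
```

Calling `classify(open(path, "rb").read())` over an archive share lists the files that predate the Word 97 and Excel 97 formats, which can then be compared against the versions listed in KB 938810.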

    3. Re:Default value goes back pretty far by dokebi · · Score: 5, Insightful

      > It's very likely that few documents exist in such old formats at this point.

      Really? How about the US government? NASA anyone?

      Why should anyone stop supporting old document formats? Are the files created a long ago no longer important? How about 100 year old books? Should we burn them all?

      We should stop this file format insanity now, and adopt some open format. Like ODF. Good riddance.

      --
      In Soviet Russia, articles before post read *you*!
    4. Re:Default value goes back pretty far by Helldesk Hound · · Score: 4, Insightful

      > Deliberately making it too cumbersome and complex for most people to ever
      > work around this, i.e. leaving it technically (but not really practically
      > for almost everyone) an option, for now at least gives MS an excuse, while
      > still taking a big step towards getting rid of support for those old formats
      > entirely, which is not all that unreasonable I suppose for formats greater
      > than 10 years old.

      Let's not forget - what is being supported is *software*, ie M$ Office, not a file format.

      The current iteration of Micro$oft Office should be capable of opening any and all files created by any prior release of M$ Office, and should be capable of doing so in a safe and secure manner.

      If the current iteration of Micro$oft Office is incapable of safely and securely parsing any file created by any prior iteration of M$ Office then surely something is very wrong with Microsoft, and with M$ Office!!

    5. Re:Default value goes back pretty far by syousef · · Score: 4, Insightful

      It is unreasonable, and stupid to boot.

      Unreasonable:
      Most students, business and personal users don't wish to be unable to open their 10 year old document because it's no longer supported. Students want to be able to access old study notes, businesses want to get at statistics, company history and old documentation of systems or business practices, and the end user wants to be able to open that wedding speech they wrote 10 years ago, or that collection of jokes in an MS word doc.

      Stupid:
      Why do people buy Office instead of using something free? For the 3000 features? No, at least most don't. They buy Office for universal compatibility so that they can exchange documents with everyone. The moment users start complaining that they can't open the MS Office document with Office, but it's okay you can use a free alternative, people will start installing the free alternative. They're not forcing anyone to move up to a later maintained version, they're forcing people away to software that actually does the job they want it to.

      Only fools and company sock puppets (sales and marketing) actually believe obsolescence is reasonable, particularly when it comes to data.

      --
      These posts express my own personal views, not those of my employer
    6. Re:Default value goes back pretty far by dbIII · · Score: 4, Insightful

      > Word 95. PowerPoint 95, but not 97, is blocked. It's very likely that few documents exist in such old formats at this point.

      I occasionally load in data tapes from as far back as 1982. Reports related to the data will be in whatever file format is popular at the time, which will be MS Word and MS Excel from the early 1990s on. Since computing power is so cheap now a lot of stuff in a lot of fields gets reprocessed, old data is a lot more useful than repeating 10 years worth of experiments again or sending 50 guys out to survey an area for two months or even trying to examine something that doesn't exist anymore. Old file formats like TIFF, SEGD, tar and so on are deliberately backwards compatible so that archiving is more than just an expensive hobby. Since Microsoft have moved out of the hobby software space and into the office they should realise that they have to take a professional approach throughout the company to avoid mistakes like this.

    7. Re:Default value goes back pretty far by mysticgoat · · Score: 3, Insightful

      > It's very likely that few documents exist in such old formats at this point.

      Tee-hee! That got laughs from all kinds of government employees, university administrative assistants, paralegals, and so on.

      And this undoubtedly will put a smile on the faces of all the good old boys at Exxon, who have been fighting the good fight to keep from actually having to pay for the damage that their Valdez supertanker did about 20 years ago. If all the prosecutor briefs from before 1995 were suddenly much more difficult to access, then maybe Exxon will succeed in avoiding payment of the $2.5 billion they owe.

      Proprietary file formats are definitely good for some businesses.

    8. Re:Default value goes back pretty far by arivanov · · Score: 4, Insightful

      This is not really applicable here:

      1. I bet that some of the code is not Microsoft's. They have bought it and I would not be so sure about the right to modify it in the first place. In any case we are back to rewriting code which no one understands any more.
      2. You can sandbox in a sandbox-friendly language (not the case here it is all C++ or C at that age) or if your code is written in a manner where sandboxing works. Classic example - using exemptions on out-of-memory or invalid pointers to allocate memory. I know a chap who writes everything like this and he used to work for MSFT at just about that time. Wanna sandbox that? Especially in a multithreaded environment? I doubt it. On top of that I can bet that the internals of the code in question reinvent the wheel left right and center and reimplement functions that are nowadays part of the foundation classes. As a result the size of the piece of code which you have to sandbox suddenly grows on an order of magnitude. And so on.

      As I said, I for once can sympathise with a MSFT decision. I have no sympathy to the fact that they do not admit to the underlying reason which is using formats that are not open, well defined and standardised (nothing to do with security), but that is a different story.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    9. Re:Default value goes back pretty far by MMC Monster · · Score: 3, Insightful

      Agree, but there is another point:

      A lot of individuals have pointed to MSOffice as a standard, stating that future versions will always be able to read the older formats. Now there is absolute proof that it isn't true.

      Another reason for an open format that is actively supported by multiple vendors.

      --
      Help! I'm a slashdot refugee.
    10. Re:Default value goes back pretty far by swillden · · Score: 3, Insightful

      > Classic example - using exemptions on out-of-memory or invalid pointers to allocate memory. I know a chap who writes everything like this and he used to work for MSFT at just about that time. Wanna sandbox that?

      Nope. Don't sandbox, virtualize. Create a tiny VM that has only the minimal OS needed to run the core of the code, and run the unsafe code in there. The tiny OS doesn't need to have any device support, just a bit of memory management plus a set of APIs that pass through to the real OS outside, with parameter validation.

      MS has all of the technology needed to do this. If they don't want to make a truly minimal OS, they could always just use Windows Mobile, with all of the optional components removed. It wouldn't be trivial, but neither would it be a huge chunk of work.

      It would probably cost them fewer dollars to implement a virtualized "sandbox" for that old code than it will to handle the support calls their move is going to create. OTOH, the virtualization approach would only help with security, it wouldn't encourage people to upgrade.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. Conflicting Strategies? by TaoPhoenix · · Score: 5, Insightful

    Wasn't "backward compatibility" the whole crusade they were on last year? "We must preserve support for old formats, which is why we won't make IE standards compliant, and our spec has to back-support IndentsLikeWord95" and the rest?

    Their sneaky brand of evil is saying two conflicting things and making us believe they work together.

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  3. Re:hmmm by statemachine · · Score: 3, Insightful

    > with MS your files are accessible for however long they decide they should be, with FOSS, they're accessible as long as anyone is alive capable of re-compiling the source.

    This is the point that people miss. All of the documents that were archived in the older formats will no longer be openable -- in this case, there is an arcane incantation as a workaround, but what if MSFT removes support entirely so that an authoritative document conversion is no longer possible? With open source, the method is obtainable. With closed source, it may be deleted when the company no longer supports it or closes its doors.

    There are many cities/states/countries that rely on MSFT formats for document archival. Should a city keep spending money every 5-10 years to also update the formats on all of these records in case the necessary closed-source software ceases to exist or work on modern computers?

  4. long careers exclude using proprietary formats by spasm · · Score: 4, Insightful

    Funnily enough, the thing that finally, permanently, won me over to open document formats (I first used things like openoffice simply because they were free) was discovering I couldn't open my dissertation (written in word 5.1a for mac) on a standard install of office for windows. Yes, I know there's converters, and yes, I know current versions of word for mac can still open 5.1a documents, but I didn't have a mac at the time, and laboriously 'converting' the large numbers of transcripts, notes, papers, and all the other ephemera of writing a dissertation was a huge, timewasting PITA..

    After that, the penny dropped. Using open document formats wasn't simply a way to save money, it was an actual necessity for anyone planning to have a career lasting more than 5 years where writing is a core part of your work.

  5. File format is less secure? by filbranden · · Score: 5, Insightful

    > They did this because the old formats are 'less secure', which actually makes some sense,

    This doesn't make sense to me. A file format doesn't have buffer overflow vulnerabilities, the program that opens it has them. A file format cannot execute a virus or a trojan, the program that opens it is the one that does it. I cannot believe that a file format can have inherent vulnerabilities that cannot be circumvented by the program that reads the file.

    On the other hand, considering the ODF vs. OOXML format wars, it seems to me that Microsoft's objective with this is actually to press for the standardization of OOXML. How exactly I don't understand, since the whole point of standard document formats is to avoid this same problem that they've just created.

  6. This is exactly why proprietary formats are bad by Skapare · · Score: 4, Insightful

    This is exactly why proprietary formats are bad, at least for documents that need to be kept for a long time for some reason, such as archival or historical documents. Even if open source office applications do similar things and deprecate support for old formats, the older application versions might at least be available. Or third party developers could more easily create conversion programs. While open source programs do also exist to read these old proprietary documents today, we don't know if future proprietary document formats will be able to be supported. The open formats will be supportable.

    --
    now we need to go OSS in diesel cars
  7. Time for you for ODF by aepervius · · Score: 4, Insightful

    In 25 years you will still be able to use an open ISO standard or convert from one standard to another. Microsoft just proved to you they are unreliable for the goal you had (forward compatibility).

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
  8. Thank you Microsoft... by mwvdlee · · Score: 5, Insightful

    ...for demonstrating why we need ODF.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    1. Re:Thank you Microsoft... by g2devi · · Score: 3, Insightful

      > What if someone discovers a vulnerability in ODF and they need to release a newer version of the format?

      Two points:
      1) There are no vulnerable file formats, only vulnerable implementations. If the old MS format were vulnerable, then they could at minimum sandbox the thing or take the easy way out and disable specific vulnerable implementation functions (which likely aren't used by anyone) unless the user verifies them and manually enables them.
      2) No matter what ISO does, the spec is out and you are free to use any program that implements the current version. Since libraries and government institutions must have the original unconverted documents of all their archives (note, a single space or comma can change the meaning of many documents including the constitution), you can be sure that some viewer will always exist for "Older" versions.

    2. Re:Thank you Microsoft... by cp.tar · · Score: 5, Insightful

      > Ultimately this is another nail in the coffin for MS for it proves that you can't use ANY MS Office file format for reliable long term storage - unless you are prepared to walk the MS Upgrade Treadmill.

      Nope.

      It's even worse.

      This problem only occurs if you do walk the MS Upgrade Treadmill; should you choose to remain true to the good old Office 97, all will be fine.
      OK, so the problem of opening new documents someone sends you occurs in that case, but you can't have it all.

      It's a damned if you do, damned if you don't type of game: either you lose old documents or you lose new ones.
      The bottom line, therefore, is: you lose anyway.

      Whatever you do, if you go with Microsoft, you will lose.
      Best case scenario: all you lose is lots of time. However much is necessary for converting all the old documents.
      Do add that to the price of Office itself.

      --
      Ignore this signature. By order.
  9. Oh, yes it is... by TiggertheMad · · Score: 3, Insightful

    > I don't know if I'd characterize it as "mind-bogglingly complex". It's a series of registry edits.

    I would. The average slob (who could very well be someone who doesn't update their old files for long periods of time) using windows does not know what the registry is, let alone how to modify it. Also consider this: What is more dangerous and likely to cause serious damage, an old file format or an average user trying to fix their registry to read old files?

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
  10. Mod parent up! by foreverdisillusioned · · Score: 5, Insightful

    He's right... their excuse is a joke. It can't be that hard--especially considering the huge profit margin on Office--to figure out a way of opening these file formats securely. It's not even executable data, for pete's sake! And if they *are* talking about macros or something, well then just disable the macro part until you figure out a way to sandbox it.

    The richest tech company in the world is throwing its hands up in the air and saying that it can't figure out how to make its most profitable (and presumably most actively developed) products render a human readable, non-executable data format safely--PLEASE. This is nothing more than a very clumsy (but brazen) attempt to make people upgrade. I'm surprised they have the balls to do it, what with their current OOXML circus.

    1. Re:Mod parent up! by Helldesk Hound · · Score: 4, Insightful

      > This is nothing more than a very clumsy (but brazen) attempt to
      > make people upgrade. I'm surprised they have the balls to do
      > it, what with their current OOXML circus.

      I'm not surprised at all. :o)

      It is what one expects from a company that does not respect the people who have used its software (and re-purchased it several times) over many years.

      Would Adobe even consider doing this with Photoshop? No.

      What we are seeing is nothing more than a "vendor lock-in" ploy.

      I'm almost certain that M$ will not fully support OOXML if it gets approved by the ISO. Let's be realistic - M$ doesn't actually support it now!

    2. Re:Mod parent up! by totally bogus dude · · Score: 3, Insightful

      > It is what one expects from a company that does not respect the people who have used its software (and re-purchased it several times) over many years.

      Sounds reasonable to me. I mean, do you respect stupid people, even if they give you their money?

  11. Re:Not really that bad by howlingmadhowie · · Score: 3, Insightful

    don't use rtf. there are hundreds of different rtf extensions and no one knows which ones will be supported by microsoft in the future. if you want to store information for the foreseeable future you can use a standard ascii-text or utf8-text, tex, html or odt and that's about it.

  12. Re:More cheese with that whine? by smittyoneeach · · Score: 3, Insightful

    No, the basis for complaint is valid.
    You paid real cash money for something to work a certain way, and it did, until your proprietary-vendor overlord makes up some crappy reason for removing the functionality.
    While the specific instance of removing support for ancient formats isn't likely to have too much catastrophic effect, the precedent is well worth bitching about.
    The least Redmond could do is turn the converter code over to the public domain, so that, when the unforeseen requirement to, say, compare ancient versions of Uncle Hezekiah's will suddenly crops up, people don't have to spend a ton of money to open a simple file.
    Of course, there is the business model of having a stable of ancient computers with creaky Windows versions and applications, just for these moments, but that business is so boring as to be hideously expensive.

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  13. it's not like it's YOUR data or anything by toby · · Score: 4, Insightful

    Data obsolescence is a huge problem. MS doesn't give a damn, their business model is to sit between you and your data. (OOXML versus ODF.)

    Apple also did something like this (or worse) when they EOL'd Classic in Leopard. Millions of files become inaccessible overnight because the applications to read them simply cannot be run. It's thoughtless and cynical and extremely destructive.

    The summary is not alarmist. Data obsolescence happens every day. It's a fatal flaw in the proprietary software model that RMS correctly identified decades ago.

    --
    you had me at #!