Office 2003 Bug Locks Owners Out

I Don't Believe in Imaginary Property writes "A Microsoft Office 2003 bug is locking people out of their own files, specifically those protected with Microsoft's Rights Management Service. Microsoft has a TechNet bulletin on the issue with a fix. It looks like they screwed up and let a certificate expire. There's no information on when the replacement certificate will expire, though, or what will happen when it does."

Tag: Not a bug, defective by design.

[ozmanjusri]

Actually, it's not really a bug, just the usual friendly reminder from Microsoft that there's a new version out and it's time to ante up again.

Re:Tag: Not a bug, defective by design.

[rtfa-troll]

I guess in some way you're right. When Office 2003 goes unsupported, the certificate will expire and people will be forced to upgrade and that probably is something Microsoft has documented and understands (and thus a "feature"). However, I still think we could call this an operational screw up. I really don't think they want to remind people of their power to do an Amazon on all and any of your files until they have people nice and solidly locked in.

Screw Up Or Forced Upgrade?

[Afforess]

I know a LOT of people still using MS Office 2003. Some people dislike the Ribbon System with '07's version. Some people are too cheap to upgrade when the old copy still "works". Now, Microsoft isn't making any money from all those old copies of 2003, so what's stop them from "Programming Obsolescence" into their software?

It sounds a bit sinister, yes; but it's not technically illegal. It might even be in the oft-skimmed EULA. Or maybe it's just similar to the way HP printers always fail a week after the warranty expires.

Re:Screw Up Or Forced Upgrade?

[darkpixel2k]

I know a LOT of people still using MS Office 2003. Some people dislike the Ribbon System with '07's version. Some people are too cheap to upgrade when the old copy still "works".

That's why there's OpenOffice. An experience that brings you back to the good 'ol days of Office 2003 for free. Actually, it may even bring you back to the days of Office '97.

At least until the next version comes out. Then you have the ribbon too. God, I hope it can be disabled.

Re:Screw Up Or Forced Upgrade?

[shrimppesto]

Why did you put "works" in quotes? Office 2003 still does, in fact, work. It works just fine.

A lot of people are still using Office 2003 because the number of new features that impact daily usage seems to shrink with every new release. Why upgrade when the version you have does everything you need it to, and the new version doesn't do anything you wish it did?

There's always someone who will benefit from [insert new feature here]. But for the rest of us, Office has suffered from a paucity of innovation since 1995. If anything, things have gotten worse -- e.g. they keep trying to make Microsoft Word "smart," but the result is a program that's too smart to be obedient and too stupid to do what you actually want it to do.

The writing's on the wall for Office. If the folks in Redmond don't figure out something reeeal soon, Office is toast.

Re:Screw Up Or Forced Upgrade?

[broken_chaos]

It's still vendor lock in if there's no competing product that reads their open formats.

Umm... There are a huge number of programs that read/write ODF (OpenOffice's default format). Wikpedia has a fairly extensive list of software that handles the various ODF files.

Re:Screw Up Or Forced Upgrade?

[Maxo-Texas]

I get your point but this is a little different.

Not having perfect page layout might take you 30 minutes to fix. Worst case, the text is in a zip file and can be pulled out.

Not being able to read encrypted data would be a little bit more serious.

Re:Screw Up Or Forced Upgrade?

[gandhi_2]

This has nothing to do with open formats.

If you encrypt and digitally sign (aka DRM) your OO.org files, and loose the ability to decrypt them, you are in the same boat.

This is a story about DRM, not formats. A story about the forgotten idea of key escrow idea and of DRM cert servers, not file formats.

Re:Screw Up Or Forced Upgrade?

[ozmanjusri]

What did I do today? Well, I didn't like the ribbon bar in the new OpenOffice, so I forked the project.

Wow, that's crazy. Why did you bother going to all that trouble when IBM's already done it for you?

If you don't like Symphony, there's plenty more choices. That's the great thing about being open and having competition, right?

Re:Screw Up Or Forced Upgrade?

[Nefarious+Wheel]

At least until the next version comes out. Then you have the ribbon too. God, I hope it can be disabled.

Agree. The Ribbon was a tremendous step backwards in user friendliness, all in the name of eye candy. It sucks. Way too long a familiarisation curve. In contrast, I'm having zero trouble -- almost zero thought -- in using the plain vanilla Gnome / Open Office interface to do the stuff I need to do on the home laptop, i.e. load documents, edit them, and store them.

Re:Screw Up Or Forced Upgrade?

[mikael_j]

...to handle writing scientific reports on Linux, and AbiWord wasn't up to the job (Note to trolls: please don't bother with shill posts for TeX/LaTex. I'm sure it's very good, but I've got work to do.)

Excuse me but would you also consider someone who tells a carpenter that a hammer is a much better tool for driving nails than a stapler a troll because you can't be bothered taking three seconds to figure out what end of the hammer to hold?

/Mikael

Re:Screw Up Or Forced Upgrade?

[the_womble]

I like Gnumeric too.

Abiword is a good lightweight word-processor, but not as feature rich as OpenOffice.

What exactly is your problem with Latex? If the learning curve is too much, you use Lyx.

Re:Screw Up Or Forced Upgrade?

[mikael_j]

Actually, my experience with LaTeX is that if you look at it as HTML with different keywords and keep some decent documentation nearby (there are several good PDF books available for free online) it is easier to use LaTeX if you want sane printable results than it is to use MS Word or another word processor (hell, the reason I started using LaTeX to begin with was because I got fed up with trying to force word processors to give me decent output).

/Mikael

Re:Screw Up Or Forced Upgrade?

[marcansoft]

LyX is your friend. It's a wonderful WYSIWYM(ean) editor for LaTeX.

amazing...

[wizardforce]

Putting that amount of trust in a third party that has the power to lock you out of your own files... It boggles the mind as to why that is acceptable in anything of importance.

Re:amazing...

[Sparx139]

Technically, yes. I could not be bothered trawling through the source code of OOo to look for malicious code (and frankly, I doubt I'd understand most of the code anyway), so I am placing my trust in the dev team. But I know that it's less likely to happen, because it wasn't developed by a single company, but by many people. That, and if this happened, a fix would appear quickly (a lot more quickly than if it was a M$ product)

Re:amazing...

[selven]

If I had my way, documents would be done using plain text and markup languages. Everything is simple and separate, so you don't have many security issues that way.

Re:Locks OUT!?

[msclrhd]

What's worse is when Microsoft does not exist anymore at some point in the future. Eventually, the certificates will expire again; then -- without Microsoft to renew them anymore -- you're screwed.

Want to access your important, digitally protected documents? Sorry.

Re:So if you had no web, you'd be hosed?

[El+Capitaine]

The cases where the user would be "hosed" are few to none.

This bug only applies to documents protected with Rights Management Services, which is part of Active Directory and the Windows Server operating system.

Therefore, the only way you would have an issue is if you were on a network that used RMS but had no internet connection, in which case you'd have your IT guy download a fix from some other internet-connected machine and deploy it to the systems with the bug.

This will not affect people who are simply running their own copies of Office 2003 without RMS or Active Directory or any other fancy add-ons.

Unexpected error?

[SpacePunk]

From the article...
"Office 2003 users receive the error, "Unexpected error occurred. Please try again later or contact your system administrator,""

WTF? Is there anyone out there that can point me to an expected error? Can these wannabe programmer motherfuckers ever pass on real information on an error to the end user? Their error messages might as well say, "Our program fucked up, we're dipshits, we don't know what the fuck is going on. In fact, we couldn't have put together a crappier piece of software if we were drunk, or high."

Re:Unexpected error?

[jpmorgan]

You would prefer 'Expected error occurred. We could have handled with this transparently, but we'd rather pop up an annoying dialog box?'

Re:Unexpected error?

[Thanshin]

Their error messages might as well say, "Our program fucked up, we're dipshits, we don't know what the fuck is going on. In fact, we couldn't have put together a crappier piece of software if we were drunk, or high."

It would be funnier to get messages like: "Our program fucked up. -- Error code: ss324. Help me. I've been in a cage for the last two years. They feed me the corpses of the programmers who didn't make it through the big flood. I don't want to die. Please help! ... HH/991.DDF. For more information, contact your system administrator."

Re:Unexpected error?

[BrokenHalo]

Is there anyone out there that can point me to an expected error?

What's worse is that insulting little click-box that sits there jeering at you saying [OK]

...when as we all know, the correct response is "No, it's NOT fucking OK, you dipshit."

Re:Unexpected error?

[L4t3r4lu5]

I'd prefer it to say "The document you are trying to access has been secured by Microsoft Rights Management Service, but the signing certificate has expired. Please see your Administrator regarding updating or renewing your certificate."

Still, I suppose no MS coder had ever considered that a time limited certificate would ever expire.

Re:Unexpected error?

[AlgorithMan]

this is simple. Error handling basically works like this

try {
command1
command2
command3
}
catch(DiskFullError E) {
messagebox("not enough free disk space\n"+E.ExtendedInformations()); // this is an expected error
}
catch(NoWritePermissionError E) {
messagebox("you don\'t have write permission in that directory\n"+E.ExtendedInformations()); // this is an expected error
}
catch(DirDoesntExistError E) {
messagebox("the directory you chose doesn\'t exist\n"+E.ExtendedInfo()); // this is an expected error
}
catch(...) {
messagebox("an unexpected error occured"); // this is where the unexpected errors are handled
}

you try to do some stuff and if something goes bad, the codes throw an exception, which can be caught by the error-handlers. and if there is no error handler for the error, then this is an unexpected error. this would crash the program, unless you do catch(...), which can also catch unknown exception types
well, in redmond it goes more like this (see MSDN)

if(!command1) {
switch(ERRNO) {
case 1: messagebox("Error code 1, contact your vendor"); break;
case 2: messagebox("Error code 2"); break;
default: messagebox("unexpected error");
}
}else {
if(!command2) {
switch(ERRNO) {
case 2: messagebox("Error code 2"); break;
case 3: messagebox("Error code 3, press F1 to see some useless hexadecimal bytes"); break;
default: messagebox("unexpected error");
}
} else {
if(!command3) {
switch(ERRNO){
case 1: messagebox("Error code 1, contact your vendor"); break;
case 4: messagebox("Error code 4, why don\'t you switch to linux?"); break;
default: messagebox("unexpected error");
}
} else {
// wohoo, nothing went bad!
}
}
}

if something goes bad, a global variable (ERRNO) is set to some error code and the functions return false. the default case takes all the values of ERRNO, that are not handled explicitly Yes, this is prehistoric and non-thread-safe error handling, but what do you expect from the masters of disaster?

Re:Unexpected error?

[jimicus]

Every error message that Microsoft has ever written is like this.

Sometimes they think to include a way of getting the full error in proper technical language across - maybe by writing to the event log or having a "click for technical details" option but more often than not they don't. As a Unix admin, it's immensely frustrating dealing with software which goes so far out of its way to be opaque.

Re:Unexpected error?

[dargaud]

I blame this kind of error messages on programmers who use exceptions. Instead of doing error checking within the routine that has the problem and crafting an error message in there, you just throw an exception, hoping for the caller to take care of it. If the caller doesn't then the exception keeps floating up until nobody has a clue to what the condition was, hence "unexpected error". I hate exceptions.

Re:Unexpected error?

[dbIII]

The funny thing is I can read in stuff from the 1980s that doesn't even use ASCII and these clowns can't even keep files readable for six years.
Proudly brought to you by the guys that stranded a ship with a divide by zero error and halted devices for a day because they forgot about leap years. They are only ready for the "Enterprise" is you have a few spare redshirts to lose.

Re:Unexpected error?

I love these kind of messages. Everybody keeps calling me, it says here you know what is going on. WTF? I don't have a clue what you've done, just because I am the system administrator I am not telepathic or having some kind of better error messages mailed to me...
Even better, you are installing something and the dialog pops up: "Contact your system administrator". I am the fucking administrator if I wasn't I wouldn't be logged in as 'administrator'...you haven't told me what the problem is...

Re:Unexpected error?

[b4dc0d3r]

Code reuse is the more likely problem. The biggest problem is that each component has to assume there is no UI. It could be in a GUI, or commandline, or silent mode, or a service, or whatever else, so it doesn't pop up an error message - it just returns a value.

You tell your handy security library to use the internet library to connect to the microsoft server thingie, and the internet library doesn't have any reason to know about certificates. The security library assumes the certificate will always be valid (or the network will take care of that), so it doesn't have a "bad certificate" return value. Then the app doesn't check the return values (only success/fail), or it's not in the list of things to check.

Detailing your actions makes it easier to disassemble and comprehend, so lots of proprietary coders don't do that. Bubbling up an exception could have a detailed description of why something failed, but proprietary coders don't want end users to see the gory details of what their code is doing. "Confusing error messages" is one of those things Windows users hate, so they generally either detail what you might do to fix it or, if it's too detailed or on a server instead, just skip that part.

It's nothing the user can do anything about, so why bother reporting it? Plus you need to make translations and test cases to ensure your message pops up in all languages when the cert is expired... more work when you could just ship it, and list a known risk that the server team has to keep the cert up to date.

I know, tldr. Black box programming combined with allowing ignorant users peace of mind will result in this type scenario every time. I always chuckle when I see "Table or view does not exist" errors in Oracle SQL when I can see the table in the list of ALL_USER_TABLES or similar. I don't have access to it, and revealing that it exists but I'm, not allowed to read from it might be a security violation the same way "bad username" vs "bad password" gives brute-force people more information to work with so you say "bad username/password combination" and now they don't know if the user exists. Maybe they thought of that, or maybe they tried to select, got 'denied' return code, and translated that into one they do have a text string for.

So many possibilities, of which yours is the least likely. Exceptions can be done well, there just aren't enough good examples out there so it takes a serious debugging headache before someone looks at a better way of doing it. Then Management says the errors are too wordy and you're back to "Unexpected error" meaning everything from "Network down" to "I crapped my pants".

Totally off the mark.

[IBitOBear]

Microsoft gets people to update by giving their product to the CEOs and "bigwigs". When everybody _else_ in the organization cannot read or use the new format for the documents, they have to keep bouncing transfered documents back to the aforementioned bigwigs. Eventually the bigwigs get tired of the fact that they cannot understand how to use save-as-older-format, and they dislike having their underlings telling them to do things, and they cannot bear to find all the files they saved and re-save them before they downgrade back to the old version... So the entire company naturally has to pay to upgrade everyone.

Repeat that at the border of the company. Every iteration of Little Company that works with and is dependent on Big Company, cannot allow themselves to be seen as unhelpful nor out of date, and they cannot bounce the documents they receive via email etc. without giving that exact impression...

Letting certificates expire is _not_ a Microsoft "strategy", it's an artifact of their adoption of "We don't care. We don't have to. We're The Phone Company" where there is no longer just one phone company, but Microsoft wants to be "The Software Company".

This _is_ egg on their face, but the only ones who will not yell "brilliant omelet" are the people who can connect the "Trusted Computing" dots. Letting the world _again_ see what it means to leave the keys to your property in the hands of any entity that doesn't _have_ to care is just another Microwhoops...

Re:Totally off the mark.

[L4t3r4lu5]

Eventually the bigwigs get tired of the fact that they cannot understand how to use save-as-older-format, and they dislike having their underlings telling them to do things, and they cannot bear to find all the files they saved and re-save them before they downgrade back to the old version... So the entire company naturally has to pay to upgrade everyone.

Or, the admins download and roll out the Microsoft Office Compatibility Pack and leave the CEO with his new shiny-shiny.

Re:Totally off the mark.

[deniable]

And then the admins get to deal with documents that can't be handled by the converter. I had one last month, had to install 2007 to open it. I forgot to check Open Office first though. 2007 isn't as bad as the problems '97 caused, but it still causes some.

Re:Totally off the mark.

[hairyfeet]

Uhhhh...I hate to ruin a perfectly good rant and all, but you DO know they could just choose to get the compatibility pack if they wanted to, right? It is absolutely free, and works on any version of MS Office from Office 2K-2K3. Now if they are still using Office 97 I think they got bigger things to worry about than getting a newer version.

Now I can't tell you how well it does/doesn't work on Office XP or 2K3, since I don't have those, but so far I haven't had any problems with my Office 2K opening 2K7 files with the compatibility pack. Supposedly you can now save to the new format with the compatibility pack, but since I just save as the Office 2K .doc file, which I've found opens just fine in 2K3 and 2K7, I can't comment on that.

So while you may hate Office 2K7 for the bloat or the ribbon (man I hate that thing!) it really isn't hard to open the new formats in the old Office with the compatibility tool, at least that has been my experience.

Re:Totally off the mark.

[WegianWarrior]

Same thing with women
Ah, so you're still single then?

Re:Totally off the mark.

[xouumalperxe]

all XML formats

Cool. I'll send it in OOXML then.

Re:Totally off the mark.

[drinkypoo]

Now if they are still using Office 97 I think they got bigger things to worry about than getting a newer version.

What things are those? Office 97 met my needs just fine, the only reason I stopped using it is that it didn't support multiple monitors correctly, you'd put the app on the second monitor and pop up a menu, and the menu would pop up on the primary display! Goooooo Microsoft, yeah! Now THAT is quality. Now I'm back to one monitor, but I'm also on Ubuntu so I'm using OO.o.

Re:Totally off the mark.

[MadKeithV]

My parents are on OO.o, my girlfriend is on OO.o, and my NetBook is on OO.o. The universal response in this admittedly small sample has been: "hey, that looks a lot more like the Office I'm used to!".
That's a Windows PC, an iMac, and a Linux netbook by the way.

Re:Totally off the mark.

[Red+Flayer]

Emphasis mine:

I had to do some Deep Googling to find someone hosting a copy of the PowerPoint viewer that was old enough to still support the '95 version.

What kid of juju is that? Sounds dangerous, like you might awake some Guardian of the Deep, or even He Who Lies Dead But Dreaming.

Sure hope your wife's employer has paid up their Catastrophic Accidental Awakening of Ancient Evil insurance policy.

Thats why I am NOT an early adopter

[Provocateur]

Now that I know that this won't affect the Isolated Basement Department, I can now safely install Office 2003...

Receipt, check. Shrinkwrap off, check. Must keep original box...

A copy protection system called RMS?

[mattcsn]

Obviously, someone at Microsoft has a sense of humour.

Re:Locks OUT!?

[jimicus]

That's what happens when you hand the keys to your kingdom over to someone whose best interests don't align with your own.

Saying you should avoid that is all very well but it's practically impossible in any business.

Want to take out a loan? The moment the bank thinks you may be in trouble they can and will send you a rude letter saying "Repay the whole lot. Now."

Want someone to do your accounts? Paying an outside company will be a sight cheaper than paying a wage to someone who you only need for a few weeks of the year, but the accounts they prepare will be full of disclaimers to the effect of "We have prepared these using information supplied by our client...." and it's you the tax man will come after if he smells a rat. Too bad if the office junior did your accounts and the senior person who signed them off was in a hurry to get home that day - they'll never admit it in a million years.

Want an email, calendaring and contacts platform? Free clue: The F/OSS exchange alternatives are generally just as complicated as Exchange itself, with the added bonus that finding someone who knows them can be a hell of a lot harder.

Re:Any workarounds?

[deniable]

It sounds like RMS is a good tool for pushing free software.