Office 2003 Service Pack Disables Older File Formats

time961 writes "In Service Pack 3 for Office 2003, Microsoft disabled support for many older file formats. If you have old Word, Excel, 1-2-3, Quattro, or Corel Draw documents, watch out! They did this because the old formats are 'less secure', which actually makes some sense, but only if you got the files from some untrustworthy source. Naturally, they did this by default, and then documented a mind-bogglingly complex workaround (KB 938810) rather than providing a user interface for adjusting it, or even a set of awkward 'Do you really want to do this?' dialog boxes to click through. And of course because these are, after all, old file formats ... many users will encounter the problem only months or years after the software change, while groping around in dusty and now-inaccessible archives."

Default value goes back pretty far

If you read the knowledge base article, you'll see that the default allowed old-version goes back to before even Word 95. PowerPoint 95, but not 97, is blocked. It's very likely that few documents exist in such old formats at this point.

However, I really have to question whether the enhanced security is worth it, since those old versions didn't allow too much of embedded scripting anyway. Are we just worried about buffer overflows, because those are still a symptom of their parser, not the format itself.

The software nanny continues to keep us from hurting ourselves... gee, thanks. (Hmm, anyone smell a similar trend in government lately?)

--
Educational microcontroller kits for the digital generation. [nerdkits.com]

Re:Default value goes back pretty far

Doubt it's really about security at all; I'm guessing it's probably more about 'nudging' the few people still using old versions of the software to upgrade: Those who currently exchange documents with users on newer versions will find suddenly they won't be able to send documents to anyone anymore without getting complaints that people can't open them. Deliberately making it too cumbersome and complex for most people to ever work around this, i.e. leaving it technically (but not really practically for almost everyone) an option, for now at least gives MS an excuse, while still taking a big step towards getting rid of support for those old formats entirely, which is not all that unreasonable I suppose for formats greater than 10 years old.

Re:Default value goes back pretty far

It is unreasonable, and stupid to boot.

Unreasonable:
Most students, business and personal users don't wish to be unable to open their 10 year old document because it's no longer supported. Students want to be able to access old study notes, businesses want to get at statistics, company history and old documentation of systems or business practices, and the end user wants to be able to open that wedding speech they wrote 10 years ago, or that collection of jokes in an MS word doc.

Stupid:
Why do people buy Office instead of using something free? For the 3000 features? No, at least most don't. They buy Office for universal compatibility s that they can exchange documents with everyone. The moment users start complaining that they can't open the MS Office document with Office, but it's okay you can use a free alternative, people will start installing the free alternative. They're not forcing anyone to move up to a later maintained version, they're forcing people away to software that actually does the job they want it to.

Only fools and company sock puppets (sales and marketing) actually believe obsolescence is reasonable, particularly when it comes to data.

Mod parent up!

He's right... their excuse is a joke. It can't be that hard--especially considering the huge profit margin on Office--to figure out a way of opening these file formats securely. It's not even executable data, for pete's sake! And if they *are* talking about macros or something, well then just disable the macro part until you figure out a way to sandbox it.

The richest tech company in the world is throwing its hands up in the air and saying that can't figure out how to make its most profitable (and presumably most actively developed) products render a human readable, non-executable data format safely--PLEASE. This is nothing more than a very clumsy (but brazen) attempt to make people upgrade. I'm surprised they have the balls to do it, what with their current OOXML circus.

Re:Mod parent up!

> This is nothing more than a very clumsy (but brazen) attempt to
> make people upgrade. I'm surprised they have the balls to do
> it, what with their current OOXML circus.

I'm not surprised at all. :o)

It is what one expects from a company that does not respect the people who have used its software (and re-purchased it several times) over many years.

Would Adobe even consider doing this with Photoshop? No.

What we are seeing is nothing more than a "vendor lock-in" ploy.

I'm almost certain that M$ will not fully support OOXML if it gets approved by the ISO. Lets be realistic - M$ Doesn't actually support it now!

Re:Default value goes back pretty far

It's very likely that few documents exist in such old formats at this point.

I can only speculate that you've not worked in any institutions that have persisted for more than 10 years?

I used to run a university help desk; by the time I left in late 2006 we were still getting requests to convert 5.25" floppies and DOS Wordperfect 4 documents.

The situation is complicated by many other issues:

• There is no easy way to identify the files that need conversion. Microsoft gives you no tool or flag to quickly identify old files, which share the same filename conventions as current files. Except of course to open them in Office 2K3SP3 and watch them fail :-(
• Although bulk conversion tools exist, they cost money and they won't reach files that are secured in such a way that IT support staff can't get at them (e.g., on a CD-ROM in a locked filing cabinet).
• Because a ridiculously complicated registry hack is required to enable the converters for the old documents, there's no easy way to apply it, for example as an Active Directory group policy. We're left with error-prone methods like push tools & login scripts.

Ultimately, there is nothing wrong with the "file formats". A file format is not insecure. The issue is that Microsoft is shipping insecure code in Office 2007 and 2003 which may break when these files are opened and allow malicious executable code to run in the user's security context. Rather than fix this insecure code in a shipping product, their policy is to turn off the code and tell the user, "if you want to take the risk, turn it back on, but we won't make it easy."

I work at an organization that has been grappling with this problem since SP3 came out in September 2007. We routinely work on projects that span 15 years, so it's not at all unusual to open project documentation that is 10+ years old. Companies were loyal to MS Office precisely because it promised reasonably complete forward compatibility with archived documents. Microsoft needs to provide a more robust solution to this problem, preferably by fixing the broken code (gasp!) or (less preferably) giving system administrators the tools necessary to enable and disable the functionality in a more global way.

Re:Default value goes back pretty far

Ultimately, there is nothing wrong with the "file formats". A file format is not insecure. The issue is that Microsoft is shipping insecure code in Office 2007 and 2003 which may break when these files are opened and allow malicious executable code to run in the user's security context. Rather than fix this insecure code in a shipping product, their policy is to turn off the code and tell the user, "if you want to take the risk, turn it back on, but we won't make it easy."

Thank you!!! Sanest comment I've seen in a long time.

Time for you for ODF

In 25 years you will still able to use an open ISO standard or convert from one standard to another. Microsoft jsut proved to you they are unreliable for the goal you had (forward compatibility).

Re:Default value goes back pretty far

Reminds me of this story:

With nearly half a century of experience using computers to run their business, Chris M's company knew that law all too well. Ever since that fateful Wednesday -- still known throughout the company as The Crash of '68 -- they swore, Never Again. And forty years later, they've kept their promise.

Over the years, Chris's employer has come as close to a Perfect Technology Infrastructure as anyone. They hire the best network administrators money can buy and give them whatever resources they need to ensure that the infrastructure remains solid. And that they do.

The company's backup and retention plan is nothing short of immaculate. Every system they've ever purchased -- from that old payroll program on the System/360 to that bizarre parts database for OS/2 -- can be brought back to life, if not physically than through virtualization. A walk through their "software archive" was a treat for many; new technicians are often astonished to learn, not only of the existence of 8-inch floppy disks, but that the company still has the 8-inch install disks for CP/M. And a drive to run them on.

Naturally, thanks to the aforementioned Murphy's Law, this elaborate backup and retention is rarely, if ever, called into use. The only excitement the network technicians ever get is that occasional, frantic, "Oh Crap! I accidentally deleted that critical PowerPoint presentation" call. And even that is easily solved by walking the user through their self-service file restoration system.

But a little while back, the network technicians received a restoration request that actually sounded interesting. A production manager needed a report of the "old old" part numbers for a long out-of-production assembly. "Old old" referred an ancient mainframe system that had been replaced by the "old" system over ten years go and finally shut down in 2001. Restoring the "old old" system meant setting up a new emulation environment, mounting the old disk image, and praying that it boots up without a hitch.

This was the first time ever that an actual user had requested such a restoration, so the network technicians were naturally a bit nervous. But thanks to their meticulous planning and procedures, everything went fine. The system booted up without a hitch and the production manager was summoned to log in to the terminal they had set up for him. He sat down at the chair, keyed in his username, and then paused for a moment.

"Now, what was my password five years ago?"

Re:Default value goes back pretty far

Originally from http://thedailywtf.com/ [thedailywtf.com]

Re:Default value goes back pretty far

It's very likely that few documents exist in such old formats at this point.

Really? How about the US government? NASA anyone?

Why should anyone stop supporting old document formats? Are the files created a long ago no longer important? How about 100 year old books? Should we burn them all?

We should stop this file format insanity now, and adopt some open format. Like ODF. Good riddance.

Re:Default value goes back pretty far

Word 95. PowerPoint 95, but not 97, is blocked. It's very likely that few documents exist in such old formats at this point.

I occasionally load in data tapes from as far back as 1982. Reports related to the data will be in whatever file format is popular at the time, which will be MS Word and MS Excel from the early 1990s on. Since computing power is so cheap now a lot of stuff in a lot of feilds gets reprocessed, old data is a lot more useful than repeating 10 years worth of experiments again or sending 50 guys out to survey an area for two months or even trying to examine something that doesn't exist anymore. Old file formats like TIFF, SEGD, tar and so on are deliberately backwards compatible so that archiving is more than just an expensive hobby. Since Microsoft have moved out of the hobby software space and into the office they should realise that they have to take a professional approach throughout the company to avoid mistakes like this.

Re:Default value goes back pretty far

This is not really applicable here:

1. I bet that some of the code is not Microsoft's. They have bought it and I would not be so sure about the right to modify it in the first place. In any case we are back to rewriting code which noone understands any more.
2. You can sandbox in a sandbox-friendly language (not the case here it is all C++ or C at that age) or if your code is written in a manner where sandboxing works. Classic example - using exemptions on out-of-memory or invalid pointers to allocate memory. I know a chap who writes everything like this and he used to work for MSFT at just about that time. Wanna sandbox that? Especially in a multithreaded environment? I doubt it. On top of that I can bet that the internals of the code in question reinvent the wheel left right and center and reimplement functions that are nowdays part of the foundation classes. As a result the size of the piece of code which you have to sandbox suddenly grows on an order of magnitude. And so on.
As I said, I for once can sympathise with a MSFT decision. I have no sympathy to the fact that they do not admit to the underlying reason which is using formats that are not open, well defined and standardised (nothing to do with security), but that is a different story.

Revenge

I am the maintainer of Visicalc. This means war.

Think Visicalc 26 service pack 3 is going to import Multiplan files?

Think again, bitches.

Easy fix

An easy work-around is to just install Open Office and then open the obsolete files using the appropriate Open Office program (Writer for Word documents, Calc for Excel spreadsheets, etc.). The user can then do a "save as" and select a newer Microsoft file format. Voila. Problem solved.

Microsoft probably won't like this work-around since a certain percentage of users may realize that they don't need to pay Microsoft for programs that don't do what they want and they can get a suite of programs that does what they want for free. Realizing this, Microsoft may decide to come up with a better internal solution but don't count on it.

Cheers,
Dave

long careers exclude using proprietary formats

Funnily enough, the thing that finally, permanently, won me over to open document formats (I first used things like openoffice simply because they were free) was discovering I couldn't open my dissertation (written in word 5.1a for mac) on a standard install of office for windows. Yes, I know there's converters, and yes, I know current versions of word for mac can still open 5.1a documents, but I didn't have a mac at the time, and laboriously 'converting' the large numbers of transcripts, notes, papers, and all the other ephemera of writing a dissertation was a huge, timewasting PITA..

After that, the penny dropped. Using open document formats wasn't simply a way to save money, it was an actual necessity for anyone planning to have a career lasting more than 5 years where writing is a core part of your work.

File format is less secure?

They did this because the old formats are 'less secure', which actually makes some sense,

This doesn't make sense to me. A file format doesn't have buffer overflow vulnerabilities, the program that opens it has them. A file format cannot execute a virus or a trojan, the program that opens it is the one that does it. I cannot believe that a file format can have inherent vulnerabilities that cannot be circumvented by the program that reads the file.

On the other hand, considering the ODF vs. OOXML format wars, it seems to me that Microsoft's objective with this is actually to press for the standardization of OOXML. How exactly I don't understand, since the whole point of standard document formats is to avoid this same problem that they've just created.

This is exactly why proprietary formats are bad

This is exactly why proprietary formats are bad, at least for documents that need to be kept for a long time for some reason, such as archival or historical documents. Even if open source office applications do similar things and depricate support for old formats, the older application versions might at least be available. Or third party developers could more easily create conversion programs. While open source programs do also exist to read these old proprietary documents today, we don't know if future proprietary document formats will be able to be supported. The open formats will be supportable.

Mind-bogglingly complex?

I guess the submitter missed the link to an exe you can use to do it for you. I mean, it is buried in the KB article as "Method 1" after all...

Re:Mind-bogglingly complex?

That EXE contains ADM files / Group Policy templates. It's perfect if you're running an AD domain but is not much use for individual users. Those people can get whoever does their support now to use method 2.

'Mind bogglingly complex' indicates the submitter can't be trusted with a box of crayons.

Typical MS "Planned Obselescence"

http://en.wikipedia.org/wiki/Planned_obsolescence [wikipedia.org]
Examples:
-No DirectX 10.x API for WinXP or Win2k. (The nature of the API to be a higher-level Application Programming Interface, I'd forgive not developing for Win2k as it is no longer for sale, but there's NO good reason to deny the API in WinXP, other than to force clearly Planned Obsolescence)
-No IE7 for Win2k. (interestingly, Firefox still bests ALL versions of IE..)
-No Support on your year-old PC for Full Windows Vista use. (Again, why? Even Apple and Linux have pretty eye-candied desktops working on older hardware)
-No to the Sale of WinXP to OEM (non-Business) customers this month http://www.engadget.com/2007/04/12/microsoft-pulling-oem-windows-xp-next-january/ [engadget.com].
-Etc... (insert your own here)

I know that in my present line of work, my colleagues and I write meticulous research reports for our multi-million dollar clients.
Our clients specifically require us to NOT use *any* MS Office 2007 file format; We are to utilize 'not newer than MS Office 2003 format'. (Typically Excel, Access, and Word formats are used).
Our clients have gone on to clarify, specifically, that the Office 2007 file formats are incompatible with the older MS Office versions and necessitate needless corporate updating for their thousands of internal users, (not to mention the client has decades of reports on file that get updated every 10 to 20 years, often utilizing the original editable report document).

I too will soon be installing in Open Office very soon. (Hopefully the Excel 2003 formulas and those dating back to Excel 2.0 all work properly in Open Office?)...
It appears that this "update" is not so much for security or even for ease of development (because it WAS previously WORKING in situ). It stragetically forces users of the older versions of MS Office to update to the new version (or rather adopt the new format) due to interoperability issues.

If MS Office 2003 did 'it' before and it does not do 'it' now, post-SP3... that is *Intentional*, not "For Your Protection".
-This would be akin to IE8 not opening 'older' web page formats at all because they used some older and (potentially) unsafe format of html, CSS, Scripting etc.. it deemed unsafe!

Conflicting Strategies?

Wasn't "bakward compatibility" the whole crusade they were on last year? "We must preserve support for old formats, which is why we won't make IE standards compliant, and our spec has to back-support IndentsLikeWord95" and the rest?

Their sneaky brand of evil is saying two conflicting things and making us believe they work together.

Re:maybe grepping

Is that how one interfaces with rarely-used document archives? via groping?

Bender: If by "interface" you mean "have sex with" and if by "rarely-used document archive" you mean "your girlfriend", then yes, "groping" is the correct term. As follows:

Hey baby, can I interface with your rarely-used document interface?
Later, want to kill all humans?

Thank you Microsoft...

...for demonstrating why we need ODF.

Re:maybe grepping

> Is that how one interfaces with rarely-used document archives? via groping?
Yes, didn't you know? You should have RTFM:

GROPE

NAME

              grope, egrope, fgrope, rgrep - print lines matching a pattern
              in rarely used document archives

SYNOPSIS

              grope (options) PATTERN (FILE...)

DESCRIPTION

              grope searches the named archives FILEs (or standard input if none are
              named, or the file name - is given) for lines containing a match to the
              given PATTERN. By default, grope prints the matching lines.

              In addition, three variant programs egrope, fgrep and rgrep are avail-
              able. egrep is the same as grope -E. fgrope is the same as
              grope -F. rgrope is the same as grope -r.

BUGS

              Backreferences are very slow, and may require exponential time.