Network News

X My Profile
View More Activity

Service Pack 3 Available for Office 2003 Users

Microsoft has released its third service pack for Office 2003 users. The company says the 117-megabyte bundle of security updates and program tweaks "represents a major evolution in security for Office 2003" and that it "further hardens the Office suite against potential attacks and other security threats."

Office 2003 users can download the update from this link.

In addition to bundling a number of security fixes that have been previously released as separate Office 2003 updates, Service Pack 3 includes new security features, and it does away with several features that have opened avenues of attack or disclosed sensitive data. The service pack also includes stability updates, based on information gleaned from program crash dumps reported to Microsoft.

Among the key new security features of SP3 is the addition of MOICE -- also known as the Microsoft Office Isolated Conversion Environment. This clumsy sounding component is probably the most important piece of the entire package. For the past two years, one of the most common sources for new and targeted attacks against Windows users took advantage of flaws in various Office file formats -- such as Word, Excel or PowerPoint -- to launch other programs or write data to other areas of the operating system. What MOICE tries to do is build a wall around each Office file that is opened, and simply not let the file play outside of the wall, for want of a better metaphor.

In the name of security and privacy, certain features of Office 2003 will no longer work after applying Service Pack 3, such as the "Fast Save" option. According to Microsoft, having fast save turned on means certain metadata, such as comments, erased text, previous saved versions and a username may be embedded in the document. "Disabling Fast Save ensures that confidential data is protected against improper disclosure," Microsoft wrote.

Office 2003 users who apply SP3 may also notice they can no longer open or save certain file formats. According to Microsoft, this includes some Microsoft Office Excel 2003, Microsoft Office PowerPoint 2003, Microsoft Office Word 2003, and Corel Draw (.cdr) file formats. "By default, these file formats are blocked because they are less secure. They may pose a risk to you." In addition, SP3 blocks certain functions in older Excel file formats -- such as macros -- from running automatically, a chance Redmond hopes will help prevent security attacks on earlier file formats.

By Brian Krebs  |  September 26, 2007; 12:45 PM ET
Categories:  New Patches  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Is Cyber Crime Really the FBI's No. 3 Priority?
Next: Calculating the Costs of Cyber Crime

Comments

"Office 2003 users who apply SP3 may also notice they can no longer open or save certain file formats."

I'm curious to see if M$ can detect files created by OpenOffice and block them... but not curious enough to apply SP3 today.

Posted by: James | September 26, 2007 1:43 PM | Report abuse

Originally I was going to complain; "Tomorrow, Security Fix will examine some indicators of just how much cyber crime is costing American consumers and corporations each year.".

Having read the last comment though, I'm curious about that too. IMHO it would have a very large bearing on the need for two ISO specifications and torpedo Microsoft's chances of ever getting a second format approved.

Posted by: GTexas | September 26, 2007 6:13 PM | Report abuse

Applied the service pack a week ago. No problems with installation or operation since.

Of course, it goes without saying to review the release notes and all pertinent information before installing.

Many of the restrictive changes (ex. file formats) can be reversed via registry changes (see below). Although to do so defeats the reason for the changes to begin with.

Information about certain file formats that are blocked after you install Office 2003 Service Pack 3
http://support.microsoft.com/kb/938810

Overall, seems to be a solid service pack release! And the wealth of documentation is helpful.

Posted by: TJ | September 26, 2007 8:37 PM | Report abuse

"Office 2003 users who apply SP3 may also notice they can no longer open or save certain file formats. According to Microsoft, this includes some Microsoft Office Excel 2003, Microsoft Office PowerPoint 2003, Microsoft Office Word 2003..."

So, one of the "features" of this service pack is that Office 2003 can no longer read certain files created by pre-SP3 versions of O2K3. I guess I don't understand how this is a good thing. Microsoft's resolution to the problem is that users should save Office files in formats that are not blocked by the SP3 registry changes, and convert existing files to formats that are not blocked. Which formats are blocked, and how is Joe User supposed to know how to deal with this? I do not look forward to asking one of the boss types to "try again" after sending me an Office file that was saved in a format that SP3 thinks is evil.

Microsoft is admitting here that they should not have implemented certain features, and they're now taking them away. Not a smart way to operate. The MS approach to security needs to be more proactive and less reactive.

Posted by: HoCo | September 27, 2007 9:17 AM | Report abuse

Are the original disks required for this - my laptop is company issued from a licenced disk image, but I do not have easy access to the install disks - in a different city...

Posted by: KDT | September 27, 2007 9:54 AM | Report abuse

KDT -- I believe if you install Service Pack 3 from Windows/Microsoft Update it should not require you to have the CD handy.

Posted by: Bk | September 27, 2007 10:31 AM | Report abuse

I didn't need the original disks. I was nervous about such a huge update but it went smoothly.

Posted by: A | September 27, 2007 3:55 PM | Report abuse

If you grab the ~117mb version, you don't need the original disk, if there's a light version (probably 50mb) then it would require the original disks but at this point (Oct 2007), MS isn't offering a smaller SP that requires the original CD.

Posted by: TravisO | October 2, 2007 12:42 PM | Report abuse

KB938810 details how to remove the FileOpenBlock and FileSaveBlock in the registry, but the instructions are WRONG.
Registry keys do not exist in my PC. Excel files other than XLS do not open.

Posted by: Jason | November 7, 2007 3:10 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company