Microsoft says controversial Office SP3 was never in Automatic Updates
The controversial Service Pack 3 was never distributed to Microsoft Office end users through Automatic Updates, Microsoft told BetaNews. So if you're a Lotus Notes or Corel Quattro user who wants to undo its impact, you can.
Microsoft representatives responded to BetaNews -- in fact, they made the effort of responding at length -- in putting forth the company's case that it never had any intention of arbitrarily declaring older, non-Microsoft Office formats a security risk.
In response to questioning by BetaNews, Microsoft also confirmed that fixes issued for SP3 in December and January do in fact re-enable Corel Quattro and Notes files, although the Quattro and Notes re-enablement is not clearly evident from Microsoft's support documents, which explain how users can go about accessing those Corel and Lotus files.
The file blocking "only impacts really old formats," Microsoft's reps told us, and that Microsoft only decided to disable them in SP3 after examining usage data indicating that very few systems administrators and end users are still using the earlier applications.
In terms of Microsoft Word files for Windows and Macintosh, for example, the update only blocks formats in releases of Word before 6.0, a Microsoft spokesperson said.
Nonetheless, ever since SP3's release in September, some users have been complaining to Microsoft and in Web forums that the update has suddenly eliminated the ability to access documents that they still need.
A support document issued in December to help users re-enable the blocked files actually backfired, as was later admitted by David LeBlanc, a Microsoft software development engineer. That document mistakenly identified "insecure file formats" from Microsoft and other vendors as its reason for blocking those file formats.
Meanwhile, in interviews with BetaNews and other news sources, Corel officials entered the fray by calling the contents of original support document into question.
Through a blog posting, Microsoft's LeBlanc then apologized to vendors and users for the error, saying that the problem instead revolved around parsing software in Microsoft Office -- used for opening and saving application software files -- which has created security holes in Office that attackers are trying to exploit.
That same day, Microsoft revised the original support document, adding an easier-to-use software fix to two other methods provided in the original support document as ways of re-enabling the blocked formats.
In the original support document, posted online as a Microsoft KnowledgeBase article, as well as in the revision, Microsoft said that, unless one of the fixes is applied, SP3 blocks older file formats from the following programs: Microsoft Word, Excel, and PowerPoint; Lotus Notes; and Corel's Quattro spreadsheet and CorelDRAW drawing package.
Yet although both versions of the KnowledgeBase article have spelled out fixes for Word, Excel, PowerPoint, and CorelDRAW application software, specific fixes haven't been clearly given for older file formats in two products that have traditionally competed against Microsoft's line-up: Lotus Notes and Quattro, a program initially developed by Borland and later marketed by Novell, but now sold by Corel.
However, a Microsoft spokesperson told BetaNews today that the same fixes for older versions of Microsoft's Excel, delivered in both support documents, can also be used to re-enable access to blocked Quattro and Lotus Notes files.
The spokesperson also pointed out that, beyond giving users an easier method of re-enabling access to old files, the revised document provides a relatively quick method for reversing that process. After accessing any older files they need, users who have downloaded SP3 can then start protecting themselves again against the security problems posed by the parsing software in Office.
Microsoft officials also maintained this week that, before issuing the SP3 update, they tried to carefully weigh the risks associated with preventing access to some very old file formats -- which by their estimates, very few people still use -- with those associated with security around the now widely deployed Office 2003.
"From a security standpoint and reducing the total surface area for attack -- we want to do everything we can to secure our users -- this was the right thing to do," the spokesperson said.
BetaNews also asked Microsoft about the plight of non-technical home and small business users, who don't typically have access to systems administrators or other people who might explain the consequences of installing (or not installing) software updates such as SP3.
Officials said that before users download SP3 from Microsoft's updates site, they are clearly warned about the potential consequences of the download.
BetaNews was also told that Office 2003 SP3 has never been included in Automatic Updates, a capability in Microsoft Windows which, if turned on by the user, automatically downloads recent security fixes from Microsoft.
"We announced last year that we would give users 30 days notice before releasing any SP to AU (Automatic Updates) and at least three months for the market to evaluate it -- for issues exactly like this," according to a spokesperson.
"To that end, the system worked as planned. A small group of customers felt that the current way of unblocking files was not good enough and a fix was immediately produced."
Of course, a down side to Microsoft's decision not to include SP3 in Automatic Updates is that some users -- not realizing that it isn't in there -- might think that they are protected against the parsing software exploits, when they are not.
But on the other hand, as one of the spokespersons suggested, end users will not experience the problem of blocked file access unless they -- or their systems administrators at work -- have intentionally downloaded Microsoft's SP3 update.
"So this won't happen [to a home user] unless that user is technically savvy enough to begin with to be able to go up and download the update," the spokesperson told BetaNews.