Whether OOXML Wins Or Not, Older MS Docs Aren’t Safe

Microsoft’s OOXML formats are controversial – but the older Office formats will be a danger as security holes go unpatched, warns Larry Seltzer. Is this deliberate neglect?

When Microsoft moved to new file formats for Office documents in Office 2007 it was, for the most part, an admission of the failure of the old formats. If you remember a couple years ago, there was a seemingly endless stream of zero-day attacks on Office apps based on vulnerabilities in the old file formats. Is Microsoft trying to kill off these formats quicker than it lets on?

The old formats, based on OLE2 structured storage, have a FAT-like structure for storage allocation, and records in the file can become fragmented. This sort of complexity just begs for errors that lead to vulnerabilities. Creating a whole new file format was a major undertaking, but as a security matter it was much easier to do than to “fix” the old formats. Indeed, a fix may have been impossible.

The vulnerability reports and zero-day attacks have slowed down, but they still happen. In February, we had a zero-day attack on Excel based on an XLS vulnerability, and just last week a similar vulnerability in the old PowerPoint PPT files, exploited in “limited and targeted attacks” in the wild, showed up.

Few, if any, of the reported vulnerabilities in Office 2007 had to do with support for the new file formats, and almost uniformly you can mitigate the effects of these vulnerabilities by using MOICE (Microsoft Office Isolated Conversion Environment), which translates the files into the new Office Open XML formats.

Several sources, including the ESET Threat Blog and The Register, noted that the Excel vulnerability was unpatched, although Microsoft did patch it Tuesday as part of a large Patch Tuesday set of updates. But notice that no non-security updates were released in that set (other than the usual Junk Mail Filter and Malicious Software Removal Tool), and that’s the sort of update that ends as Office 2003 and Windows XP enter Extended Support.

Obviously, Microsoft would like to have us all move to the new formats, mostly by virtue of moving to Office 2007, but that’s not happening soon and Microsoft’s not making us do it. In fact, Office 2003 will be getting security updates for five more years, until April 8, 2014, the same date security fixes for Windows XP will end. See my last column for more on Microsoft’s long, perhaps too long, support life cycles.

Five more years of security updates add up to an absurdly long period of time, That’s why the theory about the Office formats doesn’t wash. It’s not the way Microsoft does things, although perhaps it and the rest of us would be better off if Microsoft did.

But the ESET blog is right that the damage from targeted attacks can be immense, and many users may be exposed. If Microsoft is going to claim to support the old formats for five more years, it needs to make security updates for them a high priority for five more years.

eWEEK.com Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.