Office 2003 soon to lose support too
Many are outraged that Windows XP will soon reach end-of-life for support and no longer receive security updates, but it gets worse. On the same day, Patch Tuesday, April 8, 2014, Office 2003 and all its constituent applications, will also receive their last updates.
Office 2003 was a wildly popular version of the suite, for reasons which mirror, to a point, the reasons why Windows XP was so popular and remains so entrenched: It was a good version, functionally. The Office suite was mature at this point, and offered pretty much anything that nearly all users needed.
Then came Bill Gates's January 2002 security memo. Whatever their merits, Microsoft products had been developed without sufficient concern for security, and that had to stop. This had a substantial effect on Office, most prominently leading to new Office file formats, but also some changes in program behavior.
The file format changes were necessary. The old formats (.DOC, XLS, .PPT, etc.) were based on a formatting method called OLE Structured Storage. OSS is an absurdly complicated scheme and, as a result, there had been a steady plague of Office vulnerabilities involving malformed data files. It was decided that they would never really be able to secure the old formats, and a move was made to new ones built on a ZIP file containing XML. This was a hassle for many users, but at least the old formats were supported, and Microsoft developed a sandbox method for opening them with diminished risk.
If you look at vulnerability histories in the years since, vulnerabilities in the old formats have continued unabated, and the new formats have been pretty clean. They also released the Microsoft Office Compatibility Pack in order to allow Office 2003 users to access the new formats.
But that wasn't the only problem, and maybe not the biggest one. Office 2007, the next major version, included the then-infamous Office ribbon, the new UI element that replaced the familiar Office UI, without a compatibility mode for the old UI. Push-back was extensive.
I'm sure the ribbon tested well in Microsoft focus groups, but in the real world users asked themselves what upgrading to Office 2007 bought them, other than the burden of learning a new UI and deal with new file formats. It was reasonable for a lot of people to skip a version, much as many people skipped Windows Vista. In fairness to Office 2007, it was a quality release and recognized as such; Vista developed a poor reputation because changes in the driver model caused many devices and service-level programs which worked in XP to fail in Vista.
(As is often the case with Microsoft product "failures", they undoubtedly sold many tens of millions of licenses for Office 2007, making it a failure that any other company would be thrilled with.)
But Office 2003 was good enough for a lot of people, and it's still good enough for a lot of people. Except for the security problems.
In about the last 12 months there have been 10 security bulletins affecting Office 2003 SP3 (the current Service Pack). 5 of them are rated critical:
Date | Bulletin Number | Title | Bulletin Rating |
7/9/2013 | MS13-054 |
Critical | |
6/11/2013 | MS13-051 | Vulnerability in Microsoft Office Could Allow Remote Code Execution |
Important |
5/14/2013 | MS13-043 | Vulnerability in Microsoft Word Could Allow Remote Code Execution |
Important |
5/14/2013 | MS13-042 | Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution |
Important |
1/8/2013 | MS13-002 | Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution |
Critical |
12/11/2012 | MS12-079 | Vulnerability in Microsoft Word Could Allow Remote Code Execution |
Critical |
11/13/2012 | MS12-076 | Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution |
Important |
10/9/2012 | MS12-064 | Vulnerabilities in Microsoft Word Could Allow Remote Code Execution |
Critical |
10/9/2012 | MS12-043 | Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution |
Critical |
8/14/2012 | MS12-060 | Vulnerability in Windows Common Controls Could Allow Remote Code Execution |
Critical |
(Source: Microsoft TechNet)
Note that even the non-critical vulnerabilities are remote code execution vulnerabilities. These are the classic malformed data file vulnerabilities that were the bane of Office security, but Microsoft has added other mitigating program behavior to warn users before opening potentially dangerous files, so their level of severity is lower.
The bottom line is that there's still plenty of action on the Office 2003 vulnerability front. Just as with Windows XP, don't be surprised if many new vulnerabilities for Office 2003 show up on April 9, 2014 when their value in the malware marketplace will be much greater.
So what are you to do next April when Office 2003 goes out to pasture? I'm not sure what to recommend to you, other than that Office 2003 will not be a safe product to use. Personally, I'm using Office 365 and I'm happy with it. The latest versions of Office really are markedly better than those of 10 years ago, and designed to work with the devices and Internet services that people want to use. Whatever arguments you may have 5 years ago had for sticking with Office 2003 just don't hold up to scrutiny anymore.