Office 2003 soon to lose support too

Office 2003 soon to lose support too

Summary: It's not just Windows XP that reaches support end of life next April on Patch Tuesday, but Office 2003 as well. This was an extremely popular version of Office, and running it without security patches will be dangerous.

TOPICS: Security

Many are outraged that Windows XP will soon reach end-of-life for support and no longer receive security updates, but it gets worse. On the same day, Patch Tuesday, April 8, 2014, Office 2003 and all its constituent applications, will also receive their last updates.

Office 2003 was a wildly popular version of the suite, for reasons which mirror, to a point, the reasons why Windows XP was so popular and remains so entrenched: It was a good version, functionally. The Office suite was mature at this point, and offered pretty much anything that nearly all users needed.

Then came Bill Gates's January 2002 security memo. Whatever their merits, Microsoft products had been developed without sufficient concern for security, and that had to stop. This had a substantial effect on Office, most prominently leading to new Office file formats, but also some changes in program behavior.

The file format changes were necessary. The old formats (.DOC, XLS, .PPT, etc.) were based on a formatting method called OLE Structured Storage. OSS is an absurdly complicated scheme and, as a result, there had been a steady plague of Office vulnerabilities involving malformed data files. It was decided that they would never really be able to secure the old formats, and a move was made to new ones built on a ZIP file containing XML. This was a hassle for many users, but at least the old formats were supported, and Microsoft developed a sandbox method for opening them with diminished risk.

If you look at vulnerability histories in the years since, vulnerabilities in the old formats have continued unabated, and the new formats have been pretty clean. They also released the Microsoft Office Compatibility Pack in order to allow Office 2003 users to access the new formats.

But that wasn't the only problem, and maybe not the biggest one. Office 2007, the next major version, included the then-infamous Office ribbon, the new UI element that replaced the familiar Office UI, without a compatibility mode for the old UI. Push-back was extensive.


I'm sure the ribbon tested well in Microsoft focus groups, but in the real world users asked themselves what upgrading to Office 2007 bought them, other than the burden of learning a new UI and deal with new file formats. It was reasonable for a lot of people to skip a version, much as many people skipped Windows Vista. In fairness to Office 2007, it was a quality release and recognized as such; Vista developed a poor reputation because changes in the driver model caused many devices and service-level programs which worked in XP to fail in Vista.

(As is often the case with Microsoft product "failures", they undoubtedly sold many tens of millions of licenses for Office 2007, making it a failure that any other company would be thrilled with.)

But Office 2003 was good enough for a lot of people, and it's still good enough for a lot of people. Except for the security problems.

In about the last 12 months there have been 10 security bulletins affecting Office 2003 SP3 (the current Service Pack). 5 of them are rated critical:


Bulletin Number


Bulletin Rating



Vulnerability in GDI+ Could Allow Remote Code Execution





Vulnerability in Microsoft Office Could Allow Remote Code Execution





Vulnerability in Microsoft Word Could Allow Remote Code Execution





Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution





Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution





Vulnerability in Microsoft Word Could Allow Remote Code Execution





Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution





Vulnerabilities in Microsoft Word Could Allow Remote Code Execution





Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution





Vulnerability in Windows Common Controls Could Allow Remote Code Execution



(Source: Microsoft TechNet)

Note that even the non-critical vulnerabilities are remote code execution vulnerabilities. These are the classic malformed data file vulnerabilities that were the bane of Office security, but Microsoft has added other mitigating program behavior to warn users before opening potentially dangerous files, so their level of severity is lower.

The bottom line is that there's still plenty of action on the Office 2003 vulnerability front. Just as with Windows XP, don't be surprised if many new vulnerabilities for Office 2003 show up on April 9, 2014 when their value in the malware marketplace will be much greater.

So what are you to do next April when Office 2003 goes out to pasture? I'm not sure what to recommend to you, other than that Office 2003 will not be a safe product to use. Personally, I'm using Office 365 and I'm happy with it. The latest versions of Office really are markedly better than those of 10 years ago, and designed to work with the devices and Internet services that people want to use. Whatever arguments you may have 5 years ago had for sticking with Office 2003 just don't hold up to scrutiny anymore.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Upgrade!

    Upgrade already. It's been 10 years now, you don't even keep a car that long.
    Dreyer Smit
    • Agreed...

      ...although I have had my Jeep for 10 years now! I am on Office 2010 at work and at home.
      • Toyota Corolla 1997

        I've had it since December 1996 and she's still running fine.
    • Cars are not throwaway items

      My car is 15 years old and running fine, thanks.
      • Let me try again .......

        good for you mate, the last car I got rid off to the scrap metal yard I had for 25+ years, pity because it didnt have all that computerised junk on it.
    • upgrade already????

      I really love you guys who love to spend other people's money with your constant tirade against those of us who are unable for various reasons to upgrade to the latest junk that M$ has to offer. I sometimes wonder if you lot are in M$'s pockets. Maybe YOU would like to provide the wherewithall with which i can upgrade my families computers?? [dripping sarcasm]

      Oh by the way, i do keep my cars for longer than 10 years.
      • Re: upgrade already????

        Nobody forces you to upgrade every time a new version comes out. But then again comparing 10 year old car to 10 year old software... well...
    • If it ain't broke...

      I am running XP and Win7, Office 2003 and 2010.
      Still love the (relative) simplicity of Office 2003.
      Nothing wrong with XP, although I do prefer Win7.
      I have no reason to change.
      As far as the document swapping/interchange problems mentioned b y others, I don't see the issue.
      MS Add-in to handle DOCX works just fine.
      And ALL versions of Office (even the useless ribbon-interface ones) can read DOC format.
      • If it ain't broke....

        I'm still running Office '97. I'm sure there hasn't been support for this for years. But I'm running it on a machine that isn't connected to the net so I'm not worried about security. And I don't need to use it for much so I'm not going to be shelling out more bucks any time soon. I do have LibreOffice on my internet machine but I don't use that much either.
    • Upgrade Cars?

      My neighbor is still driving around in his Ford Model A.
    • My

      sports car is older than me! It is a 1967 Austin Healey.

      That said, I love office 365 and I find Office 2003 unbelievably clunky to use.
    • Why should I have to pay for a version that is harder to use?

      "Whatever arguments you may have 5 years ago had for sticking with Office 2003 just don't hold up to scrutiny anymore."

      The ribbon in Office 2007 stinks. More so in Office 2010. Office 2013? Unuseable.

      MS should FIX Office 2003 if it is defective. Just because my car maker has released a new model doesn't mean my current car stops working!
      • Matter of oponion

        I've been using Office, or rather its components since 1987. I find that Office 2013 is easier to use than 2003. I had a few problems with 2007 at first, but after week or so of getting accustomed to it, it was fine.
        • bloatware

          It's subjective of course, but my copy of Office 2013 got uninstalled because - it ran slower. It took longer to start up, was bigger, and managed to stuff up Outlook contacts.
          For some reason, it insisted on adding my Facebook contacts to my Outlook contacts (plenty of Facebook friends playing games, zero need for them in Outlook) then had spasms because Facebook names didn't match real names (for those I had already in Outlook).
          Restored from backup and swore to never touch MS2013 again.
    • late to the party

      I googled this to see if I should upgrade Office on my mom's computer. She still has trouble finding the save button. Not upgrading is pretty valuable to her (and my) sanity.

      And, for what it's worth, my parents have owned 3 cars in my lifetime. Still have 2 of those, from 1995 and 1966. I'm in my mid-twenties. (And my own car just turned 5.) You were saying?
  • Q re .doc format vulnerabilities

    If you open .doc format files in Office 2010 are you subject to the vulnerabilities? What if you open such files in Libre Office or Open Office?
    • Good for you .......

      last car i got rid of to the scrapmetal yard I had for 25+ years :)
      • Thanks ZDNet

        ya put my comment in the wrong spot after ya accused me of spamming :(
    • short answer: yes

      Yes, it's possible to get exploited in Office 2010 with those files, but it's likely that any such exploit would be limited in effect because of sandboxing Microsoft put into later versions of Office. Not so for Office 2003.

      As for Libre Office and Open Office, I'm sure they have plenty of malformed file vulnerabilities, but nobody's researching them because those programs have too small a share to bother with. The vulnerabilities are program-specific so a flaw in Office 2003 is probably not a flaw in Open Office and vice-versa.
      Larry Seltzer
      • Microsoft Office 2010 does indeed have protected view sandboxing

        And while Microsoft Office 2010 is supported on Windows XP SP3, protected view is only available on Windows Vista and newer. Thus, no Microsoft Office 2010 protected view on Windows XP SP3. [Ditto with IE 7 and 8 protected mode.]

        With regard to Libre Office and Open Office, what they don't have is embedded fonts. Many Microsoft Office users have been nailed with exploits relating to embedded font vulnerabilities.
        Rabid Howler Monkey