Office 2003's burial will resurrect hacker activity

Just as with some gun owners and firearms, some businesses won't be giving up their copies of Office 2003 when Microsoft cuts support for it in April 2014 until it is pried from their hands.

That could be a mistake, say security experts. "Microsoft has done a really good job of battening down most of the really big problem areas in Office 2003 a long time ago," Wes Miller, a research analyst for Directions on Microsoft, told CSOonline.

Nevertheless, withdrawal of support will usher in an era of "infinite zero-day" attacks, Miller noted, just as has been predicted for Windows XP, which is scheduled to lose its support at the same time as Office 2003.

"From a security perspective, Office 2003 will become more attackable over time," Qualys CTO Wolfgang Kandek said in an interview. "We habitually find problems today in Office 2003. That will not stop next year just because Microsoft stops supporting it."

"The net effect will be that two or three months after support stops, a toolkit will appear on the market that allows even the unsophisticated attacker to exploit vulnerabilities in the program," Kandek added.

The pattern isn't new. For example, when Oracle released version 7 of Java, many users continued to stick to version 6, even though new security vulnerabilities affecting that edition of the programming language keep appearing.

"We've talked to many Java customers who've said they try to keep it updated but sometimes they have programs that they need for their business that require them to use Java 6," Kandek noted.

Imperva's CTO, Amichai Shulman, said Microsoft can expect to see a large population of users continue to use Office 2003, and hackers will continue to poke holes in it after support is terminated, only there won't be any more "Patch Tuesdays" to save the day.

"This is the reality of good software," Shulman said. "It stays in use long after it has been declared EOL. The business value it brings is so high, and the cost and time of replacing it is so high, that users accept the implied security risk."

That appears to be the case with both Windows XP and Office 2003, which may be why businesses are reluctant to desert them despite Microsoft's withdrawal of support and the security implications that poses for them.

"Microsoft's biggest competitor has always been Microsoft of a few years ago," Miller said.

In addition to Office 2003 being a solid product, deserting it could pose some problems for businesses because Microsoft changed the interface for the suite after the 2003 edition. It replaced the toolbars in the program with a "ribbon" metaphor.

"People will have to be retrained," Kandek said. "The interface is very different so you can't just install it and say, 'Use this.'"

While withdrawing support for Office 2003 may miff some organizations, ditching the suite entirely may not be an alternative for them. "If Office is a key component, as it is in many businesses, then they don't really have a choice," Miller said.

Google Docs could be an alternative, but Google doesn't have the simpatico with the enterprise that Microsoft does. "Microsoft has an enterprise awareness," Miller said. "It's much more enterprise friendly."

Of course, businesses who choose to upgrade from Office 2003 to Microsoft's Office offering in the cloud could avoid having the support rug pulled out from under them in the future.

"Using this product in the cloud has many advantages, not the least of which is it's always updated," Kandek said.

A Microsoft spokeswoman told CSOonline, "We encourage customers to upgrade to Windows 8 and Office 365 as Windows XP and Office 2003 will reach end of support in April 2014."

"Windows XP and Office 2003 were great software releases more than a decade ago," the spokeswoman said. "But the way we work has dramatically changed and technology has evolved along with the needs -- and more importantly -- the expectations of customers and partners that have already adopted modern platforms and devices."

"With Windows 8 and Office 365, customers will gain immediate benefits that allow them to work anytime, anywhere on the device of their choice to get their work done," she said.

Stories by John P. Mello