The end of Microsoft's support for popular suite come April 2014 will usher in an era of 'infinite zero-day' attacks, analyst predicts

Just as with some gun owners and firearms, some businesses won’t be giving up their copies of Office 2013 when Microsoft cuts support for it in April 2014 until it is pried from their hands. That could be a mistake, say security experts.

“Microsoft has done a really good job of battening down most of the really big problem areas in Office 2003 a long time ago,” Wes Miller, a research analyst for Directions on Microsoft, told CSOonline.

Nevertheless, withdrawal of support will usher in an era of “infinite zero-day” attacks, Miller noted, just as has been predicted for Windows XP, which is scheduled to lose its support at the same time as Office 2003.

“From a security perspective, Office 2003 will become more attackable over time,” Qualys CTO Wolfgang Kandek said in an interview. “We habitually find problems today in Office 2003. That will not stop next year just because Microsoft stops supporting it.”

“The net effect will be that two or three months after support stops, a toolkit will appear on the market that allows even the unsophisticated attacker to exploit vulnerabilities in the program,” Kandek added.

The pattern isn’t new. For example, when Oracle released version 7 of Java, many users continued to stick to version 6, even though new security vulnerabilities affecting that edition of the programming language keep appearing. “We’ve talked to many Java customers who’ve said they try to keep it updated but sometimes they have programs that they need for their business that require them to use Java 6,” Kandek noted.

Imperva’s CTO, Amichai Shulman, said Microsoft can expect to see a large population of users continue to use Office 2003, and hackers will continue to poke holes in it after support is terminated, only there won’t be any more “Patch Tuesdays” to save the day.

“This is the reality of good software,” Shulman said.
“It stays in use long after it has been declared EOL. The business value it brings is so high, and the cost and time of replacing it is so high, that users accept the implied security risk.”

That appears to be the case with both Windows XP and Office 2003, which may be why businesses are reluctant to desert them despite Microsoft’s withdrawal of support and the security implications that poses for them.

“Microsoft’s biggest competitor has always been Microsoft of a few years ago,” Miller said.

In addition to Office 2003 being a solid product, deserting it could pose some problems for businesses because Microsoft changed the interface for the suite after the 2003 edition. It replaced the toolbars in the program with a “ribbon” metaphor.

“People will have to be retrained,” Kandek said. “The interface is very different so you can’t just install it and say, ‘Use this.’”

While withdrawing support for Office 2003 may miff some organizations, ditching the suite entirely may not be an alternative for them. “If Office is a key component, as it is in many businesses, then they don’t really have a choice,” Miller said.

Google Docs could be an alternative, but Google doesn’t have the simpatico with the enterprise that Microsoft does. “Microsoft has an enterprise awareness,” Miller said. “It’s much more enterprise friendly.”

Of course, businesses who choose to upgrade from Office 2003 to Microsoft’s Office offering in the cloud could avoid having the support rug pulled out from under them in the future.

“Using this product in the cloud has many advantages, not the least of which is it’s always updated,” Kandek said.

A Microsoft spokeswoman told CSOonline, “We encourage customers to upgrade to Windows 8 and Office 365 as Windows XP and Office 2003 will reach end of support in April 2014.”

“Windows XP and Office 2003 were great software releases more than a decade ago,” the spokeswoman said.
“But the way we work has dramatically changed and technology has evolved along with the needs — and more importantly — the expectations of customers and partners that have already adopted modern platforms and devices.”

“With Windows 8 and Office 365, customers will gain immediate benefits that allow them to work anytime, anywhere on the device of their choice to get their work done,” she said.