2003 SP3 security functionality-ecotmy (featurectomy)

I’ve seen it a few places now, but I’m still not totally clear on the actual impact.

Basically SP3 disables a load of file formats that 2003 used to support ‘for security reasons'(tm).

It adds a bunch of stuff to the registry to enable you to re-enable them if you need to. (and you want to edit your registry freehand (and your admins didn’t set it by policy)).

Here are a few links to keep you busy:

http://www.betanews.com/article/Microsofts_planned_obsolescence_smacks_Office_2003/1199306131

http://support.microsoft.com/kb/938810/en-us

[psst don’t tell the bad guys – I’m still on 2003 SP1, everything since then has been security by removal (featurectomy is the technical term)].

Has anyone actually had a problem with this? I know they did a ton of fuzzing as part of the 2007 development, I assume this is the security issues they found in prior versions being closed (the easy way).

I don’t blame them for cutting stuff out rather than fixing it, but I do find it amusingly ironic. The standard MS response to any accusation of bloatware is always that all those features are there because someone is using them – not any more though, hey? I guess the new ‘more hostile environment’ justification come into play though.

Incidentally I have read a few problems with COM add-ins too after SP3, one to avoid installing if possible I reckon. If security is that much more important than functionality in your organisation you may want to consider pen and paper, or maybe an abacus.

Anyone got any real world experience of actual problems to share?

Cheers

Simon

Advertisements

6 Responses to “2003 SP3 security functionality-ecotmy (featurectomy)”

  1. MikeC Says:

    Interesting take on it that I saw at El Reg yesterday, though it seems it’s a little MSFT-flamebait…

    Far as I can tell, it’s only going to be a problem for archived files that aren’t updated from the original file format. I certainly haven’t seen a .wk3 file for QUITE some time!
    It’s also “changeable” by resetting a couple of registry entries – I would expect that anyone who’s likely to require these sort of files would be able to, or have access to someone who is able to, change these as required to access these file types.

    As usual, I could be completely off-target with that, though…!

    (PS Simon: I’ve only told my Uncle Sergei Troika over in Russia about your SP laxitude, but he’s a nice man who gives me vodka so he doesn’t count as a bad guy, despite what the police and judges say)

  2. Lord Says:

    Soon MS will start charging for these featurectomies.

  3. Harlan Grove Says:

    Cynical me. Some users may have put off upgrading to Office 2007 because Excel 2007 couldn’t load archived legacy .WKS/.WK1/.WK3/.WK4 files. Two ways to address that: build the functionality back into Excel or remove this as an excuse not to upgrade. So which did Microsoft choose?

    I’ll believe MSFT is serious about security when Outlook DEFAULTS to displaying e-mail as plain text.

  4. Harlan Grove Says:

    See the following.

    http://blogs.msdn.com/david_leblanc/archive/2008/01/04/office-sp3-and-file-formats.aspx

    Since that blog doesn’t allow comments, I have to ask whether anyone reading Simon’s blog knows whether .SLK and .DIF files were blocked by SP3, as the original version of the KB article mentioned, or were they left untouched as the current version implies by omission, or were they blocked and no one’s going to help unblock them?

    While it’s nice that blogger provides urls to .REG files that could be used to correct this, IMO it would’ve been easier for users to run batch files or WSH scripts to change the relevant registry keys rather than have to open REGEDIT and import .REG files.

    For Word and PPT I can easily accept the two assertions that (1) the old formats (as a whole) were opened less and less often, even by those sensible users who turned off the automated customer feedback but (2) attackers concentrated more on these older formats. Credit where due, just looking at filenames it’s impossible to distinguish a Word version 1 file from a Word 2003 file since Microsoft decided long ago to use the same filename extension for different versions of their programs’ file formats. From the Excel perspective, I kinda doubt attackers are focusing on old Lotus 1-2-3 or Quattro Pro file formats.

    Interesting that Excel 4 .XLC files would be considered troublesome.

  5. Stephane Rodriguez Says:

    It’s very hard for me to trust those guys, when you know that in the meantime :

    – they are touting backwards compatibility as the major feature of the Office suite.

    – over the years, they are adding more scary dialog boxes in the front of users, and one has to wonder what is the point of doing that if not to force users not to use their (own) files and move on to more recent file formats. For instance, what the SP3 thing does not mention is that, should you work with old files but not old enough to get blocked by default, you’ll get those dialog boxes.

    – the new file formats contain binary blobs of arbitrary MIME types, someof which are directly taken from the “old” bad world of binary formats. Most notably, the VBA stuff, the OLE stuff, and things such as printer settings (which gets loaded right in memory). The only logical step after this SP3 thing is to also make it harder to read new files containing those blobs. Otherwise it’s hypocrisy.

    – If old files are blocked, why not RTF? RTF is known to be a container which hosts virtually any blog an application fancies, and this is by the way how Micrsofot has created a lock-in to Word files. Logically, RTF should go as well. Why isn’t it going away as well?

    Makes zero sense to me. Looks like the guys who did this are refugees from the .NET deployment team. They do this to save us, and in the meantime screw just about everybody on the planet.

  6. Simon Says:

    So ripping out features in 2003 to make 2007 look better? And maybe charging for the privilege in the future?
    I clearly need to work on my cynicism (and humor, Lords charging comment made me laugh out loud!)
    So what will be in 2003 SP4? the ribbon? ;-)
    (btw 2003 retires in 12m so I’m not convinced there will be an SP4)

    I reckon featurectomies are fine for emergency zero day exploit management, but really the parsing code should be fixed. I’m guessing they decided thats not economic.

    All they have really done though is make it so you have to edit the registry to carry on using these formats, I think the COM add-in lock down requires the same registry meddling to undo. I can’t decide whether this is a good compromise, a bit pointless, a worrying trend, too restrictive, or all of the above.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: