Microsoft locks down Office 2003

Office 2003 Service Pack 3 includes major security and stability updates

Microsoft has released the third service pack for Office 2003 in a 140MB download which includes major security and stability updates.

The service pack addresses more than 250 performance issues ranging from flickering screens to application crashes in Access, Excel, InfoPath, Outlook, PowerPoint and Word.

But it was a range of security issues that got the most attention in the update, with 14 security bulletins for Office 2003 each of which addresses multiple vulnerabilities in a single product.

The increased emphasis on security followed a dramatic change in the security environment, according to David LeBlanc, a senior software development engineer at Microsoft.

In an article for a company blog, LeBlanc credited the change to a rise in commercial malware and the increased value of the vulnerabilities used to install the malicious code.

"When Office 2003 shipped, we thought we had done some good work and that it would be a secure product," he wrote.

"For the first two years after release, it held up really well. Then people shifted their tactics and we started finding problems in fairly large numbers."

As attackers began to use the new tactics, vulnerabilities in Office began to pile up and the suite became a ripe target for exploits.

"We did do a great job with Office 2003 against the attacker techniques that were in use in 2003," LeBlanc wrote. "As it turned out, it did not do as well against the attacker techniques in use in 2006."

Microsoft had to shift its own tactics to keep up with the attackers. LeBlanc said that during the development of Office 2007 and Office 2003 SP3, developers made extensive use of a testing technique known as 'fuzzing'.

Fuzzing involves sending large data packets to every element of an application that deals with data input. If the software is not properly safeguarded, the 'fuzz' code will cause it to crash.

The technique is of particular use because it is an easy way to find the overflow vulnerabilities often used to perform remote malware installations.

Microsoft developers began extensive fuzz testing with Office 2007. After the suite was released, the team turned their attention to Office 2003.

"We then subjected Office 2003 to the same level of fuzz attacks that we used against Office 2007, and then some," wrote LeBlanc.

He claims that the new techniques have been "very effective" in reducing threats, but warned that, as the company learned in 2006, the security landscape is constantly changing.

Users can obtain Office 2003 Service Pack 3 from Microsoft's Office Online download site.