Microsoft
has released the third service pack for Office 2003 in a 140MB download which
includes major security and stability updates.
The service pack addresses more than 250 performance issues ranging from
flickering screens to application crashes in Access, Excel, InfoPath, Outlook,
PowerPoint and Word.
But it was a range of security issues that got the most attention in the
update, with 14 security bulletins for Office 2003 each of which addresses
multiple vulnerabilities in a single product.
The increased emphasis on security followed a dramatic change in the security
environment, according to David LeBlanc, a senior software development engineer
at Microsoft.
In an
article
for a company blog, LeBlanc credited the change to a rise in commercial
malware and the increased value of the vulnerabilities used to install the
malicious code.
"When Office 2003 shipped, we thought we had done some good work and that it
would be a secure product," he wrote.
"For the first two years after release, it held up really well. Then people
shifted their tactics and we started finding problems in fairly large numbers."
As attackers began to use the new tactics, vulnerabilities in Office began to
pile up and the suite became a ripe target for exploits.
"We did do a great job with Office 2003 against the attacker techniques that
were in use in 2003," LeBlanc wrote. "As it turned out, it did not do as well
against the attacker techniques in use in 2006."
Microsoft had to shift its own tactics to keep up with the attackers. LeBlanc
said that during the development of Office 2007 and Office 2003 SP3, developers
made extensive use of a testing technique known as 'fuzzing'.
Fuzzing involves sending large data packets to every element of an
application that deals with data input. If the software is not properly
safeguarded, the 'fuzz' code will cause it to crash.
The technique is of particular use because it is an easy way to find the
overflow vulnerabilities often used to perform remote malware installations.
Microsoft developers began extensive fuzz testing with Office 2007. After the
suite was released, the team turned their attention to Office 2003.
"We then subjected Office 2003 to the same level of fuzz attacks that we used
against Office 2007, and then some," wrote LeBlanc.
He claims that the new techniques have been "very effective" in reducing
threats, but warned that, as the company learned in 2006, the security landscape
is constantly changing.
Users can obtain
Office
2003 Service Pack 3 from Microsoft's Office Online download site.
Do you agree?
Have your say on this article