In Office 2007, we changed the default to disable a number of older file formats where we saw very low usage and a high security risk in our code that loads these formats. From the security standpoint, this is the right thing to do. From the data we have on file opens, very few users open files in these formats, so we decided to modify the default behavior to this safer approach.
Attack surface reduction is something we spend a lot of energy on – the canonical example is IIS 5.0 vs. IIS 6.0. IIS 5.0 had enabled everything by default. Who's ever actually printed to a web server? OTOH, who's ever taken over a web server with the .printer exploit? Unfortunately, quite a few. Figuring out how to turn off the things that you don't need was too hard for most admins. IIS 6.0 took the opposite approach – turn almost everything off, and make it easy to turn on what you need. The security record of IIS 6.0 shows how effective this has been – they went from having a poor security record to one of the best.
We've been doing some of the same things with Office – there are converters that didn't get installed by default in Office 2003. We noticed that the attackers seemed to be preferentially hitting the parsers for the older formats, and if the great majority of you don't need the older format, it's risk without reward. This was the thinking behind disabling the older formats by default in Office 2007 and eventually Office 2003 SP3. We'll try harder to make enabling older formats much more user-friendly in the future.
To put things in perspective, many of these formats are very old, with some dating back over 15 years since the app that created them by default shipped. Something I want to be very clear about – we are not removing your ability to read these files. If you need them, the parsers are still there. All we've changed is the default. The older formats are still supported. We understand that some of you have a need to be able to read archived files, sometimes for long periods, and we will continue to support that. There are two ways to continue to open these files:
- You can create a trusted location and place the files there. This is documented in http://support.microsoft.com/kb/922849. It's an easier process if you're running Office 2007 than if you're on Office 2003, but it is an available option.
- You can change the default version that we'll still open, which is discussed in more detail below.
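The pattern described above (legacy parsers off by default, switched back on only for files in a trusted location) is easy to get subtly wrong, so here is an added illustration of it in Python. This is example code written for this page, not Office code, and it does not reproduce Office's registry layout: the list of default-enabled containers, the extension table and the trusted-location rule are constructed for the example. The only real values are the OLE2 and ZIP container signatures. The point it makes beyond the text is that the file's bytes, not its name, should pick the parser, and that the trusted-location check must run on resolved paths so `..` and symlinks can't smuggle a file in.

```python
import os
import tempfile

# Real container signatures; anything else is treated as a legacy or
# unknown format for the purposes of this example.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file (binary .doc/.xls/.ppt)
ZIP_MAGIC = b"PK\x03\x04"                        # ZIP container (Office Open XML)

# Constructed table: which container an extension is supposed to carry.
# Used only to flag files whose name and bytes disagree.
EXPECTED_CONTAINER = {
    ".docx": "ooxml", ".xlsx": "ooxml", ".pptx": "ooxml",
    ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
}

# Policy (assumed for the example): parsers enabled by default. Every
# other format is blocked unless the file lives in a trusted location.
ENABLED_BY_DEFAULT = {"ole2", "ooxml"}


def identify_container(head: bytes) -> str:
    """Classify a file by its leading bytes, never by its name."""
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(ZIP_MAGIC):
        return "ooxml"
    return "legacy"


def extension_mismatch(name: str, container: str) -> bool:
    """True when the extension promises a container the bytes don't have."""
    expected = EXPECTED_CONTAINER.get(os.path.splitext(name)[1].lower())
    return expected is not None and expected != container


def in_trusted_location(path: str, trusted: str, allow_subfolders: bool) -> bool:
    """Containment check on resolved paths, so '..' segments and symlinks
    cannot make an outside file look trusted."""
    real = os.path.realpath(path)
    root = os.path.realpath(trusted)
    if allow_subfolders:
        return os.path.commonpath([real, root]) == root and real != root
    return os.path.dirname(real) == root


def decide(path: str, trusted: str, allow_subfolders: bool = False) -> tuple:
    """Return (allowed, container, reason) for opening `path`."""
    with open(path, "rb") as f:
        head = f.read(8)
    container = identify_container(head)
    if extension_mismatch(os.path.basename(path), container):
        # A misleading extension must not be allowed to select the parser.
        return (False, container, "extension/content mismatch")
    if container in ENABLED_BY_DEFAULT:
        return (True, container, "parser enabled by default")
    if in_trusted_location(path, trusted, allow_subfolders):
        return (True, container, "legacy parser allowed: trusted location")
    return (False, container, "legacy parser blocked by default")


def run_demo() -> dict:
    """Build a scratch tree of constructed sample files and return the
    decision for each (relative path, allow_subfolders) case."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        trusted = os.path.join(tmp, "archive")
        os.makedirs(os.path.join(trusted, "sub"))
        os.makedirs(os.path.join(tmp, "downloads"))
        legacy = b"\x00\x00\x02\x00\x06\x04\x06\x00"   # constructed, not a real header
        cases = [
            ("downloads/report.doc", OLE2_MAGIC + b"\0" * 24, False),
            ("downloads/notes.docx", OLE2_MAGIC + b"\0" * 24, False),  # spoofed name
            ("downloads/budget.wk1", legacy, False),
            ("archive/budget.wk1", legacy, False),
            ("archive/sub/budget.wk1", legacy, False),
            ("archive/sub/budget.wk1", legacy, True),
            ("archive/../downloads/escape.wk1", legacy, True),  # traversal attempt
        ]
        for rel, content, subs in cases:
            path = os.path.join(tmp, rel)
            with open(path, "wb") as f:
                f.write(content)
            results[(rel, subs)] = decide(path, trusted, subs)
    return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(case, "->", verdict)
```

Two design choices worth noting: the mismatch check fires before the default-allow check, so a legacy file renamed to `.docx` is refused rather than handed to whichever parser the extension suggests; and the "subfolders" flag is honoured against `realpath`, which is what stops the `archive/../downloads/...` case from passing.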
Recently we released SP3 for Office 2003, and we took a number of the security improvements from Office 2007 and applied those to Office 2003 as well. Unfortunately, we made a couple of mistakes that we will correct immediately.
- We did a poor job of describing the default format changes. There is a KB article for it here - http://support.microsoft.com/kb/938810. In the KB article we stated that it was the file formats that were insecure, but this is actually not correct. A file format (with some exceptions, like .hlp files) isn't insecure – it's the code that reads the format that's more or less secure. The parsers we use for these older formats aren't as robust as the code we've written more recently, which is part of our decision to disable them by default. But again, it isn't the format that's the problem, nor is it the app that wrote the format – it's the app that reads the format. We just revised the KB article to correct this error.
- Some of the formats blocked are from products built by companies other than Microsoft, and we apologize for implying that there were any problems in those companies' file formats.
- We did not provide an easy way for end users to change this behavior so they could open these older files. There are admin templates that system administrators can easily use, and there are also some registry keys that people can set, but that was it. In order to make this easier for anyone to override, we'll update the KB article and provide the following files that anyone can download and run to override the security settings.
The .reg files you can use to change the security settings can be downloaded here:
- To re-enable Word file formats only - UnblockWord.reg
- To re-enable Excel file formats only - UnblockExcel.reg
- To re-enable PowerPoint file formats only - UnblockPowerPoint.reg
- To re-enable the CorelDraw (CDR) file format only - UnblockCDR.reg
- To restore the blocked Word file types only - RestoreBlockingWord.reg
- To restore the blocked Excel file types only - RestoreBlockingExcel.reg
- To restore the blocked PowerPoint file types only - RestoreBlockingPowerPoint.reg
- To restore the blocked CorelDraw (CDR) file type only - RestoreBlockingCDR.reg
In order to change the settings for the CDR file type, you need to be logged on as an administrator, or, if you're on Windows Vista, to run regedit elevated. By default, regedit will prompt for elevation when it runs the .reg files. This is because the filters used to import some older image formats like CorelDraw CDR files are registered in the machine-wide settings (HKEY_LOCAL_MACHINE), not the per-user settings (HKEY_CURRENT_USER), so the Word, Excel and PowerPoint .reg files can be applied by an ordinary user, while the CDR ones cannot.
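For administrators who would rather script the override than double-click a .reg file, here is an added PowerShell example of applying one of the files listed above safely. It is not part of the post or of the KB article. It assumes the .reg file has been saved to the path in `$regFile`, and it assumes the per-user Word 2003 key path shown in `$userKey` (check it against the KB article for your application; the Excel and PowerPoint keys differ). The script checks for elevation only when the .reg file actually writes under HKEY_LOCAL_MACHINE, which is the CDR case described above, and exports the current values first so the change can be reversed.

```powershell
# Added example; not Microsoft's script. Paths below are assumptions.
$regFile = 'C:\Temp\UnblockWord.reg'   # assumed download location
$userKey = 'HKCU:\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock'  # assumed Word 2003 key
$backup  = Join-Path $env:TEMP 'FileOpenBlock-backup.reg'

if (-not (Test-Path $regFile)) { throw "Missing $regFile" }

# Are we elevated? Needed only for machine-wide (HKLM) entries.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Inspect the .reg before importing it. The CDR files write under
# HKEY_LOCAL_MACHINE and will fail silently or partially without elevation.
$touchesHKLM = Select-String -Path $regFile -Pattern '^\[HKEY_LOCAL_MACHINE' -Quiet
if ($touchesHKLM -and -not $elevated) {
    throw 'This .reg writes machine-wide settings; rerun from an elevated prompt.'
}

# Snapshot the current per-user values so "undo" does not depend on the
# RestoreBlocking*.reg file being available later.
if (Test-Path $userKey) {
    reg.exe export ($userKey -replace '^HKCU:', 'HKCU') $backup /y | Out-Null
    Write-Host "Current values (backed up to $backup):"
    Get-ItemProperty -Path $userKey | Format-List
}

reg.exe import $regFile
if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }

Write-Host 'New values:'
Get-ItemProperty -Path $userKey | Format-List
```

Run the unblock file, open the archived document, then import the matching RestoreBlocking file (or the backup this script wrote) so the safer default is back in place; leaving legacy parsers enabled on a machine that only needed them once defeats the purpose of the change.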
In closing, I want to emphasize that we're not removing support – we're making the default safer. If you're among the users who do need to be opening these formats, we will continue to support you. We also recognize that we have not made any of this as usable as we'd like, and we apologize that this hasn't been as well documented or as easy as you need it to be. We're also going to take a hard look at how we can do better in the future.