A lot of enterprises are focused on the end of Microsoft's Windows XP support in 2014, but being at a company that has already transitioned to Windows 7, I'm more concerned with Office 2003 no longer receiving security patches. I've tried to make the case to upper management that we need to update to a newer version of Office, but frankly, they see no need when 2003 serves all of our needs as a business. What steps can we take to secure Office 2003 after it loses support?
Ask the expert
SearchSecurity expert Michael Cobb is ready to answer your application security and platform security questions. Submit them now via email.
Many enterprises are still using Microsoft Office 2003, as it has the functionality that most organizations need. The economic downturn has also made companies question the need to upgrade office applications just because a new version is released. For enterprises reliant on older Microsoft software, the ending of security support for Office 2003 on April 8, 2014 will be just as big a deal as the expiry of support for Windows XP.
Microsoft's Business and Developer product lines, which include Office applications, receive 10 years of support at the service pack level, five of which are Mainstream Support, followed by five years of Extended Support. This means that as of April 9, 2014, Microsoft will no longer offer security updates, non-security hotfixes, free or paid assisted support options or online technical content updates to Office 2003 users. While the Office applications won't suddenly stop working, hackers may be able to find new vulnerabilities in them and Microsoft won't develop and release a patch, leaving the application highly susceptible to attack.
Legacy software has always been an attractive target for hackers -- particularly if it's no longer supported by the original vendor. Currently Office isn't being heavily targeted by hackers, but once the suite of software is left without Microsoft support, that could rapidly change, particularly because it still has a large user base. Keeping antimalware software up to date will become increasingly critical, as many antimalware programs will be able to detect exploits in outdated software. Attacks will likely use malicious email attachments, so users should exercise extreme caution when opening Office files sent by someone else. While enterprises could securely put desktops and other devices with Office 2003 installed on them on an isolated section of the network with no access to the Internet, I'm sure it would adversely impact productivity. Third parties may provide ongoing support, but it's unlikely that these will include addressing fixes and security patch development -- and even if they did, the associated costs would probably be higher than migrating to a supported version of Office. Any existing software support contracts in your enterprise should be reviewed to check whether they cover software no longer supported by the vendor.
Running end-of-life software is considered a control failure by most compliance and regulatory standards, so it may be worth it to try to leverage that fact to convince senior management that an upgrade to a newer version of Office is necessary. Microsoft recommends that Office 2003 users upgrade to Office 365 -- note that Office 2003 is not compatible with Windows 8 -- but a cheaper alternative may be to use a free office suite such as Kingsoft Office 2013 or LibreOffice.
Based on historical customer deployment data, it can take anywhere from six to 18 months to get from business case to full deployment. In the meantime, I would download Microsoft's Enhanced Mitigation Experience Toolkit 4.0 (EMET), which allows administrators to apply a variety of mitigation technologies to applications that don't use them natively. It is updated with new technologies as they become available and can provide some protection going forward against certain new attack techniques.
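The answer above points to malicious email attachments as the likely delivery route for exploits against an unpatched Office 2003, and to caution with incoming Office files as the main user-side control. The following Python is an added example, not code from the answer or from Microsoft, of the kind of attachment screening a mail gateway or quarantine script can apply before a file ever reaches a user's desktop: it classifies the attachment by its leading bytes instead of its file name, checks the fixed fields of the Compound File Binary (OLE2) header that legacy .doc/.xls/.ppt files use, and flags name/content mismatches. The sample files, the finding names and the deliver/review/block policy are constructed for illustration and are assumptions, not a standard; the header field layout follows the published [MS-CFB] format.

```python
"""Gateway-style screening of Office attachments (constructed example)."""
import os
import struct

# Compound File Binary (OLE2) signature used by Office 2003-era .doc/.xls/.ppt files
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"      # Office Open XML (.docx/.xlsx/.pptx) is a ZIP container
RTF_MAGIC = b"{\\rtf"
CFB_HEADER_LEN = 512           # the CFB header occupies the first 512 bytes

LEGACY_BINARY_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}
OOXML_EXTS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
MACRO_ENABLED_EXTS = {".docm", ".xlsm", ".pptm"}


def sniff_format(data: bytes) -> str:
    """Classify the container by its leading bytes rather than trusting the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "other"


def ole2_header_problems(data: bytes) -> list:
    """Validate the fixed CFB header fields at offset 24 ([MS-CFB] section 2.2).

    A file can carry the 8-byte magic and still be internally inconsistent;
    malformed headers are a common trait of files crafted to upset a parser.
    """
    if len(data) < CFB_HEADER_LEN:
        return ["truncated-header"]
    problems = []
    _minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 24)
    if major not in (3, 4):
        problems.append("bad-major-version")
    if byte_order != 0xFFFE:
        problems.append("bad-byte-order")
    if (major == 3 and sector_shift != 9) or (major == 4 and sector_shift != 12):
        problems.append("bad-sector-shift")
    if mini_shift != 6:
        problems.append("bad-mini-sector-shift")
    return problems


def screen_attachment(filename: str, data: bytes) -> dict:
    """Return the sniffed format, a list of findings and a disposition for one attachment."""
    ext = os.path.splitext(filename.lower())[1]
    fmt = sniff_format(data)
    findings = []

    if fmt == "ole2":
        findings.append("legacy-binary-office")   # the format Office 2003 opens natively
        if ole2_header_problems(data):
            findings.append("malformed-ole-header")
    if ext in LEGACY_BINARY_EXTS and fmt == "rtf":
        findings.append("rtf-named-as-doc")       # Word opens it, but it is not the declared format
    elif ext in LEGACY_BINARY_EXTS and fmt != "ole2":
        findings.append("extension-mismatch")     # e.g. a ZIP or unknown payload named .doc
    if ext in OOXML_EXTS and fmt != "zip":
        findings.append("extension-mismatch")
    if ext in MACRO_ENABLED_EXTS:
        findings.append("macro-enabled-extension")

    # Constructed policy: hard failures are blocked, anything else unusual is held for review.
    if "malformed-ole-header" in findings or "extension-mismatch" in findings:
        action = "block"
    elif findings:
        action = "review"
    else:
        action = "deliver"
    return {"format": fmt, "findings": findings, "action": action}


def make_ole2_sample(major: int = 3, sector_shift: int = 9) -> bytes:
    """Build a constructed 512-byte CFB header (not a real document) for testing."""
    header = OLE2_MAGIC + b"\x00" * 16                     # signature + zero CLSID
    header += struct.pack("<HHHHH", 0x3E, major, 0xFFFE, sector_shift, 6)
    return header.ljust(CFB_HEADER_LEN, b"\x00")


# Constructed sample attachments
SAMPLE_GOOD_DOC = make_ole2_sample()
SAMPLE_BAD_DOC = make_ole2_sample(major=3, sector_shift=12)  # version/sector size disagree
SAMPLE_DOCX = ZIP_MAGIC + b"\x14\x00" + b"\x00" * 40         # ZIP local header stub
SAMPLE_RTF = b"{\\rtf1\\ansi constructed}"

if __name__ == "__main__":
    for name, blob in [("memo.doc", SAMPLE_GOOD_DOC), ("memo.doc", SAMPLE_BAD_DOC),
                       ("memo.doc", SAMPLE_DOCX), ("memo.docx", SAMPLE_DOCX),
                       ("memo.doc", SAMPLE_RTF), ("notes.txt", b"hello")]:
        print(name, screen_attachment(name, blob))
```

The legacy-binary finding deliberately lands in "review" rather than "block": enterprises still on Office 2003 exchange .doc and .xls files legitimately, so the sensible gateway behaviour is to route them through antimalware scanning (which the answer notes will become increasingly critical) and a holding queue, while reserving "block" for files whose name and content disagree or whose header is malformed.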
This was first published in January 2014