Office 2003's Burial Will Resurrect Hacker Activity
The end of Microsoft's support for the popular suite come April 2014 will usher in an era of 'infinite zero-day' attacks, analyst predicts.
Thu, August 29, 2013
CSO — Just as with some gun owners and firearms, some businesses won't be giving up their copies of Office 2003 when Microsoft cuts support for it in April 2014 until it is pried from their hands.
That could be a mistake, say security experts. "Microsoft has done a really good job of battening down most of the really big problem areas in Office 2003 a long time ago," Wes Miller, a research analyst for Directions on Microsoft, told CSOonline.
Nevertheless, withdrawal of support will usher in an era of "infinite zero-day" attacks, Miller noted, just as has been predicted for Windows XP, which is scheduled to lose its support at the same time as Office 2003.
"From a security perspective, Office 2003 will become more attackable over time," Qualys CTO Wolfgang Kandek said in an interview. "We habitually find problems today in Office 2003. That will not stop next year just because Microsoft stops supporting it."
"The net effect will be that two or three months after support stops, a toolkit will appear on the market that allows even the unsophisticated attacker to exploit vulnerabilities in the program," Kandek added.
The pattern isn't new. For example, when Oracle released version 7 of Java, many users continued to stick to version 6, even though new security vulnerabilities affecting that edition of the programming language keep appearing.
"We've talked to many Java customers who've said they try to keep it updated but sometimes they have programs that they need for their business that require them to use Java 6," Kandek noted.
Imperva's CTO, Amichai Shulman, said Microsoft can expect to see a large population of users continue to use Office 2003, and hackers will continue to poke holes in it after support is terminated, only there won't be any more "Patch Tuesdays" to save the day.
"This is the reality of good software," Shulman said. "It stays in use long after it has been declared EOL. The business value it brings is so high, and the cost and time of replacing it is so high, that users accept the implied security risk."
That appears to be the case with both Windows XP and Office 2003, which may be why businesses are reluctant to desert them despite Microsoft's withdrawal of support and the security implications that poses for them.
"Microsoft's biggest competitor has always been Microsoft of a few years ago," Miller said.