In Office 2007, we changed the default to disable a number of older file formats where we saw very low usage and a high security risk in our code that loads these formats. From the security standpoint, this is the right thing to do. From the data we have on file opens, very few users open files in these formats, so we decided to modify the default behavior to this safer approach.
Attack surface reduction is something we spend a lot of energy on – the canonical example is IIS 5.0 vs. IIS 6.0. IIS 5.0 had enabled everything by default. Who's ever actually printed to a web server? OTOH, who's ever taken over a web server with the .printer exploit? Unfortunately, quite a few. Figuring out how to turn off the things that you don't need was too hard for most admins. IIS 6.0 took the opposite approach – turn almost everything off, and make it easy to turn on what you need. The security record of IIS 6.0 shows how effective this has been – they went from having a poor security record to one of the best.
We've been doing some of the same things with Office – there are converters that didn't get installed by default in Office 2003. We noticed that the attackers seemed to be preferentially hitting the parsers for the older formats, and if the great majority of you don't need the older format, it's risk without reward. This was the thinking behind disabling the older formats by default in Office 2007 and eventually Office 2003 SP3. We'll try harder to make enabling older formats much more user-friendly in the future.
To put things in perspective, many of these formats are very old, with some dating back over 15 years since the app that created them by default shipped. Something I want to be very clear about – we are not removing your ability to read these files. If you need them, the parsers are still there. All we've changed is the default. The older formats are still supported. We understand that some of you have a need to be able to read archived files, sometimes for long periods, and we will continue to support that. There are two ways to continue to open these files:
Recently we released SP3 for Office 2003, and we took a number of the security improvements for Office 2007 and applied those to Office 2003 as well. Unfortunately, we made a couple of mistakes that we will correct immediately.
The .reg files you can use to change the security settings can be downloaded here:
To re-enable Word file formats only - UnblockWord.reg
To re-enable Excel file formats only - UnblockExcel.reg
To re-enable PowerPoint file formats only - UnblockPowerPoint.reg
To re-enable the CorelDraw (CDR) file format only - UnblockCDR.reg
To restore the blocked Word file types only - RestoreBlockingWord.reg
To restore the blocked Excel file types only - RestoreBlockingExcel.reg
To restore the blocked PowerPoint file types only - RestoreBlockingPowerPoint.reg
To restore the blocked CorelDraw (CDR) file type only - RestoreBlockingCDR.reg
In order to change the settings for the CDR file type, you need to be logged on as an administrator, or if you're on Windows Vista, running with an elevated application. By default, regedit will prompt for elevation when it runs the .reg files. This is because the filters used to import some older image formats like CorelDraw CDR files are registered in the machine-wide settings, not the per-user settings.
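As an added example (not from the original post or the Office team), here is a PowerShell script that reads a .reg file, reports which registry hives it writes to, and refuses to import one that touches HKEY_LOCAL_MACHINE unless the session is elevated. The sample .reg content, its key path and value name are constructed placeholders, not the real Office settings.

```powershell
# Added example: decide whether a .reg file needs an elevated session before importing it.
# Per-user settings live under HKEY_CURRENT_USER; machine-wide settings (such as the
# image filter registration described above) live under HKEY_LOCAL_MACHINE.

function Get-RegFileHives {
    param([Parameter(Mandatory)][string]$Path)
    # Key lines look like [HKEY_CURRENT_USER\Software\...]; a leading '-' marks a key deletion.
    Get-Content -LiteralPath $Path | ForEach-Object {
        if ($_ -match '^\[-?(HKEY_[A-Z_]+)\\') { $Matches[1] }
    } | Sort-Object -Unique
}

function Test-IsElevated {
    # True when the current token holds the Administrators role (i.e. the prompt is elevated).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Import-RegFileSafely {
    param([Parameter(Mandatory)][string]$Path)
    $hives = Get-RegFileHives -Path $Path
    if (($hives -contains 'HKEY_LOCAL_MACHINE') -and -not (Test-IsElevated)) {
        throw "$Path writes to HKEY_LOCAL_MACHINE (machine-wide settings); rerun from an elevated prompt."
    }
    # reg.exe import does not show a confirmation dialog, so it is scriptable.
    & reg.exe import $Path
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed with exit code $LASTEXITCODE" }
}

# Constructed sample: a per-user file, with a placeholder key path (not a real Office key).
$sample = @"
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\EXAMPLE_PLACEHOLDER\FileBlockDemo]
"PlaceholderValue"=dword:00000000
"@
$samplePath = Join-Path $env:TEMP 'placeholder-unblock.reg'
Set-Content -LiteralPath $samplePath -Value $sample -Encoding Unicode

# Reports HKEY_CURRENT_USER, so this file would import without elevation.
Get-RegFileHives -Path $samplePath
```

Run `Import-RegFileSafely -Path <file>.reg` against one of the Unblock*.reg or RestoreBlocking*.reg files to apply it; the CDR files are the ones expected to require the elevated prompt.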
In closing, I want to emphasize that we're not removing support – we're making the default safer. If you're among the users who do need to be opening these formats, we will continue to support you. We also recognize that we have not made any of this as usable as we'd like, and we apologize that this hasn't been as well documented or as easy as you need it to be. We're also going to take a hard look at how we can do better in the future.