Office 2003 to get security fixes

Features will come in a future service pack

Microsoft is to give Office 2003 some of the security features introduced in the latest Office 2007 applications, according to reports, in a move to bring the better protection provided by the newer suite to a broader range of customers.

The features are expected to be included in a future service pack update for Office 2003, which will focus on delivering some of the lessons Microsoft learned when it was developing Office 2007, a spokesman for the software firm told reporters in the US.

No release date has so far been set for Office 2003 service pack 3 (SP3), but the update will be a free upgrade for existing users, just as with earlier service packs. SP2 for Office 2003 shipped in 2005.

Most of the changes are likely to be transparent to users, according to Joshua Edwards, a technical product manager for Office at Microsoft. Edwards is reported as stating that the changes will harden the applications that make up the suite, the aim being to protect against vulnerabilities that could be exploited by attackers.

The update is unlikely to include any of the user interface changes that were also introduced in Office 2007, such as the ribbon toolbar and the more task-focused menu system.

But the company was unwilling to discuss in detail the features that SP3 will deliver or even give any indication of when customers will be able to download the forthcoming update.

“We’ve made great strides in security in the 2007 Microsoft Office release and we’re looking at ways to help Office 2003 users realise some of
these benefits. We have nothing further to announce at this time,” a Microsoft spokesperson told IT Week.

Office 2007’s official launch at the end of January 2007 followed its availability to volume licences from the end of November 2006. But most Microsoft customers are still running older versions of the suite, and Office 2003 has been the focus of numerous security threats in recent months. Some of the flaws in Word or Excel have allowed attackers to remotely execute code on a compromised system.