
Security updates - if it suits Microsoft

Producer for PowerPoint 2003 shows that Microsoft will patch security bugs, but not if they can find an excuse, however feeble.

The March 2010 list of security patches from Microsoft included one labeled “Vulnerability in Windows Movie Maker Could Allow Remote Code Execution”, but the flaw also affects a Microsoft Office application. That program has been ignored in the patch process, leaving it exposed to a vulnerability that Microsoft itself rates as ‘important’ severity.

So how and why has Microsoft decided not to update the program?

The vulnerable program is called just ‘Producer 2003’ by Microsoft Security, presumably to further deflect attention. The proper name is “Producer for PowerPoint 2003”. According to Microsoft, it is a “very popular add-in for PowerPoint 2003 and PowerPoint 2002. Producer 2003 provides users with many powerful new features that make it easier to synchronize audio, video, slides, and images to create engaging and effective rich-media presentations”. Note the ‘very popular’ boast.

So “Producer for PowerPoint 2003” is actually part of Office 2003, and since Office 2003 is still updated according to Microsoft’s own policies, there should be a patch for ‘Producer’ as well? Well, no. Microsoft has decided that it’s too hard to patch this part of Office 2003 and dragged out some flimsy excuses instead.


‘Limited Distribution’

According to Microsoft, Producer for PowerPoint 2003 is in “limited distribution” – whatever that means. In fact it’s been on the Microsoft web site for years, available as a download and promoted as an add-in for PowerPoint. As we’ve seen, Microsoft itself still calls it ‘very popular’.

On 12 March 2010 – three days after the security alert – Microsoft itself promoted the download and use of ‘Producer 2003’ in a broadcast email titled “Microsoft Download Notifications”, which goes out to hundreds of thousands if not millions of people.

[Image: Producer 2003 – newsletter suggestion to download after security alert]

Even if people didn’t know about Producer 2003 before, they did after Microsoft had reminded them.

Just to add to the irony – three paragraphs above the Producer for PowerPoint 2003 link there is a link to the March security updates from which Producer has been omitted.


No automatic update

Microsoft’s other excuse for not patching Producer 2003 for PowerPoint is that it “does not offer a means for automatic update”. This excuse is offered as if Microsoft wasn’t responsible for this omission in the first place and presumes there is no other way to update the software than via Windows/Microsoft Update.

If Producer 2003 isn’t updatable via Microsoft’s automatic update system – why not? The program has been around long enough for it to be added to the auto-update system just like many other programs from Redmond. Could it be that no-one at Microsoft bothered?

Windows Update isn’t the only way to update a program. It might be Microsoft’s preferred method of delivery, but it’s not the only option. Microsoft could issue a standard ‘delta’ patch to amend the existing executables or provide a fresh download to replace the entire program.


OK then – but not now

Microsoft’s excuse about an inability to patch Producer wears even thinner when we check the update history for the software.

Back in September 2004 Microsoft released a series of ‘urgent’ security updates for Windows and Office. The same day that the updates for the operating system and Office were released, Microsoft managed to release an update for Producer. There was no delay, let alone lame excuses.


Where we stand

At the moment, Producer for PowerPoint 2003 has been removed from Microsoft’s download web site – but in a most curious way.

The download page is there and it lacks any warning about the ‘important’ security vulnerability.

Instead the download file itself has been replaced with a text file – yes we are in the 21st Century but the best a major tech company can do is drop in a text file saying:


“Due to a security issue, we have suspended the offering of Microsoft Producer 2003 as an optional download. We will be releasing a new updated version in the near future. Please check back later for availability.”

We leave readers to ponder how poor the web content management system is at Microsoft.com – the company can’t update a single web page with ‘important’ information and instead resorts to a DOS-like readme file.

The three sentences give no timeline for the updated version – in Microsoft speak ‘near future’ can mean anything from tomorrow to the end of time itself.

Worse still, there’s nothing on the web page or in the measly text file pointing to the workarounds for the security problem.

It’s probably just as well that Microsoft has stopped downloads of Producer for PowerPoint 2003, especially given the embarrassment of promoting a vulnerable and unpatched product. Surely the download web page could have been updated more elegantly, with a link for existing users as well.


Workarounds

Microsoft does offer some workarounds for anyone using Producer for PowerPoint 2003 – though how these people are supposed to learn about them is yet another question.

There are two workarounds. One is the standard ‘alternative’ offered by Microsoft Security: they recommend you stop using the application. Yes, not using an affected program is an option but it’s hardly a workaround.

The other option, in this case, is to remove the file associations that link certain file types with Producer for PowerPoint 2003. This is offered as a ‘Fix It’ download from the Microsoft Support web site.

Yet again, the documentation is extremely poor. The ‘Fix it’ is described as “remove the Microsoft Producer 2003 file associations automatically” with no indication of what associations are being changed. It is probably all the associations with Producer, but Microsoft isn’t telling. The KB article has a long set of tables for various versions of Windows – but nothing on exactly what the ‘Fix It’ download does.

Removing the file associations doesn’t protect Producer from an infected file; it just reduces the chances that it will open a nasty file accidentally.
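Since the ‘Fix It’ doesn’t say which associations it changes, one way to find out is to export HKEY_CLASSES_ROOT before and after running it (for example with `reg export HKCR before.reg`) and compare the two snapshots. The script below is an added example, not Microsoft’s code or anything from the KB article; the `.exproj` extension and `ExampleApp.exe` are hypothetical stand-ins for Producer’s real file types and executable.

```python
import re

# Constructed sample export in .reg syntax. ".exproj" and ExampleApp.exe are
# hypothetical stand-ins, not Producer's real extensions or binary.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exproj]
@="ExampleApp.Project"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\ExampleApp.Project\shell\open\command]
@="\"C:\\Program Files\\ExampleApp\\ExampleApp.exe\" \"%1\""

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\notepad.exe %1"
'''
# Constructed "after" snapshot: only the .exproj extension key has been removed.
AFTER = '\n\n'.join(b for b in BEFORE.split('\n\n')
                    if not b.startswith(r'[HKEY_CLASSES_ROOT\.exproj]'))

def parse_defaults(reg_text):
    """Map each HKCR subkey (lower-cased) to its default string value."""
    defaults, key = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith('['):
            m = re.match(r'\[HKEY_CLASSES_ROOT\\(.+)\]$', line)
            key = m.group(1).lower() if m else None
        elif key and (m := re.match(r'@="(.*)"$', line)):
            # .reg files escape backslashes and quotes with a backslash
            defaults[key] = re.sub(r'\\(.)', r'\1', m.group(1))
    return defaults

def associations(reg_text, handler):
    """Extensions whose open command mentions `handler` (case-insensitive)."""
    d, found = parse_defaults(reg_text), {}
    for key, progid in d.items():
        if key.startswith('.') and '\\' not in key:
            cmd = d.get(progid.lower() + r'\shell\open\command', '')
            if handler.lower() in cmd.lower():
                found[key] = cmd
    return found

def removed_associations(before, after, handler):
    """Extensions that led to `handler` before the change but not after."""
    return sorted(set(associations(before, handler)) - set(associations(after, handler)))

def handler_still_registered(reg_text, handler):
    """True if any HKCR default value (such as an open command) still names `handler`."""
    return any(handler.lower() in v.lower() for v in parse_defaults(reg_text).values())
```

Real `reg export` files are UTF-16, so read them with `encoding='utf-16'`; default values stored as other types (such as `hex(2):` expandable strings) are skipped by this parser. In the constructed data `handler_still_registered(AFTER, ...)` stays true after the extension is gone, which is the point made above: the program is still installed and will still open a file handed to it directly.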
