There’s a security problem in Word where an SQL query to get addresses for a mail merge can be misused by a bad guy.
In the last issue of Office Watch we mentioned a strange message from a Microsoft staffer in a public forum. This message detailed the fix for an undocumented addition to Office XP Service Pack 3.
This is the only clue we had to a change introduced in Office XP SP3 – nothing in the list of changes, and the only mention of it in the Microsoft Knowledge Base applies to Office 2003.
We asked Microsoft for an explanation and after some days got what could be best described as an unresponsive reply. No acknowledgement of the problem and to date nothing has been done to properly document the matter.
Long time readers of Office Watch will not be surprised, for rarely can Microsoft bring itself to admit the smallest error, and fixes or updates in public information are slow in coming. It’s what we’ve come to expect but it is still mystifying and annoying. It makes a mockery of the public pronouncements of customer commitment when Microsoft can’t be bothered to properly document their software.
Here’s what we’ve been able to figure out – without any help from Microsoft.
THE UNDOCUMENTED RETROFIT IN SP3
There’s a security problem in Word where an SQL query to get addresses for a mail merge can be misused by a bad guy. This problem was fixed in Office 2003, however some people need to access the feature the way it previously worked so Microsoft put it a ‘backdoor’ registry hack to let you use SQL strings the old way.
All this is detailed in a Knowledge Base article which originally only applied to Word 2003. That’s where the fun begins.
Microsoft decided to retrofit this same security patch into Office XP as part of the Service Pack 3. A good move really except that they didn’t bother to list the change in any of the original SP3 documentation!
The result was users updating to SP3 then finding their mail merges were broken. Looking at the Microsoft public information gave these paying customers no clue. The result – hours of wasted time trying to ‘fix’ a problem.
It was only after the last issue of Office Watch that the company belatedly updated their Knowledge Base so that the article you now see includes Office XP SP3 – though the KB article is still wrong – see below.
Even then the public list of changes in SP3 has not been updated. If you’re a network administrator who is responsible for many computers, or a power user who relies on Office XP a lot then you need to know what changes are likely when patching Office. Sadly Microsoft has, yet again, not fully disclosed all the changes made. And before you ask … who knows what else they’ve ‘forgotten’ to tell us?
All in all it’s another botched Service Release – incomplete documentation followed by poor public relations that seems to be aimed at keeping the bad news cycle going for as long as possible. Microsoft complains that Office Watch gives out bad news about Office yet the company does its best to prolong that bad news across several issues.
ERROR IN KNOWLEDGE BASE
You’d think that having omitted important information from the public and been caught at it, Microsoft would update the Knowledge Base and make sure it’s correct. Buzzzt!
Look here (at least as it is as we go to press). Look under the info for Word 2002 SP3 and you’ll probably see the error quickly.
The registry setting in step 2 is wrong – it should be 10.0 not 11.0 – the key is correct a few lines above but not in the explicit instructions. Easy to do, the steps where copied from the Word 2003 ones but the vital change was overlooked.
Now Office Watch’s editor isn’t the swiftest guy on the planet, especially when he’s just hopped off a long plane trip – yet he noticed the mistake in seconds despite jet-lagged eyelids. At least a half-dozen Office Watch readers also found it and wrote to us.
So why didn’t anyone at Microsoft? What level of checking happens before a KB article goes public – very little it seems.
