Not too long after Microsoft released Office 2003 Service Pack 3, users started reporting a disturbing message when opening older documents. Or rather, when trying to open older documents.Due to a security improvement in Office 2003 SP3, those older documents could not be opened. To re-enable them, you must add new entries to the registry saying that you really, really do want to use them. On Friday, Microsoft fessed up about the mess they had made, and provided a few workarounds.

Microsoft is in a tough situation here. Many of these document converters were written more than a decade ago, before the Internet made it easy to spread infected files. It would be a massive effort to review all of them to eliminate security problems. Security experts call removing these converters reducing attack surfaces and it's been done with many other Microsoft products in this decade. For example, Windows 2000 Server used to enable the Web and FTP services by default, but Windows 2003 disables them unless you specifically ask for them.

If you need an example of the worst-case scenario, think back to the Windows Metafile security problem that happened two years ago. Browsers, mail clients, and all sorts of other applications became vulnerable to an attack merely by processing a ".WMF" file using the standard Windows API. Although Microsoft moved quickly to patch the hole, there was a dicey two-week period when several exploits began to circulate.

Viewed in that light, every creaky old document converter shipped with Office is a juicy attack surface just waiting for a hacker to exploit. For that reason alone, companies shouldn't want to have these converters active on every user's system. The problem is that removing them is destroying functionality. Nobody expected a service pack to remove the ability to process these file formats without some high-profile advance notice. Customers deserved to get advance warning on this, and be offered some reasonable alternatives. Microsoft fell down on that job.