
Is Excel 2003 a Security Threat?


If I am using appropriate anti-malware software how can using Excel 2003 be a threat? I have heard that opening that program can allow threats to come into the computer if you are connected to the internet since support is over for MS Office 2003. Yet, it would seem to me that good anti-malware tools would catch and remove any threats ….. if indeed there are any.

Why do I ask? It is because I love Excel 2003. There are things I love about Excel 2003 and especially when building initial spreadsheets, I would prefer to use that version.

Just wondering if the threats are real and wondering if it really hurts to have MS Office 2003 installed on the computer and if it really hurts anything to use Excel 2003.

There are two very important issues raised by your question:

  1. Is Microsoft Excel 2003, or any Office 2003 application, a security risk simply because support for it has ended?
  2. Wouldn’t anti-malware tools catch anything anyway?

The answers might surprise you.


The threat that is, and is not, Excel 2003

I’m not sure where you’re hearing this statement that “opening that program can allow threats to come into the computer”, so I can’t know with what authority – or accuracy – that statement has been made. It’s possible they’re saying that on principle only because support has ended, and for no other reason. Or it’s possible that they’re saying that because they know of specific threats.

I can tell you two things, though:

  • The relative security of Office 2003 applications is getting worse over time.
  • Office 2003 applications will probably work just fine, and safely, if your version of Windows still supports them and you take normal/traditional security precautions.

In other words, things are never simple. It is a security issue, and it’s not.

That warrants some explanation.

Decreased security: the fate of any unsupported software

The fact is that once any software stops being updated, its security, relative to the rest of the world, begins to get worse.

The application itself doesn’t change. It doesn’t “get worse”. But the rest of the world does. For example, very slowly more and more vulnerabilities may be found in the old software – vulnerabilities that will not be fixed.

That means that over time the list of ways to “break”, say, Office 2003 applications will get longer and longer. It can never get shorter because things will never get fixed.

That’s the very definition of end-of-support: things will never get fixed.

Very slowly the application becomes less secure as more people discover more ways to hack it. This is true for any application for which support has ended; Office 2003 and Windows XP being the most common topics of discussion lately.

Decreased popularity: a surprising saving factor?

Office 2003 is, as I write this, nearly a dozen years old. Not only is it no longer supported but, quite frankly, not that many people are using it anymore either.

For those that continue to use it, that’s a good thing.

Why?

When hackers set out to create malware and compromise machines, which do you think is more interesting to them? An aging application whose user base is only getting smaller? Or perhaps just about anything else?

The fact is, there’s just not that much demand for malware targeting Office 2003.

Now, there’s still a risk, since later versions of Office do share code with Office 2003. That means malware that exploits an issue in Office 2010 could, completely as an unintended side effect, affect Office 2003 as well. It’ll presumably get fixed in Office 2010, and not in 2003. So it’s not completely clear sailing.

But it’s not like you have a bullseye on your computer simply by using Office 2003.

About those anti-malware tools

Let me be clear about one thing: you cannot count on any anti-malware solution to protect you from all malware. There is no perfect anti-malware tool, and there are no guarantees; none at all.

So your comment “it would seem to me that good anti-malware tools would catch and remove any threats” is not something you can count on.

Yes, it’s probably safe to assume that your anti-malware program will catch most threats. But any threat? No. Definitely not.

As one very simple example of how any anti-malware tool can fail, consider this scenario:

  • On Monday morning new malware is released into the world that specifically targets Excel 2003 users.
  • You update your anti-malware tool’s database on Tuesday.

You’re looking at a one-day window where you are completely vulnerable to the malware that targets the software that you are running.

Security is a spectrum, not an absolute

Unfortunately security isn’t as simple as “you are protected” versus “you are not protected”.

There are many, many shades of gray in between. The choices we make are what determine how secure we are and how much risk we’re willing to take on compared to the tradeoffs they require.

The traditional security litany is along the lines of:

  • Keep your software as up-to-date as possible.
  • Use good anti-malware tools.
  • Keep those anti-malware tools as up-to-date as possible, particularly their database of malware definitions.
  • Get behind a firewall.
  • Use common sense.

… and so on.

You can choose to violate that first step – keeping software as up to date as possible – by continuing to use Excel 2003. That doesn’t mean you suddenly are “at risk” – it means that you are slightly more at risk than you were when Excel 2003 was still supported. The additional risk is probably low, but there is absolutely some amount of additional risk you’re choosing to take on. It’s a tradeoff for continuing to use the Excel 2003 interface that you’re familiar with rather than moving on to newer, different, and more secure versions of Excel.

The strength of the other factors – things like anti-malware tools, and yes, even your own common sense – absolutely affects the degree of that additional risk you’re taking on, but it does not eliminate the risk.

The ultimate safety net

Whenever folks ask me about choices they have made, or plan to make, that ultimately increase the risk they’re choosing to take on, I remind them of one important safety net: image backups. The closest thing to a silver bullet for computing, regular image backups can save you from almost anything that goes wrong – and that absolutely includes malware.

Consider that scenario I described earlier where your machine was vulnerable to malware for a day. Let’s update it with an infection, and a backup:

  • Sunday night, like every night, your machine automatically performs an image backup.
  • On Monday morning new malware is released into the world that specifically targets Excel 2003 users.
  • On Monday afternoon your copy of Excel falls victim to the malware and is infected.
  • You restore your machine to the backup that was taken Sunday night. The machine is no longer infected.
  • You then avoid whatever it was that caused the infection in the first place.
  • You update your anti-malware tool’s database on Tuesday, and it’s now able to protect you as well.

Having an image backup makes this scenario an annoyance, rather than the disaster it could have been.

19 comments on “Is Excel 2003 a Security Threat?”

  1. Just wanted to add that application-specific macros are one of the least detectable forms of malware as seen in the results of AV Comparative. Hence why Excel usually shows that bar saying macros are disabled. Sometimes even simply renaming all the variables in a malicious macro is enough to fool detection.

  2. The exact level of threat that comes from using old software depends on who you listen to.
    Microsoft employ a high level of “scare-mongering” when dealing with old versions of their own software, simply because these are Microsoft’s greatest ‘competitors’.
    As for actual malware, no anti-malware program will protect you from software you invite onto your system. Think of the anti-malware as the lock on your front door, and your firewall as the door – if you open the door and invite someone in, what they do is then outside of its control.

    • Thank you Bob. You are absolutely right on! I am still using Office 2003. I do not understand why people get so “scared” about “old stuff” when there are so many other ways to get malware into your computer. They (Microsoft) need to sell their new Office 2013 (a disaster)

    • As the article points out, a vulnerability could be discovered in it that allows malware in – perhaps through a malformed spreadsheet that you get from someone, or some other type of malicious file that leverages or uses Excel.

  3. I dislike all the bloat that MS added after the 2003 version of Office, so 2003 is what I use. I don’t worry about it being “vulnerable”. I have no reason to open an Excel file that originated anywhere outside of my own PC, and I don’t use Word except on a very rare occasion. There are wonderful, less bossy, less bloated, and far less expensive office applications out there that don’t use a ribbon and don’t have side bars popping up all over the place. Oh yeah, and they can open Excel and Word files.

    • But there isn’t a single one of them that can handle Excel macros or advanced Excel formulas. Only Excel is Excel if you are using its advanced features.

  4. In my humble opinion, Office 2000 was the closest thing to perfect that Microsoft ever created. The migration to Office 2003 was unpleasant, but not frustrating. But when my company went to Office 2007, everyone’s productivity fell. I finally found a free Office add-on from Ubit software that adds a “Menu” tab to the ribbon. That helps, but I still prefer the older versions.

  5. It seems to me that the best way to prevent security problems with old software (Office 2003 or XP or anything else) is to unplug your network cable, so that you are not on the network when using the program. Of course you could still potentially have an issue when you do plug back in. And what if you forget to unplug one time? Better yet, if you can manage it, have a computer that is simply never network connected. Run your old software on it and you should never have an issue. The problem of course is that so much of what we do these days is internet dependent. If your program depends on an internet connection to function, you still have an issue. If you need to transfer files to or from your non-network connected computer, you can use USB sticks. Of course even those can transfer malware, but at least you have cut down the risk a lot by keeping your old programs on an isolated machine that can’t directly be touched from the network. Another important thing is to keep your data off your primary computer and on network attached drives (NAS). Those used to be expensive, but are affordable now. If my computer crashes, I still have my data on a NAS drive that is backed up often to an offsite backup. I can reinstall any software that is damaged, but recovering data that is damaged is hard if your computer crashes, unless you have recent backups.

  6. I have a huge file of documents on Word 2003 and also use on a limited basis Word 2007. I have a USB backup of all the 2003 docs.
    Can I transfer all to units running Word 2007? I believe the .doc is not what Word 2007 uses.

  7. About a year and half ago, I finally drove my 1980 Lincoln Mark VI to the scrap yard. I felt about that car like a lot of people seem to feel about Office 2003 and Windows XP. I had lots of (good ?) reasons for keeping that car, but my wife told me that either I have to fix the body on the car, or park it where people can’t see it. So I let it go, because it was the only solution that made sense. Most of the people above would eventually realize that switching to Windows 8.1 and Office 2013 is about the only solution that makes sense. So go for it. Bite the bullet and go through the pain. In a few months, you’ll wonder why you made such a fuss about it!

  8. I’m using Office 2003 to keep track of a few things using Excel on my own home PC or work on a couple of personal documents. I don’t even have half the office suite installed because I have no use for it. Over the last 10 or 11 years, I’ve downloaded/received maybe 5 or 6 documents from others. I think I represent the vast majority of casual PC users that are not in college/university and do not use their personally owned PC for work.

    Under these circumstances, is it worth the money to upgrade my copy of Office 2003 that’s running on a fully updated Windows 7 machine? Is the risk really just downloading malicious office files or is there a way to circumvent windows security simply by having Office 2003 installed? Again, bear in mind I’ve received roughly 1 document from others every 2 years.

  9. I have more or less the same question as Fishman, however, I don’t see a direct answer to his question. Those who replied were suggesting alternatives BUT he was asking about the relative security of running Office 2003 on a Windows 7 computer. I would like to know the same thing.

