At Microsoft, Customer Security Comes Second

I recently learned of yet another security hole in Microsoft Word. This one, a particularly nasty problem, could leave my computer totally open to malicious code in an RTF-formatted document.

Naturally, I wanted to download and install the patch. I went to the Microsoft site and read the instructions. I needed to have the SR-1 or SR-1a update already installed. It was. So I downloaded the patch file and ran it.

Sorry, said the Microsoft installer in the middle of the operation, I now needed to insert my original Office 2000 CD-ROM to actually apply the patch. I didn’t know where the CD was at that moment — if you’ve seen my home office you will understand that comment — and besides, it’s ridiculous for Microsoft to demand it.

I asked for an explanation. Here’s the non-responsive response from one of Microsoft’s public-relations legions:

That is normal Windows Installer behavior which is designed to increase the robustness of patching. When the Windows Installer applies a patch, it first verifies that your installation matches the install source so that the patches don’t get applied into an unknown or unpredictable state. If you would like additional information, the following Knowledge Base article is quite helpful: http://support.microsoft.com/support/kb/articles/Q255/4/99.ASP.

The Knowledge Base article is about applying the SR updates. It’s not about security patches that run on top of Office with those updates already installed.

There’s only one plausible explanation for this situation. Microsoft cares more about making sure that someone isn’t using an unauthorized copy of Office than ensuring data security. Protecting profits is more important than protecting customers.

UPDATE: Phillip Karlsson suggests several other plausible explanations for this:

  • Their programmers are lazy, and care more about that than they do about making sure that everyone has the upgrade.
  • No one has actually looked at the whole picture and thought about the ramifications.
  • They just don’t care, and really want to use these types of things to force us to hand over more cash to upgrade to the latest version of whatever product happens to be at risk this time.

Correction: I originally referred to a security flaw in Outlook, when the hole in this case was in Word.

FURTHER UPDATE: Here are Microsoft PR’s latest words on the subject. I find the explanation not terribly persuasive, but maybe you’ll have different ideas:

    All Office XP and Office 2000 product updates, including the Word 2000 update you referenced, require access to installation media or network installation locations for installation to ensure the integrity of Office 2000 or Office XP. This is because of the Windows Installer technology that was introduced with Office 2000. This technology was designed to help individuals and organizations manage the software installation and removal process as well as manage any software modifications or repairs.

    This is not an anti-piracy feature – it is included in Office 2000 and Office XP to make sure that your Office installation is stable before any new updates are applied.

    The Windows Installer automatically detects and repairs missing or corrupt files in Office applications. This functionality has helped people reduce the number of application failures caused when files are accidentally deleted or overwritten by older files. The installation media or network installation location is required because if a component is found missing or corrupt, Office will repair the component from the original installation source, whether it is from a CD or network installation location.

    The Windows Installer technology also enabled the introduction of deployment and administrative tools, the Custom Installation Wizard and Custom Maintenance Wizard, which are used to customize installations for large organizations and provide a variety of maintenance options. More information on these tools is posted at http://www.microsoft.com/office/ork/xp/appndx/appa00.htm.
