M$ Publisher Update

analog

A couple of years back, Microsoft issued a security update for Publisher,
KB894540. Said brilliant bit of code updating had a slight side effect: it
rendered almost every .pub file on our half-dozen machines unreadable. The fix
was to doctor the registry or roll back to the unpatched state, a daunting task
on a dial-up connection due to the necessity to install Office 2000 from scratch
and download all the sequential updates.

What was happening was that the security patch saw any older .pub file as
potentially malicious code, and there was no easy way to prevent that. The
entire experience was a royal PITA!

On February 12, M$ issued a new set of updates for Office that apparently are
aimed at the same malicious code (and some other newer threats as well). On
February 13, the KB article was updated to say there are no known issues with
these patches. Having gone through hell once before, I was hesitant to install
these updates without knowing for certain they would not flag old work product
files as malicious, and render them as unreadable.

I contacted M$, and of course could not get a straight answer. Heck, I could
not even get them to understand the question... I then demanded escalation, and
here is an email I received:

"Hi Syd,

"This is Yogesh with Microsoft Technical Support.
I am contacting you regarding your case 1058846320.

"I wanted to inform you about the kb articles that you have provided for the
updates of Publisher 2000 that these updates are as security updates of the
application reading the earlier files as malicious.

"I escalated the issue and found some solution that you can try by:

"Re-save the file publisher files again and then install (kb 946255) the updates
which makes the files as new and the updates can be done and the files will not
be treated as malicious.

"Please let me know if the steps we discussed have resolved your issue by
replying to this e-mail, so that I can update your case accordingly. We would be
happy to continue to assist you if necessary."

Is this correct? Has anybody had a problem with these latest updates?

TIA.

Syd
 
Don Schmidt

Syd,
I have Publisher 2000 on my Windows XP Pro 2SP computer but don't have
either of the KBs you mentioned. I verified (google) both exist but to date
MS hasn't informed me to get them. I do have about 60 other SPs though
listed in BelArc Advisor report.

My Publisher 2000 program came as a stand alone CD.
 
Mary Sauer

Not sure I know what you are asking.

I can open Publisher 2.0 files in Publisher 2000. I know before I could not, but
after the new security update I was once more able to open 2.0 files in 2000 and
2002. The files will not open in 2003 or 2007 unless I re-save them.

I don't want to steer you wrong on this. I can only relate my experience.
 
DavidF

Syd,

Reference:
http://www.microsoft.com/technet/security/bulletin/ms08-012.mspx

from that article:
"How could an attacker exploit the vulnerability?
This vulnerability requires that a user open a specially crafted Publisher
file with an affected edition of Microsoft Office Publisher.
In an e-mail attack scenario, an attacker could exploit the vulnerability by
sending a specially-crafted file to the user and by convincing the user to
open the file."

Seems to me that unless you open an "infected" Pub file, that you do not
need the patch. Consider the workaround proposed:
"Microsoft has tested the following workarounds and states in the discussion
whether a workaround reduces functionality: Do not open or save Microsoft
Office files that you receive from untrusted sources or that you receive
unexpectedly from trusted sources. This vulnerability could be exploited
when a user opens a specially crafted file."

Du'oh! When was the last time you opened a Pub file that you didn't
create? When will be the next?

I am certainly not trying to suggest not installing a patch that MSFT
considers "critical"...

DavidF
 
analog

Yeah, I am aware of those realities. I do not think I have EVER opened a
Publisher file on these computers I did not create. Nevertheless, like you say,
M$ calls this a critical update for Office (my profile actually causes a group
of three related updates to show). Since I got badly burned when I installed
the predecessor to these updates, I cannot help feeling a bit paranoid. I do
like to keep my machines fully updated, but I have a hard time trusting M$ after
that last fiasco that took many hours to fix.
 
analog

Mary:

You probably do not remember ragging my ass about this a couple of years ago.
You suggested I could not possibly be right about that original update rendering
perfectly good .pub files unreadable in the very program that created them. But
that was exactly what happened, and M$ finally addressed the problem including
issuing instructions for manually fixing the registry (gawd forbid).

Once burned, twice shy is the reason I am a bit hesitant to install this group of
patches. What I want is for somebody at M$ to say yea or nay as to whether
these latest patches were done with an eye toward the inadvertent disaster
caused by the original patch. The KB says "no issues" as of the February 13
revision to the article, but that email from tech support seems to suggest
otherwise by requiring resaving of all old work product files. A better
explanation is in order.
 
Mary Sauer

Wow, Syd, I would have called it differently than ragging your a**. I found my
reply to you; I replied before I knew the 2.0 files were unusable with the
security patch. There was a lame apology posted. I'm sorry if you are still
smarting.

I have an old computer with 2.0 installed on it. I copied a few files to a
floppy yesterday, copied them to this Vista hard drive, they opened fine on
Publisher 2000 and 2002. If I re-save them they will open with 2003 and 07. So,
I am assuming the Security Update for Windows Vista (KB943055) did cure the
problem.
 
Don Schmidt

Update!

I missed the KB946255 update mentioned later in the OP's original note.

Yep, I installed KB946255 and when I went to edit a website pub file, delete
a text box, up popped the insidious "..... has run into ...." "please inform
Microsoft". Next tried to uninstall the KB but in the Add/Remove list it
states, "can not be removed". Next googled for KB946255 and got the
Microsoft page that tells all about this KB and in the verbiage it says to
remove the KB, uninstall Publisher then reinstall Publisher without the KB.
Got out the Pub CD, SR1a, SR2 and SR3.

BUT!!!

If you need to do this, be sure you have the ProductKey available.

Did the reinstall and I think all is fine again.

These little annoyances do tend to keep us old folks at the edge of our
rocking chairs. <G>
 
DavidF

Syd,

I understand what you are saying, and you can color me even more paranoid if
you want. I accept the fact that in spite of their best efforts some of the
patches that MSFT provides fix one thing, and break another. Rather than
take the risk of a patch breaking something on my machines, I have turned
off automatic updating. I run a good antivirus and a good firewall (not
MSFT), and practice "safe computing", and as a general rule only install
SPs, not the individual patches...and even then only when I have to. I
figure that by the time a SP is released, a lot of these fix/break patches
that are introduced between SPs have been tweaked and fixed. I am sure that
isn't always true, but I figure it is less risky to my machines than the hot
fixes and patches. I also set a restore point and/or make an image of my C
drive before installing SPs. Acronis True Image is a great program...

I refuse to "upgrade" to Vista, to IE7, etc., and I am willing to take my
chances by not installing patches, even if MSFT deems them critical. But, I
am not willing to suggest other people do the same. It is up to you to
evaluate the risk/reward. Don and Mary's comments are probably more relevant
to this discussion than mine, as they have installed the patches. Good luck.

DavidF
 
analog

I largely agree with your philosophy. I use Norton Ghost to accomplish the same
thing.  Every machine has at least two hard drives with one reserved for a
carbon copy of the C: drive. That has come in handy a couple of times, but I
had forgotten to do that when I installed that older patch. Senility is hell...
 
analog

My problem was with files that were created in Publisher 2000, then would not
open in that very same program once the patch was installed.

Smarting is a bad way to describe it, but I am often less than favorably
impressed with the reaction of MVPs.

As you may recall, I have been very annoyed with M$ over their failure to
provide a way to migrate from Publisher to some other html editing program. I
was recruited for a class action lawsuit concerning said problem, but for
whatever reason, it has still not been filed. I think I may still be
maintaining the largest commercial website in Publisher unless some other fool
has made the same mistake I did.
 
analog

Don:

Am I understanding that you ran into trouble installing the February 12, 2008
patch, and not the one from 2006?

Yeah, you hafta have the product key, and lots of patience if you do not have
all the updates on CD.

On Sat, 23 Feb 2008 04:18:59 -0800, "Don Schmidt" <Don
 
Don Schmidt

Yes, after installing the Feb 12, 2008 patch I could no longer delete a text
box in my website pub 2000 file. I kept getting the "Pub 2000 ran into a
problem" notify Microsoft. But, all is well again after the uninstall and
reinstall of Publisher 2000 and its three SRs.
 
