News

Microsoft Offers Office XP Shim, but No Patch

When it comes to security patching, aging Microsoft products appear to require a bit more attention from IT pros.

That seems to be the case with Office XP Service Pack 3, which is one of the applications to be patched listed in Microsoft's massive April security update. The April patch contains security bulletin MS10-036, designed to fix an "important" vulnerability in Office XP, Office 2003 and Office 2007. However, there's no actual fix included for Office XP users.

Instead of a fix, Microsoft recommends applying a workaround or a shim to Office XP, which Microsoft has automated as a Fix it release. It's not a patch, as Microsoft explains in a footnote to the security bulletin.

Technically speaking, Office XP SP3 is still eligible to receive security updates. Per Microsoft's lifecycle support page, "mainstream support" for Office XP SP3 would have ended in 2009, with "extended support" to end in 2014. Microsoft's lifecycle FAQ provides a table showing that security updates continue to be delivered throughout this latter extended support phase. However, what this appears to mean is that IT pros will get the security update, but there's no guarantee of getting a patch with it.

Microsoft has difficulty patching some of its aging products. In the case of Office XP, a whole different architecture would be required, and introducing that would cause new problems to arise, according to Microsoft.

"The product of such a rearchitecture effort could sufficiently introduce an incompatibility with other applications that there would be no assurance that these Microsoft Office products would continue to operate as designed on the updated system," the security bulletin's FAQ explains.

Microsoft may have made patching easier for IT pros, but it's still no cakewalk, according to Jason Miller, data and security team manager at Minneapolis, Minn.-based Shavlik Technologies.

"While patching software has made patch management easier, administrators need to research the bulletins each month for little pieces of information that could adversely affect your network security," Miller explained in a released statement. "For example, MS10-036 has a product that is vulnerable but does not have a patch supplied from Microsoft. Microsoft Office XP SP3 is vulnerable but there are actions you can take to mitigate this vulnerability." 

Miller recommended upgrading to Office 2003 or 2007 as one approach, since Microsoft issued fixes for those products. The latest service packs need to be applied first, however. Otherwise, the Fix it workaround should be used, he noted.

Microsoft recommends patching the affected Office versions to address a potential remote code execution security issue. This vulnerability can be exploited if a user "opens a specially crafted Excel, Word, Visio, Publisher or PowerPoint file" as an e-mail attachment, according to Microsoft's security bulletin.

Microsoft has dropped fixes before in previous security updates, and for similar reasons, according to a Computerworld story by Gregg Keizer. Microsoft omitted a TCP/IP fix for Windows 2000 and Windows XP in its September 2009 patch, he noted.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • Phishing Tops Concerns in Microsoft Study of Remote Work

    Potential phishing attacks were a top concern of most IT security professionals when organizations switched to remote-work conditions early last year.

  • How To Configure Windows 10 for Intel Optane Memory

    Intel's Optane memory technology can significantly improve the performance of your Windows 10 system -- provided you enable it correctly. A single mistake can render the system unbootable. Here's how to do it the right way.

  • Microsoft and SAP Enhance Partnership with Teams Integration

    Microsoft and SAP this week described continuing partnership efforts on Microsoft Azure, while also planning a Microsoft Teams integration with SAP's enterprise resource planning product and other solutions.

  • Blue Squares Graphic

    Microsoft Previews Azure IoT Edge for Linux on Windows

    Microsoft announced a preview of Azure IoT Edge for Linux on Windows, which lets organizations tap Linux virtual machine processes that also work with Windows- and Azure-based processes and services.

comments powered by Disqus