News

Microsoft Offers Office XP Shim, but No Patch

When it comes to security patching, aging Microsoft products appear to require a bit more attention from IT pros.

That seems to be the case with Office XP Service Pack 3, which is one of the applications to be patched listed in Microsoft's massive April security update. The April patch contains security bulletin MS10-036, designed to fix an "important" vulnerability in Office XP, Office 2003 and Office 2007. However, there's no actual fix included for Office XP users.

Instead of a fix, Microsoft recommends applying a workaround or a shim to Office XP, which Microsoft has automated as a Fix it release. It's not a patch, as Microsoft explains in a footnote to the security bulletin.

Technically speaking, Office XP SP3 is still eligible to receive security updates. Per Microsoft's lifecycle support page, "mainstream support" for Office XP SP3 would have ended in 2009, with "extended support" to end in 2014. Microsoft's lifecycle FAQ provides a table showing that security updates continue to be delivered throughout this latter extended support phase. However, what this appears to mean is that IT pros will get the security update, but there's no guarantee of getting a patch with it.

Microsoft has difficulty patching some of its aging products. In the case of Office XP, a whole different architecture would be required, and introducing that would cause new problems to arise, according to Microsoft.

"The product of such a rearchitecture effort could sufficiently introduce an incompatibility with other applications that there would be no assurance that these Microsoft Office products would continue to operate as designed on the updated system," the security bulletin's FAQ explains.

Microsoft may have made patching easier for IT pros, but it's still no cakewalk, according to Jason Miller, data and security team manager at Minneapolis, Minn.-based Shavlik Technologies.

"While patching software has made patch management easier, administrators need to research the bulletins each month for little pieces of information that could adversely affect your network security," Miller explained in a released statement. "For example, MS10-036 has a product that is vulnerable but does not have a patch supplied from Microsoft. Microsoft Office XP SP3 is vulnerable but there are actions you can take to mitigate this vulnerability." 

Miller recommended upgrading to Office 2003 or 2007 as one approach, since Microsoft issued fixes for those products. The latest service packs need to be applied first, however. Otherwise, the Fix it workaround should be used, he noted.

Microsoft recommends patching the affected Office versions to address a potential remote code execution security issue. This vulnerability can be exploited if a user "opens a specially crafted Excel, Word, Visio, Publisher or PowerPoint file" as an e-mail attachment, according to Microsoft's security bulletin.

Microsoft has dropped fixes before in previous security updates, and for similar reasons, according to a Computerworld story by Gregg Keizer. Microsoft omitted a TCP/IP fix for Windows 2000 and Windows XP in its September 2009 patch, he noted.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

Featured

  • Cloud Services Starting To Overtake On-Prem Database Management Systems

    Database management system (DBMS) growth is happening more on the cloud services side than on the traditional "on-premises" side, according to a report by Gartner Inc.

  • How To Replace an Aging Domain Controller

    If the hardware behind your domain controllers has become outdated, here's a step-by-step guide to performing a hardware refresh.

  • Azure Backup for SQL Server 2008 Available at Preview Stage

    Microsoft added the option of using the Azure Backup service to provide recovery support for SQL Server 2008 and SQL Server 2008 R2 when those workloads are hosted on Azure virtual machines.

  • Microsoft Suggests Disabling Old Protocols with Exchange Server 2019

    Exchange Server 2019 with Cumulative Update 2 (CU2) can help organizations rid themselves of old authentication protocols, which constitute a potential security risk.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.