News

Microsoft Offers Office XP Shim, but No Patch

When it comes to security patching, aging Microsoft products appear to require a bit more attention from IT pros.

That seems to be the case with Office XP Service Pack 3, which is one of the applications to be patched listed in Microsoft's massive April security update. The April patch contains security bulletin MS10-036, designed to fix an "important" vulnerability in Office XP, Office 2003 and Office 2007. However, there's no actual fix included for Office XP users.

Instead of a fix, Microsoft recommends applying a workaround or a shim to Office XP, which Microsoft has automated as a Fix it release. It's not a patch, as Microsoft explains in a footnote to the security bulletin.

Technically speaking, Office XP SP3 is still eligible to receive security updates. Per Microsoft's lifecycle support page, "mainstream support" for Office XP SP3 would have ended in 2009, with "extended support" to end in 2014. Microsoft's lifecycle FAQ provides a table showing that security updates continue to be delivered throughout this latter extended support phase. However, what this appears to mean is that IT pros will get the security update, but there's no guarantee of getting a patch with it.

Microsoft has difficulty patching some of its aging products. In the case of Office XP, a whole different architecture would be required, and introducing that would cause new problems to arise, according to Microsoft.

"The product of such a rearchitecture effort could sufficiently introduce an incompatibility with other applications that there would be no assurance that these Microsoft Office products would continue to operate as designed on the updated system," the security bulletin's FAQ explains.

Microsoft may have made patching easier for IT pros, but it's still no cakewalk, according to Jason Miller, data and security team manager at Minneapolis, Minn.-based Shavlik Technologies.

"While patching software has made patch management easier, administrators need to research the bulletins each month for little pieces of information that could adversely affect your network security," Miller explained in a released statement. "For example, MS10-036 has a product that is vulnerable but does not have a patch supplied from Microsoft. Microsoft Office XP SP3 is vulnerable but there are actions you can take to mitigate this vulnerability." 

Miller recommended upgrading to Office 2003 or 2007 as one approach, since Microsoft issued fixes for those products. The latest service packs need to be applied first, however. Otherwise, the Fix it workaround should be used, he noted.

Microsoft recommends patching the affected Office versions to address a potential remote code execution security issue. This vulnerability can be exploited if a user "opens a specially crafted Excel, Word, Visio, Publisher or PowerPoint file" as an e-mail attachment, according to Microsoft's security bulletin.

Microsoft has dropped fixes before in previous security updates, and for similar reasons, according to a Computerworld story by Gregg Keizer. Microsoft omitted a TCP/IP fix for Windows 2000 and Windows XP in its September 2009 patch, he noted.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

Featured

  • AzCopy Preview Adds AWS S3 Data Transfer Improvements

    Microsoft announced this week that it has improved the preview version of its AzCopy tool to better handle Amazon Web Services (AWS) S3 data.

  • Microsoft Adding Google G Suite Migration in Exchange Admin Center

    Microsoft's Exchange Admin Center will be getting the ability to move Google G Suite calendar, contacts and e-mail data over to the Office 365 service "in the coming weeks."

  • Qualcomm Back in Datacenter Fray with AI Chip

    The chip maker joins a crowded field of vendors that are designing silicon for processing AI inference workloads in the datacenter.

  • Microsoft To Ship Surface Hub 2S Conference Device in June

    Microsoft on Wednesday announced a June U.S. ship date for one of its Surface Hub 2S conferencing room products, plus a couple of other product milestones.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.