Practical Protection: Five Years is Too Long

Let’s take a trip down memory lane. Five years ago, in August 2018, Aretha Franklin, Anthony Bourdain, and John McCain had all recently passed away; Pope Francis came out against the death penalty; a large heat wave in Europe killed dozens of people; and Microsoft was just getting ready to release Office 2019. As they do every month, Microsoft also released a wave of security patches, and they encouraged people to apply them to their Office 2010, Office 2013, and Office 2016 clients. As they do every month, some customers listened and applied the patches, and some didn’t.

Return to today and… surprise? Some customers still haven’t applied patches dating back to November 2017. At least, that’s the report this week from Russian cybersecurity firm Kaspersky Labs, which claims that CVE-2017-11882, a vulnerability in the Word 2010/2013/2016 equation editor, is still being actively exploited. Kaspersky doesn’t disclose any specifics about how often they’re seeing this vulnerability in the wild, but the fact that it’s showing up at all is a problem.

It might be tempting to say “Well, if you’re still running Office 2016, you probably deserve to get hacked.” That’s not wrong but it’s also not helpful. I’m going to take it on faith that the people reading this column have enough technical savvy to realize when they need to deploy OS or application upgrades to stay in support and enough political savvy to get it done. I actually wrote about patching Office back in March 2023, Instead, let’s talk about the mechanics of patching in a little more depth.

Patch Delivery

One point I didn’t touch on in the earlier column: the Office desktop apps actually come in three varieties: “MSI applications” install using the familiar Windows installer format, a version packaged for download from the Microsoft Store, and “click-to-run” (C2R) applications that install using an App-V-based installer. Microsoft has a document that details some of the differences between these formats, but most of us will mostly have C2R applications deployed because that’s the native format for the Microsoft 365 apps and for the volume-licensed version of Office 2019. If you have older versions of Office, or the Visio or Project apps, or users who for some inexplicable reason bought Office from the Microsoft Store, you may have a mix of these license methods.

The installation method matters for two reasons. One is that there are limitations on mixing and matching different installation mechanisms, as described in the Microsoft documentation. The bigger difference is that the update channel you use to receive updates differs between volume-licensed versions of the Office apps and the “regular” versions. However (and, admittedly, this is a bit of an oversimplification) the bits are delivered, though, the basic mechanism for applying them remains the same: a service running on the client workstation checks for updates, downloading any that it finds from the specified source, then updates the applications. The reason I say “specified source” is that both the C2R and MSI versions can be configured to get updated either directly from Microsoft’s content delivery network (CDN) or from a System Center Configuration Manager server that you run yourself. Using ConfigMgr gives you more control over which updates are made available, and when, and that’s attractive to some clients.

Checking your Patch State

In the March column, I briefly mentioned that you can use the Microsoft 365 apps admin center to check on the patch state of machines on your network. However, a few readers have asked questions about why they didn’t see a full complement of their workstations. The answer is that you will only see patch status data for machines that appear in the Inventory view. Simply put, that means you’ll see Windows 10/11 computers running the Microsoft 365 apps builds—no earlier versions will appear. Devices have to be able to reach login.live.com and *.config.office.{com, net} in order to appear here, too. If you look at the Inventory view and don’t see all the expected devices, troubleshoot and fix that problem first. Once the inventory correctly reflects your device estate, you can start using the insights in the Security Update Status page to understand what patches you do and don’t have.

Bait, Switch, and Patch

I started this column by pointing out that there are still people running old and unpatched versions of Office—then I explained how to use modern tools that can’t patch these old versions. This might seem like a bit of false advertising, and in some ways it is. Your ability to automate and monitor patch distribution for these older apps is limited compared to what the Office 365 apps today support. While that might be a partial explanation for why there are still unpatched machines out there, it’s not an excuse. Attackers never get tired of the golden oldies and they’ll keep trying to exploit them in your network when they find them. if you can’t upgrade 100% of your fleet to supported versions that are still getting updates, you owe it to yourself and your organization to ensure that you’re applying whatever security updates are available (if any) but also blocking and remediating old exploits.