News

Microsoft Offers Office XP Shim, but No Patch

When it comes to security patching, aging Microsoft products appear to require a bit more attention from IT pros.

That seems to be the case with Office XP Service Pack 3, which is one of the applications to be patched listed in Microsoft's massive April security update. The April patch contains security bulletin MS10-036, designed to fix an "important" vulnerability in Office XP, Office 2003 and Office 2007. However, there's no actual fix included for Office XP users.

Instead of a fix, Microsoft recommends applying a workaround or a shim to Office XP, which Microsoft has automated as a Fix it release. It's not a patch, as Microsoft explains in a footnote to the security bulletin.

Technically speaking, Office XP SP3 is still eligible to receive security updates. Per Microsoft's lifecycle support page, "mainstream support" for Office XP SP3 would have ended in 2009, with "extended support" to end in 2014. Microsoft's lifecycle FAQ provides a table showing that security updates continue to be delivered throughout this latter extended support phase. However, what this appears to mean is that IT pros will get the security update, but there's no guarantee of getting a patch with it.

Microsoft has difficulty patching some of its aging products. In the case of Office XP, a whole different architecture would be required, and introducing that would cause new problems to arise, according to Microsoft.

"The product of such a rearchitecture effort could sufficiently introduce an incompatibility with other applications that there would be no assurance that these Microsoft Office products would continue to operate as designed on the updated system," the security bulletin's FAQ explains.

Microsoft may have made patching easier for IT pros, but it's still no cakewalk, according to Jason Miller, data and security team manager at Minneapolis, Minn.-based Shavlik Technologies.

"While patching software has made patch management easier, administrators need to research the bulletins each month for little pieces of information that could adversely affect your network security," Miller explained in a released statement. "For example, MS10-036 has a product that is vulnerable but does not have a patch supplied from Microsoft. Microsoft Office XP SP3 is vulnerable but there are actions you can take to mitigate this vulnerability." 

Miller recommended upgrading to Office 2003 or 2007 as one approach, since Microsoft issued fixes for those products. The latest service packs need to be applied first, however. Otherwise, the Fix it workaround should be used, he noted.

Microsoft recommends patching the affected Office versions to address a potential remote code execution security issue. This vulnerability can be exploited if a user "opens a specially crafted Excel, Word, Visio, Publisher or PowerPoint file" as an e-mail attachment, according to Microsoft's security bulletin.

Microsoft has dropped fixes before in previous security updates, and for similar reasons, according to a Computerworld story by Gregg Keizer. Microsoft omitted a TCP/IP fix for Windows 2000 and Windows XP in its September 2009 patch, he noted.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • The 2020 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generations of .NET and PowerShell, here's what's on tap from Microsoft this year.

  • Microsoft To Switch to Subscription Model for Some Server Products

    New application server products coming from Microsoft in the second half of 2021 will be offered only on a subscription basis.

  • Party Lights Graphic

    Microsoft Positions Itself as the Platform of Choice for 5G

    As telecom companies begin rolling out 5G services, Microsoft is touting its 5G bona fides, namely Azure support for SDN.

  • Ivanti Plans Double Acquisition of Pulse Secure and MobileIron

    In a bid to enhance its mobile endpoint security offerings, Ivanti announced on Monday "definitive agreements" to acquire MobileIron and Pulse Secure.