Security Updates for MS Office X?

[preid]

Over the last few months Microsoft have issued several important
security updates for MS Office 2004 for Mac (5 releases since Jan
'07). However, there have been no security updates for MS Office X
for Mac since the 10.1.9 update in Jan '07.

Does anyone know whether this means that Office X is not prone to
these later security problems or is it simply that Microsoft have
simply stopped issuing security updates for Office X now?

I am asking as one of my clients is still using Office X (waiting for
Office 2008 before considering upgrading!) and I'm concerned about the
security of Office X given the number of security releases for Office
2004 (and all other versions of Office for Windows).

 

[Elliott Roper]

Over the last few months Microsoft have issued several important
security updates for MS Office 2004 for Mac (5 releases since Jan
'07). However, there have been no security updates for MS Office X
for Mac since the 10.1.9 update in Jan '07.

Does anyone know whether this means that Office X is not prone to
these later security problems or is it simply that Microsoft have
simply stopped issuing security updates for Office X now?

The latter.

I am asking as one of my clients is still using Office X (waiting for
Office 2008 before considering upgrading!) and I'm concerned about the
security of Office X given the number of security releases for Office
2004 (and all other versions of Office for Windows).

I wouldn't worry too much. Most of the vulnerabilities being addressed
are theoretical. That is, there are few if any serious exploits in the
wild for Office X or any other Office for Mac. Yet. Excepting macro
attacks. Susceptibility to macro attacks is a built-in feature of all
Office products and is not going away any time soon. It dwarfs all
other vulnerabilities by an order of magnitude.

Macro attacks are always initially trojans. That is, the recipient has
to open an infected document before his Office environment is wrecked.
Once wrecked, the virus will spread to other Office documents more or
less unbidden. Many of the worst of them go on to attack the hosting
Windows computer, in addition to their Office environment. Although
there is little chance of your whole Mac being pooched, it can still
act as a carrier, passing the evil on to other peoples' Windows
machines whenever you send them infected files.

Don't open any Office document you get from anywhere unless you are
sure of the sender's integrity and competence, and you have determined
the authenticity of the transfer to you.
Regardless of whether you have applied all the updates.
There is a preference setting to emit a warning if the document you are
about to open contains macros. It is not a perfect guard, but it helps
a little when used prudently.

In summary. You'll be OK with v.X till 2008 hits. But watch the news.
The first time a Mac virus goes really wild, it will be all over the
papers.

 

[John McGhie]

Hi, whatever your name is...

OK, this is a "When did you stop beating your wife" question!

There are two answers:

1) Microsoft Office X has officially moved to the "Retired products" list.
Basically, that means "the latest version has been on sale for more than two
years".

Which means that you are quite correct: Microsoft has stopped issuing
updates for it. The support that was available remains available. The
knowledgebase remains available, and so do all the patches.

If they find a really dangerous issue that affects X and 2004, they will
make a patch available for 2004, and if it fits X as well, they will publish
it for Office X also. If the patch does not fit X, they *might* make
another version of the patch available for X as well. That's what we pay
for, and it's all explained in the published information we get when we buy
the product.

2) The probability of your client encountering an exploit that takes
advantage of any remaining security holes in Office X is extremely low. The
virus writers stop supporting a product around the same time Microsoft does


So I would be quite comfortable advising your client that he can continue to
wait, and purchase the next version when it comes out.

For extra peace of mind, he might consider installing an Internet Security
Suite. I would advise him to do that anyway, because the next version of
Mac Office is likely to be more "compatible" with the PC version, and thus,
vulnerable to the same exploits. And of course, Office 2007 is attracting
the attention of the most devious minds in the malware community, because it
presents a nice juicy 500,000,000-computer target.

Then again, the finest minds in the Microsoft Security Department spent at
least two years making the next version more secure than the previous
versions, so the malware guys have a harder target this time around.

Bottom line? Provided your client is using normal good computer
house-keeping practices (antivirus, regular backups, sensible internet
usage, no surfing "free" music or pr0n sites...) he has nothing to worry
about.

If your client is one of those "out of sight, out of mind" people, he will
get wiped out by something eventually, and nothing you can say will make any
difference until it happens.

Hope this helps

Over the last few months Microsoft have issued several important
security updates for MS Office 2004 for Mac (5 releases since Jan
'07). However, there have been no security updates for MS Office X
for Mac since the 10.1.9 update in Jan '07.

Does anyone know whether this means that Office X is not prone to
these later security problems or is it simply that Microsoft have
simply stopped issuing security updates for Office X now?

I am asking as one of my clients is still using Office X (waiting for
Office 2008 before considering upgrading!) and I'm concerned about the
security of Office X given the number of security releases for Office
2004 (and all other versions of Office for Windows).

--
Don't wait for your answer, click here: http://www.word.mvps.org/

Please reply in the group. Please do NOT email me unless I ask you to.

John McGhie, Consultant Technical Writer
McGhie Information Engineering Pty Ltd
http://jgmcghie.fastmail.com.au/
Sydney, Australia. S33°53'34.20 E151°14'54.50
+61 4 1209 1410, mailto:[email protected]

 

[Gerald Vogt]

See http://support.microsoft.com/gp/lifemacfaq

Gerald

 

[preid]

Seehttp://support.microsoft.com/gp/lifemacfaq

Gerald

Hi Gerald, John & Elliot,

Thanks for the feedback from you all.

I had guessed that MS had stopped producing updates for Office X, but
hadn't come across anything saying so - like the link from Gerald!

I realised that macros are the major threat and that this is
relatively low level (but not non-existent) for Mac users. However,
recent security updates for Office 2004 seem to imply they related to
non-macro issues and were altogether more serious. So, even though
the threat on Macs is low, I am still somewhat concerned about the
potential for my client to download an Office file or click on a web
site link that triggers one of these issues.

Given that later versions of MS software are supposed to be more
secure than earlier ones, the fact that there have been 5 security
updates so far this year for Office 2004, makes me wonder about the
state of the older Office X?!

I'll just have to make sure my client understands the situation and
can make their own informed decision on what protective measures they
feel are necessary.

Best regards

Peter

PS sorry for the initial anonymity, I'm not hiding, I just hadn't set
up a profile when I posted the query!

 

[preid]

Hello Peter,

I hear what you're saying.

If your client doesn't have many Macs and is still concerned, they could do
a lot worse than buy a cheap copy / cheap copies of Office 2004 on E-Bay or
whatever. Even new the price is now quite low. Depends on the need for peace
of mind. Personally I wouldn't bother, but ...

Cheers,

Clive Huggan

Hello Clive,

I know the director of the small company concerned will not buy the
current/old Office 2004 as he simply could not be persuaded there was
sufficient reason vs. the cost. The standard price for an upgrade of
a business copy of Office in the UK is £150-£175 and they'd need about
20 copies. On top of that, there would be my time installing it
across their 20 systems. It just doesn't make financial sense given
the very low level of threat perceived.

I don't think they'll upgrade Office at all until either a) there is a
major Mac compromise event in reality (not theoretical), or b) they
have serious problems dealing with later Office files coming in from
customers. In general they never send Office files to customers, they
prefer to send PDFs instead, so compatibility is really one-way only -
receiving files rather than sending them.

The reality is that Office X does all they want to do at present and
this isn't likely to change any time soon. In fact, it is more likely
that they'll buy a couple of copies of Office 2008 (when it finally
appears) just to deal with any compatibility issues and stick with
Office X or even switch to using OpenOffice/NeoOffice for the fairly
straightforward stuff they do with Word, PowerPoint and Excel!

To be honest, for most other people I advise, I get them to use
NeoOffice and to delay any purchase of MS Office at least until Office
2008 appears. At that time they can decide whether they really need
to spend mega M$, or whether NeoOffice does all they need anyway!

Cheers,

Peter Reid
Loughborough, UK