Establishing Digital Trust: Don't Sacrifice Security for Convenience
Almost hidden in the notes to this week's massive "Patch Tuesday" security fix drop was a notice that one bug in Office XP won't be patched because it would require a lot of re-architecting that's just not feasible.
Microsoft (NASDAQ: MSFT) issued one of its largest security patch releases ever on Tuesday.
Office XP, which originally shipped in 2001, is still officially covered under "extended" technical support, and that coverage doesn't end until July 12, 2011, according to Microsoft's support lifecycle document.
However, the vulnerability, which is located in Office XP's COM validation technology, would require too much work to make it practical to repair the nearly ten-year-old version of the application suite. COM (short for component object model) is an outmoded interprocess communications technology meant to enable communications between processes running on different networked Windows computers.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"The architecture to properly support the fixes to correct validation does not exist on Microsoft Office XP, making it infeasible to build the fixes for Microsoft Office XP products to eliminate the vulnerability. To do so would require re-architecting a very significant amount of the Microsoft Office XP products, not just the affected components," said an FAQ in the Security Bulletin describing the vulnerability.
Luckily for Office XP users, the validation flaw is only rated as "important" -- the second-highest severity rating in Microsoft's four-tiered scale -- which means that it's less likely to be attacked by malicious hackers. Flaws that garner a "critical" rating are often much easier to successfully exploit than an important flaw.
Microsoft made a similar decision when it came to patching a vulnerability in Windows XP and Windows 2000 last summer. That flaw was rated as important for Windows 2000 and "low" -- Microsoft's lowest threat level -- for Windows XP.
In the earlier case, a successful exploit would only result in what's called a "denial of service," which usually means it would cause the attacked computer to crash, but little else.
In the case of the validation flaw, however, a successful attack could end up with the attacker taking control of the user's PC.
Validation flaw has a 'Fix-It' solution
Although Microsoft has no plans to patch Office XP, it won't leave users completely out to dry. It has released a Fix It solution that will at least mitigate the problem. Microsoft's Fix It solutions aim to automatically remediate end users' problems -- whether by installing a bug fix or a workaround.
"Although this is not a code fix in the Office products themselves, the Microsoft Fix It solution provides similar protections against the vulnerability described in this bulletin," the FAQ continued.