Outdated MS Office in video "Why do we need so many servers??"
5 hours ago, Ryan_Vickers said: You've misinterpreted my asking a question as stating a fact, and then gotten seemingly quite angry that I don't agree with you before even giving me a chance to read your information, much less respond. Not sure why you're treating this like a fight and getting so riled up but I'd suggest taking a break to do something else for a while.
To get to the actual meat of this, if I understand correctly, you're saying that old versions of Office are regularly found to have some vulnerability that newer versions (specifically 2016) are already immune to? If so, that's all I wanted to know. I'm surprised by that to be honest, and it's not something I'd heard of before or ever thought about. Makes me wonder what they've changed that they can't port back to older ones in an update. I mean it's not like it's a highly complex thing like an OS. If you know that too, feel free to explain.
The primary reason is that the newer versions of Office (2013 and onwards, but more prominently 2016 and onwards) have had an updated build process that integrates most of the protection that used to require using EMET to achieve. Much of what EMET is needed for on versions of Windows before Windows 10 (1703) is now built into the operating system too, so EMET is not recommended anymore for anyone running Windows 10 1703+. The code refactoring of Office also means that all versions of Office across every platform now share the same, unified codebase, meaning problems are easier for Microsoft to fix and deploy.
These built-in protections mean that everyone, even standard users and small businesses, gets the hardening that EMET offers if they run the newest version of Office, without the need to configure and deploy EMET to all client systems. Of note is that EMET is only partially effective at securing older versions of Office, since they are built on older code that has incompatibilities with the protections EMET offers - the last time I checked, Office versions before 2013 could only have basic features forced on like ASLR, and nothing more advanced like SEHOP or heap spray/ROP mitigations without causing feature breakage.
Not having these mitigations by default means that when a vulnerability is found, even if it affects all Office versions including 2016, it's much easier for exploitation on earlier versions.
In many ways, it's worth thinking about Office as being just as complex as Windows - it's got the same multi-decade compatibility that Microsoft clings to, meaning that there are a lot of old pieces of code. They've done a lot of work to bring hardening to Office, but EMET used to be a de-facto requirement for any secure environment (as attested to by the NSA among others) and these mitigations built in from 2016 and above mean any business - especially if they are using an older version of Windows like Windows 7 - should use the latest version of Office if at all possible.
Note that the NSA link above will give you a certificate error when you visit it. The NSA wants people to install and use their own root cert when viewing their public documents on the IAD site, but I highly recommend against doing so. If you install their root cert, the NSA could intercept, decrypt and modify any secure traffic if they ever got MitM access (like by being on an interim network). You can ignore the cert and assume the site is insecure, or you can google for the document - it's titled Microsoft's Enhanced Mitigation Experience Toolkit - A Rationale for Enabling Modern Anti-Exploitation Mitigations in Windows.
Finally, as for how I spoke to you before, it was inappropriate and I'm sorry. I've found in the past that whenever an admin or a staff member posts, they tend to be believed by default, and it makes it much harder to set the record straight in some instances. Still, that's not an excuse, and I apologise.
I hope my explanation above makes sense now though.
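The build-time side of the mitigations discussed in the post above (ASLR, DEP and related opt-ins compiled into the binary rather than forced on by EMET) is visible in a PE file's `DllCharacteristics` field. The following is an added example, not part of the original thread and not Microsoft tooling; the function names, the baseline set and the sample headers are constructed for illustration.

```python
import struct

# DllCharacteristics bits from the PE/COFF optional header (build-time opt-ins).
FLAGS = {
    0x0020: "HIGH_ENTROPY_VA",  # 64-bit ASLR
    0x0040: "DYNAMIC_BASE",     # ASLR
    0x0100: "NX_COMPAT",        # DEP
    0x0400: "NO_SEH",           # image uses no SEH handlers
    0x4000: "GUARD_CF",         # Control Flow Guard
}
BASELINE = {"DYNAMIC_BASE", "NX_COMPAT"}  # assumed minimum for this demo

def pe_mitigations(data: bytes) -> set:
    """Return the mitigation flags a PE image opts in to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 24 + 72 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad or truncated PE header")
    opt = pe_off + 24                                 # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                   # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (chars,) = struct.unpack_from("<H", data, opt + 70)
    return {name for bit, name in FLAGS.items() if chars & bit}

def missing_baseline(data: bytes) -> set:
    """Baseline mitigations the image does NOT opt in to."""
    return BASELINE - pe_mitigations(data)

def sample_pe(chars: int) -> bytes:
    """Constructed minimal PE32+ header (not a real Office binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + b"\0" * 20
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, chars)
    return dos + coff + bytes(opt)

if __name__ == "__main__":
    for label, chars in (("hardened build", 0x4160), ("legacy build", 0x0000)):
        img = sample_pe(chars)
        print(label, sorted(pe_mitigations(img)), "missing:", sorted(missing_baseline(img)))
```

To audit a real installation, pass the bytes of each executable and DLL in the Office program directory to `missing_baseline` and review any file that returns a non-empty set.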
Is it dangerous to run an outdated version of MS Office? (Your opinion)
88 members have voted