There used to be a fine dividing line between the capabilities of operating systems and the applications that ran on them. Operating systems let you manage devices and files, apply permissions, and so on, while applications allow you to create and modify data. In today’s world, though, there’s a lot of blurring of this boundary: you can apply and manage permissions inside documents, synchronize data and files, and do lots of formerly-OS-level things directly from inside applications like the ones included in Microsoft Office. For the most part, this is good news because it makes it easier for all of us to work and share our work more efficiently and effectively. But it also means that a security flaw in an application can expose the underlying OS—and thus the device, and therefore the entire network that the device connects to—to security threats.
In general, the worst vulnerabilities are those that can lead to remote code execution, or RCE. Flaws in this class can let an attacker run their own code on your device. If you’re familiar with the immutable laws of computer security (and you should be!), laws #1 and #2 both highlight why RCE vulnerabilities are bad. This, of course, raises the question of how the attacker gets code onto the target machine in the first place. One common vector is in files—if the attacker can trick the victim into downloading or opening a file containing the attacker’s content, that may be sufficient to exploit a vulnerability. This isn’t supposed to be that easy because most applications don’t mean to support code execution. However, application bugs can lead to situations where non-executable data is treated as executable code, and then (pace immutable law #1) it isn’t your computer anymore. One area that’s prone to this kind of problem is parsers, the application components that read input in a specific format and convert it to another. Writing error-free parsers is notoriously difficult for a variety of reasons—which is why applications with parsers are the source of lots of security problems. Look at the history of vulnerabilities found in Adobe Acrobat, for example (Acrobat is basically a giant parser that handles PDF files), and you’ll see what I mean.
The Latest Example: RTF RCE in Word
Microsoft Word has fallen prey to this class of attack multiple times over the years too. The latest example is CVE-2023-21716, an RCE flaw in Word for Windows. An attacker can craft a malicious Rich Text Format (RTF) file that will leverage a bug in Word’s RTF table parser. The bug causes Word to push part of the contents of the RTF file into the heap, where it can be executed—so if the attacker delivers a malicious file and the victim opens it, poof! Now the attacker’s code is running on the victim’s system. Microsoft already patched this bug in the February Patch Tuesday update, and it’s not that interesting a bug in itself. Still, it’s a good illustration of what I really want to talk about: tracking security patch deployment for Office.
Office security update distribution
You’re probably already familiar with how Office security updates are distributed. In brief, users who are on the Current Channel (which should be the majority of your users per Microsoft’s recommendations) will get security updates whenever they’re ready, with feature updates interleaved as needed. Microsoft’s description makes it clear that security updates will always be released on Patch Tuesday, but can also arrive at any other time that they have an important security fix to release:
Current Channel usually receives new features at least once a month, but there’s no set schedule for when those updates are released…Current Channel also receives other updates during the month, which include security and non-security updates. There’s no set schedule for these updates, but in general there are two or three releases each month, including one on the second Tuesday of the month.
…But Don’t Take My Word for It
The Microsoft 365 Apps admin center allows you to track which specific devices have which specific security updates in your organization. Some organizations take a managed approach to control the distribution of updates. However, if you’re like most admins, you’ve probably been content to let individual client devices download updates and install them automatically. It’s a testament to the overall quality of the Windows Update and Office update services that this laissez-faire approach actually works pretty well for most of us. However, in today’s world, it’s not a great idea to blindly trust that the right devices are getting the right updates. At a minimum, you should be spot-checking devices, but this is time-consuming, and it’s not feasible in large or distributed organizations.
Microsoft has a solution: the security updates dashboard in the Microsoft 365 Apps admin center. The purpose of this dashboard is simple: it shows you which devices do not have the latest Office security update installed. As I write this in early March 2023, that means the February 14, 2023 Patch Tuesday update, but of course, this will change over time. Armed with this knowledge, you can do several things, starting with investigating why those specific devices didn’t get updated, then moving on to determining the best way to get them patched, and concluding with taking steps to ensure they get patched in the future, too.
The dashboard also links to an inventory report that contains a list of all known devices, which is useful if you want a higher-level view because the list contains information about whether each device has Office add-ins, is enabled for Office macros, and when the device was last seen.
In both the “needs update” and inventory views, you can click on a specific device to see details about its OS and Office version, plus some basic information about its hardware. It’s not a replacement for Microsoft Endpoint Manager, but it is useful when trying to determine whether a device that’s missing updates needs special attention.
You can also use the dashboard to set an update goal. This goal is expressed using two metrics: target time to update (in other words, how long after an update is released should it be installed?) and the target percentage. For example, you might say that you want 90% of devices updated within five days after an update is released. The dashboard will show how well you are progressing towards meeting that goal… or not.
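As an added example (not part of the original article and not the admin center’s own code), here is how the inventory fields described above (add-ins, macros, last seen) and the two goal metrics could be reproduced from an inventory export, so that the “needs update” list and the goal progress can be checked outside the dashboard. The field names, build strings and device rows are constructed assumptions; the page does not describe the export format, and the builds are placeholders rather than real Office version numbers.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class Device:
    name: str
    office_build: str            # build the device reports (assumed field)
    updated_on: Optional[date]   # day the current build was installed, None if unknown
    macros_enabled: bool         # inventory column named in the article
    has_addins: bool             # inventory column named in the article
    last_seen: date              # inventory column named in the article

def build_tuple(build: str) -> Tuple[int, ...]:
    """Turn '16.0.16000.20000' into a comparable tuple of integers."""
    return tuple(int(part) for part in build.split("."))

def needs_update(dev: Device, latest_build: str) -> bool:
    """True when the device reports a build older than the latest security update."""
    return build_tuple(dev.office_build) < build_tuple(latest_build)

def goal_progress(devices: List[Device], latest_build: str,
                  released: date, target_days: int) -> float:
    """Fraction of devices that were on the latest build within target_days of release."""
    deadline = released + timedelta(days=target_days)
    met = [d for d in devices if not needs_update(d, latest_build)
           and d.updated_on is not None and d.updated_on <= deadline]
    return len(met) / len(devices) if devices else 0.0

def goal_met(devices: List[Device], latest_build: str, released: date,
             target_days: int, target_pct: float) -> bool:
    """Apply the dashboard-style goal, e.g. 90% of devices within five days."""
    return goal_progress(devices, latest_build, released, target_days) * 100 >= target_pct

def attention_list(devices: List[Device], latest_build: str) -> List[Device]:
    """Unpatched devices, riskiest first: macro-enabled, then add-ins, then most recently seen."""
    stale = [d for d in devices if needs_update(d, latest_build)]
    stale.sort(key=lambda d: (not d.macros_enabled, not d.has_addins, -d.last_seen.toordinal()))
    return stale

# Constructed sample: the February 14, 2023 release with a placeholder build string.
RELEASE = date(2023, 2, 14)
LATEST = "16.0.16000.20000"
INVENTORY = [
    Device("WKS-01", "16.0.16000.20000", date(2023, 2, 15), False, True, date(2023, 3, 1)),
    Device("WKS-02", "16.0.16000.20000", date(2023, 2, 24), True, False, date(2023, 3, 2)),
    Device("WKS-03", "16.0.15900.20100", None, True, True, date(2023, 3, 2)),
    Device("WKS-04", "16.0.15900.20100", None, False, False, date(2023, 1, 20)),
    Device("WKS-05", "16.0.16000.20000", date(2023, 2, 18), False, False, date(2023, 3, 3)),
]
```

With this sample, only two of five devices were patched inside the five-day window (WKS-02 was patched late and still counts against the goal), so a 90% target is not met, and WKS-03 tops the attention list because it is unpatched with macros enabled and was seen recently.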
Managing Office updates is one of those thankless tasks, like taking out the recycling, that is sometimes wearisome but contributes to making the world a better place.