Speaking of the strategic advantage of moving to newer software…
I did another post recently around helping customers realize the “latent pain” (potential risk) of staying on legacy versions of the OS. Here’s a follow-up showing that there are risks with staying on legacy versions of other apps, such as Office, as well.
In the last couple of weeks, we’ve found that attackers are using doctored PowerPoint files to exploit an unpatched vulnerability in that app. Although the attacks are described as “limited and targeted” so far, this points to the potential for exposure and risk associated with the attack. FYI, the exploit is a Trojan dropper embedded within certain .ppt or .pps data files.
The main point I want to make here, though, is that Microsoft Office PowerPoint 2007 and Microsoft Office for Mac 2008 are not affected. That speaks to a couple of the points I’ve been trying to make: 1) that our newer software, developed under the Trustworthy Computing Initiative, is more secure than previous versions, and 2) that there is an increased risk associated with staying on legacy versions of any software.
Now that I’ve brought it up, here’s a list of the affected software:
- Microsoft Office PowerPoint 2000 Service Pack 3
- Microsoft Office PowerPoint 2002 Service Pack 3
- Microsoft Office PowerPoint 2003 Service Pack 3
- Microsoft Office 2004 for Mac
Also know that Microsoft has activated its security incident response process, and the company will issue a bulletin with patches, but this could take some time. In the meantime, Microsoft recommends that Office users avoid opening or saving files, even from trusted sources, because those could be spoofed.
On a related note, if PowerPoint usage is heavy in your business, then you should consider implementing MOICE, a tool that uses the 2007 Microsoft Office system converters to convert the Office binary format files into the Office Open XML format. And, of course, you can download and use the Office Compatibility Tool to allow legacy Office versions to work with Office 2007 XML-based file formats.
FYI, admins could also use the Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.
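A triage check in the spirit of the MOICE and File Block advice above, added here as an example and not taken from the original post or from Microsoft: it sorts PowerPoint attachments by content rather than by extension, so legacy binary files can be routed to conversion or blocked. The function names, decision strings and sample files are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePath

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound-file header of binary .ppt/.pps/.pot
BINARY_EXT = {".ppt", ".pps", ".pot"}
OOXML_EXT = {".pptx", ".ppsx", ".potx", ".pptm", ".ppsm", ".potm"}

def sniff(data: bytes) -> str:
    """Classify a file by its content, never by its name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        if "[Content_Types].xml" in names and "ppt/presentation.xml" in names:
            return "ooxml-presentation"
        return "zip"
    return "unknown"

def triage(filename: str, data: bytes) -> str:
    ext = PurePath(filename).suffix.lower()
    if ext not in BINARY_EXT | OOXML_EXT:
        return "not-powerpoint"
    kind = sniff(data)
    if kind == "ole2":
        # Binary container under any PowerPoint extension (password-protected
        # Open XML files are also stored this way, so they land here too).
        return "legacy-binary: convert or block"
    if kind == "ooxml-presentation" and ext in OOXML_EXT:
        return "ooxml: allow"
    return "mismatch: hold for review"

def _sample_ooxml() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/presentation.xml", "<p/>")
    return buf.getvalue()

# Constructed samples: a header-only stub, not a real presentation.
_OLE_STUB = OLE2_MAGIC + bytes(504)
SAMPLES = {"deck.ppt": _OLE_STUB, "deck.pptx": _sample_ooxml(), "renamed.pptx": _OLE_STUB}

if __name__ == "__main__":
    for n, d in SAMPLES.items(): print(n, "->", triage(n, d))
```

The `renamed.pptx` sample shows why the extension alone is not enough: a binary file given a newer extension is still treated as legacy content.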