Major security risk for Office Users? Manual Updates?

Krebs, Qualys and other security experts of note all outlined the reason for this week's Patch Tuesday patches. Windows Updates were installed automatically (for most) but what about MS customers with Office, for example?

I have my Windows Updates settings set to 'give me updates for other MS products' and had always presumed that Office would be updated too but it seems not. Digging deeper I discovered issues about which I had been completely unaware:

(1) MS insist on 'forced' Windows Updates yet imho they put Office Users at severe risk by leaving users to carry out manual updates, something that they have failed to communicate to me.
(2) How are Office Users expected to know that they must update i.e. how do Microsoft alert them? They don't, as far as I can see.
(3) Where/how can Office Users check that the update/new version has patched all the security flaws? I can't find a summary. Is there one?
(4) As for the manual update itself, Office told me "applying updates" and then closed abruptly. There was no message "updated successfully" - how are we to know that an update has completed? Pretty poor.

I try hard not to post a question in more than one forum but in this case I've done just that. There's been a huge silence in the MS Community to my thread even though I'd put in the heading "Is this a major security flaw".

 http://answers.microsoft.com/en-us/office/forum/office_365hp-word/windows-is-updated-automatically-but-office-2016/2c7703eb-f73f-492c-ab55-e4946c3c0f67

Any Windows 10/Office Users out there who'd care to comment? Or am I wrong?
PS In case you didn't read what the security holes were, Krebs said this:
 "Patches for IE and Edge address the largest number of “critical” vulnerabilities. (Critical bugs refer to flaws Microsoft deems serious enough that crooks can exploit them to remotely compromise a vulnerable computer without any help from the user, save for the user visiting some hacked but otherwise legitimate site.)
Another bundle of critical bugs targets at least three security issues with the way Windows, Office and Skype handle certain types of fonts. Microsoft said attackers could exploit this flaw to take over computers just by getting the victim to view files with specially crafted fonts — either in an Office file like Word or Excel (including via the preview pane), or visiting a hacked/malicious Web site.
Microsoft Office has its own critical patch that fixed at least seven vulnerabilities — including another one exploitable through the preview pane.
Microsoft PDF also received a critical patch thanks to a bug that’s exploitable just by getting Edge users to view specially-crafted PDF content in the browser."

Thanks PhoneMan, especially for "Non-Security updates for Office are on Office Update Tuesday (1st Tues of Month). MS started this a while back." I think that's the first reference I've seen to Office Update Tuesday!

I say 'think' because I quickly became brain-dead after starting my search here: http://social.technet.microsoft.com/Forums/en-US/cd971c47-bb24-49bc-9b53-6ec1cbdc9870/windows-update-no-office-2016-updates?forum=win10itprosecurity

and reading about the different product titles/versions in at least ten threads to which I was referred.

 

Just for information. I run the standalone version of Office 2010 and 2013 on 2 of my systems.

I get Security updates for Office on Patch Tuesday (2nd Tues of Month)

Non-Security updates for Office are on Office Update Tuesday (1st Tues of Month). MS started this a while back.

I am running Windows 1607 Build 14393.51

Jim yes

Thanks Imacri, and everyone who's helped me. I asked via Moderation requests for a Mod to reply to my MS thread and a Community Moderator and MVP has come up with the answer by referring me to this Tech Net page:

http://technet.microsoft.com/en-us/mt465751 

I no longer receive email notifications of MS Monthly Update Bulletins due to the failure of MS's system to send them to my new email address. (I changed the address in the correct place in those places to which helpers here pointed me but it made no difference.) So in the future I'll have to rely on contributors here who post details of them regularly!

 

Taffy_078:

....but as you'll see above according to my Office Account details I have v16.0.7070.2036! 

Hi Taffy_086:

The MS TechNet support article Version and build numbers of update channel releases for Office 365 clients I mentioned in my post <here> shows you're fully patched:

"Current Channel: Version 1606 (Build 7070.2036), released on August 9, 2016"
-----------
32-bit Vista Home Premium SP2 * Firefox v48.0 * NIS v22.7.0.76 * MBAM Premium v2.2.1

Thanks SendofJive. Interesting link and I thought for one second that I'd found the 'missing' details of the July & August updates.

[Screenshot: Office Updates for July & August.PNG]

but as you'll see above according to my Office Account details I have v16.0.7070.2036! 

Hi Imacri. Thanks for those links - very useful. I had my Office set to Automatic Updates

[Screenshot: Office Account upadting etc.PNG]

but it didn't happen. Perhaps because of the pecking order that you mention but surely major security patches should be installed asap for all.

I also have Update Other Products checked but now realise that Office is not one of them:

[Screenshot: WU Advanced Settings.PNG]

Even now, I've no idea what has been installed. View History is a waste of time - the latest shown is for June and is for all products, not what's actually been delivered to my PC.

Thanks anyway.

 You can always check for updates manually if you don't want to wait for the products to update themselves

Not any more in "normal" versions of Windows 10 although Pro does have "defer" but I've not tried it to see if it gives you a list and the opportunity to select, as we could in 7 & 8 ....

One step forward means two steps backward.  Shades of "1984" ....

Office 2013, Office 2016, and Office 365 are "Click-to-Run," which means they update automatically, but separately from Microsoft Windows Update.  Updates for these products are generally made available on Patch Tuesday and are eventually pushed out automatically.  You can always check for updates manually if you don't want to wait for the products to update themselves.  The following article answers the four questions you raised in the opening post:

https://support.microsoft.com/en-us/gp/office-2013-365-update

huwyngr:

FWIW I got 3 security updates to my MS OFFICE 2007 on my Windows 7 desktop yesterday.

Hi Taffy_078:

I also received 3 security updates for MS Office with my August 2016 Patch Tuesday updates (KB3114893, KB3115109, KB3115464) but I have a "traditional" desktop version of MS Office installed on my PC.

Keep in mind that your MS Office 365 Home subscription is essentially a cloud-based service.  As a home user, most of your updates, patches, and upgrades will be installed silently in the background on the Microsoft servers and don't have to be pushed to your client PC.  That's the main advantage of a cloud-based service - you're always using the most up-to-date software because patches are applied for you on the backend server.
-----------
32-bit Vista Home Premium SP2 * Firefox v48.0 * NIS v22.7.0.76 * MBAM Premium v2.2.1

FWIW I got 3 security updates to my MS OFFICE 2007 on my Windows 7 desktop yesterday.

I don't have Office installed on any of my 8 or 10 installations .... yet

Hi Taffy_078:

Your thread in the MS Answers Forum indicates that you purchased a one-year subscription for Office 365 Home.

I use an older version of MS Office Professional but from what I understand, updates for Office 365 are not delivered via Windows Update on Patch Tuesdays but are delivered automatically via an internal (built-in) updater as required.  According to the article How do I get the newest features in Office 2016 for Office 365? new updates are rolled out first to Office Insiders one to three weeks before regular subscribers.

Do the instructions at Install Office updates help?  If you go to File | Account | Product Information | Update Options do you see Enable Updates (to enable automatic updates) or Update Now? Clicking Update Now! to run a manual update should display a message stating "You're up to date!" after Office is done checking for and installing any pending updates that haven't been delivered yet by your scheduled (automatic) updates.  If those instructions are applicable to Office 365 Home you should also be able to access your update history by clicking View History.

A general description of major feature changes for Office 365 is posted at What's new and improved in Office 2016 for Office 365 but it's only current to July 2016.  The MS TechNet support article Version and build numbers of update channel releases for Office 365 clients is intended for Office 365 ProPlus administrators but might give you an idea of the current build numbers and release schedule for some versions of Office 365.
-----------
32-bit Vista Home Premium SP2 * Firefox v48.0 * NIS v22.7.0.76 * MBAM Premium v2.2.1
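
The check discussed in this thread (is the installed Office build at or above the build published for a given Patch Tuesday, and are automatic updates switched on?) can be scripted. This is an added example, not code from any poster or from Microsoft. It assumes an Office 2016/365 Click-to-Run install, whose registry key and value names below are not mentioned in the thread; the minimum build is the Current Channel build quoted above for August 9, 2016.

```powershell
# Added example: audit a Click-to-Run Office install against a minimum build.
# Assumption: Office 2016/365 Click-to-Run records its state under this key
# (the key and value names are not taken from the thread).
$C2RKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

# Build quoted in the thread: Version 1606 (Build 7070.2036), August 9, 2016.
$MinimumVersion = [version]'16.0.7070.2036'

function Test-OfficeBuild {
    # Compare an installed version string with the minimum patched build.
    param(
        [string]  $Installed,
        [version] $Minimum
    )
    $parsed = $null
    if (-not [version]::TryParse($Installed, [ref]$parsed)) {
        return 'Unknown'      # value missing or not a dotted version number
    }
    if ($parsed -ge $Minimum) { 'Patched' } else { 'Outdated' }
}

function Get-OfficeUpdateStatus {
    if (-not (Test-Path $C2RKey)) {
        # No Click-to-Run install found. The "traditional" (MSI) editions
        # are serviced through Windows Update, so check installed KBs there.
        return [pscustomobject]@{
            InstallType    = 'Not Click-to-Run'
            Version        = $null
            UpdatesEnabled = $null
            Status         = 'Check Windows Update history'
        }
    }
    $cfg = Get-ItemProperty -Path $C2RKey
    [pscustomobject]@{
        InstallType    = 'Click-to-Run'
        Version        = $cfg.VersionToReport
        UpdatesEnabled = $cfg.UpdatesEnabled   # "True" when auto-update is on
        Status         = Test-OfficeBuild -Installed $cfg.VersionToReport `
                                          -Minimum $MinimumVersion
    }
}

# Constructed sample values exercising the three comparison outcomes.
'16.0.7070.2036', '16.0.6965.2058', '' | ForEach-Object {
    '{0,-16} -> {1}' -f $_, (Test-OfficeBuild -Installed $_ -Minimum $MinimumVersion)
}

Get-OfficeUpdateStatus | Format-List
```

Raise `$MinimumVersion` each month to the build listed for your update channel; a result of `Outdated` with `UpdatesEnabled` set to `True` means the automatic updater has not yet delivered the patch.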