Three guys got together over pints a while ago and talked about how one of the issues facing Technical Professionals today is keeping their systems patched and up to date. This issue was brought to the forefront at a User Group meeting we were attending (Ottawa Windows Server User Group) where we were holding an “Ask the Microsoft Guy” panel discussion.
Over pints at D’Arcy McGee’s, Pierre Roman, Bruce Cowper and I decided we would try to help solve the issue of information overload regarding patching and put together a timely podcast to go live each “Patch Tuesday”.
- Use plain English terms and every day language that any Technical professional can understand – minimize “corporate speak”.
- Breakdown each Security Bulletin with summary information first followed by more details as to the impact an IT Pro would face.
- Outline mitigation factors in case patches couldn’t be tested or applied in a timely fashion
- Keep it top 15 minutes OR LESS. this one is critical – Keep It Simple, repeatable and get out of the IT Pros way to get on with their day.
- Have fun!
Well – here is our 3rd attempt. Have a listen directly from the embedded Silverlight player OR subscribe to the specific feed and download it to your iTunes / Zune software. Since we didn’t get any feedback this time around, we’ve stuck with what we’ve got for a format. If you have suggestions on making it better – please pass on your comments. Mail me directly – firstname.lastname@example.org
Subscribe to the podcast: (so you don’t miss an episode)
Disclaimer: This podcast was produced with the best information available to us at the time of recording. Your primary source for all things Security Bulletin related should always be the Microsoft Security Response Center blog.
Bulletins discussed for May 12th, 2009: MS09-017.
Podcast Participants: Pierre Roman, Bruce Cowper and myself.
Additional Technical Show Notes:
Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources
The Microsoft Office Isolated Conversion Environment (MOICE) will protect Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files.
To install MOICE, you must have Office 2003 or 2007 Office system installed.
To install MOICE, you must have the Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats. The compatibility pack is available as a free download from the Microsoft Download Center:
MOICE requires all updates that are recommended for all Office programs. Visit Microsoft Update to install all recommended updates:
To enable MOICE, change the registered handler for the .ppt, .pot, and .pps file formats. The following table describes the command to enable or to disable MOICE for the .ppt, .pot, and .pps file formats:
Command to use to enable MOICE to be the registered handler
Command to use to disable MOICE as the registered handler
Note On Windows Vista and Windows Server 2008, the commands above will need to be run from an elevated command prompt.
For more information on MOICE, see Microsoft Knowledge Base Article 935865.
Impact of Workaround: Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE will not retain macro functionality. Additionally, documents with passwords or that are protected with Digital Rights Management cannot be converted.
Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations
The following registry scripts can be used to set the File Block policy.
Note Modifying the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from incorrect modification of the Registry can be solved. Modify the Registry at your own risk.
For Office 2003
Windows Registry Editor Version 5.00
Note In order to use ‘FileOpenBlock’ with Office 2003, all of the latest Office 2003 security updates must be applied.
Impact of Workaround: Users who have configured the File Block policy and have not configured a special “exempt directory” as discussed in Microsoft Knowledge Base Article 970980 will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System.
How to Undo the Workaround:
For Office 2003
Windows Registry Editor Version 5.00
Do not open or save Microsoft Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.
As it was mentioned in the podcast, here is some information regarding what’s included in the Microsoft Office 2007 Service Pack 2.
2007 Microsoft Office suite Service Pack 2 (SP2) gives customers the latest updates for the 2007 Office suite. This service pack includes two main categories of fixes: (http://support.microsoft.com/kb/953195)
- Previously unreleased fixes that were made specifically for this service pack.
- In addition to general product fixes, these fixes include improvements in stability, in performance, and in security.
- All the public updates, security updates, cumulative updates, and hotfixes that were released through February 2009.
There are three key changes in Office 2007 with SP2.
1) Interoperability – Office 2007 SP2 adds support for read, write and save capabilities for the ODF 1.1 file format. There is a great blog post on Working with ODF in Office 2007 SP2 you should check out, as well as these resources for more specific information on what Word, Excel and PowerPoint support.
- What Word 2007 SP2 supports in the OpenDocument Text (.odt) format: http://office.microsoft.com/en-us/word/HA102835631033.aspx?pid=CH100626291033
- What Excel 2007 SP2 supports in the OpenDocument Spreadsheet (.ods) format: http://office.microsoft.com/en-us/excel/HA102877221033.aspx?pid=CH100648071033
- What PowerPoint 2007 SP2 supports in the OpenDocument presentation(.odp) format: http://office.microsoft.com/en-us/powerpoint/HA102877231033.aspx?pid=CH101956361033
2) Performance – Office 2007 SP2 also adds increased performance and reliability to Office client applications and servers. Outlook 2007 SP2 as an example, includes improved calendaring reliability and performance enhancements which has been a pain for users and administrators. I’ve noticed a significant improvement in performance since I installed SP2.
3) Converter API – Office 2007 SP2 adds a new API, called the Converter API, which will allow Office developers to include support and conversion options for the ODF 1.1 file format in their Office add-ons and applications.
Slipstreaming a service pack in Office is fairly straight forward. Download the standalone installer (290 MB). The filename is office2007sp2-kb953195-fullfile-en-us.exe in the US.
- Create two folders one called Extract and Updates for example. (This is really up to you.)
- Move the Office 2007 SP2 installer to the Extract folder. And open a command line window (CMD) and use the following command:
- CD C:\Extract office2007sp2-kb953195-fullfile-en-us.exe /extract:C:\Updates
- Agree to the EULA and then close the Installer when completed.
- Move the contents of the C:\Updates folder to the Updates folder in your Office 2007 install folder structure.
If you’re using Office 2003 you can find the step by step for Office 2003 for example in the following KB article. http://support.microsoft.com/kb/555215.