Many Businesses Found To Be Running Old Microsoft Office Versions

When an operating system reaches the end of its supported life, such as Windows XP, NT and Vista have, it’s big news. It makes headlines. When other forms of software reach the end of the line, there’s just not as much fanfare. It’s not that it’s not important; it’s just not something people think or care very much about.

They probably should, at least according to a recently released survey by Spiceworks, which revealed statistics that were both shocking and dismaying. Here are a few of the highlights:

• Fully 68 percent of businesses surveyed are still running instances of Office 2007, in spite of the fact that the software stopped receiving security updates in October
• Nearly 50 percent (46 percent to be exact) are still running Office 2003
• 21 percent are still running Office 2000
• 15 percent are running Office XP
• And three percent are amazingly still running some instances of Office 97

Of particular interest was the fact that most of the firms running outdated software are mid-sized companies employing between 100 and 1000 people. Large companies have the resources to keep their software up to date and smaller firms, recognizing their lack of resources, have readily moved to embrace Office 365, which is always up to date, and thus, saves them money and headaches.

Those firms stuck in the middle, though, and possibly your own company, find themselves in a tricky position. They’ve invested heavily in productivity tools, then found themselves in the unenviable position of not having the resources to keep them fully updated, and of course, are reluctant to lose their investment by switching to Office 365.

It’s undeniably a balancing act, but the reality is that if your company is using outdated productivity tools, your risks of a breach are higher than they should be. It’s something that’s too important to gloss over or delay. If you’re using an outdated version of Office or other productivity tools, find a way out of that box as soon as is feasible. Your data security staff will thank you for it, and it’ll give you peace of mind.

Vulnerability Found In Popular Grammar Checker

On February 2, Tavis Ormandy, a researcher on Google’s Project Zero team, discovered a critical flaw in the popular online grammar checking app, “Grammarly.” Tens of millions of users make regular use of the app to improve the quality of their writing. The bug allowed a hacker to steal a Grammarly user’s authentication token and use that token to log on and access every document they’ve run through the Grammarly system, along with that user’s history, logs and other data. They were able to do it all using just four lines of JavaScript code.

The bug was found in both the Firefox and Chrome Grammarly extensions and was reported immediately.

While response time to such a report varies greatly, Grammarly set a new record for speed and efficiency.  The bug was reported on a Friday, and by Monday, it was patched.  If you use either the Chrome or the Firefox Grammarly extension, there’s nothing for you to do, as these should update automatically.

A spokesman for Grammarly had this to say about the matter:

“Grammarly resolved a security bug reported by Google’s Project Zero security researcher, Tavis Ormandy, within hours of its discovery.  At this time, Grammarly has no evidence that any user information was compromised by this issue.

We’re continuing to monitor actively for any unusual activity.  The security issue potentially affected text saved in the Grammarly Editor.  This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension.  The bug is fixed, and there is no action required by Grammarly users.”

Kudos to Tavis Ormandy for finding the bug, and a hearty round of applause to Grammarly for their speedy and deft handling of the issue.  Given the severity of the bug, it’s easy to see how such a discovery could have gone an entirely different direction. As it turns out, Grammarly set a new bar for excellence with their handling of the issue.

Microsoft Office Update Available To Only Windows 10 Users

There are big changes coming to MS Office which you need to be aware of, given how widely used “Office” is in most companies.

First, the headline change:  When MS Office 2019 is released, it will only run on Windows 10.  If you’ve still got machines on older operating systems, and you want to keep your productivity suite up to date, then you’ll need to upgrade those older systems.

Also, be aware that when Office 2019 ships, it will only have “Click-to-Run” technology.  No MSI, although Office Server will have an MSI deployment option.

In terms of software support, the company had this to say:

“Office 2019 will provide five years of mainstream support and approximately two years of extended support.  This is an exception to our ‘Fixed Lifecycle Policy’ to align with the support period for Office 2016.  Extended support will end 10/14/2025.”

The Office 2019 bundle will include the following apps:

  • Word
  • Excel
  • PowerPoint
  • Outlook
  • Skype for Business

Additionally, server versions of SharePoint and Exchange will be available.

In conjunction with the announcement above, the company also announced service extensions for Windows 10, and changes to the system requirements for people who use Office 365 ProPlus, the company’s online office suite.

Beginning on January 14, 2020, Office 365 ProPlus will no longer be supported on Windows 7, Windows 8.1, Windows Server 2016, or any Windows 10 LTSC (Long Term Servicing Channel) release. Windows 10 versions 1511, 1607, 1703, and 1709 will get an additional six months of support for both enterprise and education customers.

Although these changes will no doubt inconvenience some users, overall, they have to be judged as a positive.  Microsoft has been taking a number of meaningful steps in recent years to streamline and simplify their product support, and these latest changes are very much in keeping with that.

Microsoft Helping With Ransomware In Office 365

Microsoft recently made small but significant changes to its Office 365 subscription service and to OneDrive, which are often used in tandem.  The goal is to make it easier for users whose files have been encrypted by ransomware (or otherwise corrupted) to recover them.

The most significant of the changes is a new “File Restore” button that Office 365 users will see in both applications. If you’ve saved your Office 365 files to OneDrive, you’ll be able to restore files within a thirty-day window. In the event that your files are accidentally deleted or corrupted, getting them back is as simple as pressing the button and selecting the files to be restored.

That’s a huge win for Office 365 and OneDrive users, but there’s more.

The additional changes include:

  • A mobile alert sent to the phone number you select, which will inform you if your files may have been encrypted or otherwise tampered with
  • Support for end-to-end email encryption in their mail service (Outlook), including the web version of the mail app
  • Office now scans all links embedded in PowerPoint, Excel and Word documents to check if they point to malicious content on the web
  • All file attachments and links embedded in emails are now scanned for known phishing threats and viruses
  • Outlook.com now gives users the ability to prevent email recipients from forwarding your emails
  • The ability to password protect OneDrive shared links

That last one is also significant, and is a feature that OneDrive’s user base has been clamoring for quite some time. OneDrive has made it incredibly easy to share files via a link-based system, but unfortunately, never offered users a way to secure those links. That, thankfully, has now changed.

Individually, all these changes are quite good, but taken together, they represent a significant step in the right direction.  Kudos to Microsoft for taking the threat of ransomware so seriously, and adding specific features to help protect their users.

New Trick Lets Hackers Bypass Office 365 Email Security

What’s old is new again.

Hackers have recently begun re-deploying a decade-old trick called ‘ZeroFont’ to get around Microsoft’s security filters and deliver phishing and spam emails to Office 365 email accounts.  The gimmick?  Zero-point fonts.

As anyone with even passing familiarity with Office 365 knows, if you’re drafting a document, you can change the font size to suit your tastes and preferences. What few people realize is that you can use HTML code to set your font to zero-point size.

Of course, such a move has no practical application in everyday usage, because no one could read a zero-point font.  Hackers, however, can make cunning use of it, and Office 365 is unable to detect the presence of zero-point fonts.  Since they’re not detected, they’re not marked as malicious and sail right through the security filters.

By itself, the zero-point trick is useful, but not inherently deadly. Unfortunately, it can be combined with other tricks like Punycode, Unicode, or hexadecimal code to insert malicious commands into what appears to be a totally innocent email.
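A defender-side check for the technique described above, added here as an example that is not part of the original article and not code from any vendor's filter: it parses an HTML mail body, separates the text a recipient would actually see from text styled at zero-point size, and flags the message when hidden text is present. The sample messages, the `scan_html` function and its verdict rules are constructed for this illustration; the scanner only inspects inline `style` attributes, so it assumes the hiding is done the way the article describes (a zero font size set in the HTML) rather than through an external stylesheet.

```python
"""ZeroFont triage: split an HTML mail body into visible text and text hidden
at zero-point size, so a filter can score what the recipient actually sees.
Added example with constructed sample messages; inspects inline styles only."""
import re
from html.parser import HTMLParser

# font-size of 0, 0px, 0pt, 0.0em ... terminated by ';' or the end of the style string
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.IGNORECASE
)
# Elements that never carry text and may appear without a closing tag
VOID_TAGS = {"br", "hr", "img", "meta", "link", "input", "area", "base", "col"}


class ZeroFontScanner(HTMLParser):
    """Collects text runs, tagging each one as visible or zero-sized."""

    def __init__(self):
        super().__init__()
        self.visible = []        # text a human reader would see
        self.hidden = []         # text rendered at zero size
        self._hidden_stack = []  # one flag per open element: inherits from parent
        self._skip_depth = 0     # inside <style>/<script>: not rendered text at all

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        if tag in ("style", "script"):
            self._skip_depth += 1
        style = dict(attrs).get("style") or ""
        inherited = self._hidden_stack[-1] if self._hidden_stack else False
        self._hidden_stack.append(inherited or bool(ZERO_FONT_RE.search(style)))

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag in ("style", "script") and self._skip_depth:
            self._skip_depth -= 1
        if self._hidden_stack:
            self._hidden_stack.pop()

    def handle_data(self, data):
        if self._skip_depth:
            return
        hidden = self._hidden_stack[-1] if self._hidden_stack else False
        (self.hidden if hidden else self.visible).append(data)


def _collapse(parts, sep):
    """Join text runs and normalise whitespace."""
    return " ".join(sep.join(parts).split())


def scan_html(body: str) -> dict:
    """Return the visible text, the hidden text and a verdict for one HTML body."""
    parser = ZeroFontScanner()
    parser.feed(body)
    parser.close()
    visible = _collapse(parser.visible, "")   # adjacent visible runs form one text flow
    hidden = _collapse(parser.hidden, " ")    # separate hidden runs are separate words
    return {"visible_text": visible, "hidden_text": hidden, "suspicious": bool(hidden)}


# Constructed sample: zero-sized filler splits the words a content filter would key on.
SAMPLE_ZEROFONT = (
    '<html><body><p>Dear customer, your ac<span style="FONT-SIZE: 0px">lorem</span>'
    'count has been <span style="font-size:0">ipsum</span>suspended.</p></body></html>'
)
# Constructed sample: an ordinary (non-zero) font size must not trigger the check.
SAMPLE_CLEAN = '<html><body><p style="font-size: 10px">Meeting moved to 3pm.</p></body></html>'

if __name__ == "__main__":
    for name, body in (("zerofont", SAMPLE_ZEROFONT), ("clean", SAMPLE_CLEAN)):
        result = scan_html(body)
        print(f"{name}: suspicious={result['suspicious']}")
        print("  recipient sees :", result["visible_text"])
        print("  hidden text    :", result["hidden_text"])
```

The useful output for a mail filter is `visible_text`: scoring the text the recipient sees, rather than the raw character stream, is what removes the benefit of the zero-size padding, while any non-empty `hidden_text` is itself a strong signal worth logging.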

It gets better (or worse, depending on your point of view).  Just last month, researchers at a company called Avanan discovered that it was possible to use the HTML tag in an email or Office 365 document, point it at a malicious site, and the security filters would blithely ignore it.

Again, it should be noted that these tricks aren’t new.  They’ve been around for years, fell out of favor in preference for newer techniques, and now are being recycled.  Apparently, they’re so old that they skate right past modern security flags and filters.

Expect updates soon to catch these types of things, but in the short run, just be aware these types of attacks are not only possible, but trivial to execute.

Watch Out For Rise In Microsoft Office Attacks 

Menlo Security has recently published a new report that will probably dismay you if you’re a business owner.

Microsoft Office has been named as the attack vector of choice for hackers around the world. The most common form of the attack is a malicious Word document or other Office document attached to an innocent-looking email.

There are, of course, plenty of other ways to take advantage of various security weaknesses in MS Office and Office 365.  These include the use of remotely hosted malicious components embedded within documents that deliver zero-day exploits when the document is opened.
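The "remotely hosted malicious components embedded within documents" the report describes are declared inside the Office file itself: a .docx, .xlsx or .pptx is a zip package whose `.rels` parts record where each linked or embedded component lives, and a relationship with `TargetMode="External"` is the package's own statement that the component is fetched from outside the file. One triage check a defender can run before a document is opened is therefore to list every external relationship. The script below is an added example, not code from the article or from Menlo Security; it builds a small constructed .docx in memory (the hostnames, file names and relationship contents are made up for the illustration) and reports external targets, rating anything other than an ordinary hyperlink as high severity.

```python
"""OOXML external-relationship triage (added example with constructed sample files).
Office packages declare every linked/embedded component in *.rels parts; an
External target means the component lives outside the file being opened."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship kinds where an external target is ordinary in everyday documents.
LOW_RISK_KINDS = {"hyperlink"}


def is_remote(target: str) -> bool:
    """True when the target resolves over a network (URL or UNC path)."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True
    return urlparse(target).scheme.lower() in {"http", "https", "ftp", "file"}


def scan_ooxml(data: bytes) -> list:
    """List every External relationship in the package with a severity rating."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                kind = rel.get("Type", "").rsplit("/", 1)[-1]  # e.g. oleObject
                target = rel.get("Target", "")
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "kind": kind,
                    "target": target,
                    "remote": is_remote(target),
                    "severity": "info" if kind in LOW_RISK_KINDS else "high",
                })
    return findings


def high_severity(findings: list) -> list:
    """Findings that warrant blocking or detonation rather than a log line."""
    return [f for f in findings if f["severity"] == "high"]


# --- constructed sample packages (hostnames and file names are made up) ---
ROOT_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS[1:-1]}">
  <Relationship Id="rId1" Type="{OFFICE_REL}officeDocument" Target="word/document.xml"/>
</Relationships>"""

CLEAN_DOC_RELS = f"""<Relationships xmlns="{REL_NS[1:-1]}">
  <Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>
</Relationships>"""

# An external OLE object next to a harmless hyperlink.
SUSPECT_DOC_RELS = f"""<Relationships xmlns="{REL_NS[1:-1]}">
  <Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId3" Type="{OFFICE_REL}oleObject" Target="http://files.example.invalid/object.bin" TargetMode="External"/>
</Relationships>"""

# A template attached from a network share (lives in settings.xml.rels).
SUSPECT_SETTINGS_RELS = rf"""<Relationships xmlns="{REL_NS[1:-1]}">
  <Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" Target="\\share.example.invalid\templates\report.dotm" TargetMode="External"/>
</Relationships>"""


def build_docx(document_rels: str, settings_rels: str = None) -> bytes:
    """Write a minimal package in memory; only the parts the scanner reads are populated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("_rels/.rels", ROOT_RELS)
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        if settings_rels:
            zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


CLEAN_DOCX = build_docx(CLEAN_DOC_RELS)
SUSPECT_DOCX = build_docx(SUSPECT_DOC_RELS, SUSPECT_SETTINGS_RELS)

if __name__ == "__main__":
    for f in scan_ooxml(SUSPECT_DOCX):
        print(f"[{f['severity']}] {f['part']} {f['id']} {f['kind']} -> {f['target']}")
```

Running this over a real attachment only needs `scan_ooxml(open(path, "rb").read())`. The severity split is deliberately coarse: hyperlinks are external by nature and are better judged by a URL reputation check, whereas any other external target (objects, templates, images, frames) is unusual in mail-borne documents and is what a gateway should quarantine or detonate in a sandbox.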

The reason MS Office is such a wildly popular choice isn’t because it has an unusual number of security loopholes that can be exploited (although it’s certainly got its share).  Rather, it has everything to do with the overwhelming popularity of the office suite.  Simply put, lots of people use it on a regular basis, and that means the pool of potential victims is enormous.

As the report explains:

“There is likely to be an increase in attacks via malevolent email attachments using stealthily embedded, remotely hosted malicious components that leverage applications and operating system vulnerabilities, both old and new.

With CVE-2018-8174 and CVE-2018-5002, the attackers leveraged Word as a vector to exploit Adobe Flash Player and Internet Explorer.  By using Word as the vector, the attackers were able to exploit a browser, even if it is not the default browser, and exploit Flash, even though Flash is blocked by most enterprises…Microsoft is therefore undoubtedly going to become the platform that attackers leverage most to deliver their zero-day exploits.”

All true, and beyond troubling.  If your business uses Microsoft Office or Office 365 (and odds are excellent that it does), continued vigilance is the key.