Security Updates for Microsoft Office Products C2R
This documentation provides detailed information about security updates for Microsoft Office Products deployed through Click-to-Run (C2R). Regular updates are essential for addressing security vulnerabilities that may affect various Office applications, including Word, Excel, PowerPoint, and Outlook.
- Severity: Variable (Dependent on the specific vulnerabilities addressed)
Not applying security updates to Microsoft Office products can lead to several risks, including:
- Remote Code Execution: Exploits that allow attackers to run arbitrary code remotely through crafted documents.
- Data Breach: Vulnerabilities that could lead to unauthorized data access.
- System Compromise: Potential for a compromised system if vulnerabilities are exploited.
Security vulnerabilities in Office products can arise from:
- Inadequate input validation.
- Improper handling of objects in memory.
- Flaws in document parsing.
To ensure the security of Microsoft Office applications, it is critical to apply the latest updates provided by Microsoft for products installed via the C2R technology.
- Enable Automatic Updates:
  - For Office applications using C2R, updates are typically delivered automatically. Ensure that automatic updates are enabled by going to any Office application: File > Account > Update Options > Enable Updates.
- Manual Check for Updates:
  - If automatic updates are not feasible or if immediate patching is required, manually check for updates: File > Account > Update Options > Update Now.
- Configuration via Group Policy:
  - For enterprise environments, configure Office updates via Group Policy to automate and manage updates centrally.
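Script to Force Check for Updates: For environments where immediate application of updates is necessary, use a script to force an update check:

```powershell
# Path to the Click-to-Run client that performs the update check.
$c2rClient = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe"
# forceappshutdown=True closes running Office applications; displaylevel=False hides the update UI.
Start-Process -FilePath $c2rClient -ArgumentList "/update USER displaylevel=False forceappshutdown=True"
```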
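
To confirm the update settings described above before or after forcing an update, the following added example (not part of the original page) reads the Click-to-Run configuration and the Office update policy from the registry. It assumes Office 2016 or later (policy hive `16.0`) and treats a Group Policy value, when present, as overriding the local setting; the function name `Get-C2RUpdateStatus` is hypothetical.

```powershell
# Added example: read-only audit of Click-to-Run update settings on the local machine.
function Get-C2RUpdateStatus {
    [CmdletBinding()]
    param(
        # Local C2R configuration written by the Office installer.
        [string]$ConfigKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration',
        # Group Policy settings for Office updates (assumes the 16.0 policy hive).
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'
    )

    if (-not (Test-Path -Path $ConfigKey)) {
        Write-Warning "No Click-to-Run configuration found at $ConfigKey"
        return
    }
    $config = Get-ItemProperty -Path $ConfigKey

    # UpdatesEnabled is stored as the string "True" or "False".
    $localEnabled = ($config.UpdatesEnabled -eq 'True')

    # enableautomaticupdates is a DWORD (1 or 0) and exists only if a policy sets it.
    $policyEnabled = $null
    if (Test-Path -Path $PolicyKey) {
        $policy = Get-ItemProperty -Path $PolicyKey
        $prop = $policy.PSObject.Properties['enableautomaticupdates']
        if ($null -ne $prop) { $policyEnabled = [bool]($prop.Value) }
    }

    # Assumption: a policy value, when present, overrides the local setting.
    $effective = if ($null -ne $policyEnabled) { $policyEnabled } else { $localEnabled }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        InstalledVersion        = $config.VersionToReport
        UpdateSource            = $config.CDNBaseUrl
        LocalUpdatesEnabled     = $localEnabled
        PolicyUpdatesEnabled    = $policyEnabled
        EffectiveUpdatesEnabled = $effective
    }
}

$status = Get-C2RUpdateStatus
if ($status) {
    $status | Format-List
    if (-not $status.EffectiveUpdatesEnabled) {
        Write-Warning 'Office automatic updates are disabled on this machine.'
    }
}
```

Compare `InstalledVersion` against the build number your scanner or Microsoft's update history lists as fixed to confirm the finding is remediated.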