Office 2007 left unprotected in update snafu

Computerworld - Office 2007 users running Windows Vista may not have realized that their systems had not received several of this month's patches, Microsoft Corp. said last week when it acknowledged that its security update services had failed to deploy the fixes.

"We have updated the detection logic for the May 8th security and non-security updates for Office 2007," said Mark Griesi, a program manager with the Microsoft Security Response Center (MSRC), in an entry on the team's blog. "In some cases, the original detection logic may not have offered the updates or the updates may not have been installed successfully on systems running Windows Vista," Griesi added.

Only Vista users with Office 2007 on their hard drives who rely on Microsoft Update or Windows Server Update Services (WSUS) for patches were affected, Microsoft said. (Window Vista calls its baked-in update service "Windows Update," but it actually uses the Microsoft Update technology.)

The updates that may not have been deployed two weeks ago included ones for Excel 2007 and Office 2007 in general. All were rated "important," the second-highest ranking in Microsoft's four-level threat system.

"There has been no change to the actual binaries in the updates themselves," said Griesi. "If you have already successfully installed the updates using Microsoft Update, you will not be offered the update again."

Administrators running WSUS must reapprove the updates, and end users served by WSUS will also be prompted again to install the fixes if they weren't installed correctly when the bulletins were first released. Griesi urged users to run Windows Update or WSUS again to guarantee that Office 2007 is up to date.

Microsoft has posted additional information in support documents located here and here.

Read more about security in Computerworld's Security Knowledge Center.