Microsoft Update keeps Office secure, says researcher
56% of Office attacks in second half of 2009 hit copies last updated in 2003
Computerworld - A move Microsoft made nearly five years ago has kept users of the company's Office suite safer, a security researcher contended today.
Richie Lai, director of vulnerability research at security company Qualys, credited Microsoft's creation of the optional Microsoft Update service in June 2005 for making sure that more Office users keep their applications up-to-date.
"There was a time when Microsoft had only Office Update," Lai said, referring to Microsoft Update's predecessor. "Then, older versions [of Office] needed to be updated separately from Windows."
Lai was reacting to Microsoft's newest "Security Intelligence Report," published yesterday. In the report, Microsoft cited the growth in use of Microsoft Update, a service that combines automatic updates for Windows -- which can also be obtained through the better-known Windows Update service -- with fixes, patches and service pack updates for Office. Microsoft Update use increased 16% in the second half of 2009 compared to the first six months of the year, the company said.
Before mid-2005 and Microsoft Update, Office users needed to run two update services -- one for Windows, another for Office -- to keep their operating systems and applications up-to-date. (Microsoft retired Office Update in July 2009 as part of an effort to streamline its patching programs.) The dual -- and dueling -- services were also responsible for many older editions of Office being left unpatched, Lai argued, a fact that Microsoft also promoted as it made a case for keeping the suite updated.
"People who haven't updated their [copies of Office] are the most at risk, obviously," said Lai. "Older editions of Office did without the automatic updates of Microsoft Update." Office 2003 Service Pack 2 (SP2), which launched in September 2005, was the first major upgrade that allowed users to access Microsoft Update rather than the Office-only update service, he noted.
Lai attributed the vulnerability of older versions of Office, particularly Office 2003, to the lack of a combined Windows-Office update service when the suite debuted in late 2003. "That shipped without a way to do automatic updates alongside Windows," he said.
Microsoft's own data supported Lai's contention that Office Update was ignored by some users. According to the company, 56% of all attacks in a sample of successful Office hacks during the second half of 2009 affected copies that had last been updated in 2003. "Most of these attacks involved Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003," the report stated.
By comparison, just 2.3% of the attacks in the sample set involved copies of Office that had been updated at some point in the last four years.

