Microsoft Update keeps Office secure, says researcher

56% of Office attacks in second half of 2009 hit copies last updated in 2003

A move Microsoft made nearly five years ago has kept users of the company's Office suite safer, a security researcher contended today.

Richie Lai, director of vulnerability research at security company Qualys, credited Microsoft's creation of the optional Microsoft Update service in June 2005 for making sure that more Office users keep their applications up-to-date.

"There was a time when Microsoft had only Office Update," Lai said, referring to Microsoft Update's predecessor. "Then, older versions [of Office] needed to be updated separately from Windows."

Lai was reacting to Microsoft's newest "Security Intelligence Report", published yesterday. In it, Microsoft cited growth in the use of Microsoft Update, the service that delivers the same Windows fixes available through the better-known Windows Update together with the patches, fixes and service packs for Office. Microsoft Update use increased 16% in the second half of 2009 compared with the first six months of the year, the company said.

Before mid-2005 and Microsoft Update, Office users needed to run two update services -- one for Windows, another for Office -- to keep their operating systems and applications up-to-date. (Microsoft retired Office Update in July 2009 as part of an effort to streamline its patching programs.) The dual -- and dueling -- services were also responsible for many older editions of Office left unpatched, Lai argued, a fact that Microsoft also promoted as it made a case for keeping the suite updated.

"People who haven't updated their [copies of Office] are the most at risk, obviously," said Lai. "Older editions of Office did without the automatic updates of Microsoft Update." Office 2003 Service Pack 2 (SP2), which launched in September 2005, was the first major upgrade that allowed users to access Microsoft Update rather than the Office-only update service, he noted.

Lai attributed the vulnerability of older versions of Office, particularly Office 2003, to the lack of a combined Windows-Office update service when the suite debuted in late 2003. "That shipped without a way to do automatic updates alongside Windows," he said.

Microsoft's own data supported Lai's contention that Office Update was ignored by some users. According to the company, 56% of all attacks in a sample of successful Office hacks during the second half of 2009 affected copies that had last been updated in 2003. "Most of these attacks involved Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003," the report stated.

By comparison, just 2.3% of the attacks in the sample set involved copies of Office that had been updated at some point in the last four years.

The computers that fell victim to Office attacks, however, had had their copies of Windows updated much more recently, Microsoft said. "Almost two-thirds of the Office attacks observed in the second half of 2009 affected computers running versions of Windows that had been updated within the previous 12 months," the report said.

The median amount of time since the last Windows update for PCs in the sample was about 8.5 months, said Microsoft, compared to 6.1 years for the most recent Office update.
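Both the opt-in Lai describes (Microsoft Update rather than Windows Update alone) and the "time since the last Office update" figure Microsoft reports can be checked on a single machine through the Windows Update Agent's COM API. The following PowerShell script is an added example, not code from the article, from Qualys or from Microsoft. It assumes a Windows machine with the Windows Update Agent present and an elevated prompt if you let it register the service; the service ID is the one Microsoft documents for Microsoft Update, the function names are this example's own, and the match on the word "Office" in update titles and categories is a heuristic rather than an official classification.

```powershell
# Added example, not from the article: check whether this PC is opted in to
# Microsoft Update (Windows + Office patches), list Office updates still
# missing, and report how stale the last installed Office update is.
# Assumes the Windows Update Agent COM API; the function names are the
# example's own. Enabling the opt-in needs an elevated prompt.

# Service ID Microsoft documents for Microsoft Update in the WUA API.
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

function Test-MicrosoftUpdateOptIn {
    $sm = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $mu = $sm.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }
    if ($null -eq $mu) { return $false }
    # Registered with Automatic Updates means the AU client actually pulls from it.
    return [bool]$mu.IsRegisteredWithAU
}

function Enable-MicrosoftUpdateOptIn {
    # 7 = AllowPendingRegistration | AllowOnlineRegistration | AllowScheduledRetry
    $sm = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $sm.ClientApplicationID = 'Office patch-state check (example)'
    $null = $sm.AddService2($MicrosoftUpdateServiceId, 7, '')
}

function Get-MissingOfficeUpdates {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # ServerSelection 3 = ssOthers: search the named service, i.e. Microsoft Update.
    $searcher.ServerSelection = 3
    $searcher.ServiceID = $MicrosoftUpdateServiceId
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        # Heuristic: Office updates carry an Office product category.
        $cats = @($u.Categories | ForEach-Object { $_.Name })
        if ($cats -match 'Office') {
            [pscustomobject]@{
                Title      = $u.Title
                KB         = ($u.KBArticleIDs -join ',')
                Severity   = $u.MsrcSeverity
                Categories = ($cats -join '; ')
            }
        }
    }
}

function Get-LastOfficeUpdateDate {
    # Walk the local update history for the newest successful Office install.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $count = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return $null }
    # Operation 1 = installation, ResultCode 2 = succeeded.
    # Heuristic: match "Office" in the title, e.g. "Security Update for Microsoft Office ...".
    $last = $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 -and $_.Title -match 'Office' } |
        Sort-Object Date -Descending |
        Select-Object -First 1
    if ($null -eq $last) { return $null }
    return $last.Date
}

if (-not (Test-MicrosoftUpdateOptIn)) {
    Write-Warning 'Microsoft Update is not registered: Office gets no patches through Automatic Updates.'
    # Uncomment to opt the machine in (elevated prompt required):
    # Enable-MicrosoftUpdateOptIn
} else {
    $lastOffice = Get-LastOfficeUpdateDate
    if ($null -eq $lastOffice) {
        Write-Warning 'No successfully installed Office update found in the local update history.'
    } else {
        $age = (Get-Date) - $lastOffice
        "Last Office update installed: {0:yyyy-MM-dd} ({1:N0} days ago)" -f $lastOffice, $age.TotalDays
    }
    Get-MissingOfficeUpdates | Format-Table -AutoSize
}
```

Running this across a fleet gives the same two numbers the report is built on: whether the Office channel is reachable at all, and how long it has been since anything arrived through it. A machine that reports "not registered" is in the position Lai describes for Office 2003 before SP2, where Windows gets patched and Office silently does not.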

Microsoft also repeated what it said last year when it issued a similar report on data during the first half of 2009, that a single vulnerability patched in June 2006 with the MS06-027 update was to blame for more than three out of every four successful Office attacks.

"Microsoft Update is a great story," said Lai. "With [Microsoft Update], it isn't hard to stay updated."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.
