Tracking Office products security patches

Add-in Express™ Support Service
 
Esteban Astudillo




Posts: 146
Joined: 2006-02-27
I want to propose an idea to ADX and to the community of ADX customers.

I believe that it would be great if ADX could lead the effort of building a knowledge database of the impact of Microsoft's security updates on the different (or current) ADX products.

I get so nervous each time that I see the Windows Update pop-up window containing an update for Outlook 2003, because I know that it may potentially have an impact on my add-in. I can almost hear the support phone ringing.

I think we all agree how good ADX's Customer Support is, so I'm sure these guys already have their hands full, but if by any chance ADX's Support still has some spare cycles it would be really nice if they could take a shot at analyzing the potential impact of applying these updates as they come up and post a report on it. We, ADX users, could contribute to this database with our own experiences and maybe distribute the load of this investigation a bit. I for one offer some of my time to contribute to this effort if ADX agrees to lead it.

We have to remember that our products created with ADX will have to work with *and* without these security patches. We cannot control what end-users will do with their machines, so the more information we get upfront the better prepared we will be if an issue arises.

I'd like to hear what you think about this. Am I overreacting and this is not an issue or it's worth it and you would be willing to participate? Would ADX?

For now, take a look at the latest security patch for Outlook 2003. There is another one for Excel as well.

Cheers,
Esteban

www.microsoft.com/technet/security/bulletin/ms07-003.mspx
Executive Summary:

This update addresses several newly discovered, privately and publicly reported vulnerabilities. The vulnerabilities are documented in the “Vulnerability Details” section of this bulletin.

When using vulnerable versions of Office, if a user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take complete control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

We recommend that customers apply the update immediately.

...
Posted 12 Jan, 2007 14:57:46
Ryan Groom




Posts: 3
Joined: 2006-05-03
I 100% agree. The new Outlook 2003 patch KB924085 just killed my ADX 2.X application. The ADX extension would no longer show up in a custom inspector form. The lead programmers here are emailing support as I type this.

If we don't get a community going about patching it is going to hurt.

Thanks,

Ryan Groom
Posted 12 Jan, 2007 17:11:38
Andrei Smolin


Add-in Express team


Posts: 17356
Joined: 2006-05-11
Esteban and Ryan,

Sorry for the late answer. We were thinking about your proposal over and over again trying to find a way to reduce its cost for us. Nevertheless, we have to decline it. We wrote too much code to bypass "features" of Microsoft updates and it is impossible for us to look it through again trying to decipher if this or that part of the code was written for this or that case. It will definitely require additional resources which we just don't have at our disposal.

We understand your feelings about the Windows Update tray icon. We feel the same. But this is part of our life.

Please note that for such an extreme case as KB924085 was, we don't see another way for us but to release a patch of our own for ADX.Extensions 1.5. Please contact Fedor (or me) to get the patch.

Sorry and thank you for the proposal.
Posted 22 Jan, 2007 13:08:39
Esteban Astudillo




Posts: 146
Joined: 2006-02-27
Hi Andrei,

I understand and I'd agree with you that trying to track all the changes in the library in the way you presented it could be impossible to implement due to its high cost.

However, I still believe you can do something about it at relatively low cost:

- first, don't try to track past issues or analyze every single MSFT update. That could be really costly.

- the moment one of you finds something related to this, post it here so we are all aware. I know that people communicate with you guys directly by email (I do that), so you could warn everybody of the issues (and hopefully solutions) you find as they show up.

- maintain one of those "pinned" posts at the top of the Forum with a list of links to other posts with this type of problems.

The KB924085 issue is especially nasty. See my other post for an example of this.

And thank you anyway for considering the idea.

Esteban
Posted 25 Jan, 2007 18:11:19
Andrei Smolin


Add-in Express team


Posts: 17356
Joined: 2006-05-11
Esteban,

Thank you for the suggestion. I read your correspondence with Sergey on the issues related to KB924085. And I had the same thought: to pin a note about the workarounds Sergey had found.

We will do this today.
Posted 29 Jan, 2007 06:32:41