MacInTouch Amazon link...

Microsoft Office security

Channels
Security, Products
Does anyone have any thoughts on the security risks of continuing to run Office 16 after security updates end, specifically if I'm only working with files I've created? I'd assume in general that's fairly safe, but am probably overlooking something.
The main security issues seem to be mostly with Word and Excel, with the latter particularly susceptible to "remote code execution vulnerabilities" via opening dodgy files. However, as you say, if you are working only with files you've created yourself, the security risk would be very low.
 


Ouch! I probably have 10,000 such files. The good news is that I discovered I can use the Finder Rename option in my copious spare time, although it also makes me 'ok' everything.
Jeff, Automator still works in Catalina and will add the proper extensions (or anything else you choose) to those 10,000 filenames very quickly.
 


Ouch! I probably have 10,000 such files. The good news is that I discovered I can use the Finder Rename option in my copious spare time, although it also makes me 'ok' everything.
I'll second the recommendations for A Better Finder Rename and Document Converter. Additionally, I'll point out that you can go into Finder > Preferences and uncheck "Show warning before changing an extension"
 






As Henry L. noted last month, macOS 10.13 was required starting with Office 16.31.

This is too bad....my 2011 MacBook Pro runs Office just fine. From what I've read, I'm still leery of putting 10.13 on this machine. Sierra runs well on it, although it's still somewhat less stable than Mavericks was. The MacBook Pro has become a real workhorse for me over the last 18 months (the upgrades to 1TB SSD and 16GB RAM helped a lot).
 


As Henry L. noted last month, macOS 10.13 was required starting with Office 16.31.
This is too bad... my 2011 MacBook Pro runs Office just fine. From what I've read, I'm still leery of putting 10.13 on this machine. Sierra runs well on it, although it's still somewhat less stable than Mavericks was. The MacBook Pro has become a real workhorse for me over the last 18 months (the upgrades to 1TB SSD and 16GB RAM helped a lot).
You can always run Office 2016 on your 2011 MacBook Pro. It will be supported until early October 2020. See the link in the post above from Graham Needham. I have one iMac on El Capitan because of driver problems with a piece of software. It runs Office 2016 flawlessly, or as least as flawlessly as can be expected from Microsoft.
 



You can always run Office 2016 on your 2011 MacBook Pro. It will be supported until early October 2020. See the link in the post above from Graham Needham. I have one iMac on El Capitan because of driver problems with a piece of software. It runs Office 2016 flawlessly, or as least as flawlessly as can be expected from Microsoft.
Keep in mind that Outlook 2016 (and 2011) will likely be unable to connect to G Suite or Gmail as of February 2021, due to Google's forthcoming removal of "less secure app" support. All apps that connect to Google will be required to use OAuth 2.0 to sign in, and Outlook 16.16.x (aka Outlook 2016), at least as of now, does not support it.
 


Keep in mind that Outlook 2016 (and 2011) will likely be unable to connect to G Suite or Gmail as of February 2021, due to Google's forthcoming removal of "less secure app" support. All apps that connect to Google will be required to use OAuth 2.0 to sign in, and Outlook 16.16.x (aka Outlook 2016), at least as of now, does not support it.
Is that true for personal, non-G Suite Gmail and calendaring, too, i.e. accounts that end in gmail.com instead of a custom domain? I don't doubt that Google will make OAuth 2.0 a requirement for their personal Gmail at some point, but I only recall seeing an announcement for the branded G Suite apps.

Also, while it's hard to find a definitive answer in Google's support forums, it seems that turning on an app-specific password with 2-step verification will allow older clients to connect to G Suite once "less secure apps" are no longer allowed.
 


Is that true for personal, non-G Suite Gmail and calendaring, too, i.e. accounts that end in gmail.com instead of a custom domain? I don't doubt that Google will make OAuth 2.0 a requirement for their personal Gmail at some point, but I only recall seeing an announcement for the branded G Suite apps.

Also, while it's hard to find a definitive answer in Google's support forums, it seems that turning on an app-specific password with 2-step verification will allow older clients to connect to G Suite once "less secure apps" are no longer allowed.
I had interpreted the announcement to mean Gmail.com would be impacted too, but you appear to be right -- only G Suite is mentioned, so I stand corrected (at least, as you say, for now). And thanks for the tip regarding app-specific password -- that makes sense, and could be very helpful for tools that may never support OAuth 2.0.
 


With Office 2016, I discovered that the file "MicrosoftRegistrationDB.reg" contains full paths and document names for everything I've worked on for a while. I had previously removed recent documents from Open Recent > More, by right-clicking on each document to remove, so it was surprising to see everything still in this file. "Send full diagnostic data" is unchecked too. Deleting that .reg file did remove a few stuck recent files.
 



I'm unable to receive POP email messages using 2011 MS Outlook. Has anyone else experienced this problem?
Office 2011's Outlook does not support the current TLS (Transport Layer Security) encryption standard. TLS is commonly used to initiate receiving emails. The current common standard is 1.2. Most email providers have turned off earlier versions (1.0 and 1.1).

Typically Outlook would be set up to use port 995 for secure incoming POP email.

Unfortunately, you'll have to use a more modern email app. Both Outlook 2016 and Outlook 2019/365 support modern encryption. I migrated many people from 2011 to 2016 without major issues.

Depending on your email provider, you may be able to get by using a modern web browser and web-based email.
 


With Office 2016, I discovered that the file "MicrosoftRegistrationDB.reg" contains full paths and document names for everything I've worked on for a while. I had previously removed recent documents from Open Recent > More, by right-clicking on each document to remove, so it was surprising to see everything still in this file. "Send full diagnostic data" is unchecked too. Deleting that .reg file did remove a few stuck recent files.
I would be wary of deleting that file. Apparently it contains quite a bit more than the path/document information you are worried about, including a number of preferences, and is a consequence of macOS sandboxing requirements.
Jamf Nation said:
 


I would be wary of deleting that file. Apparently it contains quite a bit more than the path/document information you are worried about, including a number of preferences, and is a consequence of macOS sandboxing requirements.
Perhaps deleting "MicrosoftRegistrationDB.reg" with Office 2016 is an issue for users who log in. I deleted it without issue, the file was recreated, and everything is working fine.
 


I had forgotten to post about this when I noticed it a few weeks ago: The January Office 365/Office 2019 update did not include the latest "Production" version of the OneDrive client, version 19.222.1110.0006. I hadn't noticed this occurring with previous versions of the installers, but perhaps I missed it, or perhaps Microsoft has decided to change its policy on bundling the "Production Ring" version of OneDrive versus the "Enterprise Ring" version in the full Office installer.

In any case, the newest version of OneDrive is downloadable as a separate package on the OneDrive download page. The release notes for the latest release include:
  • Bug fixes to improve reliability and performance of the client.
  • New features gradually rolling out to users:
    • Support for signing in when a conditional access policy is configured.
    • Support for single sign-on when a user is signed in to Office apps.
I've been running the latest version of OneDrive for a few weeks on several machines without trouble.
 



Version 16.34 of Office 365/2019 is available from the Microsoft web site:

and via the AutoUpdate app. It looks like a relatively minor update, primarily impacting Excel:

If you were an early downloader of the website version, you may want to double-check that the version of the installer you downloaded actually was 16.34. It seems that while Microsoft updated the website for version 16.34, the actual download link continued to link to the 16.33 installer until about an hour ago. The site correctly downloads 16.34 now.

I see this sort of thing so often these days from so many companies. I can't say it generates a lot of confidence in their underlying processes.
 


If you were an early downloader of the website version, you may want to double check that the version of the installer you downloaded actually was 16.34. It seems that while Microsoft updated the website for version 16.34, the actual download link continued to link to the 16.33 installer until about an hour ago. The site correctly downloads 16.34 now.
I see this sort of thing so often these days from so many companies. I can't say it generates a lot of confidence in their underlying processes.
I take that back. I tried to run the 16.34 installer, and I was greeted by this warning:
Microsoft_Office_16.34.20020900_BusinessPro_Installer.pkg can’t be installed because its digital signature is invalid. The package may have been corrupted or tampered with. Get a new copy of the package and try again.
The page is back to linking to the 16.33 installer.

What was I saying about confidence in underlying processes?
 


Ric Ford

MacInTouch
It looks like a relatively minor update, primarily impacting Excel:
It looks like one you'd probably want to install...
Microsoft said:
CVE-2020-0759 | Microsoft Excel Remote Code Execution Vulnerability
A remote code execution vulnerability exists in Microsoft Excel … an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights…
 


It looks like one you'd probably want to install...
I agree that it should be installed, though the question is "when?"

When I called it a relatively minor update, I meant that there weren't a lot of new features, and, even though it includes a security fix, it's just one fix, and it's not aimed at a high-risk vulnerability. Definitely, it should be fixed, but it's not the sort of security issue where people need to drop everything to patch it immediately, especially in a business environment. Given that Microsoft still hasn't fixed the full 16.34 installer, I think it is ok to wait a day or two for the dust to settle.
 
  • appreciate
Reactions: BKN


Version 16.34 of Office 365/2019 is available from the Microsoft web site:
and via the AutoUpdate app. It looks like a relatively minor update, primarily impacting Excel:
If you were an early downloader of the website version, you may want to double-check that the version of the installer you downloaded actually was 16.34. It seems that while Microsoft updated the website for version 16.34, the actual download link continued to link to the 16.33 installer until about an hour ago. The site correctly downloads 16.34 now.

I see this sort of thing so often these days from so many companies. I can't say it generates a lot of confidence in their underlying processes.
Here's another Microsoft website to get Office updates and installers:
 


I have a weird problem in Office 2016. Under the Help menu in Word, Powerpoint and Outlook, I can select Check for Updates. However, in Excel, this option does not appear in the Help menu. I have the latest updates applied, but this has been happening for some time. Has anybody else encountered this problem and, if so, have you found a fix for it?
 


Under the Help menu in Word, Powerpoint and Outlook, I can select Check for Updates. However, in Excel, this option does not appear in the Help menu.
I haven't seen this problem, but it is a relatively minor one that is easily worked around.

All Office apps, when you select "Check For Updates", launch the same external program: Microsoft Auto Update. So you can launch it from Word, PowerPoint or Outlook, and it will still check for Excel updates.

You can also launch it directly, if you're so inclined. The easiest way to do this is to launch it from an Office app, then right-click its Dock icon and select "Options ->
Keep In Dock" from the context menu. Now, you can just click that icon to start it without launching any Office apps.

You can also directly open its app. On my system, it is located in
/Library/Application Support/Microsoft/MAU2.0

You can double-click it or drag it to the Dock for quick access.
 


I haven't seen this problem, but it is a relatively minor one that is easily worked around.
All Office apps, when you select "Check For Updates", launch the same external program: Microsoft Auto Update. So you can launch it from Word, PowerPoint or Outlook, and it will still check for Excel updates.
You can also launch it directly, if you're so inclined. The easiest way to do this is to launch it from an Office app, then right-click its Dock icon and select "Options ->
Keep In Dock" from the context menu. Now, you can just click that icon to start it without launching any Office apps.
You can also directly open its app. On my system, it is located in
/Library/Application Support/Microsoft/MAU2.0
You can double-click it or drag it to the Dock for quick access.
Thank you for your response. That has been my workaround also, but it would be nice to fix the issue.
 


Amazon disclaimer:
As an Amazon Associate I earn from qualifying purchases.

Latest posts