
July 2008 Update Release

On Tuesday, July 8th, 2008, Office released two critical non-security updates to Outlook and two updates to the Outlook Junk Email Filter. The Update for Microsoft Office Outlook 2003 (KB953432) consolidates hotfixes to address several issues, including an issue that prevents users from opening certain JPEG attachments after installing the MS08-015 security update. The Update for Microsoft Office Outlook 2007 (KB952142) also consolidates hotfixes to address several issues, including an issue that causes Outlook to hang and behave oddly if the MS08-015 security update was installed before Outlook was started for the first time. We recommend that all users of Outlook 2003 and 2007 install the appropriate update for their version of Outlook. In addition to these updates, Office also released Update for Microsoft Office Outlook 2003 Junk Email Filter (KB953465) and Update for Microsoft Office Outlook 2007 Junk Email Filter (KB953463).

Office hotfixes to be delivered on a defined schedule in the form of Cumulative Updates


Microsoft Office is moving away from the current weekly hotfix release model to a scheduled delivery model. Under the new model, Office hotfixes are released every two months in the form of Cumulative Updates (CU). The primary goal is to deliver high quality fixes in a predictable timeframe. Other hotfix teams at Microsoft (SQL Server and Exchange, for instance) have also adopted periodic delivery mechanisms for hotfixes. The first Office cumulative update will release in August, 2008.

With the new model, customers will still be able to request emergency fixes with an accelerated turn-around time. These fixes are termed Critical On-demand hotfixes (COD), to distinguish them from the cumulative updates that are released every two months. Below is some more detail on the new approach.

Cumulative update (CU) features

Hotfixes are released every 2 months.

Available hotfixes include:

·         Fixes for issues that meet Office hotfix acceptance criteria. These criteria include workaround availability, customer impact, reproducibility, the complexity of the code that must be changed, and other considerations. These criteria have not changed.

·         Any critical on-demand hotfixes released to date (see below).

·         Any critical security or non-security updates released publicly to date.

As is currently the case, hotfixes will be released in the form of “packages” that include fixes for customer-identified problems (where a “package” may contain one or more fixes). Customers accepting hotfixes will not be required to install anything more than they install today in order to take advantage of a cumulative update.

Cumulative updates apply to all versions of Office that are currently in mainstream support. (For general information on Microsoft product support, visit the Microsoft Support Lifecycle web site.)

Critical on-demand (COD) hotfix features

A critical on-demand hotfix is available to address critical problems that cannot be handled via the cumulative update delivery cycle. COD fixes are limited to emergency situations, for example, one in which the issue is blocking normal business operations for the customer, and/or for which there is no effective workaround.

No impact on Public Update or Service Pack releases

Office Cumulative Updates entail no changes to Office Public Updates, including security updates, or to Office Service Packs. Public updates will continue to include previously-released hotfixes for the affected binary or binaries, as well as all fixes released in the most recent Service Pack. For more information on Office’s update model, see the previous post from April 2008.

June 2008 Update Release

On Tuesday, June 10th, 2008, Office released Update for Microsoft Office Outlook 2003 Junk Email Filter (KB951476). Microsoft will not release an update for Microsoft Office Outlook 2007 Junk Email Filter this June. We are committed to releasing high quality public updates and will continue releasing updates to the junk email filters for both Outlook 2003 and 2007 in July.

 

Updates to Office 2007 Service Pack 1 to address WSUS language filtering issue

On Tuesday, June 10th 2008, Office released revisions to The 2007 Microsoft Office Suite Service Pack 1 (SP1).  These revisions correct a problem on Windows Server Update Services (WSUS) where some language-specific content of the service pack may fail to download.   Subsequent client installs from the WSUS server do not result in an installation failure, although the clients are not completely updated.

 

The 2007 Microsoft Office Suite (and the service pack) is composed of global and language-specific components. “Global” updates are updates that apply to all installations of a 2007 Microsoft Office product regardless of language, while “language-specific” updates apply only to components in a particular language. Most 2007 Microsoft Office products include language-specific components from multiple languages. For example, a customer with English Office 2007 Professional needs updates that are global, updates that are English-specific, and updates that apply to other languages such as French and Spanish. With the release of WSUS 3.0, WSUS administrators are required to select a default language filter setting (e.g. “English”) as opposed to “All languages” as the default setting. In our example, this means that the French and Spanish updates, by default, will not be downloaded to the WSUS server.

 

The revisions ensure that each service pack update is marked with the appropriate language filter settings such that the entire Service Pack is downloaded for any given language.  WSUS administrators should approve the revision and then re-deploy the service pack to their clients. 

 

More background on the issue can be found in the following KB article:  2007 Microsoft Office Suite Service Pack 1 causes a request for approval in Windows Server Update Services (WSUS) administration approval screen again

 

Note:  No Service Pack files or patches have been modified.

 

Posted by David [Microsoft]

May 2008 Update Release

On Tuesday, May 13th, 2008, Office released 10 security updates across 2 bulletins. The security updates apply to Microsoft Office Word 2000, 2002, 2003, 2007, Word Viewer, the 2007 Microsoft Office System and the Microsoft Office Compatibility Pack, and Publisher 2000, 2002, 2003, and 2007. For complete details, see “Microsoft Security Updates for May 2008” for home users and “Microsoft Security Bulletin Summary for May 2008” for advanced users.

In addition to addressing several new vulnerabilities, the Word update also adds security mitigations against public attacks using Microsoft Word to exploit vulnerabilities in Microsoft Jet Database Engine first described in Microsoft Security Advisory 950627. We have added logic enhancements to the way Word processes documents containing database connections. After applying this update, Word will prompt a user for confirmation before running SQL commands or queries when opening Word documents. In addition to installing this update, we highly recommend that customers install the update provided in Microsoft Security Bulletin MS08-028: Vulnerabilities in Microsoft Jet Database Engine Could Allow Remote Code Execution (950749) for the most up-to-date protection against these types of attacks.

Office 2007 SP1 releasing to Automatic Update

As we noted when we released Office 2003 Service Pack 3 via Microsoft Update (MU), we are committed to providing at least 30 days' notice before making Office service packs available via Microsoft Update automatic distribution (for Vista and XP). Today, we are giving notice that SP1 for the 2007 Microsoft Office System will begin being available via MU Automatic Update starting around June 16th. We released SP1 for Office 2007 to customers approximately 5 months ago and since that time we have had tens of millions of downloads and a very good reaction from our customers.

 

Given our commitment to advance notice, we wanted to use this blog as one of many avenues to alert our customers to the fact that we will be distributing SP1 automatically via Automatic Update beginning June 16th. The availability will happen gradually and not everyone will see it at the same time. Think of the 16th as the earliest possible start of distribution: SP1 will not start to become available to customers' systems via this channel any sooner than that date. This is necessary to ensure that our service infrastructure can meet the enormous demand for the service pack.

 

This policy approach seems to have worked really well with SP3 for Office 2003 because it gave the market plenty of time to evaluate the SP and gave us time to address specific customer concerns.  We’ve undertaken the same steps for SP1 for Office 2007 and so it’s great to be getting it out to those customers who depend on Automatic Update.

 

 - The Office and MU teams

Updates to Office 2003 include changes made in Office 2003 Service Pack 3

As you may know, Office 2003 Service Pack 3 contains some changes to the behavior of Office. For example, certain file types cannot be opened or saved by default, although you can re-enable this functionality by setting registry keys as described in this Microsoft Knowledge Base article and on David LeBlanc’s blog. A common question is whether these behavior changes are included in post-SP3 security updates. In short, yes: security updates released after SP3 contain behavior changes first released in SP3, even if you do not have SP3 installed. This post will briefly describe why that occurs and will outline which updates contain which changes.

 

For several reasons, Office patches are cumulative - broadly speaking, they contain all changes from previous updates to the same component, including service packs. By “component”, we mean the set of files in the patch - typically, this is the file or set of files like excel.exe that define the core, central functionality of an application. We plan to provide a more thorough explanation in a future post. The key thing to know for this discussion is that the latest update to Excel will contain SP3 changes in Excel, including behavior changes, and likewise for the other Office applications. This occurs even if SP3 has not been installed - if you have SP2 installed and install a security update released after January 1st, 2008, you will see the SP3 behavior changes. The information in this post applies to all update types, including security updates, non-security updates, and hotfixes.


Below, you will find a list describing which changes are contained in which updates. For the most part, the title of an update should make it clear which product is affected - for example, “Security Update for Microsoft Office Word 2003” is an update for Word. A few files like mso.dll and cdrimp32.flt may be more confusing. These files are typically contained in updates called “Security Update for Microsoft Office 2003”, and you can determine exactly which files are affected by such an update by consulting the “File Information” section of the security bulletin.

 

If you install an update to Microsoft Office Access 2003, you will see the following behavior change:

·        Access add-ins can no longer be configured for use by all users. For more information, see Microsoft Knowledge Base Article 938809.

 

If you install an update to Microsoft Office Excel 2003, such as MS08-014, you will see the following behavior change:

·        Certain macros in older Excel file formats have increased security. For more information, see Microsoft Knowledge Base Article 938806.

If you install an update to Microsoft Office Outlook 2003, such as MS08-015, you will see the following behavior change:

·        MAPI forms do not run in public folders and user folders. For more information, see Microsoft Knowledge Base Article 938816.

·        Attachments with the .gadget extension can no longer be opened in Outlook. For more information, see Microsoft Knowledge Base Article 938811.

 

If you install an update to Microsoft Office Project 2003, such as MS08-018, you will see the following behavior change:

·        Documents saved in certain formats no longer contain the version number of Office. For more information, see Microsoft Knowledge Base Article 938807.


If you install an update to Microsoft Office Word 2003, such as MS08-009, you will see the following behavior change:

·        The Fast Save setting in Microsoft Office Word has been removed. For more information, see Microsoft Knowledge Base Article 938808.

 

If you install an update to Microsoft Office Excel 2003, Word 2003, PowerPoint 2003, or cdrimp32.flt, you will see the following behavior change in the updated application:

·        Office 2003 can no longer open or save certain file formats. For more information, see Microsoft Knowledge Base Article 938810.

 

If you install an update to the file MSO.DLL, such as MS08-016, you will see the following behavior changes:

·        Office 2003 can now be configured to allow or deny specific COM components. For more information, see Microsoft Knowledge Base Article 938815.

·        Some COM components with unusual characteristics may not function as expected. For more information, see Microsoft Knowledge Base Article 938814.

·        Changes have been made to the behavior of Microsoft Office Document Imaging. For more information, see Microsoft Knowledge Base Article 938813.

·        Documents saved in certain formats no longer contain the version number of Office. For more information, see Microsoft Knowledge Base Article 938807.

 

Edit: The behavior covered in this post is described by Microsoft Knowledge Base article 951646.
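
An added example, not code from the Office team: a small audit over a constructed inventory that applies the rule described in this post to flag machines below SP3 that have nonetheless picked up SP3 behavior changes. The host records, field names and release dates are assumptions; the component-to-KB mapping and the bulletin numbers are the ones listed above.

```python
from datetime import date

# SP3 behavior changes per component, by KB article number (from the list above).
SP3_CHANGES = {
    "access": ["938809"],
    "excel": ["938806", "938810"],
    "outlook": ["938816", "938811"],
    "project": ["938807"],
    "word": ["938808", "938810"],
    "powerpoint": ["938810"],
    "cdrimp32.flt": ["938810"],
    "mso.dll": ["938815", "938814", "938813", "938807"],
}
# Bulletins the post names as examples of updates to each component.
BULLETIN_COMPONENT = {"MS08-014": "excel", "MS08-015": "outlook",
                      "MS08-018": "project", "MS08-009": "word",
                      "MS08-016": "mso.dll"}
SP3_CUTOFF = date(2008, 1, 1)  # updates released after this date carry SP3 changes

def changes_on_host(host):
    """Map component -> KB list for SP3 behavior changes present on one host."""
    if host["sp"] >= 3:
        # Assumption: SP3 brings the changes for every installed component.
        return {c: SP3_CHANGES[c] for c in host.get("components", [])
                if c in SP3_CHANGES}
    found = {}
    for upd in host["updates"]:
        # Patches are cumulative per component, so one post-cutoff update to a
        # component is enough to bring that component's SP3 changes.
        comp = BULLETIN_COMPONENT.get(upd["id"], upd.get("component"))
        if comp in SP3_CHANGES and upd["released"] > SP3_CUTOFF:
            found[comp] = SP3_CHANGES[comp]
    return found

def unexpected_changes(fleet):
    """Hosts below SP3 that carry SP3 behavior changes, with KBs to review."""
    report = {}
    for host in fleet:
        if host["sp"] < 3:
            kbs = sorted({kb for v in changes_on_host(host).values() for kb in v})
            if kbs:
                report[host["name"]] = kbs
    return report

# Constructed inventory; host names, fields and dates are illustrative only.
FLEET = [
    {"name": "ws-01", "sp": 2, "updates": [
        {"id": "MS08-014", "released": date(2008, 3, 11)},
        {"id": "MS08-016", "released": date(2008, 3, 11)}]},
    {"name": "ws-02", "sp": 2, "updates": [
        {"id": "constructed-2007-update", "component": "word",
         "released": date(2007, 10, 9)}]},
    {"name": "ws-03", "sp": 3, "components": ["word"], "updates": []},
]

if __name__ == "__main__":
    for name, kbs in unexpected_changes(FLEET).items():
        print(name, "review KB articles:", ", ".join(kbs))
```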

April 2008 Update Release

Today Office released 6 security updates across 2 bulletins, along with 3 non-security updates. The security updates apply to Microsoft Office Project 2000, 2002, and 2003, and Visio 2002, 2003, and 2007. For complete details, see “Microsoft Security Updates for April 2008” for home users and “Microsoft Security Bulletin Summary for April 2008” for advanced users. The non-security updates are updated definitions for the Outlook 2003 and 2007 Junk Email Filters and an update to fix a problem that prevented some users from installing the 2007 Microsoft Office suite Service Pack 1. This last update had been previously released to the Microsoft Download Center, but starting this month it will also be delivered through the Microsoft Update, Office Update, and Automatic Updates services. For more information on this update, see the Microsoft Knowledge Base article KB946691.

Introduction

Welcome to the Microsoft Office Sustained Engineering team blog! We’re the team behind Office hotfixes, security updates, and service packs. We’ll use this blog to talk about the updates we release. Some of the things we’ll cover:

·         Announcements of released and upcoming updates

·         Deployment guidance – how to distribute and install the updates

·         Explanations of complex or confusing scenarios, problems, and known issues

·         General information about how Office updates work

·         Responses to your comments

·         Anything else we think you’ll find interesting and useful

While we’ll discuss security updates after they’re released, we won’t go into depth about the security aspects – that discussion can be found on other sites such as the Microsoft Security Response Center, Secure Windows Initiative, and David LeBlanc’s blogs. We’ll focus on deployment and Office functionality.

 

The articles will be written for a relatively technical audience: IT professionals, consultants, enterprise users, power users – in other words, those with a relatively high degree of expertise in updating and deploying. If that’s not you, you may find some of our posts to be hard to understand. But stick around and you’ll start to pick it up. And if you are one of these power users, you’ll find lots of useful information here. We plan to post about once or twice per month, but that may vary depending on what’s going on.

 

Some ground rules:

·         This isn’t a support forum. We aren’t support personnel and don’t have the expertise to answer support questions, so we won’t try – we don’t want to lead you astray. Instead, visit Microsoft Support or contact the appropriate support resource, which may be your computer manufacturer. We are program managers, testers, and developers, and we’ll speak only to what we know.

·         We can’t answer every comment. We promise to read all of them, but there just isn’t time to respond to each individual comment or question. That said, we plan to use comments as a source for future posts, so don’t hold back!

·         Comments are moderated. This is mostly intended to prevent spam, but unproductive flamewars may be cut off too – we want the comments section of the blog to remain useful for our readers and ourselves. We promise to use a light hand when moderating, and we certainly want to hear your constructive criticism – it helps us improve.

·         We won’t discuss confidential information. ‘Nuff said.

Thanks for tuning in, and see you soon!

 