Due to a change in how Microsoft handles Office 365 C2R versions, Flexera has made changes to its detection logic to facilitate accurate vulnerability detection of all Office 365 C2R program versions.
The changes might lead to more of your Office 365 C2R programs being displayed with an Insecure / EOL status in SVM products. It is important to know that Microsoft Office 365 updates are not delivered as KB fixes through the official Microsoft Update service, as most Microsoft updates are.
Customers should seek more information on released security updates for Insecure MS Office O365 2016/2019 directly from Microsoft, not from the Software Vulnerability Manager solution.
This article addresses the following questions and topics:
How are Office 365 C2R versions identified by Flexera?
Microsoft maintains a few concurrent Office 365 channels, one for each Office 365 version, and Flexera looks at these actively maintained channels to identify the versions and incremental builds that are actively supported by MS.
How is that different than any other Microsoft program?
Office 365 Click-2-Run versions are not provided/maintained through the official Microsoft Update KB channels, as opposed to any other actively supported Microsoft software product. This is why Software Vulnerability Manager is unable to use Microsoft Update to analyze what solution there is for your insecure O365 versions. For all other Microsoft programs, Flexera takes the security status from the official Microsoft Update channels. For Office 365 C2R, it looks to these dedicated C2R channels.
What is the impact of the change and what should you expect going forward?
The changes in handling Office 365 C2R versions are positive even though they might drastically impact the security status of your Office 365 programs initially. This impact is a one-time event that is remediated through regular maintenance, and after patching all versions that were impacted and displayed as Insecure / EOL, your reporting will normalize once again.
Why is your version considered EOL, when 2016/O365 is a currently supported product?
Microsoft usually maintains several supported Office 365 version channels which can be reviewed at their 'Release Notes Office365 Proplus' page. All other versions and/or incremental builds that are not currently in any maintenance channel and are not receiving active maintenance from Microsoft are considered End-of-Life.
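The following added example (not Flexera's detection code) shows how an installed C2R version can be triaged against a list of maintained channel builds, following the rule described above. The channel table, the build numbers and the host names are constructed sample data, and treating a build that trails the newest revision of a maintained build line as Insecure is an assumption of this example.

```python
# Added illustration; not Flexera's detection code. All build numbers below
# are constructed sample data, not real Microsoft release data.

# Assumed input: for each maintained channel, the latest full version string
# of every build line Microsoft still services in that channel.
SUPPORTED = {
    "Monthly": ["16.0.30000.20100"],
    "Semi-Annual": ["16.0.20000.20500", "16.0.10000.20900"],
}

def parse(version):
    """Split '16.0.<build>.<revision>' into (build, revision) integers."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a C2R version string: {version!r}")
    return int(parts[2]), int(parts[3])

def classify(installed, supported=SUPPORTED):
    """Return (status, detail) for one installed C2R version string."""
    build, revision = parse(installed)
    matches = []
    for channel, versions in supported.items():
        for v in versions:
            s_build, s_rev = parse(v)
            if s_build == build:
                matches.append((channel, s_rev, v))
    if not matches:
        # Build line is in no maintained channel: End-of-Life per the article.
        return "EOL", "build not in any maintained channel"
    # Assumption: behind the newest revision of a maintained build = Insecure.
    channel, latest_rev, latest = max(matches, key=lambda m: m[1])
    if revision < latest_rev:
        return "Insecure", f"update to {latest} ({channel})"
    return "Secure", f"current in {channel}"

if __name__ == "__main__":
    # Constructed inventory of installed versions.
    for host, ver in [("ws-01", "16.0.30000.20100"),
                      ("ws-02", "16.0.10000.20300"),
                      ("ws-03", "16.0.9000.2000")]:
        print(host, ver, *classify(ver))
```

In practice the table would be filled from Microsoft's release notes page for the channels you deploy.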
Additional Office 365 Information and Considerations:
Nov 15, 2018 04:52 PM - edited Sep 19, 2019 05:18 AM