Handling of Office 365 "Click-2-Run" versions in SVM
Due to a change in how Microsoft handles Office 365 C2R versions, Flexera has made changes to its detection logic to facilitate accurate vulnerability detection of all Office 365 C2R program versions.
The changes might lead to an increased number of Insecure / EOL statuses being displayed for your Office 365 C2R programs in SVM products. It is important to know that Microsoft Office 365 updates do not come in the form of KB fixes delivered through the official Microsoft Update service, as most Microsoft updates do.
Customers should seek more information on released security updates for Insecure MS Office O365 2016/2019 directly from Microsoft, not from the Software Vulnerability Manager solution.
This article addresses the following questions and topics:
- How are Office 365 C2R versions identified by Flexera?
- How is that different than any other Microsoft program?
- What is the impact of the change and what should you expect going forward?
- Why are some versions of Office 365 suddenly listed as Insecure / EOL after the change?
- Why is your version considered EOL when Office 2016/O365 is a currently supported product?
How are Office 365 C2R versions identified by Flexera?
Microsoft maintains a few concurrent Office 365 channels, one for each Office 365 version, and Flexera looks at these actively maintained channels to identify the versions and incremental builds that are actively supported by Microsoft.
How is that different than any other Microsoft program?
Office 365 Click-2-Run versions are not provided/maintained through the official Microsoft Update KB channels, unlike every other actively supported Microsoft software product. This is why Software Vulnerability Manager is unable to use Microsoft Update to determine what solution exists for your insecure O365 versions. For all other Microsoft programs, Flexera takes the security status from the official Microsoft Update channels. For Office 365 C2R, it looks to these dedicated C2R channels instead.
What is the impact of the change and what should you expect going forward?
The changes in handling Office 365 C2R versions are positive even though they might drastically impact the security status of your Office 365 programs initially. This impact is a one-time event that is remediated through regular maintenance, and after patching all versions that were impacted and displayed as Insecure / EOL, your reporting will normalize once again.
Why is your version considered EOL when Office 2016/O365 is a currently supported product?
Microsoft usually maintains several supported Office 365 version channels, which can be reviewed at their 'Release Notes Office365 Proplus' page. All other versions and/or incremental builds that are not currently in any maintenance channel and are not receiving active maintenance from Microsoft are considered End-of-Life.
Additional Office 365 Information and Considerations:
- Office 365 versions are typically identified by their YYMM version number (e.g. 1803, 1809), which indicates the year and month of the version's release. Flexera scans identify them by looking at the 16.0.<build number> file versions.
- Within each version (e.g. 1803, 1809), Microsoft maintains a mixture of security and feature updates. In most cases, the highest incremental build within a particular version is also the only secure release available.
- The cumulative list of these versions (1803, 1809, etc.) is also referred to as the Office 365 / Click-to-Run versions. You can cross-reference this information with Microsoft's Monthly Channel Releases release notes page.
- On-premises versions of Office 2016 and 2019 have similar major version metadata of 16.x.x.x, but these versions are not handled in the same way as Office 365 C2R. They are covered just as any other application is in the SVM products.
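The classification logic described above (map the 16.0.<build> file version to its YYMM version, call the build EOL when no maintained channel carries it, and treat only the highest incremental build within a version as Secure), as an added example that is not Flexera's code. The channel table and build numbers are constructed sample data, not real Microsoft releases; the `click_to_run` flag stands in for however an inventory tool distinguishes C2R from on-premises installs.

```python
from typing import Dict, Mapping, Optional, Sequence, Tuple

Version = Tuple[int, int, int, int]

# Constructed sample channel table: each maintained YYMM version maps to the
# incremental builds released for it, in release order. Real data would be
# taken from Microsoft's Office release-notes pages, not from this table.
MAINTAINED_CHANNELS: Dict[str, Sequence[str]] = {
    "1803": ("16.0.9000.1000", "16.0.9000.1100", "16.0.9000.1250"),
    "1809": ("16.0.9500.2000", "16.0.9500.2100"),
}


def parse_version(text: str) -> Version:
    """Turn '16.0.<build>.<rev>' into a comparable tuple of four ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a 4-part file version: {text!r}")
    return tuple(int(p) for p in parts)  # type: ignore[return-value]


def find_channel_version(file_version: str,
                         channels: Mapping[str, Sequence[str]]) -> Optional[str]:
    """Map a file version to its YYMM version via the shared 16.0.<build> prefix."""
    prefix = parse_version(file_version)[:3]
    for yymm, builds in channels.items():
        if any(parse_version(b)[:3] == prefix for b in builds):
            return yymm
    return None  # no maintained channel carries this build


def recommended_build(file_version: str,
                      channels: Mapping[str, Sequence[str]] = MAINTAINED_CHANNELS) -> Optional[str]:
    """Highest incremental build within the install's version, or None if EOL."""
    yymm = find_channel_version(file_version, channels)
    return None if yymm is None else max(channels[yymm], key=parse_version)


def classify(file_version: str,
             channels: Mapping[str, Sequence[str]] = MAINTAINED_CHANNELS,
             click_to_run: bool = True) -> str:
    """Return the status the article describes: Secure, Insecure or EOL."""
    if not click_to_run:
        # On-premises Office 2016/2019 also report 16.x metadata but are
        # assessed like any other application, not through channel data.
        return "Not C2R: handled as a regular application"
    newest = recommended_build(file_version, channels)
    if newest is None:
        return "EOL"
    # Only the newest listed build is Secure; older or unlisted revisions
    # within the same version are Insecure and should move to `newest`.
    return "Secure" if parse_version(file_version) == parse_version(newest) else "Insecure"
```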