End of support for Office 2016 for Mac

dee001

Hello guys, normally my customers upgrade their Office suites every so often, so I am never in a situation where Microsoft is about to end support for the version of Office they are using. But I have a customer that purchased Office 2016 for Mac 3 years ago, and now we learn that Microsoft is about to end support. What vulnerabilities do we run by leaving them with this unsupported program?
 
For Windows I highly recommend my customers to upgrade and not keep an outdated version, but I wasn't sure if I should be pushy regarding an Office upgrade.

 
Really?

So you're OK with simply receiving an email in Outlook to infect the machine? Like this one did: https://www.cvedetails.com/cve/CVE-2019-1200/

Or perhaps something similar triggered in Word or Excel when a file is opened?

Software is either in support, or it isn't. I will not support software the source vendor will not support. The user can either upgrade, or replace it with one of the many free options. Any process otherwise exposes me to liability.

Given your response I'm curious as to why you made this post. You know what will happen... Office is just as important as Windows, all software on a given platform is the same in this regard. It must be patched, or it's not safe to be on the Internet. Unplug it... and you can keep it.

This one is odd though... because 2016 is leaving mainstream support on that day. Only the Apple version is actually dead.
 
Software is either in support, or it isn't. I will not support software the source vendor will not support. The user can either upgrade, or replace it with one of the many free options. Any process otherwise exposes me to liability.

It only exposes you to liability if you touch it or are the responsible party for maintaining it.

And if a client adamantly insists they want to keep it, then they need to sign something that says they've been warned about the potential perils of unpatched software.

I worry very little about Office in general, as I cannot count the number of clients I've had who continue to use out-of-support versions without issue. However, some use Outlook and some don't.

If this is a residential customer for whom you're doing service, and you've recommended they update and told them why, you've covered yourself provided you can prove that if disaster strikes. Unlike @Sky-Knight, I'm disinclined to believe that disaster will be likely, let alone imminent, if this is a user who's not been inclined to get infections to begin with.

I have a lot of clients, though certainly not all of them, who could likely use Windows XP and Office 2003 and be connected to the internet for years and never have an issue. I don't recommend or support that, but in the end the vast majority of infectious vectors are invited in by direct user action. It's a very small percentage that wheedle their way on to a system completely uninvited. Users have always been the weakest link in the security chain, and the ones that haven't had an antivirus detect something in years and years are very likely to have that situation continue, because it's a direct result of having developed the habits necessary for safe interaction with cyberspace.

Then there are other clients of mine that, if I had not larded their machines with certain software that is meant to protect them from themselves, they'd be having major crash and burns on a weekly basis, even using the latest of absolutely everything.
 
There are separate CVEs for Mac versions of Office. As expected, since the target market is much smaller there are fewer vulnerabilities discovered and probably almost none in the wild.

Who are they and what do they do? All CVEs revolve around opening Office attachments and I'm not aware of them being cross platform. Meaning an exploit will work on both Mac and Windoze OSes, but the payload has to be coded for the underlying OS.

That being said, we're not talking $1000s every year. O365 for home users is $100/year, Mac or Windoze. Nickel solution to the dime problem.
 
As expected, since the target market is much smaller there are fewer vulnerabilities discovered and probably almost none in the wild.

That last bit is something that seldom gets much consideration, but deserves more.

There has to be a potential payoff, and generally one of some "heft," before the amount of work needed to exploit certain vulnerabilities becomes worthwhile.

Look at the hyperventilating about Spectre and Meltdown. Many systems remain unpatched for these (and I seem to remember that certain hardware can't be patched for one or the other, but I can't remember which) and yet we have not been seeing these attack mechanisms being used at all widely.

If an attack surface is difficult to exploit, the potential payoff for the work to do so needs to be very substantial. If it's easy to exploit, you're likely to see those who "hack for amusement" going after it like wildfire, even if the end result is just to annoy, not destroy.

It all comes down to probability of payoff for the effort involved to exploit. And really difficult to exploit with very little likelihood of payoff is relatively low risk.
 