
Forums before death by AOL, social media and spammers... "We can't have nice things"

   alt.comp.os.windows-10      Steaming pile of horseshit Windows 10      197,590 messages   


   Message 197,015 of 197,590   
   ...w¡ñ§±¤ñ to Boris   
   Re: Microsoft Office Zero-Day (CVE-2026-   
   29 Jan 26 23:56:02   
   
   XPost: alt.comp.os.windows-11   
   From: winstonmvp@gmail.com   
      
   On 1/28/2026 9:38 PM, Boris wrote:   
   > ...w¡ñ§±¤ñ wrote in   
   > news:10lefpf$vf8m$1@dont-email.me:   
   >   
   >> On 1/28/2026 5:45 PM, J. P. Gilliver wrote:   
   >>> On 2026/1/28 22:43:36, ...w¡ñ§±¤ñ wrote:   
   >>>> J. P. Gilliver wrote on 1/28/2026 2:11 PM:   
   >>>>> On 2026/1/28 16:6:23, ...w¡ñ§±¤ñ wrote:   
   >>>>> []   
   >>>>>   
   >>>>>> - Versions supported are update-able and fixable, as in the past   
   >>>>>> earlier non-supported versions are not. Likewise, MSFT does not   
   >>>>>> report vulnerability to versions older than indicated in the CVE.   
   >>>>>   
   >>>>> So earlier versions are not fixable (by this patch, anyway), but may   
   >>>>> not be vulnerable in the first place.   
   >>>>     It would be wise to assume the opposite => vulnerable   
   >>>>>   
   >>>>>> - applies to any malicious Office file => 'whatever' in your   
   >>>>>> terminology   
   >>>>>   
   >>>>> When I said does it have to be .docx or whatever, I meant does it   
   >>>>> have to be (for example) .docx, .xlsx, or whatever, as opposed to   
   >>>>> .doc, .xls, and so on - i. e. the "new" formats.   
   >>>>     All those file types can include links or phishing content - not   
   >>>>     sure why you wouldn't know that.   
   >>>   
   >>> This thread started about a _specific_ exploit, that MS had released a   
   >>> patch to protect against.   
   >>   
   >> The link provided to the CVE specified the exploit parameter as:   
   >> "An attacker must send a user a malicious Office file and convince them   
   >> to open it."   
   >>   => should be interpreted as any possible 'Office' file, i.e. no   
   >> delineation for prior version file extensions.   
   >>   
   >   
   > I read the article:   
   >   
   >  l>   
   >   
   > I have some questions.   
   >   
   > My understanding is that any of the Office programs in versions 2021 and   
   > later, will be protected with a 'service-side change'.  What is a   
   > service-side change?   
      
   Afaik...a service side change indicates a future update deployed   
   automatically by Office or manually attempted by user (within Office   
   program - check for updates).   
     - Note: Office 2019/2021/M365 is updated within the program, not   
   Windows Update.   
      
   >   
   > My understanding is also that if one doesn't open (preview is ok, but why   
   > would one bother?) the attached Office document, in any version, there's   
   > no harm.   
     That is the current understanding. The malicious Office file would   
   need to be opened.  Have yet to see an example of how that Office file   
   is named.   
   >   
   > Additionally, the article gives the updates that should be applied to   
   > Office versions 2016 and 2019.  Then, the article gives a registry edit to   
   > 'mitigate' the issue, I assume for the same Office versions, 2016 and   
   > 2019.  Why the registry edit if the updates are applied?   
      
   The 2016/2019 info may be for a pro-active approach (and the only   
   approach) for 2016/2019 end-users - which may be necessary since both   
   2016 and 2019 have reached end-of-support, whereas 2021 and later have   
   not reached that milestone.   
      
      
      
   --   
   ...w¡ñ§±¤ñ   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   



(c) 1994,  bbs@darkrealms.ca