Microsoft fumbles Office security patch updates

Microsoft stumbled into security SNAFU when its December bug-fix for Microsoft Office ( MS14-082) disabled ActiveX form controls in Microsoft Excel and other Office modules.

As Jan Karel Pieterse reported on Daily Dose of Excel, after installing the update he was no longer able to add an ActiveX control to a worksheet and got back instead the error message: “Cannot insert object”.

He discovered that the security update had updated the control, and also left behind some temporary .exd files that interrupted the usual ActiveX functions.

On 22 December Microsoft released a Fixit workaround for the problem, but came under renewed criticism this month when January’s regular software patch failed to correct the previous month’s update flaw.

Woody Leonhard reported on Infoworld.com  that there was a newly reported problem that scrambled the default naming of ActiveX controls. The patches for different versions of Office are still being offered via Automatic Update, he warned.

While this has been going on with MS Office, Microsoft has been tangling with Google over the latter’s  Project Zero initiative to expose zero-day software vulnerabilities. Project Zero reports any security flaws it hears about to developers and if they don’t respond within 90 days.

In a TechNet blog, the senior director of Microsoft’s  Security Response Center, Chris Betz, hit back: “We don’t believe it would be right to have our security researchers find vulnerabilities in competitors’ products, apply pressure that a fix should take place in a certain timeframe, and then publically disclose information that could be used to exploit the vulnerability and attack customers before a fix is created.”