List: patchmanagement
Subject: [patchmanagement] Blocking Flash, Shockwave, Silverlight controls from activating in Office Applicat
From: "Susan E Bradley, CPA/CITP/CFF, GSEC" <sbradcpa () pacbell ! net>
Date: 2018-05-25 17:02:36
Message-ID: 437a5b18-7860-dcbe-98cf-712da2693ebd () pacbell ! net
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><a class="moz-txt-link-freetext"
href="https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Blocking-Flash-Shockwave-Silverlight-controls-from-activating-in/ba-p/191729?utm_source=t.co&amp;utm_medium=referral">https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Blocking-Flash-Shockwave-Silverlight-controls-from-activating-in/ba-p/191729?utm_source=t.co&utm_medium=referral</a></p>
<div class="lia-message-subject-wrapper lia-component-subject"
style="box-sizing: border-box; font-family: SegoeUI, Lato,
"Helvetica Neue", Helvetica, Arial, sans-serif; color:
rgb(51, 51, 51); font-size: 14px; font-style: normal;
font-variant-ligatures: normal; font-variant-caps: normal;
font-weight: 300; letter-spacing: normal; orphans: 2; text-align:
left; text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255); text-decoration-style:
initial; text-decoration-color: initial;">
<div class="MessageSubject" style="box-sizing: border-box;
font-family: SegoeUI, Lato, "Helvetica Neue",
Helvetica, Arial, sans-serif;">
<div class="MessageSubjectIcons " style="box-sizing: border-box;
font-family: SegoeUI, Lato, "Helvetica Neue",
Helvetica, Arial, sans-serif; display: inline;">
<h2 class="message-subject" style="box-sizing: border-box;
font-family: SegoeUI, Lato, "Helvetica Neue",
Helvetica, Arial, sans-serif; font-weight: normal;
line-height: 1.33333; color: rgb(51, 51, 51); margin: 0px;
font-size: 24px; white-space: normal; word-break:
break-word; word-wrap: break-word; display: inline;"><span
class="lia-message-read" style="box-sizing: border-box;
font-family: SegoeUI, Lato, "Helvetica Neue",
Helvetica, Arial, sans-serif;">
<div class="lia-message-subject" style="box-sizing:
border-box; font-family: SegoeUI, Lato, "Helvetica
Neue", Helvetica, Arial, sans-serif; white-space:
normal; word-break: break-word; word-wrap: break-word;
color: rgb(51, 51, 51); font-size: 18px; line-height:
1.2; display: inline-block; margin-bottom: 20px;">
<h5 style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif; font-weight: normal; line-height: 1.33333;
color: rgb(51, 51, 51); margin: 0px; font-size: 20px;
white-space: normal; word-break: break-word;
word-wrap: break-word; display: inline;">Blocking
Flash, Shockwave, Silverlight controls from activating
in Office Applications for Security</h5>
</div>
<span> </span></span></h2>
<span class="lia-img-message-has-url lia-fa-message lia-fa-has
lia-fa-url lia-fa" title="Contains a hyperlink" alt="Message
contains a hyperlink" role="img" id="display_2"
style="box-sizing: border-box; font-family: FontAwesome;
display: inline-block; font-style: normal; font-variant:
normal; font-weight: normal; font-stretch: normal;
line-height: 1; font-size: inherit; text-rendering: auto;
-webkit-font-smoothing: antialiased; transform:
translate(0px, 0px); color: rgb(116, 116, 116);"></span></div>
</div>
</div>
<div class="lia-message-body-wrapper
lia-component-message-view-widget-body" style="box-sizing:
border-box; font-family: SegoeUI, Lato, "Helvetica
Neue", Helvetica, Arial, sans-serif; margin-bottom: 10px;
margin-top: 10px; color: rgb(51, 51, 51); font-size: 14px;
font-style: normal; font-variant-ligatures: normal;
font-variant-caps: normal; font-weight: 300; letter-spacing:
normal; orphans: 2; text-align: left; text-indent: 0px;
text-transform: none; white-space: normal; widows: 2;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255); text-decoration-style:
initial; text-decoration-color: initial;">
<div id="bodydisplay" class="lia-message-body" style="box-sizing:
border-box; font-family: SegoeUI, Lato, "Helvetica
Neue", Helvetica, Arial, sans-serif; white-space: normal;
word-break: break-word; word-wrap: break-word; font-size: 16px;
font-weight: 300; line-height: 1.71429; overflow: auto;
margin-bottom: 10px;">
<div class="lia-message-body-content" style="box-sizing:
border-box; font-family: SegoeUI, Lato, "Helvetica
Neue", Helvetica, Arial, sans-serif; white-space: normal;
word-break: break-word; word-wrap: break-word; font-size:
16px; font-weight: 300; line-height: 1.71429; margin-bottom:
10px;">
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">Today we are announcing an upcoming change to
Office that blocks activation of Flash, Shockwave and
Silverlight controls within Office.</p>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"> </p>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">We are taking this step based on the following
factors:</p>
<ol style="box-sizing: border-box; margin-top: 0px;
margin-bottom: 12px;">
<li style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">Use of some of these controls in exploit
campaigns to target end users of Office.</li>
<li style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">Low observed use of these controls within
Office.</li>
<li style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">Upcoming end of support for some of these
components
<ol start="1" style="box-sizing: border-box; margin-top:
0px; margin-bottom: 0px;">
<li style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">In July 2017,<span> </span><span
style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"><a
href="https://theblog.adobe.com/adobe-flash-update/"
target="_blank" rel="nofollow noopener noreferrer"
style="box-sizing: border-box; background-color:
transparent; color: rgb(20, 108, 172);
text-decoration: underline;">Adobe announced</a></span><span> </span>that
Flash will no longer be supported after 2020. Major
browsers including<span> </span><span
style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"><a
href="https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/"
target="_blank" rel="nofollow noopener noreferrer"
style="box-sizing: border-box; background-color:
transparent; color: rgb(20, 108, 172);
text-decoration: underline;">Edge</a></span>,<span>
</span><span style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"><a
href="https://www.blog.google/products/chrome/saying-goodbye-flash-chrome/"
target="_blank" rel="nofollow noopener noreferrer"
style="box-sizing: border-box; background-color:
transparent; color: rgb(20, 108, 172);
text-decoration: underline;">Chrome</a></span>,<span>
</span><span style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"><a
href="https://webkit.org/blog/7839/adobe-announces-flash-distribution-and-updates-to-end/"
target="_blank" rel="nofollow noopener noreferrer"
style="box-sizing: border-box; background-color:
transparent; color: rgb(20, 108, 172);
text-decoration: underline;">Safari</a></span><span>
</span>and<span> </span><span style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"><a
href="https://blog.mozilla.org/futurereleases/2017/07/25/firefox-roadmap-flash-end-life/"
target="_blank" rel="nofollow noopener noreferrer"
style="box-sizing: border-box; background-color:
transparent; color: rgb(20, 108, 172);
text-decoration: underline;">Firefox</a></span> have
announced their respective roadmaps for ending support
for Flash.</li>
<li style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">Silverlight is expected to reach<span> </span><span
style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"><a
href="https://www.microsoft.com/getsilverlight/locale/en-us/html/installation-win-SL5.html"
target="_blank" rel="noopener noreferrer"
style="box-sizing: border-box; background-color:
transparent; color: rgb(20, 108, 172);
text-decoration: underline;">end of support in
2021</a></span><span> </span>with support for
several browsers and OS platforms already ended in
2016.</li>
</ol>
</li>
</ol>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"><strong style="box-sizing: border-box;
font-weight: bold;">Note:<span> </span></strong>This
change only applies to Office 365 subscription clients. It
will not apply to Office 2016, Office 2013 or Office 2010.</p>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">Customers who wish to enforce this behavior now
in Office 365 subscription clients or in Office 2016
perpetual and down level versions can use the guidance<span>
</span><span style="box-sizing: border-box; font-family: SegoeUI, Lato,
"Helvetica Neue", Helvetica, Arial, sans-serif;"><a
href="https://support.microsoft.com/en-us/help/4058123/security-settings-for-com-objects-in-office"
target="_blank" rel="noopener noreferrer"
style="box-sizing: border-box; background-color:
transparent; color: rgb(20, 108, 172); text-decoration:
underline;">published here</a></span><span> </span>to
block controls targeted by this change.</p>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">Furthermore, customers can also take advantage
of the recently<span> </span><a
href="https://blogs.technet.microsoft.com/secguide/2018/02/13/security-baseline-for-office-2016-and-office-365-proplus-apps-final/"
target="_blank" rel="noopener noreferrer"
style="box-sizing: border-box; background-color:
transparent; color: rgb(20, 108, 172); text-decoration:
underline;"><span style="box-sizing: border-box;
font-family: SegoeUI, Lato, "Helvetica Neue",
Helvetica, Arial, sans-serif;">published Security
Baseline</span><span> </span>for Office 2016</a><span> </span>that
includes a custom Group Policy that blocks Flash.</p>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"> </p>
<h3 id="toc-hId-1427786772" style="box-sizing: border-box;
font-family: SegoeUI, Lato, "Helvetica Neue",
Helvetica, Arial, sans-serif; font-weight: normal;
line-height: 1.2; color: inherit; margin: 0px; font-size:
18px;">What does this update block?</h3>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">This change blocks the activation of the
following controls within the Office process.</p>
<table style="box-sizing: border-box; border-collapse:
collapse; border-spacing: 0px; background-color:
transparent; margin: 15px 0px;" width="624">
<tbody style="box-sizing: border-box;">
<tr style="box-sizing: border-box;">
<td style="box-sizing: border-box; padding: 10px;
border: 1px solid rgb(209, 209, 209); min-width: 40px;
word-break: normal;" width="171">
<p style="box-sizing: border-box; margin: 0px;
font-family: SegoeUI, Lato, "Helvetica
Neue", Helvetica, Arial, sans-serif;">Control</p>
</td>
<td style="box-sizing: border-box; padding: 10px;
border: 1px solid rgb(209, 209, 209); min-width: 40px;
word-break: normal;" width="453">
<p style="box-sizing: border-box; margin: 0px;
font-family: SegoeUI, Lato, "Helvetica
Neue", Helvetica, Arial, sans-serif;">CLSID</p>
</td>
</tr>
<tr style="box-sizing: border-box;">
<td style="box-sizing: border-box; padding: 10px;
border: 1px solid rgb(209, 209, 209); min-width: 40px;
word-break: normal;" width="171">
<p style="box-sizing: border-box; margin: 0px;
font-family: SegoeUI, Lato, "Helvetica
Neue", Helvetica, Arial, sans-serif;">Flash</p>
</td>
<td style="box-sizing: border-box; padding: 10px;
border: 1px solid rgb(209, 209, 209); min-width: 40px;
word-break: normal;" width="453">
<p style="box-sizing: border-box; margin: 0px;
font-family: SegoeUI, Lato, "Helvetica
Neue", Helvetica, Arial,
sans-serif;">D27CDB6E-AE6D-11CF-96B8-444553540000</p>
<p style="box-sizing: border-box; margin: 0px; font-family: SegoeUI, Lato, "Helvetica
Neue", Helvetica, Arial,
sans-serif;">D27CDB70-AE6D-11CF-96B8-444553540000</p>
</td>
</tr>
<tr style="box-sizing: border-box;">
<td style="box-sizing: border-box; padding: 10px;
border: 1px solid rgb(209, 209, 209); min-width: 40px;
word-break: normal;" width="171">
<p style="box-sizing: border-box; margin: 0px;
font-family: SegoeUI, Lato, "Helvetica
Neue", Helvetica, Arial, sans-serif;">Shockwave</p>
</td>
<td style="box-sizing: border-box; padding: 10px;
border: 1px solid rgb(209, 209, 209); min-width: 40px;
word-break: normal;" width="453">
<p style="box-sizing: border-box; margin: 0px;
font-family: SegoeUI, Lato, "Helvetica
Neue", Helvetica, Arial,
sans-serif;">233C1507-6A77-46A4-9443-F871F945D258</p>
</td>
</tr>
<tr style="box-sizing: border-box;">
<td style="box-sizing: border-box; padding: 10px;
border: 1px solid rgb(209, 209, 209); min-width: 40px;
word-break: normal;" width="171">
<p style="box-sizing: border-box; margin: 0px;
font-family: SegoeUI, Lato, "Helvetica
Neue", Helvetica, Arial, sans-serif;">Silverlight</p>
</td>
<td style="box-sizing: border-box; padding: 10px;
border: 1px solid rgb(209, 209, 209); min-width: 40px;
word-break: normal;" width="453">
<p style="box-sizing: border-box; margin: 0px;
font-family: SegoeUI, Lato, "Helvetica
Neue", Helvetica, Arial,
sans-serif;">DFEAF541-F3E1-4c24-ACAC-99C30715084A</p>
</td>
</tr>
</tbody>
</table>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"> </p>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">Some examples of scenarios that would be
impacted by this change are:</p>
<ol style="box-sizing: border-box; margin-top: 0px;
margin-bottom: 12px;">
<li style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">Controls directly embedded in an Office
document, for example, Flash video directly embedded
within a PowerPoint document using the<span> </span><span
style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"><a
href="https://support.office.com/en-us/article/Insert-an-object-in-Word-or-Outlook-8fc1ea53-0e01-4603-a4cf-98c49b6ea3f5"
target="_blank" rel="noopener noreferrer"
style="box-sizing: border-box; background-color:
transparent; color: rgb(20, 108, 172);
text-decoration: underline;">Insert Object</a></span> functionality</li>
<li style="box-sizing: border-box; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">Controls invoked by extensibility components
within the Office process, for example,<span> </span><span
style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"><a
href="https://support.office.com/en-us/article/Roadmap-for-Power-View-in-Excel-c1f0d0f7-adef-4f03-ae35-46d83294e96b"
target="_blank" rel="noopener noreferrer"
style="box-sizing: border-box; background-color:
transparent; color: rgb(20, 108, 172);
text-decoration: underline;">Power View</a></span><span>
</span>add-in that uses Silverlight</li>
</ol>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"> </p>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"><strong style="box-sizing: border-box;
font-weight: bold;">Note:</strong><span> </span>this
change does not cover scenarios where these controls are
activated outside the Office process, for example, a Flash
video inserted into a document via the<span> </span><span
style="box-sizing: border-box; font-family: SegoeUI, Lato,
"Helvetica Neue", Helvetica, Arial, sans-serif;"><a
href="https://support.office.com/en-us/article/Video-Insert-online-video-bf11b812-0243-4f53-a1f9-432fbf7ace2c"
target="_blank" rel="noopener noreferrer"
style="box-sizing: border-box; background-color:
transparent; color: rgb(20, 108, 172); text-decoration:
underline;">Insert Online Video</a></span><span> </span>functionality.</p>
<p style="box-sizing: border-box; margin: 0px;
font-family: SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"> </p>
<h3 id="toc-hId--1124370189" style="box-sizing: border-box;
font-family: SegoeUI, Lato, "Helvetica Neue",
Helvetica, Arial, sans-serif; font-weight: normal;
line-height: 1.2; color: inherit; margin: 0px; font-size:
18px;">When would this block take effect?</h3>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">This change only applies to Office 365
subscription clients and is targeted to take effect in the
following order:</p>
<ol style="box-sizing: border-box; margin-top: 0px;
margin-bottom: 12px;">
<li style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">Controls are blocked in Office 365 Monthly
Channel starting in<span> </span><strong
style="box-sizing: border-box; font-weight: bold;">June
2018</strong>.</li>
<li style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">Controls are blocked in Office 365 Semi
Annual Targeted (SAT) Channel starting in<span> </span><strong
style="box-sizing: border-box; font-weight: bold;">September
2018</strong>.</li>
<li style="box-sizing: border-box; font-family: SegoeUI,
Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">Controls are blocked in Office 365 Semi
Annual (SA) Channel starting in<span> </span><strong
style="box-sizing: border-box; font-weight: bold;">January
2019</strong>.</li>
</ol>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"> </p>
<h3 id="toc-hId-618440146" style="box-sizing: border-box;
font-family: SegoeUI, Lato, "Helvetica Neue",
Helvetica, Arial, sans-serif; font-weight: normal;
line-height: 1.2; color: inherit; margin: 0px; font-size:
18px;">Can I unblock these controls if I need to?</h3>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">Yes. While we are confident that this will not
impact most Office users, we do understand there is
potential to impact some of our users and we apologize for
the inconvenience caused as a result.</p>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"> </p>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">Please refer to support guidance<span> </span><a
title="Flash, Silverlight, and Shockwave controls blocked
in Office 2016"
href="https://support.office.com/en-us/article/flash-silverlight-and-shockwave-controls-blocked-in-office-2016-55738f12-a01d-420e-a533-7cef1ff6aeb1?ui=en-US&rs=en-US&ad=US"
target="_blank" rel="noopener noreferrer"
style="box-sizing: border-box; background-color:
transparent; color: rgb(20, 108, 172); text-decoration:
underline;">published here</a><span> </span>if you need to
unblock controls critical to your workflow. </p>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"> </p>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;">In closing, we believe this is another step
forward in elevating the security of Office. One that
protects our users from malicious attacks without disrupting
day to day productivity for most of them.</p>
<p style="box-sizing: border-box; margin: 0px; font-family:
SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial,
sans-serif;"> </p>
</div>
</div>
</div>
</body>
</html>
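An inventory check built on the CLSID table in the message above, added here as an example and not part of the original message or of Microsoft's guidance: it looks for the four listed CLSIDs in Office files, both as text (a `classid` attribute in an OOXML ActiveX part) and as the 16-byte Windows GUID layout found in OLE data. The part names in the sample, the size cap and the sample file itself are assumptions constructed for the example.

```python
import io
import re
import uuid
import zipfile

# CLSIDs taken from the table in the announcement.
BLOCKED = {
    "D27CDB6E-AE6D-11CF-96B8-444553540000": "Flash",
    "D27CDB70-AE6D-11CF-96B8-444553540000": "Flash",
    "233C1507-6A77-46A4-9443-F871F945D258": "Shockwave",
    "DFEAF541-F3E1-4C24-ACAC-99C30715084A": "Silverlight",
}
MAX_PART = 64 * 1024 * 1024  # assumed cap: skip oversized zip members

# Text form, matched case-insensitively (the table itself mixes case).
TEXT_RE = re.compile(b"|".join(k.encode() for k in BLOCKED), re.I)
# Binary form: Windows GUID layout, first three fields little-endian.
BINARY = {uuid.UUID(k).bytes_le: k for k in BLOCKED}


def scan_bytes(data):
    """Return the set of blocked CLSIDs referenced in a byte string."""
    hits = {m.group(0).decode().upper() for m in TEXT_RE.finditer(data)}
    hits |= {clsid for raw, clsid in BINARY.items() if raw in data}
    return hits


def scan_document(data):
    """Scan one Office file (bytes); return sorted (part, control, clsid)."""
    if zipfile.is_zipfile(io.BytesIO(data)):      # OOXML: .docx/.pptx/.xlsx
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            parts = [(i.filename, z.read(i)) for i in z.infolist()
                     if i.file_size <= MAX_PART]
    else:                                          # legacy binary or other
        parts = [("<file>", data)]
    return sorted((name, BLOCKED[c], c)
                  for name, blob in parts for c in scan_bytes(blob))


def build_sample():
    """Constructed sample: a zip shaped like a .pptx, not a real deck."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        z.writestr("ppt/activeX/activeX1.xml",
                   '<ax:ocx ax:classid="{d27cdb6e-ae6d-11cf-96b8-444553540000}"/>')
        z.writestr("ppt/embeddings/oleObject1.bin",
                   b"\x00" * 8
                   + uuid.UUID("DFEAF541-F3E1-4C24-ACAC-99C30715084A").bytes_le)
    return buf.getvalue()


if __name__ == "__main__":
    for part, control, clsid in scan_document(build_sample()):
        print(f"{part}: {control} {{{clsid}}}")
```

A hit means the file references one of the listed controls; it does not tell you whether activation happens inside the Office process, which is the only case the announcement says is blocked.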