Microsoft Patch for Office Breaks Click-to-Run


The recent Microsoft patch for Office has broken one of the newest features of Office 2013 for some users. Microsoft patches that break something aren’t new. In fact, it happens quite often. However, patching problems in application code without adversely affecting other parts of the code is not easy. Security problems created by some of the Java patches have been all over the tech news world this year, to the point where it’s been recommended that you uninstall Java unless you absolutely must use it. According to reports, only about one percent of people that use the feature in question will experience problems.

New Click-to-Run Feature of Office 2013

The Microsoft patch for Office that was released to the public in June breaks the Click-to-Run feature for a very small number of people. Click-to-Run is a pretty cool feature that lets you run applications within the Office 2013 Suite before they completely install. What makes this possible is that the parts of the code that are needed to run the desired application stream to your computer while the program is installing, allowing you to work while the installation continues in the background. Unlike a few other software companies, Microsoft was quick to acknowledge the problem.

A Little on How Click-to-Run Works

I’ve never used this feature, but it sounded pretty cool, so when I heard about the issue, I did some research on Click-to-Run. There are two neat facts about this feature. First, it allows you to use an Office product without having to wait for it to install fully. This could save you quite a bit of time if you’re on a slower computer or installing over a network. The other neat thing is that when you use the feature, you run the newest and most up-to-date bits of code. This means that if there are issues in the version of Office you’re installing, chances are those issues will be solved using the Click-to-Run code.

I know I said that there are two neat things, but, for the security-conscious, there’s also a third thing: The bits being used by Click-to-Run run inside a virtual environment on your computer. A virtual environment is an operating system within an operating system, with the virtual operating system usually not being able to communicate with the outside world. This means that if there are serious security flaws in the code that haven’t been discovered yet, your computer and, more importantly, your private information aren’t at risk. It also lets you run a newer version of Office if there is already an older version installed on the computer.

I Want Click-to-Run Back!

Never fear. Once they were made aware of the problem, Microsoft engineers were pretty quick to publish a fix for the problem. In fact, you may already have it and not know it. However, if you’re still experiencing the problem, they have published a work-around: Uninstall using a special FixIt tool, and then reinstall the product from your My Accounts page. I don’t hide the fact that I’m not a fan of the Redmond company, but I have to say they were extremely proactive and fast in getting this problem fixed and getting the fix out to customers.

What Else Did the Update Contain?

The June Microsoft patch wasn’t just an update for Office 2013. In total the June 10th updates fixed 66 vulnerabilities, 59 of which were related to memory corruption issues in Internet Explorer, the company’s web browser. These vulnerabilities were discussed in a Microsoft Knowledge Base article.

One of the problems that was addressed had been previously disclosed to the public in Security Bulletin MS14-035. This update was rated as “Critical” by Microsoft engineers, meaning that the underlying issue was extremely serious. This issue allowed “bad guys” to gain access to a user’s computer with the same rights as the user. This could be problematic for home users with an Admin account, but for companies and home users that have system policies decreasing user privileges, the issue isn’t as dangerous. I’m not going to get into the nitty-gritty of the issue because of the technical jargon, but you can follow the link above and read all about it.

Again, it’s important to remember that problems like these aren’t limited to Microsoft or even Office products. Every large software vendor has them from time to time. As I mentioned above, there are computer security experts that are recommending that Java usage be limited because of some very serious security issues in updates from earlier this year (2014).

I use Nightly, the “official” 64-bit version of Firefox, as my browser. They tend to push out updates at least once a day. Two weeks ago their daily update broke Yahoo for thousands of users. I’ve also had problems with other software products occur after a “required” update. So, Mr. Gates, please don’t get the idea that I’m singling you out for your Microsoft patch for Office.