Announcement

Collapse
No announcement yet.

Office trying to 'phone home' -- unsecurely

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Office trying to 'phone home' -- unsecurely

    Client system is behind firewalls/proxies which do not allow direct access to the Web, and very little downloading is permitted. Until the April cycle of updates, the Office 2010 ADMX GP templates gave us all we needed to prevent default behind-the-scenes attempts by Office components to contact the MS sites for themes, etc. but after the update cycle, each user sees 4 nag boxes the first time they open an Office module, such that access to an HTTP site is not permitted. Wireshark shows the site URL is 'http://office14.microsoft.com/...', and the resultant address does give an XML file with other URL links in it for Office stuff we want blocked. I've been thru every setting throughout the GP templates and have checked each setting available, but it won't stop. Google searches have turned up nothing, either.

    I know HTTP is unsecure, and I don't need Office's default security settings to tell me that. But I also don't get which update (out of 30 or so) has changed the behavior such that Office insists on trying to get to the unsecure site, then complain to the user that it's unsafe to do so. If you acknowledge the nags for that app, they'll go away for the rest of the day, but reappear the next day. So if a user has work for Word, Excel, PowerPoint and at least Visio every day, they've got to clear 16 nag boxes every day.

    Anyone got any ideas about how to turn this off?
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **

  • #2
    If you can provide me a list of those Updates (screen capture of the Update History for 15 April or install date), I can go through them one by one and see if I can track it down. Got heaps of time on my hands and I have run out of pr0n to watch.

    Since today is Patch Tuesday/Wednesday in OZ, I just checked the new surprises MS have bestowed on us this month. There are, for me, 11 Office Updates and Security Updates. I wonder if they may fix the problem you are having because as sure as a bear craps in the woods, if you have discovered this issue then there will be other as well. They may have gone straight to MS support and not posted it.
    1 1 was a racehorse.
    2 2 was 1 2.
    1 1 1 1 race 1 day,
    2 2 1 1 2

    Comment


    • #3
      This link seems to refer to an outside intrusion but I wonder if it got cocked up? https://nakedsecurity.sophos.com/201...soft-http-bug/

      On the off chance you didn't read this. Microsoft Security Bulletin Summary for April 2015

      1 1 was a racehorse.
      2 2 was 1 2.
      1 1 1 1 race 1 day,
      2 2 1 1 2

      Comment


      • #4
        Thanks for the offer, much appreciated. The links you gave didn't shed any light, unfortunately, and I'm still not finding anything on-line. Outlook users are seeing 4 prompts for web proxy credentials to get out to the I'net, while other Office users get the nag screen, 4 times each occurrence. It'd be nice if I could find a white paper which talks about locking Office down in a protected environment, but I haven't found that, either.

        I've attached a screen shot of last month's updates, just sorted by date. If you do stumble across a likely answer, I will sing your praises forever!

        The forum doesn't appear to like newer-format Office files. Tried attaching my original PPTX file, but forum wouldn't have it. Re-saved as PPT, no sweat. I look forward to any insight you may have. Cheers!
        Attached Files
        *RicklesP*
        MSCA (2003/XP), Security+, CCNA

        ** Remember: credit where credit is due, and reputation points as appropriate **

        Comment


        • #5
          The attachment issue has been made aware to the appropriate staff. Thanks for letting us know about that. Got your file and will start looking. Hopefully I can find something.
          1 1 was a racehorse.
          2 2 was 1 2.
          1 1 1 1 race 1 day,
          2 2 1 1 2

          Comment


          • #6
            Spent a little time and the results are in the hopefully soon to be attached file. I would look closely at KB2881026 because if the Filter is looking at Home for some weird MS reason then.....? However it is more a guess based on the Filter Search. If you were running Win 8.1 then I would be more hopeful since we know the Search looks at the HDD and eventually reports back to the Mothership.

            Got any FREE TechNet support calls laying around unused?
            Attached Files
            1 1 was a racehorse.
            2 2 was 1 2.
            1 1 1 1 race 1 day,
            2 2 1 1 2

            Comment


            • #7
              Sorry, biggels77, only saw this today. Many thanks for the review you put together! I'm having a look thru the synopsis doc now, and I agree with some of your sarcasm! I also agree with your suggestions of possible reasons for my predicament, and will chase them up. I will try uninstalling the Filter Pack update and let you know. BTW: the latest update set didn't change anything in Office this month, so whatever was done in April is still doing its thing.

              Sadly, I don't have any support calls lying around. But based on my previous experience with MS support due to issues with standing up a new SAN + Hyper-V environment, I don't know as I'd trust anything they said about this. We spent more time listening to MS & Dell bad-mouthing each other than we did anything else. Those questions never did get resolved, and we struggled on, on our own. Now it's a production environment so we're stuck with what we bought.
              *RicklesP*
              MSCA (2003/XP), Security+, CCNA

              ** Remember: credit where credit is due, and reputation points as appropriate **

              Comment


              • #8
                Update for today: I've removed the update regarding the Filters patch, turns out the prerequisite wasn't installed 'cause the WSUS scan said it wasn't applicable, so we declined it last year. But that removal solved nothing. Then I went to uninstall the update with the comments in red, and it isn't uninstallable. At least not thru Ctrl Pnl nor browsing the registry for the KB #. Have to try looking for the update GUID, but ran out of time today. The MS article which describes this update says it's removable thru normal means, but I can't find it. And if this is the failure, it's on every machine on my Development and Production systems. I'd already rolled out the May updates to my Dev client PCs, maybe one of them 'ate' this other, questionable update.

                My boss tells me we DO have MS support tickets available thru our MSDN subscription, so we're gonna raise it with them. After all, it's pretty stupid for MS Office to try and talk to an HTTP site of it's own, and then complain to me that it's not SSL in the first place.
                *RicklesP*
                MSCA (2003/XP), Security+, CCNA

                ** Remember: credit where credit is due, and reputation points as appropriate **

                Comment


                • #9
                  Isn't MS just the bees knees. One of my pet hates with them is getting an error message, clicking on the "more info" link only to get told not information available. In the list you sent the one that made me laugh (frustrated laugh) was KB3046269 that didn't have an info page. I do not look forward to Windows 10 and it's continual updates. Instead of rebooting once a month it is likely to be every other day.

                  Hope you get a result from your support call. It is going to be real interesting what was causing this.
                  1 1 was a racehorse.
                  2 2 was 1 2.
                  1 1 1 1 race 1 day,
                  2 2 1 1 2

                  Comment


                  • #10
                    We have something from MS: change a reg key so that all of the Office components, not just Outlook, see proxy login boxes instead of the SSL web page warnings. While this reg change does force the change so that the proxy login shows up, it doesn't answer the original question of why Office is trying to go out to the Internet at all. Still slugging away. Got a lot of personnel/IT moves this week in a multi-corporate environment, so it may be a while before I can post another update.
                    *RicklesP*
                    MSCA (2003/XP), Security+, CCNA

                    ** Remember: credit where credit is due, and reputation points as appropriate **

                    Comment


                    • #11
                      Haven't forgotten this, just taking a while to get anything useful from MS. It's taken nearly a fortnight to get them to understand my concern at long last, and their suggestion is to install an update from April (KB2956191) that's supposed to fix the issue. I can't install it because it's already installed according to WSUS logs and the PC's System logs, and there's no way to remove it that I can find (Prgms/Featrs doesn't list it, registry doesn't list an uninstall string for it). But it's definitely recorded as going on in April, and that's when this all started.
                      *RicklesP*
                      MSCA (2003/XP), Security+, CCNA

                      ** Remember: credit where credit is due, and reputation points as appropriate **

                      Comment


                      • #12
                        Remove/uninstall Option 1
                        Remove/uninstall Option 2
                        Remove/uninstall Option 3

                        Unbelievable. Try the above and see if one of them works for you. Toes crossed due to onset Arthur Eyetis onset in fingers.
                        1 1 was a racehorse.
                        2 2 was 1 2.
                        1 1 1 1 race 1 day,
                        2 2 1 1 2

                        Comment


                        • #13
                          Not at work now, will try Opt 2 & 3 tomorrow (hopefully) and let you know. MS told me to try creating a new reg key, but the 2 levels above what they want don't exist. I've asked for clarification.
                          *RicklesP*
                          MSCA (2003/XP), Security+, CCNA

                          ** Remember: credit where credit is due, and reputation points as appropriate **

                          Comment


                          • #14
                            The MS advisor in the Excel forum I've been visiting has washed her hands of the whole thing, because she couldn't remote-in to the system I've been trying to diagnose. I've found other users who've posted the same issue in an overall Office forum and added to that. April 2015 (KB2956191) updates caused it, May 2015 (KB2999439) was supposed to fix it but didn't, and now Jun 2015 KB3054875 isn't looking promising, either.
                            *RicklesP*
                            MSCA (2003/XP), Security+, CCNA

                            ** Remember: credit where credit is due, and reputation points as appropriate **

                            Comment


                            • #15
                              Geez, this must be driving you bonkers. Good thing MS are so diligent in helping to solve this issue. [/sarcasm off]
                              1 1 was a racehorse.
                              2 2 was 1 2.
                              1 1 1 1 race 1 day,
                              2 2 1 1 2

                              Comment

                              Working...
                              X