Office trying to ‘phone home’ — unsecurely

Home Forums Office Office 2010 / 2013 General Issues Office trying to ‘phone home’ — unsecurely

This topic contains 20 replies, has 3 voices, and was last updated by Avatar Anonymous 4 years, 5 months ago.

Viewing 21 posts - 1 through 21 (of 21 total)
  • Author
    Posts
  • Avatar
    RicklesP
    Participant
    #165274

    Client system is behind firewalls/proxies which do not allow direct access to the Web, and very little downloading is permitted. Until the April cycle of updates, the Office 2010 ADMX GP templates gave us all we needed to prevent default behind-the-scenes attempts by Office components to contact the MS sites for themes, etc. but after the update cycle, each user sees 4 nag boxes the first time they open an Office module, such that access to an HTTP site is not permitted. Wireshark shows the site URL is ‘http://office14.microsoft.com/…’, and the resultant address does give an XML file with other URL links in it for Office stuff we want blocked. I’ve been thru every setting throughout the GP templates and have checked each setting available, but it won’t stop. Google searches have turned up nothing, either.

    I know HTTP is unsecure, and I don’t need Office’s default security settings to tell me that. But I also don’t get which update (out of 30 or so) has changed the behavior such that Office insists on trying to get to the unsecure site, then complain to the user that it’s unsafe to do so. If you acknowledge the nags for that app, they’ll go away for the rest of the day, but reappear the next day. So if a user has work for Word, Excel, PowerPoint and at least Visio every day, they’ve got to clear 16 nag boxes every day.

    Anyone got any ideas about how to turn this off?

    Avatar
    biggles77
    Spectator
    #213760

    If you can provide me a list of those Updates (screen capture of the Update History for 15 April or install date), I can go through them one by one and see if I can track it down. Got heaps of time on my hands and I have run out of pr0n to watch.

    Since today is Patch Tuesday/Wednesday in OZ, I just checked the new surprises MS have bestowed on us this month. There are, for me, 11 Office Updates and Security Updates. I wonder if they may fix the problem you are having because as sure as a bear craps in the woods, if you have discovered this issue then there will be other as well. They may have gone straight to MS support and not posted it.

    Avatar
    biggles77
    Spectator
    #213761

    This link seems to refer to an outside intrusion but I wonder if it got cocked up? https://nakedsecurity.sophos.com/2015/04/15/update-tuesday-april-2015-urgent-action-needed-over-microsoft-http-bug/

    On the off chance you didn’t read this. Microsoft Security Bulletin Summary for April 2015

    Avatar
    Anonymous
    #371819

    Thanks for the offer, much appreciated. The links you gave didn’t shed any light, unfortunately, and I’m still not finding anything on-line. Outlook users are seeing 4 prompts for web proxy credentials to get out to the I’net, while other Office users get the nag screen, 4 times each occurrence. It’d be nice if I could find a white paper which talks about locking Office down in a protected environment, but I haven’t found that, either.

    I’ve attached a screen shot of last month’s updates, just sorted by date. If you do stumble across a likely answer, I will sing your praises forever!

    The forum doesn’t appear to like newer-format Office files. Tried attaching my original PPTX file, but forum wouldn’t have it. Re-saved as PPT, no sweat. I look forward to any insight you may have. Cheers!

    Avatar
    biggles77
    Spectator
    #213766

    The attachment issue has been made aware to the appropriate staff. Thanks for letting us know about that. Got your file and will start looking. Hopefully I can find something.

    Avatar
    biggles77
    Spectator
    #213791

    Spent a little time and the results are in the hopefully soon to be attached file. I would look closely at KB2881026 because if the Filter is looking at Home for some weird MS reason then…..? However it is more a guess based on the Filter Search. If you were running Win 8.1 then I would be more hopeful since we know the Search looks at the HDD and eventually reports back to the Mothership.

    Got any FREE TechNet support calls laying around unused?

    Avatar
    Anonymous
    #371820

    Sorry, biggels77, only saw this today. Many thanks for the review you put together! I’m having a look thru the synopsis doc now, and I agree with some of your sarcasm! I also agree with your suggestions of possible reasons for my predicament, and will chase them up. I will try uninstalling the Filter Pack update and let you know. BTW: the latest update set didn’t change anything in Office this month, so whatever was done in April is still doing its thing.

    Sadly, I don’t have any support calls lying around. But based on my previous experience with MS support due to issues with standing up a new SAN + Hyper-V environment, I don’t know as I’d trust anything they said about this. We spent more time listening to MS & Dell bad-mouthing each other than we did anything else. Those questions never did get resolved, and we struggled on, on our own. Now it’s a production environment so we’re stuck with what we bought.

    Avatar
    Anonymous
    #371821

    Update for today: I’ve removed the update regarding the Filters patch, turns out the prerequisite wasn’t installed ’cause the WSUS scan said it wasn’t applicable, so we declined it last year. But that removal solved nothing. Then I went to uninstall the update with the comments in red, and it isn’t uninstallable. At least not thru Ctrl Pnl nor browsing the registry for the KB #. Have to try looking for the update GUID, but ran out of time today. The MS article which describes this update says it’s removable thru normal means, but I can’t find it. And if this is the failure, it’s on every machine on my Development and Production systems. I’d already rolled out the May updates to my Dev client PCs, maybe one of them ‘ate’ this other, questionable update.

    My boss tells me we DO have MS support tickets available thru our MSDN subscription, so we’re gonna raise it with them. After all, it’s pretty stupid for MS Office to try and talk to an HTTP site of it’s own, and then complain to me that it’s not SSL in the first place.

    Avatar
    biggles77
    Spectator
    #213802

    Isn’t MS just the bees knees. One of my pet hates with them is getting an error message, clicking on the “more info” link only to get told not information available. In the list you sent the one that made me laugh (frustrated laugh) was KB3046269 that didn’t have an info page. I do not look forward to Windows 10 and it’s continual updates. Instead of rebooting once a month it is likely to be every other day.

    Hope you get a result from your support call. It is going to be real interesting what was causing this.

    Avatar
    Anonymous
    #371823

    We have something from MS: change a reg key so that all of the Office components, not just Outlook, see proxy login boxes instead of the SSL web page warnings. While this reg change does force the change so that the proxy login shows up, it doesn’t answer the original question of why Office is trying to go out to the Internet at all. Still slugging away. Got a lot of personnel/IT moves this week in a multi-corporate environment, so it may be a while before I can post another update.

    Avatar
    Anonymous
    #371827

    Haven’t forgotten this, just taking a while to get anything useful from MS. It’s taken nearly a fortnight to get them to understand my concern at long last, and their suggestion is to install an update from April (KB2956191) that’s supposed to fix the issue. I can’t install it because it’s already installed according to WSUS logs and the PC’s System logs, and there’s no way to remove it that I can find (Prgms/Featrs doesn’t list it, registry doesn’t list an uninstall string for it). But it’s definitely recorded as going on in April, and that’s when this all started.

    Avatar
    biggles77
    Spectator
    #213868

    Remove/uninstall Option 1
    Remove/uninstall Option 2
    Remove/uninstall Option 3

    Unbelievable. Try the above and see if one of them works for you. Toes crossed due to onset Arthur Eyetis onset in fingers. :mrgreen:

    Avatar
    Anonymous
    #371830

    Not at work now, will try Opt 2 & 3 tomorrow (hopefully) and let you know. MS told me to try creating a new reg key, but the 2 levels above what they want don’t exist. I’ve asked for clarification.

    Avatar
    Anonymous
    #371834

    The MS advisor in the Excel forum I’ve been visiting has washed her hands of the whole thing, because she couldn’t remote-in to the system I’ve been trying to diagnose. I’ve found other users who’ve posted the same issue in an overall Office forum and added to that. April 2015 (KB2956191) updates caused it, May 2015 (KB2999439) was supposed to fix it but didn’t, and now Jun 2015 KB3054875 isn’t looking promising, either.

    Avatar
    biggles77
    Spectator
    #213879

    Geez, this must be driving you bonkers. Good thing MS are so diligent in helping to solve this issue. [/sarcasm off]

    Avatar
    Anonymous
    #371837

    Another news flash: applied 3 updates for Win7 (not Office) on the PC I’ve been using as the test bed for my troubleshooting, and the problem is gone! Added the same 3 updates to a machine that hasn’t been touched other than deployed updates and GP since it was deployed, and the problem still manifests. So now I have to work out how to apply all of my troubleshooting steps to all clients (some settings have no GP items, and I haven’t found them in registry yet), and then add these last 3 updates and maybe it’s fixed. Once I know the fixes, I’ll post here and in the MS Office forum.

    Avatar
    biggles77
    Spectator
    #213881

    [ATTACH=CONFIG]n491102[/ATTACH] [ATTACH=CONFIG]n491103[/ATTACH] [ATTACH=CONFIG]n491104[/ATTACH] [ATTACH=CONFIG]n491105[/ATTACH] Would that just about sum up how you feel about this issue at the moment?

    Avatar
    Anonymous
    #371838

    Got it in one! But knock the walls down now, we have a fix! It’s not one thing on it’s own, it’s several things–you’re gonna love this.

    First, set 2 GP items:
    *-One is for your user policy(ies): Users – Preferences – Windows – Registry, create an entry of ‘BasicAuthLevel’ as a DWORD = 2 under ‘HKCUSoftwareMicrosoftOffice14.0Common’ (not in any of the subkeys, though). Set the policy to Update. If you have your admin users in separate OUs, but they use Office, they’ll need this too.
    *-One is for your computer policies (including any Terminal Servers where Office is used): Computer – Preferences – Windows – Registry, an entry of ‘EnableAutomaticUpdates’ as a DWORD = 0 under ‘HKLMSoftwarePoliciesMicrosoftOffice14.0CommonOfficeUpdate’. (This key didn’t exist on our workstations from Office, on down.)

    Next, install all the updates from May & June, esp. making sure you install KB3040272, KB3065979, and KB3064209. I have no idea why these 3 made a difference, but the morning after I rolled these out, all my problems went away. I’ve read the KB articles on all 3 and I can’t see how Office update issues are affected, but at this point I’m not looking a gift-horse in the mouth.

    Finally, make some settings changes in Office, from any of the apps–set these once and it’s common to the rest of the apps. With Excel open (for example), click on File, then Options. In the new window click Trust Center, then at the right window edge click Trust Center Settings. In the next new window click Privacy Options. In the right pane, untick (clear) the 7 tick boxes that talk about reaching out to Office.com. I’ve been digging today and cannot find a single reference between any of those settings and corresponding Registry entries, so I can’t advise how to push the settings out. About the only thing I have found is to re-package our Office setup rollout as a new *.msp file and re-deploy Office to our domain. It was infinitely easier to put together a couple of PowerPoint slides and add them to our Help Desk system’s Knowledge Base. The GP settings are rolling out tonight and I’ll be broadcasting the fix announcement to the masses tomorrow, telling them to refer to my KB article. Once they clear those settings, all should be well with the world again.

    Until the next ‘safe’ MS update rollout. :!: But for now, it’s Miller time! :beer:

    Avatar
    biggles77
    Spectator
    #213882

    WTF????? Lucky it was only a simple fix. If it had been a complex one……….

    SIX bloody weeks spent on an MS cockup. Unreal!

    Think you got the last sentence wrong. It’s Millers time! :beer: :beer: :beer: :beer: :beer: :beer:

    Avatar
    Anonymous
    #371839

    As long as they’re all pints, I’m in!

    Avatar
    biggles77
    Spectator
    #213883

    I would have suggested Darwin Stubbies but they don’t make them any more.

Viewing 21 posts - 1 through 21 (of 21 total)

You must be logged in to reply to this topic.