Missing Localized Strings Here Office For Mac 2016


Modified

This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.

Current Description

According to this page, and confirmed by experiment, the path has changed for Office 2016. It is now /Library/Group Containers/UBF8T346G9.Office/User Content/Templates. (This is what you see in the Finder: if you use Terminal the last two directories have '.localized' appended to their name, which Finder evidently suppresses).

The GDI component in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Office for Mac 2011, and Office 2016 for Mac allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka 'GDI Information Disclosure Vulnerability.'

The most recent update added several features. A new download was added for Office 2016 for Mac. Dell had new models added after cleaning up the old list. Also, new images were added. Windows 10 Pro was added for Dell as well. Italian localization was updated. Lastly, they added all the builds up to 19559 with an insider and developer version.


Analysis Description

The GDI component in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Office for Mac 2011, and Office 2016 for Mac allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka 'GDI Information Disclosure Vulnerability.'

Localize all the files, including InfoPlist.strings files. Only submit complete localizations, not partial ones. If updating an existing localization, only send back the files which you actually modified. Send only the lproj folders for the specific language you are working on; do not send back the lproj folders for the other languages.

Since the launch of Office 2016 for Mac in July, Mac OS X users around the world have been able to take advantage of the highly anticipated new features and improvements since the 2011 release. At the same time, some of our users also have sent us feedback requesting further improvements to our VBA support, particularly around VBA add-ins.

Severity

CVSS 3.x Severity and Metrics:
NIST:NVD
Vector:NVD
Vector:

Hyperlink (Resource):

  • http://www.securityfocus.com/bid/94755 (Third Party Advisory, VDB Entry)
  • http://www.securitytracker.com/id/1037438 (Third Party Advisory, VDB Entry)
  • http://www.securitytracker.com/id/1037441 (Third Party Advisory, VDB Entry)
  • https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-146
  • https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-148

Weakness Enumeration

CWE-ID: CWE-200
CWE Name: Exposure of Sensitive Information to an Unauthorized Actor
Source: NIST

Known Affected Software Configurations

Change History

6 change records found

Update: for a quick way to do this with PowerShell see: blog here

##########

As discussed in this post, Understanding Office Click-to-Run, Branches, MSI and Skype for Business Client Versions, Office 2016 Click to Run is released in 5 'Channels' (previously branches)

2 for normal users:

  • Current Channel (previously called Current) (Current)
  • Deferred Channel (previously Current Branch for Business) (Business)

And 2 for validation/testing:

  • Office Insider Fast (Insiderfast) – weekly builds, not generally supported
  • First Release Channel (FirstReleaseCurrent) – the preview of the current branch, this is the 'pre-release' of current
  • First Release for Deferred Channel (previously First Release for Current Branch for Business) (Validation) – the preview of the business branch

The Current Channel gets feature and security updates monthly and is the default for Home installs.

Deferred Channel (the default for enterprises) gets security updates monthly but only gets feature updates every 4 months, giving businesses more time to assess the impact of any changes. There is also a branch for business to test the upcoming Deferred Channel, the catchily titled 'First Release for Deferred Channel'.

Office 365 'First Release' Channel (Office Insider Slow) is essentially a preview of the Current Channel, with build updates once or twice a month. Finally, Office Insider Fast offers weekly unsupported builds with all the latest features.

You can define the branch of an install at point of install with the Office Deployment Tool, which uses an XML file to customise the install and optionally set the branch. For example, this XML sets the install to the Deferred Channel

You can also choose your channel by setting a registry key, and/or you can set your branch by GPO, including setting it by GPO on the local machine.

Note: changing the channel 'down', for example from FirstReleaseCurrent to Current, does not seem to cause Office to 'roll back' from the newer build to the current build for that branch.

Setting Office Click to Run Channel via the Registry

Here is the registry key to choose a channel (Thanks to Kyle in the comments!)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate

Value name: updatebranch
Value type: REG_SZ

Set the value to:

  • Insiderfast (Office Insider Fast)
  • FirstReleaseCurrent (for First Release Branch/Office Insider Slow)
  • Current (for Current)
  • Validation (for First Release for Deferred Channel)
  • Business (for Deferred Channel)

Setting Office Click to Run Channel via Group Policy

Here is how to set it for a machine using a local GPO, i.e. it can be configured on the local machine with administrator access.

First, download the Office 2016 Administrative Template files (ADMX/ADML).

When you run it, it will extract the following files:

  • Copy the .admx files from the admx folder to C:\Windows\PolicyDefinitions
  • Copy the ADML files from the relevant language folder, e.g. en-us, to the relevant folder on your system, e.g. C:\Windows\PolicyDefinitions\en-US

You technically only need office16.admx and office16.adml to set the branch.

Run gpupdate /force from CMD as an administrator.

Run gpedit.msc and find the Administrative Template for Office 2016, then Updates, and set the Update Channel to one of the following, in order of most up to date to least:

  • Insiderfast (Office Insider Fast)
  • FirstReleaseCurrent (for First Release Branch/Office Insider Slow)
  • Current (for Current)
  • Validation (for First Release for Deferred Channel)
  • Business (for Deferred Channel)

After another gpupdate, my install previously on the Deferred Channel was ready for an update




