Time to patch your Office 2013/Pro Plus: ms13-104

The token security issue reported in May 2013 (Read the full story on http://adallom.com/blog/severe-office-365-token-disclosure-vulnerability-research-and-analysis/), that Office Pro Plus could be tricked in sending out it’s token for Office 365 while talking to a malicious site. Through that mechanism users tokens could be collected and be used for easy access to the users data, mailbox, …

The resolution is finally released as a part of the automatic updates of Windows/Office. You can download the patch on http://technet.microsoft.com/en-us/security/bulletin/ms13-104 if you only want to deploy this one.

I urge you to install it as soon as possible.

Read also Paul Robichaux’ blog post about the topic: http://paulrobichaux.wordpress.com/2014/01/02/office-365-token-disclosure-flaw-patch-your-desktops-now/?utm_content=buffer0f5ae&utm_source=buffer&utm_medium=twitter&utm_campaign=Buffer

Previous versions of Office available in Office 365 for Download

One of the advantages of using Office 365 is that you have always the latest version of Office Pro Plus, which is at this time the Office 2013 version. Until now it was not possible to get the Office 2010 version from the Office 365 Portal.

Now it is! How to get it?

  1. Within the Admin Center,  navigate to Service Settings
  2. Select the User Software section.
  3. Go to “Previous Versions” section that contains Office Professional Plus 2010 and Lync 2010 (both 32 and 64-bit).

This is only available for the Administration, not for the End User