Microsoft has quietly delivered another round of security updates for Office 2016, even though support for the software officially ended two months ago. These patches focus on critical vulnerabilities that could still affect businesses and individuals running this older version of Microsoft Office. Here’s what’s been fixed and how to get the updates.
We’re obliged to Susan Bradley at Ask Woody who picked up this interesting extra in the latest load of security updates …
Office 2016 is getting some security updates this month, even though the suite officially reached end of life back in October.
That “just-one-more-patch” routine isn’t new. It’s happened before when the Office team clearly had fixes in the pipeline and released them only after support ended. Microsoft also keeps an escape hatch open: it says it may release updates when a large enough customer base is still on older versions and would otherwise be left exposed.
Here are the updates being pushed:
Getting these patches, like all Office 2016 updates, depends on how Office was installed. Most people will have “Click to Run”, so update from File | Account: under Update Options choose Update Now. Older .MSI installs are updated via Microsoft Update, or you can download the individual patches from the links above.
If you don’t know Click to Run from MSI (understandable), look for the Update Options under File | Account; if that’s not visible, go the MSI route.
Many of these address remote code execution (RCE) vulnerabilities—exactly the kind of bugs attackers target because they can lead to compromise. For the Excel issues, the Preview Pane is not an attack vector: you generally have to open a malicious workbook for an attack to trigger.
Mac users are still in limbo. Excel for Mac 2021 and 2024 do not have these fixes available yet. For Outlook, the situation is more worrying because the Preview Pane is an attack vector, including for users on Office LTSC for Mac 2021 and 2024, and those Mac fixes are not available yet, either.