VMware Horizon Community
solgae
Contributor
Contributor

Any security implications on not including security updates on ThinApp'ed Office 2010?

Hi,

I have a question regarding ThinApp'ed Office 2010. We have a virtualized Office 2010 package that is running on our VDI environment. Over time, Microsoft will release new security patches for Office components, some of them being absolutely criticial. I tried using sbmerge process (by making the cmd.exe entry point when running build.bat) to include the security patches (manually downloaded them) but the patch install itself just keeps failing - or at least it reports that it has failed.

So my question is: what would be the risk of not including new security patches on your ThinApp'ed Office package? Minimal since your app is sandboxed? Or should it be treated like a natively installed app. For now, it looks like I'll have to re-start the Office capture every time I need to install the security patch for Windows/Office, and that seems rather unwieldly, if not too tedious.

One strategy I employed was to snapshot it after installing the patches during setup capture and shut down the ThinApp workstation VM. That way, I can install new security patches by rolling back to the snapshot. Once the new security patches are applied, I can run the post-scan. The only drawback is that all the tuning applied to the Office package has to be re-applied. Also, if Windows patch needs to be installed, I'll have to roll back to the clean state, install the windows patches, and then re-do all the setup capture again. I hoped that sbmerge process would work, but it doesn't seem to be that easy.

Thanks in advance.

Reply
0 Kudos
5 Replies
kjb007
Immortal
Immortal

Are you storing the app locally in an image or on a network share?  You can create a new package and have the updated package be used the next time the app is invoked, side by side update.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
Reply
0 Kudos
solgae
Contributor
Contributor

I am not referring to updating the ThinApp after building an updated thinapp package - I am well aware of the side-by-side update technique. I'm referring to incorporating new security patches to the office during the build or using SBMERGE, in which sbmerge process didn't work well with installing new security patches to thinapp version of Office.

Reply
0 Kudos
Theta12
Contributor
Contributor

Sorry to revive a dead post, but this is the EXACT issue/question I'm having.  I'm new to ThinApp and have just created my first Office 2010 package.  We are going to try and stream this from a network share, but I can't find any good documents or discussions on whether or not to completely patch Office during the build proccedure.  Just from working with physical clients for so long, my first inclination is that the Package should be kept up to date every month with any new patches.  That seems like a lot of work to have to maintain each and every package (Office, Adobe, etc...).  The question is, since it is running in an isolated sandbox from the OS, are monthly security patches necessary or not?  Does anyone else have a take on this?

Reply
0 Kudos
pbjork
VMware Employee
VMware Employee

ThinApp is not to be considered a security product. The recommendation is therefore to make sure you have all the security patches implemented in you packages. That said.. The virtualization layer does give you some extra protection but any malicious code will be able to execute, it might not infect your physical client but it will still run. If you will be infected of not depends on the virus.

Reply
0 Kudos
Theta12
Contributor
Contributor

Ok, that's what I had assumed but I have had a really hard time finding other people that are talking about this with Office products.

Reply
0 Kudos