Obsolete version of Microsoft Office

At first when this vulnerability appeared, it was for Skype for Business 2016 that was left over from past installs. Now that I’ve removed that, I’m getting a false positive for an “old” version that is the current version.

"Vulnerable OS: Microsoft Windows 11 24H2

Vulnerable software installed: Microsoft PowerPoint 2019 16.0.19328.20178 (C:\Program Files (x86)\Microsoft Office\root\Office16\powerpnt.exe)"

16.0.19328.20178 is the latest version. (https://learn.microsoft.com/en-us/officeupdates/current-channel?redirectSourcePath=%252farticle%252f95c8d81d-08ba-42c1-914f-bca4603e1426)

Skype for Business 2016 & PowerPoint 2019 (& 2016) reached their extended end date on Oct 14, 2025.

https://support.microsoft.com/en-us/office/end-of-support-for-office-2016-and-office-2019-818c68bc-d5e5-47e5-b52f-ddf636cf8e16

Th confusion on my end is the existence of these proofs when the deployment is M365.

Thank you, forgot about 2019 EOL as we just went M365. PDQ Inventory keeps seeing 2019 on the workstations so InsightVM is too.

I’m realizing the problem is in the way InsightVM checks. It is looking at the build number and path as if “Office16” is Office 2019 but it is also 365. I removed all 2019 license keys but the path will stay the same and so will the vulnerability.

So the Vulnerability is full positive.

We have the same issue. Has anyone managed to solve this or should we just exclude it?

We are also seeing the same issue. Microsoft 365 is installed and updated but still showing a Skype 2016 vulnerable install. Office 2016 is nowhere to be seen on the device.

what did you guys end up doing? Just exclude it?

May need a redeployment of the app.
I'm assuming most of us are deploying via intune? Double check to make sure your XML file is explicitly excluding SFB

Rebuild it if you need to via config.office.com, and have it uninstall the app then reinstall.

We've noticed this same thing in our environment. We never had SFB excluded. We can see remnants of it in registry.

Turns out this is not a false positive as SfB is packaged with M365

Have to remove it by using ODT with XML file.

Vulnerability is now being remediated in my environment.

I have this same vulnerability in my workplace environment. I had opened a case with R7 support on this and they have attached my case to their investigation. This has been since early November. The 6th to be exact. I made an exclusion for the environment while I await a remediation. I may even attempt to remove it as stran has just mentioned. Im currently researching how to do that.

I was able to figure out how to remediate this vulnerability with some help from Rapid7 support. As long as you have admin permissions, you can go into the registry editor on the system affected by this vuln and remove the following keys from the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\OFFICE\CLICKTORUN\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\INSTALLEDPACKAGES
\90160000-012B-0409-1000-0000000FF1CE
\90160000-012B-040C-1000-0000000FF1CE
\90160000-012B-0416-1000-0000000FF1CE
\90160000-012B-0C0A-1000-0000000FF1CE

It turns out that these keys are pertaining to an installation of Skype. They contain the language packages for the program. Delete these keys and it should remediate this vulnerability.

Hope this helps!

I don’t think that’s correct. I believe these are indicators of installed language packs for all of Office. If this is what they are detecting, I’d say it’s a false positive and a sloppy detection. And these will likely just recreate during the next big update or repair.

Yeah, you’re right I have already seen the keys recreated in the registry.
I did more research and it would make better sense to get a fresh install of Office 365 and have the skype product removed from the setup.exe download.