Macs exposed to zero-day defects after Microsoft Office update

Microsoft has distributed its latest Patch Tuesday update, fixing 55 security flaws in Windows, including two that are already being exploited by hackers. Mac users should take note as well, because one of the two zero-days also affects older versions of Office for Mac, for which no patches have yet been provided.

"Security updates for Microsoft Office 2019 for Mac and Microsoft Office LTSC (Long Term Servicing Channel, the enterprise version) for Mac 2021 are not immediately available," Microsoft's security advisory for the flaw, cataloged as CVE-2021-42292, states. "An update will be released as soon as possible, and customers will be notified via a revised version of this CVE bulletin as soon as it becomes available."

The flaw is described as a "Microsoft Excel Security Feature Bypass Vulnerability" and requires local access to exploit. While this usually means that the attacker must be sitting at the machine, Microsoft notes that local access can also be obtained by remotely breaking into the machine or by "tricking a legitimate user into opening a malicious document."

Microsoft has not said who is exploiting this flaw, whom they are targeting, or exactly how the exploit works; the advisory's only detail on that point is that the Office preview pane (the thumbnail that appears once you click on a file in File Explorer) is "not a vector" for attack.

By contrast, the Windows versions of Microsoft Office, including Office 2013, Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365, do have patches for this flaw. The consumer version of Office 2021 for Mac or PC, released just last month, was not listed as vulnerable in Microsoft's advisory.

There are also two related flaws that have not yet been exploited, but now that they have been publicly disclosed, it may only be a matter of time.

CVE-2021-40442 is a remote code execution (RCE) flaw in Excel whose patch is likewise not yet available for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021; CVE-2021-42296 is an RCE flaw in Word that affects only the enterprise edition of Office.

If you are using Microsoft Office 2019 or LTSC 2021 on a Mac, do not open Excel files you were not expecting until Microsoft pushes a patch for Macs as well.

The other zero-day flaw that is currently being exploited concerns Microsoft Exchange Server, the software used by companies that run Microsoft's e-mail system. Two further flaws relate to the optional 3D Viewer software, and two more relate to the ever-troublesome Remote Desktop Protocol.

As always, install Microsoft security patches in a timely manner. As noted above, malicious hackers are quick to pick up on the vulnerabilities Microsoft discloses each month and to attack machines that have not yet installed the patches.
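One practical way to act on that advice on a Mac fleet is to inventory which Office build each machine is running and flag anything below the first fixed build once Microsoft publishes it. The script below is an added example, not code from the article or from Microsoft: it reads the standard `CFBundleShortVersionString` key from an Office app's `Info.plist` (real macOS paths), compares it with an admin-supplied minimum, and ships with a constructed sample plist so it also runs on a machine without Office installed. The minimum build shown is a placeholder, since the article names no fixed build number.

```python
"""Inventory check: report the installed Microsoft Office for Mac build and
flag it when it is below an admin-supplied minimum. Example code added for
illustration; not from the article or from Microsoft."""
import plistlib
from pathlib import Path

# Real locations of the app bundle metadata on macOS; the version key is the
# standard Apple bundle key, not something Office-specific.
OFFICE_APPS = {
    "Excel": "/Applications/Microsoft Excel.app/Contents/Info.plist",
    "Word": "/Applications/Microsoft Word.app/Contents/Info.plist",
}
VERSION_KEY = "CFBundleShortVersionString"

# Constructed sample Info.plist so the example runs offline; the version value
# is made up and does not correspond to any Microsoft advisory.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleName</key><string>Microsoft Excel</string>
    <key>CFBundleShortVersionString</key><string>16.54</string>
</dict>
</plist>
"""


def parse_version(text: str) -> tuple:
    """Turn '16.54' or '16.54.21101001' into a comparable tuple of ints.
    Non-numeric fragments are dropped rather than crashing the check."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if digits:
            parts.append(int(digits))
    return tuple(parts)


def version_from_plist(data: bytes) -> tuple:
    """Parse the plist bytes and return the bundle version as a tuple."""
    info = plistlib.loads(data)
    return parse_version(info[VERSION_KEY])


def is_at_least(installed: tuple, minimum: tuple) -> bool:
    """Compare tuples of possibly different length by zero-padding the shorter."""
    width = max(len(installed), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) >= pad(minimum)


def check_app(name: str, plist_bytes: bytes, minimum_text: str) -> dict:
    """Return a small report dict; 'patched' is True when installed >= minimum."""
    installed = version_from_plist(plist_bytes)
    minimum = parse_version(minimum_text)
    return {
        "app": name,
        "installed": installed,
        "minimum": minimum,
        "patched": is_at_least(installed, minimum),
    }


def scan(minimum_text: str) -> list:
    """Check every Office app that is actually installed on this machine."""
    results = []
    for name, path in OFFICE_APPS.items():
        p = Path(path)
        if p.exists():
            results.append(check_app(name, p.read_bytes(), minimum_text))
    return results


if __name__ == "__main__":
    # PLACEHOLDER minimum: replace with the first fixed build named in
    # Microsoft's advisory for the CVE you care about.
    MINIMUM = "16.55"
    print(check_app("Excel (constructed sample)", SAMPLE_PLIST, MINIMUM))
    for report in scan(MINIMUM):
        print(report)
```

Run it from a management tool or via SSH and collect the `patched` field per host; machines that report `False` for Excel are the ones on which the interim advice above (don't open unexpected Excel files) still applies.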
