Microsoft Pushes Office for Mac 2011 14.5.0 Update — Beware, it’s a Double-Edged Sword [Updated]
Posted by Derek Erwin
Microsoft has released Office for Mac 2011 version 14.5.0 with patches for a remote code execution vulnerability that exists in Microsoft Office software when it fails to properly handle objects in memory. The software update is available for Mac OS X version 10.5.8 or a later version of Mac OS.
The Office for Mac 2011 update applies to the following Microsoft software: Office for Mac 2011, Microsoft Excel for Mac 2011, Microsoft PowerPoint for Mac 2011, and Microsoft Word for Mac 2011.
However, Mac users should beware before updating, because it is a double-edged sword: while Office for Mac 2011 14.5.0 fixes security bugs, it also introduces an Outlook bug.
Microsoft described the vulnerability (CVE) resolved in this update as follows:
CVE-2015-1682: Remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. Exploitation of this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. Microsoft’s security team addressed the vulnerability by correcting how Microsoft Office parses specially crafted files.
Normally we strongly encourage all users to download and install such updates immediately. After all, the new Office for Mac 2011 fixes a remote code execution vulnerability. However, the update, as numerous reports are suggesting, can be a double-edged sword.
Before you update to the latest Office for Mac 2011, note that there have been reports of a bug in it that can “render the Outlook email software useless.” According to discussions in the Apple community, upon updating your Microsoft software, “the main [Outlook] email window is missing and emails cannot be sent/received.”
At MacInTouch, a user by the name of Graham Needham recommended not installing the update until Microsoft issues a new, fixed update. If you have already updated, he said:
If you have already installed and have a (Time Machine) backup you can simply delete the newly updated Microsoft Office 2011 folder in your Applications folder and restore the whole Microsoft Office 2011 folder back to your Applications folder. This will restore v14.4.9 (or the latest version you backed up) and everything will work again until Microsoft issues a fixed update.
This is what they call a pickle of a situation.
If you’re feeling lucky, or do not use Outlook for email, you can apply these updates by using Microsoft’s AutoUpdate application, or you can visit the Microsoft Download Center to get the Microsoft Office for Mac 2011 14.5.0 Update (113.6 MB).
Editor’s note: May 22 Update
Microsoft has quietly released Office for Mac 2011 14.5.1 with fixes for the Outlook bug.
The Microsoft support page made note of the issues the 14.5.1 update fixes, saying:
This update fixes an issue that causes the main window not to open in Outlook for Mac 2011.
Furthermore, the update includes all of the security fixes for vulnerabilities resolved in the Office for Mac 14.5.0 update.
Apparently, Microsoft is not yet pushing the update to Macs; instead, users are required to find the update and download it directly from the official Microsoft Download Center. As of this writing, using Microsoft AutoUpdate to check for software updates still asks users to install the botched Office 2011 14.5.0 update, which is odd, to say the least.
To get the latest Microsoft security updates, we encourage all Mac users to install the Office for Mac 2011 14.5.1 Update (113.6 MB).
[Thanks to The Mac Security Blog reader “Ken Fitzpatrick” for the heads up.]