The Mac Security Blog

Microsoft Tackles Critical Flaws in Office for Mac Updates

Microsoft has issued Office 2016 for Mac version 15.17.0 to patch security vulnerabilities in its current suite, as well as Office for Mac 2011 version 14.6.0 to patch the earlier one. The updates address vulnerabilities Microsoft rates as "critical" in its flagship application software: flaws that can allow remote code execution when a user opens a malicious document.

Multiple remote code execution vulnerabilities exist in the now-outdated versions of Microsoft Office for Mac because the Office software fails to properly handle objects in memory. The most critical of them, CVE-2016-0010, is present in every version of Office from 2007 to 2016, on both Mac and Windows, according to Wolfgang Kandek writing on the Qualys blog.

According to Microsoft’s security bulletin (MS16-004), the Office for Mac software affected includes: Microsoft Excel for Mac 2011, PowerPoint for Mac 2011, Word for Mac 2011, Excel 2016 for Mac, PowerPoint 2016 for Mac, and Word 2016 for Mac.

Microsoft's security bulletin describes the impact of the vulnerabilities, and the attack scenarios in which they could be exploited, as follows:

An attacker who successfully exploited these vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
 
To exploit the vulnerabilities, a user must open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerabilities by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerabilities. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.

Microsoft’s Office for Mac updates address these vulnerabilities by correcting how Office handles objects in memory.

All Microsoft Office for Mac users should install these updates immediately. Mac users can update their software with Microsoft's AutoUpdate application, or by downloading the installers from the Microsoft Download Center:

Microsoft Office for Mac 2011 14.6.0 Update (113.4 MB)

Microsoft Office 2016 for Mac 15.17.0 Update (MS15-131)
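Checking that the patched builds are actually installed is worth automating on a fleet of Macs, because AutoUpdate can be disabled or lag behind. The script below is an added example written for this post, not code from Microsoft or the blog: it reads each Office app's CFBundleShortVersionString from its Info.plist with `defaults read` and compares it against the minimum patched versions named above (15.17.0 for Office 2016 for Mac, 14.6.0 for Office for Mac 2011). The app bundle paths are the default install locations and are assumptions; adjust them if Office is installed elsewhere.

```shell
#!/bin/sh
# Added example: verify Office for Mac is at or above the versions that
# shipped the MS16-004 fixes. Minimum versions come from the post above.

# version_ge A B: succeed (exit 0) if dotted version A >= B.
# Missing trailing components count as 0, so "15.17" == "15.17.0".
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# classify_version INSTALLED MINIMUM: prints "patched" or "vulnerable".
classify_version() {
    if version_ge "$1" "$2"; then echo patched; else echo vulnerable; fi
}

# check_bundle APP_PATH MINIMUM: report the app's status; exit 0 only when
# it is absent or patched, so the return code can drive a compliance check.
check_bundle() {
    app="$1"; min="$2"
    if [ ! -d "$app" ]; then
        echo "not installed: $app"
        return 0
    fi
    # defaults(1) handles both XML and binary plists on macOS.
    ver=$(defaults read "$app/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null) \
        || { echo "unknown version: $app"; return 2; }
    ver="${ver%% *}"   # drop any build suffix such as "15.17 (160112)"
    status=$(classify_version "$ver" "$min")
    echo "$status: $app ($ver, minimum $min)"
    [ "$status" = patched ]
}

# Default bundle locations (assumed); Office 2016 installs each app at the
# top level of /Applications, Office 2011 inside its own folder.
unpatched=0
for app in "Microsoft Word" "Microsoft Excel" "Microsoft PowerPoint"; do
    check_bundle "/Applications/$app.app" 15.17.0 || unpatched=$((unpatched + 1))
    check_bundle "/Applications/Microsoft Office 2011/$app.app" 14.6.0 || unpatched=$((unpatched + 1))
done
echo "bundles needing attention: $unpatched"
```

Run it as a normal user; it needs no privileges because it only reads the app bundles. A non-zero `unpatched` count is the signal to run Microsoft AutoUpdate or deploy the installers linked above.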
