


Macs exposed to zero-day flaw after Microsoft Office update

A screenshot of Microsoft Excel running on a Mac.
(Image credit: PixieMe/Shutterstock)

Microsoft has pushed out its latest round of Patch Tuesday updates, fixing 55 security flaws in Windows, including 2 that are actively being exploited in the wild by hackers.

But if you're on a Mac, you may be up the creek, because one of those two zero-days also works on older versions of Office for Mac, and there's no patch for those yet.

"The security update for Microsoft Office 2019 for Mac and Microsoft Office LTSC [Long Term Servicing Channel, an enterprise version] for Mac 2021 are not immediately available," reads Microsoft's security advisory for this flaw, catalogued as CVE-2021-42292. "The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information."

This flaw is defined as a "Microsoft Excel Security Feature Bypass Vulnerability" that requires local access to exploit. That normally means the attacker has to be seated at the machine, but Microsoft notes that local access can also be achieved by remotely breaking into the machine, or by "tricking a legitimate user into opening a malicious document."

Microsoft didn't say who exactly was exploiting the flaw, who they are targeting or how exactly the exploit works, other than that the Office Preview Pane, the thumbnail that you'll see if you click once on a file in File Explorer, "is not an attack vector."

But the flaw has been patched in older Windows versions of Microsoft Office, including Office 2013, Office 2016, Office 2019, Office LTSC 2021 and Microsoft 365. Regular consumer versions of Office 2021 for Mac or PC, released only last month, weren't listed as vulnerable by Microsoft's advisory.

There seem to be two related flaws that have not yet been exploited in the wild, although now that the secret's out it may just be a matter of time.

CVE-2021-40442 is an Excel remote code execution (RCE) flaw, and its patch is also not available for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021. CVE-2021-42296 is a Word RCE flaw and affects only enterprise versions of Office.

How to protect yourself from this exploit

If you're using Microsoft Office 2019 or LTSC 2021 on a Mac, don't open any Excel files that come from sources you don't know, including links to Excel files posted online, until Microsoft pushes out a patch for Macs as well.

The other zero-day flaw currently being exploited has to do with Microsoft Exchange Server, software that companies running Microsoft email systems use. Four other flaws being fixed had been previously disclosed but not exploited: two involving the optional 3D Viewer software, the other two involving the ever troublesome Remote Desktop Protocol.

As always, you'll want to install Microsoft security patches in a timely manner. As hinted above, malicious hackers quickly try to figure out the vulnerabilities Microsoft discloses every month so that they can attack machines that haven't installed the patches yet.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than fifteen years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/microsoft-no-mac-patch-nov-21

Posted by: ramosobving56.blogspot.com
