Microsoft has released Office for Mac 2011 14.6.4, as well as security updates for Office 2016 for Mac. These security updates provide a fix for a critical memory corruption vulnerability, identified as CVE-2016-0198.
Software affected by the remote code execution vulnerability includes Microsoft Word for Mac 2011 and Microsoft Word 2016 for Mac. For a full list of affected versions of Microsoft Office software, see Microsoft’s website or the Microsoft support page (3155544).
Microsoft’s security bulletin (MS16-054) notes that the vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file. Microsoft says:
“An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”
Common Vulnerabilities and Exposures identifies the vulnerability as follows:
CVE-2016-0198 : Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word 2016, Word for Mac 2011, Word 2016 for Mac, Office Compatibility Pack SP3, and Word Viewer allow remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Memory Corruption Vulnerability."
Microsoft addressed the vulnerability by correcting how Office handles objects in memory.
Office for Mac 2011 users should install the update at their earliest convenience. Mac users can update their software by using Microsoft’s AutoUpdate application, or by visiting the Microsoft Download Center to download and install Office 2011 14.6.4 (113.4 MB).
Office 2016 for Mac users can get the updates by using Microsoft AutoUpdate. To do this, open a Microsoft Office program, and then click Check for Updates on the Help menu.