Microsoft has released Office 2011 14.6.3, in addition to security updates for Microsoft Office 2016 for Mac, to remedy serious security flaws that “allow remote code execution if a user opens a specially crafted Office file.”
These updates include fixes for vulnerabilities that an attacker can use to overwrite the contents of your Mac’s memory with malicious code.
The software updates address vulnerabilities that affect Microsoft Word for Mac 2011 and Microsoft Word 2016 for Mac. For a complete list of affected versions of Microsoft software, you can visit the related MS support page (3148775).
The Office for Mac vulnerabilities patched with these updates are described as follows:
In Office for Mac 2011
Microsoft Office Memory Corruption Vulnerability – CVE-2016-0139 : Microsoft Excel 2010 SP2, Word for Mac 2011, and Excel Viewer allow remote attackers to execute arbitrary code via a crafted Office document.
In Office for Mac 2016
Microsoft Office Memory Corruption Vulnerability – CVE-2016-0122 : Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Word 2016 for Mac, Office Compatibility Pack SP3, and Excel Viewer allow remote attackers to execute arbitrary code via a crafted Office document.
Microsoft addressed the vulnerabilities by correcting how Office handles objects in memory.
According to Microsoft’s security bulletin (MS16-042), the above vulnerabilities exist in its software “when the Office software fails to properly hand objects in memory.” While no exploit exists in the wild for the patched flaws, the company clarified what could happen if successfully exploited, saying:
An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system, [and] then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft also outlined the scenarios in which an attacker could exploit the flaws:
Exploitation of the vulnerabilities requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerabilities by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerabilities. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.
Office for Mac 2011 users should install the update as soon as possible. Mac users can update your software by using Microsoft’s AutoUpdate application, or by visiting the Microsoft Download Center to download and install Office 2011 14.6.3 (113.4 MB).
Office 2016 for Mac users can get the updates by using Microsoft AutoUpdate. To do this, open a Microsoft Office program, and then click Check for Updates on the Help menu. The updates are also available from the Microsoft Download Center.