Microsoft Office for Mac 14.5.7 Update Patches Remote Code Execution Flaws
Posted by Derek Erwin
Microsoft has released Office for Mac 14.5.7 as an update that patches two remote code execution flaws affecting Microsoft Excel for Mac 2011.
“The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative rights,” says the Microsoft security team.
The vulnerabilities patched in this update are described as follows:
- CVE-2015-2555: Use-after-free vulnerability in Microsoft Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Excel for Mac 2011, Excel 2016 for Mac, and Excel Services on SharePoint Server 2010 SP2 and 2013 SP1 allows remote attackers to execute arbitrary code via a crafted calculatedColumnFormula object in an Office document, aka “Microsoft Office Memory Corruption Vulnerability.”
- CVE-2015-2558: Use-after-free vulnerability in Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Excel for Mac 2011, Excel 2016 for Mac, Excel Viewer, Office Compatibility Pack SP3, and Excel Services on SharePoint Server 2007 SP3, 2010 SP2, and 2013 SP1 allows remote attackers to execute arbitrary code via a long fileVersion element in an Office document, aka “Microsoft Office Memory Corruption Vulnerability.”
The Microsoft security team addressed the vulnerabilities by correcting how Office handles objects in memory.
The Office for Mac 2011 14.5.7 update can be installed through Microsoft AutoUpdate for Mac, or downloaded from the Microsoft Download Center (113.4 MB).