Microsoft has released an update for Office for Mac 2011, providing fixes for vulnerabilities that an attacker can use to overwrite the contents of your computer’s memory with malicious code. The Office for Mac 2011 14.3.8 update resolves two flaws that could allow remote code execution if a user opens a specifically crafted Office file with an affected version of Microsoft Excel or other affected Microsoft Office software.
The security update applies to all supported editions of Microsoft Excel 2003, Microsoft Excel 2007, Microsoft Excel 2010, Microsoft Excel 2013, Microsoft Excel 2013 RT, and Microsoft Office for Mac 2011; it also applies to supported versions of Microsoft Excel Viewer and Microsoft Office Compatibility Pack.
For all affected versions of Microsoft software, remote code execution vulnerabilities exist in the way that Microsoft Excel parses content in Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system, gaining the same user rights as the current user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
“Users whose accounts are not configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft noted in its security bulletin (MS13-085).
The following vulnerability information describes the flaws resolved in this update:
- CVE-2013-3889 : Microsoft Excel 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Office 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Office for Mac 2011; Excel Viewer; Office Compatibility Pack SP3; and Excel Services and Word Automation Services in SharePoint Server 2013 allow remote attackers to execute arbitrary code via a crafted Office document, aka “Microsoft Excel Memory Corruption Vulnerability.”
- CVE-2013-3890 : Microsoft Excel 2007 SP3, Excel Viewer, and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code via a crafted Office document, aka “Microsoft Excel Memory Corruption Vulnerability.”
We strongly encourage all users running Office for Mac 2011 apply these updates as soon as possible. Office users can update your software using Microsoft’s AutoUpdate application, or you can visit Microsoft’s Download Center to get the 113.4 MB Office 2011 14.3.8 update for Mac.