Microsoft has pushed out its latest round of Patch Tuesday updates, fixing 55 security flaws in Windows, including two that are actively being exploited in the wild by hackers.
But if you're on a Mac, you may be up the creek, because one of those two zero-days also works on older versions of Office for Mac, and there's no patch for those yet.
"The security update for Microsoft Office 2019 for Mac and Microsoft Office LTSC [Long Term Servicing Channel, an enterprise version] for Mac 2021 are not immediately available," reads Microsoft's security advisory for this flaw, catalogued as CVE-2021-42292. "The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information."
This flaw is defined as a "Microsoft Excel Security Feature Bypass Vulnerability" that requires local access to exploit. That usually means the attacker has to be seated at the machine, but Microsoft notes that local access can also be achieved by remotely breaking into the machine, or by "tricking a legitimate user into opening a malicious document."
Microsoft didn't say who exactly was exploiting the flaw, whom they are targeting or how exactly the exploit works, other than that the Office Preview Pane (the thumbnail you see when you click once on a file in File Explorer) "is not an attack vector."
But the flaw has been patched in older Windows versions of Microsoft Office, including Office 2013, Office 2016, Office 2019, Office LTSC 2021 and Microsoft 365. Regular consumer versions of Office 2021 for Mac or PC, released just last month, weren't listed as vulnerable by Microsoft's advisory.
There seem to be two related flaws that have not yet been exploited in the wild, although now that the secret's out it may just be a matter of time.
CVE-2021-40442 is an Excel remote code execution (RCE) flaw, and its patch is also not available for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021. CVE-2021-42296 is a Word RCE flaw and affects only enterprise versions of Office.
How to protect yourself from this exploit
If you're using Microsoft Office 2019 or LTSC 2021 on a Mac, don't open any Excel files that come from sources you don't know, including links to Excel files posted online, until Microsoft pushes out a patch for Macs as well.
The other zero-day flaw currently being exploited involves Microsoft Exchange Server, the software that companies running Microsoft email systems use. Four other flaws being fixed had been previously disclosed but not exploited: two involving the optional 3D Viewer software, and two involving the always troublesome Remote Desktop Protocol.
As always, you'll want to install Microsoft security patches in a timely manner. As hinted above, malicious hackers quickly try to figure out the vulnerabilities Microsoft discloses every month so that they can attack machines that haven't installed the patches yet.