Macs exposed to zero-day flaw after Microsoft Office update

A screenshot of Microsoft Excel running on a Mac.
(Image credit: PixieMe/Shutterstock)

Microsoft has pushed out its latest round of Patch Tuesday updates, fixing 55 security flaws in Windows, including two that are actively being exploited in the wild by hackers. 

But if you're on a Mac, you may be up the creek, because one of those two zero-days also works on older versions of Office for Mac, and there's no patch for those yet.

"The security update for Microsoft Office 2019 for Mac and Microsoft Office LTSC [Long Term Servicing Channel, an enterprise version] for Mac 2021 are not immediately available," reads Microsoft's security advisory for this flaw, catalogued as CVE-2021-42292. "The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information."

This flaw is defined as a "Microsoft Excel Security Feature Bypass Vulnerability" that requires local access to exploit. That usually means the attacker has to be seated at the machine, but Microsoft notes that local access can also be achieved by remotely breaking into the machine, or by "tricking a legitimate user into opening a malicious document."

Microsoft didn't say who exactly was exploiting the flaw, who they are targeting or how exactly the exploit works, other than that the Office Preview Pane, the thumbnail that you'll see if you click once on a file in File Explorer, "is not an attack vector."

But the flaw has been patched in older Windows versions of Microsoft Office, including Office 2013, Office 2016, Office 2019, Office LTSC 2021 and Microsoft 365. Regular consumer versions of Office 2021 for Mac or PC, released just last month, weren't listed as vulnerable by Microsoft's advisory.

There seem to be two related flaws that have not yet been exploited in the wild, although now that the secret's out it may just be a matter of time. 

CVE-2021-40442 is an Excel remote code execution (RCE) flaw, and its patch is also not available for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021. CVE-2021-42296 is a Word RCE flaw and affects only enterprise versions of Office.

How to protect yourself from this exploit

If you're using Microsoft Office 2019 or LTSC 2021 on a Mac, don't open any Excel files that come from sources you don't know, including links to Excel files posted online, until Microsoft pushes out a patch for Macs as well.

The other zero-day flaw currently being exploited has to do with Microsoft Exchange Server, software that companies running Microsoft email systems use. Four other flaws being fixed had been previously disclosed but not exploited: two involve the optional 3D Viewer software, and the other two involve the always troublesome Remote Desktop Protocol.

As always, you'll want to install Microsoft security patches in a timely manner. As hinted above, malicious hackers quickly try to figure out the vulnerabilities Microsoft discloses every month so that they can attack machines that haven't installed the patches yet.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
