Macs exposed to zero-day flaw after Microsoft Office update

A screenshot of Microsoft Excel running on a Mac.
(Image credit: PixieMe/Shutterstock)

Microsoft has pushed out its latest round of Patch Tuesday updates, fixing 55 security flaws in Windows, including two that are actively being exploited in the wild by hackers. 

But if you're on a Mac, you may be up the creek, because one of those two zero-days also works on older versions of Office for Mac, and there's no patch for those yet.

"The security update for Microsoft Office 2019 for Mac and Microsoft Office LTSC [Long Term Servicing Channel, an enterprise version] for Mac 2021 are not immediately available," reads Microsoft's security advisory for this flaw, catalogued as CVE-2021-42292. "The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information."

This flaw is defined as a "Microsoft Excel Security Feature Bypass Vulnerability" that requires local access to exploit. That usually means the attacker has to be seated at the machine, but Microsoft notes that local access can also be achieved by remotely breaking into the machine, or by "tricking a legitimate user into opening a malicious document."

Microsoft didn't say who exactly was exploiting the flaw, who they are targeting or how exactly the exploit works, other than that the Office Preview Pane, the thumbnail that you'll see if you click once on a file in File Explorer, "is not an attack vector."

But the flaw has been patched in older Windows versions of Microsoft Office, including Office 2013, Office 2016, Office 2019, Office LTSC 2021 and Microsoft 365. Regular consumer versions of Office 2021 for Mac or PC, released just last month, weren't listed as vulnerable by Microsoft's advisory.

There seem to be two related flaws that have not yet been exploited in the wild, although now that the secret's out it may just be a matter of time. 

CVE-2021-40442 is an Excel remote code execution (RCE) flaw, and its patch is also not available for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021. CVE-2021-42296 is a Word RCE flaw and affects only enterprise versions of Office.

How to protect yourself from this exploit

If you're using Microsoft Office 2019 or LTSC 2021 on a Mac, don't open any Excel files that come from sources you don't know, including links to Excel files posted online, until Microsoft pushes out a patch for Macs as well.

The other zero-day flaw being currently exploited has to do with Microsoft Exchange Server, software that companies running Microsoft email systems use. Four other flaws being fixed had been previously disclosed but not exploited; two involving the optional 3D Viewer software, the other two involving the always troublesome Remote Desktop Protocol.

As always, you'll want to install Microsoft security patches in a timely manner. As hinted above, malicious hackers quickly try to figure out the vulnerabilities Microsoft discloses every month so that they can attack machines that haven't installed the patches yet.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.