Microsoft Sidesteps Office for Mac on Patch Tuesday

On this month's Patch Tuesday Microsoft has released two security bulletins to resolve security flaws in Windows and Office, but left the suite's Mac version vulnerable.

In total, this month's patches resolved three vulnerabilities, one in the Windows Internet Name Service (WINS) and two in Microsoft PowerPoint.

The WINS flaw, identified as CVE-2011-1248 and covered in security bulletin MS11-035, allows potential attackers to execute code remotely on a system running the vulnerable service by sending a maliciously crafted packet to it.

The vulnerability is rated as critical and was reported privately to Microsoft by security researcher Luigi Auriemma through TippingPoint's Zero Day Initiative program.

It affects all versions of Windows Server 2003, 2008 and 2008 R2, with the exception of Windows Server 2008 R2 for Itanium-based systems.

The two PowerPoint vulnerabilities (CVE-2011-1269 and CVE-2011-1270) are covered by security bulletin MS11-036 and allow attackers to execute arbitrary code by tricking victims into opening specially crafted files.

Microsoft Office XP, 2003 and 2007, as well as Microsoft Office 2004 and 2008 for Mac are affected. The vulnerability is rated as important because users of Office 2003 and 2007 who also have the Office File Validation component installed, are protected from the exploits.

However, it seems that Mac owners who use the 2004 or 2008 versions of Office will have to remain unprotected for now, because there are no patches available for these versions at this time.

"The risk is that cybercriminals will reverse engineer the fix for the Windows version of PowerPoint, and use the information they discover to exploit the vulnerability on Apple Mac versions," says Graham Cluley, senior technology consultant at Sophos.

"Once again, Mac users are being left in the lurch and have to cross their fingers that malicious hackers don't attempt to exploit the vulnerability," the security expert concludes.