14 DAY TRIAL // It's the month of security bugs, and after Meltdown and Spectre fiasco last week, Microsoft has its very own vulnerabilities to address, including a major flaw in Office for Mac.
Also known as Mailsploit, the vulnerability exists in Microsoft Outlook for Mac as part of the 2016 edition of the productivity suite for Apple systems. It's documented in CVE-2018-0819.
Microsoft says this vulnerability has been publicly disclosed, adding that it's not currently being exploited and exploitation is less likely. This doesn't mean that users and IT admins should delay patching, however, as a successful attack could allow malicious actors to send spoofed emails and launch more complex attacks like phishing.
"A spoofing vulnerability exists when Microsoft Outlook for MAC does not properly handle the encoding and display of email addresses. This improper handling and display may cause antivirus or antispam scanning to not work as intended," Microsoft explains.
"To exploit the vulnerability, an attacker could send a specially crafted email attachment to a user in an attempt to launch a social engineering attack, such as phishing. The security update addresses the vulnerability by correcting how Outlook for MAC displays encoded email addresses."
How to update
Oddly enough, Microsoft hasn't updated the release notes for Office 2016 for Mac to state that security updates for this vulnerability are available, and the manual download link for the security patch leads to the same page last updated on December 12, 2017.
On the other hand, Microsoft Office for Mac users who want to deploy the latest patches can use the Microsoft AutoUpdate engine in Office by going to Help > Check for Updates. For this vulnerability, you need to launch this feature from Microsoft Outlook.
The vulnerability does not affect Microsoft Office on other platforms or older versions of the productivity suite, though various tweaks and improvements for the software are also part of this month's Patch Tuesday rollout.