Microsoft leaves Mac Office users in the lurch, says researcher
Microsoft yesterday told Mac Office users it doesn't yet have a fix for a PowerPoint bug that it patched for Windows customers.
"Security updates for Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac are unavailable at this time," the company's MS11-036 security bulletin said. "Microsoft will issue updates for these software when testing is complete, to ensure a high degree of quality for their release."
MS11-036 was part of May's two-update Patch Tuesday, and closed a pair of holes rated "important" in PowerPoint 2002, 2003 and 2007 on Windows. Only one of the two bugs affects Office for Mac 2004 and Office for Mac 2008.
The newest versions, Office 2010 on Windows and Office for Mac 2011, do not contain the vulnerabilities.
Tuesday was not the first time that Microsoft has released fixes for Office on Windows without corresponding patches for Mac users.
Last November, Microsoft patched four flaws in PowerPoint on the Windows platform, but omitted fixes for the same bugs in the presentation manager included with Office for Mac 2004 and Office for Mac 2008.
Microsoft released patches for Office for Mac 2008 five weeks later, but did not patch Office for Mac 2004 until mid-April 2011, five months after Windows users received their updates.
On Wednesday, a Microsoft spokesman declined to spell out a timetable for May's missing Mac patch, saying only that the company is working on a fix.
According to MS11-036, attackers can hijack a Windows PC or Mac by convincing victims to open a malformed PowerPoint file, perhaps one attached to an email message or available for viewing and downloading from a malicious Web site.
In similar incidents in the past -- not only in November 2010 but also in May 2009 -- Microsoft has defended the decision to roll out an update minus Mac patches.
The company did the same today.
"Microsoft released a security update yesterday to protect the vast majority of customers who may potentially be at risk," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in an email reply to questions Wednesday. "In instances where important updates are available ahead of other minor product bulletins, the company may release these protections in a staggered approach."
Security researchers chided Microsoft for what one described as leaving Mac users "in the lurch."
"The risk is that cybercriminals will reverse engineer the fix for the Windows version of PowerPoint, and use the information they discover to exploit the vulnerability on Mac versions," argued Graham Cluley, senior security technology consultant at U.K.-based antivirus vendor Sophos, in a post to his company's blog. "Once again, Mac users are being left in the lurch and have to cross their fingers that malicious hackers don't attempt to exploit the vulnerability."