Microsoft leaves Mac Office users in the lurch, says researcher

Again omits a Mac PowerPoint patch that it provided Windows customers

Microsoft yesterday told Mac Office users it doesn't yet have a fix for a PowerPoint bug that it patched for Windows customers.

"Security updates for Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac are unavailable at this time," the company's MS11-036 security bulletin said. "Microsoft will issue updates for these software when testing is complete, to ensure a high degree of quality for their release."

MS11-036 was part of May's two-update Patch Tuesday, and closed a pair of holes rated "important" in PowerPoint 2002, 2003 and 2007 on Windows. Only one of the two bugs affects Office for Mac 2004 and Office for Mac 2008.

The newest versions, Office 2010 on Windows and Office for Mac 2011, do not contain the vulnerabilities.

Tuesday was not the first time that Microsoft has released fixes for Office on Windows without corresponding patches for Mac users.

Last November, Microsoft patched four flaws in PowerPoint on the Windows platform, but omitted fixes for the same bugs in the presentation manager included with Office for Mac 2004 and Office for Mac 2008.

Microsoft released patches for Office for Mac 2008 five weeks later, but did not patch Office for Mac 2004 until mid-April 2011, five months after Windows users received their updates.

On Wednesday, a Microsoft spokesman declined to spell out a timetable for May's missing Mac patch, saying only that the company is working on a fix.

According to MS11-036, attackers can hijack a Windows PC or Mac by convincing victims to open a malformed PowerPoint file, perhaps one attached to an email message or available for viewing and downloading from a malicious Web site.

In similar incidents in the past -- not only in November 2010 but also in May 2009 -- Microsoft has defended the decision to roll out an update minus Mac patches.

Last November, Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), said it was a matter of priorities. "Normally, we release updates for all affected products at the same time, [but] in cases where the vast majority of our customers are at potential risk and we can provide protections, we may decide to release updates for those products, if ready, ahead of products where the risk is very low," Bryant said at the time.

Bryant was not available for comment today about May's decision.

Security researchers chided Microsoft for what one described as leaving Mac users "in the lurch."

"The risk is that cybercriminals will reverse engineer the fix for the Windows version of PowerPoint, and use the information they discover to exploit the vulnerability on Mac versions," argued Graham Cluley, senior security technology consultant at U.K.-based antivirus vendor Sophos, in a post to his company's blog. "Once again, Mac users are being left in the lurch and have to cross their fingers that malicious hackers don't attempt to exploit the vulnerability."

Andrew Storms, director of security operations at nCircle Security, disagreed.

"I do think it's unfortunate that the older Mac versions aren't getting the fix at the same rate as the other versions [but] I don't see a huge risk at the moment," said Storms. "I really don't see a ton of attackers suddenly changing direction to go after the older Mac Office products."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is
