MS Office 11.3.4 update

Microsoft today released Microsoft Office 2004 for Mac 11.3.4 Update, fixing two critical security flaws that could allow remote code execution, including an "critical" zero-day exploit in its Office applications for both Windows and Mac as well as a Word vulnerability reported last December. The update also improves the Junk E-mail Filter in Microsoft Entourage 2004 for Mac with a more current definition of which e-mail messages are considered junk e-mail, according to the release notes. The Excel zero-day attack exploits a flaw Excel spreadsheet component of the business software suite and is rated as "extremely critical" by security firm Secunia; Microsoft also cautioned users against opening any malicious Office file, indicating it may affect other components as well.

Microsoft said that the new, free update contains several improvements to enhance security and stability, including fixes for vulnerabilities that an attacker can use "to overwrite the contents of your computer's memory with malicious code." It requires the Microsoft Office 2004 for Mac 11.3.3 Update released last month as well as Mac OS X 10.2.8 (Jaguar) or a later.

In addition, as part of its monthly security update cycle, Microsoft today unveiled a dozen security updates that patched 20 vulnerabilities, including one found in every security product of its consumer and enterprise lines. More half of the patches were labeled as "critical" by the company. Some of the affected software is also either bundled with or able to run on the new Windows Vista operating system. The updates include patches for variety of Microsoft Office versions, including six patches for Word, and one each for PowerPoint and Excel.

The update includes a fix for a critical bug in the malware scanning engine used by Windows OneCare, Windows Defender and the Forefront Security and Antigen products. The vulnerability could allow a malicious user to hijack a "protected" PC due to a problem with parsing PDF files: a maliciously created PDF could be sent via email to gain control of the machine without any interaction from users. Although Microsoft claims the scanning engine bug has not been exploited, many analysts believe the flaw to be the most critical addressed by the slew of patches.

by MacNN Staff