Microsoft told Mac Office users it doesn’t yet have a fix for a PowerPoint bug that it patched for Windows customers.
“Security updates for Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac are unavailable at this time,” the company’s MS11-036 security bulletin said. “Microsoft will issue updates for these software when testing is complete, to ensure a high degree of quality for their release.”
MS11-036 was part of May’s two-update Patch Tuesday, and closed a pair of holes rated “important” in PowerPoint 2002, 2003 and 2007 on Windows. Only one of the two bugs affects Office for Mac 2004 and Office for Mac 2008.
The newest versions, Office 2010 on Windows and Office for Mac 2011, do not contain the vulnerabilities.
Tuesday was not the first time that Microsoft has released fixes for Office on Windows without corresponding patches for Mac users.
Last November, Microsoft patched four flaws in PowerPoint on the Windows platform, but omitted fixes for the same bugs in the presentation manager included with Office for Mac 2004 and Office for Mac 2008.
Microsoft released patches for Office for Mac 2008 five weeks later, but did not patch Office for Mac 2004 until mid-April 2011, five months after Windows users received their updates.
On Wednesday, a Microsoft spokesman declined to spell out a timetable for May’s missing Mac patch, saying only that the company is working on a fix.
According to MS11-036, attackers can hijack a Windows PC or Mac by convincing victims to open a malformed PowerPoint file, perhaps one attached to an email message or available for viewing and downloading from a malicious Web site.
In similar incidents in the past—not only in November 2010 but also in May 2009—Microsoft has defended the decision to roll out an update minus Mac patches.
Last November, Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), said it was a matter of priorities. “Normally, we release updates for all affected products at the same time, [but] in cases where the vast majority of our customers are at potential risk and we can provide protections, we may decide to release updates for those products, if ready, ahead of products where the risk is very low,” Bryant said at the time.
Bryant was not available for comment about this latest decision.
Security researchers chided Microsoft for what one described as leaving Mac users “in the lurch.”
“The risk is that cybercriminals will reverse engineer the fix for the Windows version of PowerPoint, and use the information they discover to exploit the vulnerability on Mac versions,” argued Graham Cluley, senior security technology consultant at U.K.-based antivirus vendor Sophos, in a post to a his company’s blog. “Once again, Mac users are being left in the lurch and have to cross their fingers that malicious hackers don’t attempt to exploit the vulnerability.”
Andrew Storms, director of security operations at nCircle Security, disagreed.
“I do think it’s unfortunate that the older Mac versions aren’t getting the fix at the same rate as the other versions [but] I don’t see a huge risk at the moment,” said Storms. “I really don’t see a ton of attackers suddenly changing direction to go after the older Mac Office products.”