This vulnerability is a classic buffer overflow bug, said Andrew Storms, director of security operations at security vendor Tripwire, via email. "It's unfortunate that even the most recent version of the Mac Office product still contains such a well understood vulnerability. This probably should have been caught during Microsoft's development processes before release."
"It's disappointing to see that Mac users of Microsoft software get the short end of the stick when it comes to security," said Tyler Reguly, technical manager of security research at Tripwire, via email. "You have to wonder how a vulnerability that only affects Office 2003 is also in Office for Mac 2011. As a Mac user, I find this advisory very disconcerting."
Even though later versions of Office for the Windows platform are not affected by this vulnerability, Office 2003 is still used by a lot of people, which makes this a serious vulnerability, Kandek said.
Another security bulletin released Tuesday, MS13-049, addresses a denial-of-service vulnerability in the Windows TCP/IP driver that affects all versions of Windows except for Windows XP and Windows Server 2003. An attacker could exploit this vulnerability by sending specially crafted packets to a targeted system which could cause it to stop responding.
"Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter," Microsoft said in the security bulletin.
"Network admins will want to carefully review and prioritize MS13-049, a network based denial of service bug," Storms said. "Unfortunately, newer versions of Windows can be exploited by the bug via a remote attack surface -- diminishing the long-standing thought that newer software is more secure."
Another security bulletin, MS13-048, addresses a vulnerability in the Windows kernel that affects only 32-bit versions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows 8. In order to exploit this vulnerability an attacker would need to have access to the system in order to execute a specially crafted application or would need to trick a local user to execute it.
"This vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise an affected system," Microsoft said in the security bulletin.
The last security bulletin, MS13-050, addresses a vulnerability in the Windows Print Spooler service that could allow an attacker authenticated as a local user to elevate his privilege when deleting a printer connection. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on the system with system privileges, Microsoft said.
Microsoft also issued a separate update accompanied by a security advisory as part of its efforts to improve cryptography and digital certificate handling in Windows. This update improves the Certificate Trust List (CTL) functionality in Windows Vista, Windows Server 2008, Windows 7, Windows 8, Windows Server 2012 and Windows RT.