Microsoft patches 'critical' Office flaw

Microsoft has finally admitted that the Mac version of Office has a critical security flaw and has released a patch.

The problem, discovered by Josha Bronson at AngryPacket Security in January, happens because Office incorrectly handles an HTML feature.

By using a link on a web page or in an HTML-enabled email, an attacker could cause a program to crash a Macintosh or run arbitrary commands.

All Mac Office programs are affected by the bug, but Microsoft admitted that it is critical on Internet Explorer for Mac OS 8, 9 and X, Outlook Express 5.0.2 and Entourage 2001 and v. X.

The software giant failed to respond to Bronson's warnings about the flaw and he approached security group w00w00. The group got Microsoft to listen, but it took three months to release a patch.

w00w00 said that a failure by Microsoft to respond immediately to a potential security problem ran counter to its highly touted 'Trustworthy Computing' initiative.

But Microsoft blamed the delay on Bronson for sending his report to the wrong person in the company.

A spokesman also said that a three-month response time was understandable, as there was a huge amount of work that had to be done to fix the bug.

"This is the most complex patch that I've seen us deliver in a while in terms of the number of patches that we had to do and the number of products," he explained.

"If you look at the number of products we are addressing we have 11, each of which localises in 12 languages. That's 110 or so patches that we had to do."

Microsoft's advisory and patches can be found on the software giant's website here.