MS Word security hole plugged

CNET staff
Microsoft has released the Microsoft Word for Mac Security Update for Word 98 and 2001. The update fixes the previously reported issue in which a macro embedded in a template could be triggered by importing a Rich Text Format (RTF) file that contained a link back to the macro. The ReadMe file states:

    "The update addresses a vulnerability that could allow malicious code to run in a Rich Text Format (RTF) document without warning. Under normal circumstances, you see a warning in Word 98 or Word 2001 when you open a document attached to a template containing macros. However, it is possible for an RTF document to be linked to a template containing macros in such a way that a macro can run with no warning issued. This could cause damage to data or allow unauthorized retrieval of data from your system when you visit a Web site or open an e-mail message.

    This security update prevents macros from opening without a security warning. After you have installed the update, you will be warned before you open an RTF document that contains a template or macro.

    • The vulnerability affects Microsoft Word 98 Macintosh Edition and Microsoft Word 2001 for the Mac
    • The vulnerability only affects Word. Other Office products are not affected.
    • The vulnerability does not occur when opening Word documents, only when opening RTF documents that are linked to a template."
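
For triage, a mail or file gateway can flag RTF files that carry a template link before they reach Word. The sketch below is an added example, not code from Microsoft's ReadMe or from this article; it assumes the link is expressed with the RTF `\template` destination control word (the ReadMe does not name the mechanism), and the sample documents are constructed.

```python
import re

# RTF writes a linked template as a destination group: {\*\template <target>}
# (assumption: this is the link the ReadMe refers to; the \* prefix is optional here).
TEMPLATE_RE = re.compile(
    rb"\{\s*(?:\\\*\s*)?\\template(?![a-zA-Z])\s*((?:\\.|[^{}\\])*)\}"
)

# Constructed samples, not taken from any real document.
SAMPLE_LINKED = (
    rb"{\rtf1\mac{\*\template Macintosh HD:Shared:Report Template}"
    rb"\pard Quarterly report\par}"
)
SAMPLE_PLAIN = rb"{\rtf1\mac\pard No template here\par}"


def rtf_template_links(data: bytes) -> list[str]:
    """Return the template targets an RTF byte string links to (empty if none)."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return []  # not RTF; native Word documents are outside this check
    targets = []
    for match in TEMPLATE_RE.finditer(data):
        raw = match.group(1).strip()
        # RTF escapes literal backslashes and braces as \\ \{ \}; undo for reporting.
        unescaped = re.sub(rb"\\([\\{}])", rb"\1", raw)
        targets.append(unescaped.decode("latin-1"))
    return targets


def should_quarantine(data: bytes) -> bool:
    """Policy used here: hold any RTF file that references a template at all."""
    return bool(rtf_template_links(data))


if __name__ == "__main__":
    for name, blob in (("linked", SAMPLE_LINKED), ("plain", SAMPLE_PLAIN)):
        print(name, should_quarantine(blob), rtf_template_links(blob))
```

Holding every template-linked RTF file is deliberately coarse: the check cannot tell whether the referenced template contains macros, only that a link exists.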

Download and Installation issues

The update patches the Word application itself, and we updated our copy of Word 2001 without a hitch. However, several users report trouble updating Word 98. After some early confusion, it now appears that there are two separate updaters, one for each version. Here are the download links: Word 98 and Word 2001.

Important installation notes from the ReadMe:

  • If you are using Word 2001, you must first run Office 2001 for Mac Service Release 1. If your version number is 9.0.1 (3122), then you are already using the Service Release (the About window will also say "Service Release 1"). If your version number is 9.0 (2510), run the Office 2001 Service Release 1 updater first.
  • If you are using Word 98, you must first run Combined Updater for Office 98. If your version number is 8.0 (5730) then you are already using the Service Release. If your version number is 8.0 (4926), you need to run the Combined Updater for Office 98 first.
  • Do not install while running Mac OS X. Boot into 9.1 first.

The above two updates are not newly released, but they must be installed before you can run the new security patch.

Update: Several users report that their version numbers do not agree with the numbers stated in the ReadMe file. We suspect that there are more combinations of updaters than are accounted for in the ReadMe. Also, the original link (in the ReadMe) for the Office 98 Combined updater appears to be incorrect. The above link should now work.