Windows News
Microsoft has confirmed a critical remote code execution (RCE) vulnerability in Excel, tracked as CVE-2026-44818, but updates remain unavailable for Mac users running Office LTSC for Mac 2021, Office LTSC for Mac 2024, and Microsoft 365 for Mac. The gap leaves thousands of enterprise and consumer Mac systems exposed to potential attacks, even as Windows patches have reportedly been shipped. The company has not disclosed a timeline, stating only that customers will be notified when fixes are ready.
Security teams now face a familiar dilemma: wait indefinitely for official patches or implement disruptive workarounds that could hamper productivity. The delay reopens debates about Microsoft’s commitment to platform parity in security responses—especially as threat actors increasingly target cross-platform productivity suites.
What CVE-2026-44818 entails
CVE-2026-44818 is a remote code execution vulnerability in Microsoft Excel, the spreadsheet application within the Office suite. According to Microsoft’s advisory—details of which remain sparse—the flaw can be exploited by convincing a user to open a specially crafted Excel file. Successful exploitation could allow an attacker to execute arbitrary code with the same privileges as the logged-in user, potentially leading to full system compromise.
The vulnerability’s CVSS score has not been publicly posted yet, but the “remote code execution” classification signals high severity. Historical patterns suggest that such Excel flaws often stem from memory corruption issues, improper input handling, or malicious macro payloads. Whether this bug requires user interaction or can be triggered through preview panes remains unclear, although Excel RCEs typically rely on social engineering.
Administrators should assume the worst: weaponization in targeted phishing campaigns. Given Excel’s prevalence in finance, healthcare, and government sectors, delayed patches can translate into extended risk windows during which organized crime groups and nation-state actors might develop exploits.
Which versions are affected—and which are not
Microsoft’s statement explicitly lists three Mac products without updates:
- Microsoft Office LTSC for Mac 2021
- Microsoft Office LTSC for Mac 2024
- Microsoft 365 for Mac (the subscription version)
Notably missing from the delay list are Excel on Windows, Excel for the web, and Excel for iOS/Android. This disparity suggests that the underlying vulnerability might be platform-specific—perhaps tied to macOS features like sandboxing behaviors or Intel/Apple Silicon binary differences. It’s also possible that the Windows fix was straightforward while the Mac patch requires additional engineering to avoid regression with Apple’s stringent notarization and code-signing requirements.
For Mac administrators, the exposure depends on the product channel. Organizations running LTSC (Long-Term Servicing Channel) versions typically have slower update cadences by design, but the lack of any available patch for the subscription-based Microsoft 365 suite is unusual. Microsoft 365 apps are normally updated automatically through the Microsoft AutoUpdate (MAU) mechanism, meaning this delay likely reflects a build integration problem rather than a servicing channel limitation.
The security community has noted that Microsoft often rolls out Windows patches first, with Mac updates following days or weeks later. In this case, the gap has already generated enough concern for Microsoft to publish an advisory acknowledging the delay—an implicit admission that the Mac fix is not imminent.
Microsoft’s official response and communication
In a brief statement, Microsoft said updates for CVE-2026-44818 are “not currently available” for the listed Mac versions and that “customers will be notified through the standard update channels when the fix is released.” The company refrained from providing an expected release date, a move that frustrates IT departments trying to schedule change windows.
This communication pattern matches past incidents: Microsoft prioritizes transparency when a patch gap might attract media scrutiny, but stops short of committing to firm timelines. For instance, similar delays occurred with Excel vulnerabilities CVE-2021-42292 (November 2021) and CVE-2023-33137 (June 2023), where Mac updates lagged by two to four weeks.
The advisory does not mention whether the vulnerability is being actively exploited in the wild. In the absence of a detection note, organizations must assume that proof-of-concept code could emerge quickly once more details are published. Microsoft typically coordinates disclosure with the researcher who reported the bug, but the CVE listing itself might include enough technical breadcrumbs for reverse engineering.
Admins should monitor Microsoft’s Security Updates Guide and the Office release notes for Mac. These pages will be updated first when the patch ships. Third-party trackers like NVD (National Vulnerability Database) will also propagate the CVE details, but only after Microsoft’s official publication.
Immediate risk assessment for Mac-centric organizations
For shops running Mac-based Excel, the risk calculation is straightforward but painful. The vulnerability allows RCE, which could lead to ransomware deployment, data exfiltration, or lateral movement within corporate networks. The attack surface includes any user who opens Excel files from untrusted sources—including attachments and links in phishing emails, shared documents in collaboration tools, or even files dropped via malicious macros.
Three factors make this delay particularly dangerous:
- Attack chaining potential – Excel RCEs often serve as initial access vectors. Once an attacker gains code execution, they can drop secondary payloads that bypass macOS security controls like Gatekeeper and TCC (Transparency, Consent, and Control).
- Prevalence of Excel files – .xlsx and .xlsm formats are ubiquitous in business communication. Users are conditioned to open spreadsheets from colleagues, making detection harder.
- Lack of endpoint detection for Mac – Many enterprises still rely on signature-based antivirus on macOS, which struggles with never-before-seen exploitation techniques. Advanced EDR tools often have limited telemetry for Mac Office processes.
Organizations with high-value data or strict compliance requirements (HIPAA, PCI-DSS, GDPR) face additional regulatory pressure. Auditors may fault delayed patch application, even if the delay lies with Microsoft.
Workarounds and mitigation strategies
Until official patches arrive, Mac admins have several mitigation options—each with trade-offs.
Block potentially malicious file types at the email gateway
Aggressively filter email attachments containing Excel files with macros (.xlsm, .xlsb, and older .xls formats). Use mail flow rules to quarantine such attachments or convert them to static PDFs where feasible. Since CVE-2026-44818 is file-based, cutting off the delivery vector drastically reduces exposure.
Disable Excel macros entirely
On managed Macs, use configuration profiles to set the VBAWarnings key to disable all macros without notification. This can be done via a mobileconfig profile with the following setting:
<key>VBAWarnings</key>
<integer>3</integer>
Value 3 corresponds to “Disable all macros without notification.” Some line-of-business spreadsheets rely on VBA, so test this change on a pilot group first.
Enforce Protected View for files from the internet
Excel on Mac respects the com.apple.quarantine attribute set by browsers and email clients. Ensure that Office automatically opens internet-origin files in Protected View, which strips active content. This can be controlled through group policy or MDM settings:
- Domain:
com.microsoft.office - Key:
DisableProtectedViewForAttachments=false - Key:
DisableProtectedViewForInternetFiles=false
Use File Quarantine and XProtect
Leverage macOS’s built-in malware detection. XProtect may receive update signatures for the exploit if Microsoft shares indicators. Ensure automatic security updates are enabled in System Settings. Additionally, consider deploying a custom LaunchAgent that triggers a warning when Excel opens a file with a suspicious filename pattern (e.g., “invoice”, “statement”, “new order”).
Isolate high-risk users
Segment users who frequently open external Excel files—such as finance teams, accountants, and sales staff—into a separate VLAN or virtual desktop environment where exploitation would be contained. Consider proxying their traffic and applying additional inspection layers.
Deploy temporary DLP rules
Create Data Loss Prevention (DLP) policies that monitor and block large data transfers from devices running Excel. This won’t stop the initial RCE but can limit data exfiltration if an endpoint is compromised.
Harden Microsoft AutoUpdate settings
While AutoUpdate cannot fetch a patch that doesn’t exist, ensure it’s configured to check daily for updates. On critical systems, manually run msupdate via command line to force a check. An available patch might be delivered outside regular patch cycles.
Monitoring for exploitation attempts
Even without a patch, defenders can look for signs of weaponization. Key indicators include:
- Excel spawning unexpected child processes (e.g.,
/bin/sh,curl,python) - Network connections to rare or newly registered domains immediately after opening a spreadsheet
- The creation of suspicious files in ~/Library/LaunchAgents/ or /tmp/
- Macro execution alerts from Microsoft Defender for Endpoint or third-party EDR
Set up alerting rules: any time Excel launches cmd (on Windows) or /bin/bash (on macOS), generate a high-priority incident. While false positives may occur, they’re manageable in a heightened threat posture.
Log centralization via security information and event management (SIEM) tools like Splunk, Microsoft Sentinel, or Elastic can correlate Excel events across the fleet. Create a dashboard tracking all Office application crashes and suspicious file opens.
The broader landscape of Office for Mac security
This isn’t the first time Mac Office users have been left behind. A 2022 analysis by security researcher Patrick Wardle found that multiple high-severity Office vulnerabilities were patched on Windows months before Mac equivalents shipped. In one case, CVE-2022-21840 (a remote code execution in Outlook) took 48 days longer for the Mac fix.
Microsoft’s official line is that the Mac and Windows codebases are separate, requiring independent security updates developed by different teams. However, threat actors don’t distinguish between platforms. The Pwn2Own contest regularly demonstrates that Mac Office is a viable target, and exploit kits like Atomic Stealer have incorporated Office lures for macOS.
Enterprise adoption of Macs has risen sharply, driven by user preference and Apple’s M-series performance. Forrester reports that 23% of enterprise endpoints now run macOS. These machines often handle sensitive data with weaker endpoint controls than their Windows counterparts—making a one-month patch gap a significant organizational risk.
Security leaders should pressure Microsoft to adopt more rigorous SLAs for cross-platform vulnerability remediation. The Cybersecurity and Infrastructure Security Agency (CISA) has not yet issued a binding operational directive for this CVE, but history suggests that critical Microsoft RCEs eventually make the list.
What admins should communicate to users
User awareness can buy time while waiting for patches. Send a brief, non-alarmist communication:
“We are aware of a security issue affecting Excel on Mac computers. Microsoft is preparing an update. Until then, please avoid opening Excel files from unknown senders or unexpected attachments, even if they appear to come from a colleague. If you receive a file you’re unsure about, forward it to IT before opening.”
Avoid over-sharing technical details that could assist attackers. Emphasize the temporary nature of the workaround and that productivity should not be severely impacted.
What to expect when the patch arrives
Based on Microsoft’s typical Office for Mac release process, the fix will likely arrive through Microsoft AutoUpdate as a version bump—no macOS reboot required. Organizations using MDM to defer updates should be prepared to override deferral policies to expedite deployment.
The update might bundle other security fixes, so reviewing the full release notes will be critical to assess any ancillary risks (e.g., known compatibility issues with Excel add-ins). Testing should focus on:
- VBA macro compatibility
- Third-party plugins (Bloomberg, Thomson Reuters, SAP Analyzer)
- File opening performance for large datasets
- Interaction with macOS’s latest version (Apple frequently releases point updates that break Office authentication)
Preparing for the next delay
This incident underscores a systemic issue. Forward-thinking organizations should:
- Inventory all Office installations by platform and version. Centralize this data in a CMDB that feeds into patch management tools.
- Negotiate security clauses in Microsoft licensing agreements. Request committed timelines for cross-platform vulnerability fix parity.
- Evaluate native alternatives. For some workflows, Apple’s Numbers or browser-based Google Sheets might suffice, though they lack Excel’s full feature set.
- Invest in Mac-specific EDR solutions. Products like Jamf Protect, CrowdStrike Falcon for macOS, or Microsoft Defender for Endpoint can provide behavioral detection even without a signature.
- Run quarterly tabletop exercises simulating a zero-day Excel exploit on Mac endpoints, refining incident response processes.
The bottom line
CVE-2026-44818 is a critical Excel vulnerability with a missing Mac patch. While the exact severity awaits more details, the risk is clear enough that administrators must act now. Implement workarounds like macro blocking, Protected View enforcement, and email filtering. Monitor endpoints for suspicious Excel behavior. Communicate with users. And pressure Microsoft—through official support channels, TAMs, and industry groups—to deliver the fix faster.
The gap will close, but the window of exposure is entirely under the attacker’s control until Microsoft ships the update.