Microsoft confirms Office for Mac 2008 snafu
Potential security problem crops up after file-access assignments go awry
Computerworld - Office for Mac 2008 incorrectly assigns ownership of some files, Microsoft Corp. has confirmed, creating a potential security problem for businesses installing the new application suite.
Joel Bruner, a Chicago-based Mac consultant, was the first to notice the ownership snafu. "[Microsoft] moved to Apple's Package Maker (.pkg) installer files, good news for the enterprise, [but] unfortunately, they've created all the packages to install most all of the files with the owner set to 502."
In a shop where employees run with limited privileges -- a practice very common in companies -- and IT is the only user with full administrative rights, Office 2008's ownership assignment means that a user who wasn't supposed to have complete control over those files actually does. In other words, whomever is assigned user ID 502 has full read/write access to Office's files.
"So let's say, Mr. IT installs this on a user's machine where the first user is the admin (501) and the standard user is Joe User (502)," said Bruner in a post to his blog on Monday. "Well, when after [everything is] installed, it will give Joe User (502) ownership of these folders and their installed contents:
/Library/Automator/ (if it doesn't exist already)
/Applications/Microsoft Office 2008"
The screw-up could present a corporate security problem, at least internally, said Bruner, if that Mac's second, standard user -- user 502 -- decides to make changes to the folders and files by deleting some or moving others.
A Microsoft developer left a comment on Bruner's blog, confirming that the company knows about the problem. "The [Mac Business Unit] is aware of this issue," said Erik Schwiebert, a software design lead in the group.
Microsoft, however, did not immediately respond to queries about how it intends to correct the problem, and what users can do in the meantime.
Other commenters on Bruner's blog hesitated to blame only Microsoft, however. "The truth is that this is a long-standing flaw in Apple's Installer," argued someone identified as "Not Required." "Maybe Microsoft should have known better, but maybe Apple should also have improved their installer years ago. Apple clearly hasn't cared enough about smaller developers to make a fix, so hopefully Microsoft has a high-enough profile that something finally gets done."
In a follow-up post also on Monday, Bruner added that all the Office for Mac 2008 files owned by user 502 are also erroneously set as executable. "Now tell me does '/Microsoft Office 2008/Read Me.html' need to be executable for you to look at it?" asked Bruner. "Tick, tick, tick, *ding*! No. It does not."
Read more about Security in Computerworld's Security Topic Center.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!