Microsoft confirms Office for Mac 2008 snafu
Potential security problem crops up after file-access assignments go awry
Computerworld - Office for Mac 2008 incorrectly assigns ownership of some files, Microsoft Corp. has confirmed, creating a potential security problem for businesses installing the new application suite.
Joel Bruner, a Chicago-based Mac consultant, was the first to notice the ownership snafu. "[Microsoft] moved to Apple's Package Maker (.pkg) installer files, good news for the enterprise, [but] unfortunately, they've created all the packages to install most all of the files with the owner set to 502."
In a shop where employees run with limited privileges -- a practice very common in companies -- and IT is the only user with full administrative rights, Office 2008's ownership assignment means that a user who wasn't supposed to have complete control over those files actually does. In other words, whomever is assigned user ID 502 has full read/write access to Office's files.
"So let's say, Mr. IT installs this on a user's machine where the first user is the admin (501) and the standard user is Joe User (502)," said Bruner in a post to his blog on Monday. "Well, when after [everything is] installed, it will give Joe User (502) ownership of these folders and their installed contents:
/Library/Automator/ (if it doesn't exist already)
/Applications/Microsoft Office 2008"
The screw-up could present a corporate security problem, at least internally, said Bruner, if that Mac's second, standard user -- user 502 -- decides to make changes to the folders and files by deleting some or moving others.
A Microsoft developer left a comment on Bruner's blog, confirming that the company knows about the problem. "The [Mac Business Unit] is aware of this issue," said Erik Schwiebert, a software design lead in the group.
Microsoft, however, did not immediately respond to queries about how it intends to correct the problem, and what users can do in the meantime.
Other commenters on Bruner's blog hesitated to blame only Microsoft, however. "The truth is that this is a long-standing flaw in Apple's Installer," argued someone identified as "Not Required." "Maybe Microsoft should have known better, but maybe Apple should also have improved their installer years ago. Apple clearly hasn't cared enough about smaller developers to make a fix, so hopefully Microsoft has a high-enough profile that something finally gets done."
In a follow-up post also on Monday, Bruner added that all the Office for Mac 2008 files owned by user 502 are also erroneously set as executable. "Now tell me does '/Microsoft Office 2008/Read Me.html' need to be executable for you to look at it?" asked Bruner. "Tick, tick, tick, *ding*! No. It does not."
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts