Microsoft confirms Office for Mac 2008 snafu
Potential security problem crops up after file-access assignments go awry
Computerworld - Office for Mac 2008 incorrectly assigns ownership of some files, Microsoft Corp. has confirmed, creating a potential security problem for businesses installing the new application suite.
Joel Bruner, a Chicago-based Mac consultant, was the first to notice the ownership snafu. "[Microsoft] moved to Apple's Package Maker (.pkg) installer files, good news for the enterprise, [but] unfortunately, they've created all the packages to install most all of the files with the owner set to 502."
In a shop where employees run with limited privileges -- a practice very common in companies -- and IT is the only user with full administrative rights, Office 2008's ownership assignment means that a user who wasn't supposed to have complete control over those files actually does. In other words, whomever is assigned user ID 502 has full read/write access to Office's files.
"So let's say, Mr. IT installs this on a user's machine where the first user is the admin (501) and the standard user is Joe User (502)," said Bruner in a post to his blog on Monday. "Well, when after [everything is] installed, it will give Joe User (502) ownership of these folders and their installed contents:
/Library/Automator/ (if it doesn't exist already)
/Applications/Microsoft Office 2008"
The screw-up could present a corporate security problem, at least internally, said Bruner, if that Mac's second, standard user -- user 502 -- decides to make changes to the folders and files by deleting some or moving others.
A Microsoft developer left a comment on Bruner's blog, confirming that the company knows about the problem. "The [Mac Business Unit] is aware of this issue," said Erik Schwiebert, a software design lead in the group.
Microsoft, however, did not immediately respond to queries about how it intends to correct the problem, and what users can do in the meantime.
Other commenters on Bruner's blog hesitated to blame only Microsoft, however. "The truth is that this is a long-standing flaw in Apple's Installer," argued someone identified as "Not Required." "Maybe Microsoft should have known better, but maybe Apple should also have improved their installer years ago. Apple clearly hasn't cared enough about smaller developers to make a fix, so hopefully Microsoft has a high-enough profile that something finally gets done."
In a follow-up post also on Monday, Bruner added that all the Office for Mac 2008 files owned by user 502 are also erroneously set as executable. "Now tell me does '/Microsoft Office 2008/Read Me.html' need to be executable for you to look at it?" asked Bruner. "Tick, tick, tick, *ding*! No. It does not."
Read more about Security in Computerworld's Security Topic Center.
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!