Microsoft confirms Office for Mac 2008 snafu
Potential security problem crops up after file-access assignments go awry
Computerworld - Office for Mac 2008 incorrectly assigns ownership of some files, Microsoft Corp. has confirmed, creating a potential security problem for businesses installing the new application suite.
Joel Bruner, a Chicago-based Mac consultant, was the first to notice the ownership snafu. "[Microsoft] moved to Apple's Package Maker (.pkg) installer files, good news for the enterprise, [but] unfortunately, they've created all the packages to install most all of the files with the owner set to 502."
In a shop where employees run with limited privileges -- a practice very common in companies -- and IT is the only user with full administrative rights, Office 2008's ownership assignment means that a user who wasn't supposed to have complete control over those files actually does. In other words, whomever is assigned user ID 502 has full read/write access to Office's files.
"So let's say, Mr. IT installs this on a user's machine where the first user is the admin (501) and the standard user is Joe User (502)," said Bruner in a post to his blog on Monday. "Well, when after [everything is] installed, it will give Joe User (502) ownership of these folders and their installed contents:
/Library/Automator/ (if it doesn't exist already)
/Applications/Microsoft Office 2008"
The screw-up could present a corporate security problem, at least internally, said Bruner, if that Mac's second, standard user -- user 502 -- decides to make changes to the folders and files by deleting some or moving others.
A Microsoft developer left a comment on Bruner's blog, confirming that the company knows about the problem. "The [Mac Business Unit] is aware of this issue," said Erik Schwiebert, a software design lead in the group.
Microsoft, however, did not immediately respond to queries about how it intends to correct the problem, and what users can do in the meantime.
Other commenters on Bruner's blog hesitated to blame only Microsoft, however. "The truth is that this is a long-standing flaw in Apple's Installer," argued someone identified as "Not Required." "Maybe Microsoft should have known better, but maybe Apple should also have improved their installer years ago. Apple clearly hasn't cared enough about smaller developers to make a fix, so hopefully Microsoft has a high-enough profile that something finally gets done."
In a follow-up post also on Monday, Bruner added that all the Office for Mac 2008 files owned by user 502 are also erroneously set as executable. "Now tell me does '/Microsoft Office 2008/Read Me.html' need to be executable for you to look at it?" asked Bruner. "Tick, tick, tick, *ding*! No. It does not."
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts