MS Office and IE Exploits

← Back to Stories (view on slashdot.org)

Posted by pudge on Wednesday April 17, 2002 @01:19AM from the um-damn dept.

buzban writes "Microsoft has issued this security bulletin regarding potential buffer/code exploits. It seems to have a potential effect on a lot of things, including Office v.X, Office:2001, IE for Mac OS and for Mac OS X, AppleScript, et al... I couldn't get the update from Apple just yet, but that might be my own screwup. ;)" Only the patch for MSIE on Mac OS X is in Software Update through Apple. All others must be downloaded from Microsoft. Update: 04/17 21:02 GMT by P : pumpkinhead writes in that ZDNet has a story with more details.

31 comments

Min score:

Reason:

Sort:

Friendly tip for the Internet Explorer update by helixblue · 2002-04-17 01:31 · Score: 4, Informative

Not that I use IE except for testing, but I found that you only get prompted for the update if Internet Explorer is in /Applications.

I had moved it into /Applications/Internet on my machine.
1. Re:Friendly tip for the Internet Explorer update by Spencerian · 2002-04-17 04:33 · Score: 3, Informative
  
  I've just sent this same information to Macintouch.com, and I'll repeat it here:
  
  Mac OS X is UNIX, and, like many versions of OS, doesn't expect you to tweak your system around like in Mac OS 9.
  
  Don't do it. Leave ALL preinstalled Mac OS X applications exactly where they are. If you need to access them conveniently, place their icons in the Dock, the desktop, some folder, or use a third-party solution. Changing around the location (or probably name) of applications is the quick way of hosing a Mac OS X installation to the point where reinstallation is required.
  
  When other UNIX users need to activate an app from another location, they use symlinks or other method. But their apps stay put. So should it be with Mac OS X. Leave stuff alone unless you are a UNIX admin and Mac OS X programmer employed by Apple (hmm..a subtle way of saying "don't.")
  
  --
  Vos teneo officium eram periculosus ut vos recipero is.
wow.... by Anonymous Coward · 2002-04-17 01:33 · Score: 0

got to work an hour ago, saw the back button troubles, and now this.

i guess it's an exploitin' type of day around here!

any guesses as to what'll be next?
thanks! by buzban · 2002-04-17 01:40 · Score: 1

i've done that same thing...one of the drawbacks of the drag-and-drop program installation i suppose.
thanks for the tip, though!
Mac OS X mitigates security hole impact by rjamestaylor · 2002-04-17 02:10 · Score: 2, Informative
In the technical bulletien MS writes:
- On operating systems that enforce security on per-user basis, such as Mac OS X, the specific actions that an attacker's code can take would be limited to those allowed by the privileges of the user's account.
If you use the less-than-root privileged default user setup the impact of these remotely exploitable holes is mitigated. And you can thank the underlying UNIX system for that bit of goodness.
--
-- @rjamestaylor on Ello
1. Re:Mac OS X mitigates security hole impact by QuantumG · 2002-04-17 02:45 · Score: 3, Interesting
  
  Surely when you get asked to enter your root password (as you always do whenever you install new software) the attacker could jump to root. Guess the small amount of effort to trick/follow the user is more than any attacker would bother to do.
  
  --
  How we know is more important than what we know.
2. Re:Mac OS X mitigates security hole impact by WalletBoy · 2002-04-17 06:43 · Score: 1
  
  Surely when you get asked to enter your root password (as you always do whenever you install new software) the attacker could jump to root. Guess the small amount of effort to trick/follow the user is more than any attacker would bother to do.
  Actually, you're usually not entering in the root password when the dialog comes up during a softwate install. Typically you enter in your password if you are the primary user and you are in the admin group. You can of course enter in the root username and password in that dialog if you wish but it is possible to install programs without being root. This way when grandma gets her new iMac, she when she creates an account for herself she is placed in the admin group by default (if it was the first account created on that machine) and she can install/remove programs to her heart's content without actually having root privileges.
3. Re:Mac OS X mitigates security hole impact by QuantumG · 2002-04-17 21:18 · Score: 1
  
  This is an even bigger security hole. I naturally assumed you had turned this off and ran IE as a user with reduced privileges. Obviously if IE is running with admin privs then all of this is defunct.
  
  --
  How we know is more important than what we know.
Software Update blurb... by SpotBug · 2002-04-17 02:21 · Score: 2, Funny

... really made me laugh. They claim the update fixes all potential security issues in IE.

--
cygnuhchur
1. Re:Software Update blurb... by felicity · 2002-04-17 02:56 · Score: 1
  
  So the update reduces the installation to just an icon? Sweet. ;)
IE Needed by ScumBiker · 2002-04-17 02:22 · Score: 1, Offtopic

I've deleted IE from my mac. Now I need it for testing and don't want to re-install the OS. Would someone post it to their iDrive and email me about it?

--
--- Think of it as evolution in action ---
1. Re:IE Needed by Spencerian · 2002-04-17 04:27 · Score: 2
  
  IE for Mac OS X can now be downloaded from Microsoft's web site. (http://www.microsoft.com/mac)
  
  --
  Vos teneo officium eram periculosus ut vos recipero is.
2. Re:IE Needed by Xenex · 2002-04-17 12:05 · Score: 2
  
  You can't download IE for OS X at Apple's website, however you can use the application Pacifist. It can open an extract files from .pgk's.
  
  It's documents explain how to extract single files from the OS X CD. Just grab IE, put it into /Applications, and then run Software Update to get the update.
Not really by gidds · 2002-04-17 03:11 · Score: 1

IE, like many apps, is installed by the root user, so that all users will have access to it. But it runs under your own user ID. So you might be at risk from malicious code in the installer, but once installed, you have the power of Unix permissions to protect you from malicious code on the web etc.

--
Ceterum censeo subscriptionem esse delendam.
1. Re:Not really by QuantumG · 2002-04-17 03:22 · Score: 3, Insightful
  
  I know this, but what you are saying is that IE cant run code that can do anything damaging (because it isn't root) and what I'm saying is that is definitely the wrong attitude. What I think you are saying (correct me if I'm wrong) is that non-root remote exploits are not much of a threat. That is untrue. A remote exploit is bad no matter what the security level. Even a nobody-level remote exploit is bad because attackers can use your machine to bounce attacks to other systems (making it appear like your machine is doing the attacking). It only takes one local exploit (say, in all that proprietory code that Apple ships) to turn a non-root exploit into a root exploit. But let's say that your machine is locally secure (that is, if you were to give me a shell there would be no way for me to get root). Even then IE can run code that can follow your actions (a bad thing in itself) and when those actions involve elevation of privileges then it is possible to get root without any local exploit being necessary. So no, the fact that you dont run IE as root is not enough. Personally I think we should be able to control exactly what capabilities programs have. Running arbitary code from a foriegn source isn't one of them.
  
  --
  How we know is more important than what we know.
2. Re:Not really by Myshkin5 · 2002-04-17 03:28 · Score: 1
  
  I think QuantumG still has a valid point. Practically every installer I run under OS X asks for my password. This is only slightly better than an OS (w2k) whose default configuration has everything running as an administrator. OS X installers that need system level access should simply tell me they don't have the right permissions then quit.
3. Re:Not really by ZigMonty · 2002-04-17 04:02 · Score: 2
  
  Practically every installer I run under OS X asks for my password. This is only slightly better than an OS (w2k) whose default configuration has everything running as an administrator. OS X installers that need system level access should simply tell me they don't have the right permissions then quit.
  
  That doesn't sound like a very user friendly solution. You shouldn't be encouraging people to login into Mac OS X as root. And even if you did, the luser would just login into root to run the trojan. Making it annoying to install stuff as root shouldn't be considered security.
  Also, Mac OS X installers that *don't* need root permissions shouldn't be installers, they should be drag-n-drop disk images, .sit archives, or .tar.gz archives. You should only use an installer if you need to put stuff in /System/ or any of the unix directories (/usr/local/bin/ etc). The reason why every installer you run needs a password is that they all *need* a password or they wouldn't use the installer. Of course I'm ignoring all the non-apple installers which aren't really installers, just glorified unarchivers.
4. Re:Not really by thrig · 2002-04-17 04:58 · Score: 2
  
  You cannot login to Mac OS X as root, unless you take the trouble to enable the root user (look under the Domain menu in the Netinfo Manager application). Otherwise, the first user setup has "Administrator" rights, along with any other user that you twiddle that checkbox for if using the Users preference pane to create new accounts. "Administrators" are simply folks in the admin group, which can modify large portions of the file system tree (/Applications comes to mind) due to the admin-group-write permissions Apple places all over the place.
  
  Otherwise, the password being asked for is the login/pass for any user marked as Administrator, which does the equivalent of a sudo to root when something needs to write to normally unaccessible areas (e.g. to install Frameworks or the like).
5. Re:Not really by ZigMonty · 2002-04-17 23:16 · Score: 2
  
  I know that. My point was that Apple is discouraging the user from doing stuff as root whereas the parent seemed to be saying the opposite.
Netscape-- more compatible with M$ by Betaman · 2002-04-17 03:30 · Score: 0, Offtopic

This is sad... I downloaded IE 5.1.4 for OS9 with IE 5.1 and the file I downloaded was only 512k, but IE said it was completed. I tried re-downloading, and it just used the cache file and kept getting the same 512k file. So I deleted the cache file and it still somehow downloaded just the 512k file. I opened up Netscape and it downloaded just fine. It's so sad it's not even funny.
ms on a mac by mkmiller · 2002-04-17 06:09 · Score: 1

What is the freakin point of using IE on a mac? Office I can understand, since all the sheep of the world use it. IE? WHY? WHY? WHY? Must be like the people waiting for that rpm of IE for the lastest release of Redhat.
1. Re:ms on a mac by klez23 · 2002-04-17 08:35 · Score: 1
  
  the scrapbook rocks. that's why.
2. Re:ms on a mac by Anonymous Coward · 2002-04-17 10:59 · Score: 0
  
  and because IE for Mac != IE for Windows. IE on the Mac, while not rock solid, is a great, fairly zippy browser, and supports just about everything all those retarded DHTML/CSS-enabled sites can throw out.
3. Re:ms on a mac by Anonymous Coward · 2002-04-17 11:18 · Score: 0
  
  To paraphrase :
  
  "Mozilla Mozilla Mozilla Mozilla Mozilla Mozilla..."
  
  "I...Love...This...Company YEAHHHH!"
Sounds like a good business strategy! by hysterion · 2002-04-17 08:51 · Score: 2

The company says versions of Internet Explorer prior to 5.1, of Outlook Express prior to 5.0.1, and of Office prior to Office 98 are no longer supported, have not been tested, and may or may not be subject to these vulnerabilities.

Method: Have dangerous flaws in your product, then inform the customer that you'll gladly fix them -- provided s/he buys a newer version first.

(Only works if you have monopoly on said product, though.)

--
Timeo idiotikOS et dona ferentes
1. Re:Sounds like a good business strategy! by Anonymous Coward · 2002-04-17 15:16 · Score: 0
  
  That is more the rule than an exception in the software industry - monopoly or not.
What have we learned... by finity · 2002-04-17 13:33 · Score: 1

don't use microsoft on an otherwise stable, secure system.
Bust a gut laughing by Anonymous Coward · 2002-04-18 08:24 · Score: 0

If I really gave a darn i would be on the floor rolling with laughter at the pain and anguish a microsoft product has brought to another group of people.

But then I realize that all software has security problems. ALL

Not that I am a microsoft apologist. Just statin' the facts.

But still it is so damn funny.

Trustworthy Computing

hahahahahahahahahahahahahahahahhahahahahHAHAH

HA
screw ya bill