MS Office and IE Exploits
buzban writes "Microsoft has issued this security bulletin regarding potential buffer/code exploits. It seems to have a potential effect on a lot of things, including Office v.X, Office:2001, IE for Mac OS and for Mac OS X, AppleScript, et al... I couldn't get the update from Apple just yet, but that might be my own screwup. ;)" Only the patch for MSIE on Mac OS X is in Software Update through Apple. All others must be downloaded from Microsoft. Update: 04/17 21:02 GMT by P: pumpkinhead writes in that ZDNet has a story with more details.
I know this, but what you are saying is that IE can't run code that can do anything damaging (because it isn't root) and what I'm saying is that is definitely the wrong attitude. What I think you are saying (correct me if I'm wrong) is that non-root remote exploits are not much of a threat. That is untrue. A remote exploit is bad no matter what the security level. Even a nobody-level remote exploit is bad because attackers can use your machine to bounce attacks to other systems (making it appear like your machine is doing the attacking). It only takes one local exploit (say, in all that proprietary code that Apple ships) to turn a non-root exploit into a root exploit. But let's say that your machine is locally secure (that is, if you were to give me a shell there would be no way for me to get root). Even then IE can run code that can follow your actions (a bad thing in itself) and when those actions involve elevation of privileges then it is possible to get root without any local exploit being necessary. So no, the fact that you don't run IE as root is not enough. Personally I think we should be able to control exactly what capabilities programs have. Running arbitrary code from a foreign source isn't one of them.
How we know is more important than what we know.