MS Office and IE Exploits

buzban writes "Microsoft has issued this security bulletin regarding potential buffer/code exploits. It seems to have a potential effect on a lot of things, including Office v.X, Office:2001, IE for Mac OS and for Mac OS X, AppleScript, et al... I couldn't get the update from Apple just yet, but that might be my own screwup. ;)" Only the patch for MSIE on Mac OS X is in Software Update through Apple. All others must be downloaded from Microsoft. Update: 04/17 21:02 GMT by P : pumpkinhead writes in that ZDNet has a story with more details.

Friendly tip for the Internet Explorer update

[helixblue]

Not that I use IE except for testing, but I found that you only get prompted for the update if Internet Explorer is in /Applications.

I had moved it into /Applications/Internet on my machine.

Re:Friendly tip for the Internet Explorer update

[Spencerian]

I've just sent this same information to Macintouch.com, and I'll repeat it here:

Mac OS X is UNIX, and, like many versions of OS, doesn't expect you to tweak your system around like in Mac OS 9.

Don't do it. Leave ALL preinstalled Mac OS X applications exactly where they are. If you need to access them conveniently, place their icons in the Dock, the desktop, some folder, or use a third-party solution. Changing around the location (or probably name) of applications is the quick way of hosing a Mac OS X installation to the point where reinstallation is required.

When other UNIX users need to activate an app from another location, they use symlinks or other method. But their apps stay put. So should it be with Mac OS X. Leave stuff alone unless you are a UNIX admin and Mac OS X programmer employed by Apple (hmm..a subtle way of saying "don't.")

thanks!

[buzban]

i've done that same thing...one of the drawbacks of the drag-and-drop program installation i suppose.

thanks for the tip, though!

Mac OS X mitigates security hole impact

[rjamestaylor]

In the technical bulletien MS writes:

• On operating systems that enforce security on per-user basis, such as Mac OS X, the specific actions that an attacker's code can take would be limited to those allowed by the privileges of the user's account.

If you use the less-than-root privileged default user setup the impact of these remotely exploitable holes is mitigated. And you can thank the underlying UNIX system for that bit of goodness.

Re:Mac OS X mitigates security hole impact

[QuantumG]

Surely when you get asked to enter your root password (as you always do whenever you install new software) the attacker could jump to root. Guess the small amount of effort to trick/follow the user is more than any attacker would bother to do.

Re:Mac OS X mitigates security hole impact

[WalletBoy]

Surely when you get asked to enter your root password (as you always do whenever you install new software) the attacker could jump to root. Guess the small amount of effort to trick/follow the user is more than any attacker would bother to do.

Actually, you're usually not entering in the root password when the dialog comes up during a softwate install. Typically you enter in your password if you are the primary user and you are in the admin group. You can of course enter in the root username and password in that dialog if you wish but it is possible to install programs without being root. This way when grandma gets her new iMac, she when she creates an account for herself she is placed in the admin group by default (if it was the first account created on that machine) and she can install/remove programs to her heart's content without actually having root privileges.

Re:Mac OS X mitigates security hole impact

[QuantumG]

This is an even bigger security hole. I naturally assumed you had turned this off and ran IE as a user with reduced privileges. Obviously if IE is running with admin privs then all of this is defunct.

Software Update blurb...

[SpotBug]

... really made me laugh. They claim the update fixes all potential security issues in IE.

Re:Software Update blurb...

[felicity]

So the update reduces the installation to just an icon? Sweet. ;)

IE Needed

[ScumBiker]

I've deleted IE from my mac. Now I need it for testing and don't want to re-install the OS. Would someone post it to their iDrive and email me about it?

Re:IE Needed

[Spencerian]

IE for Mac OS X can now be downloaded from Microsoft's web site. (http://www.microsoft.com/mac)

Re:IE Needed

[Xenex]

You can't download IE for OS X at Apple's website, however you can use the application Pacifist. It can open an extract files from .pgk's.

It's documents explain how to extract single files from the OS X CD. Just grab IE, put it into /Applications, and then run Software Update to get the update.

Not really

[gidds]

IE, like many apps, is installed by the root user, so that all users will have access to it. But it runs under your own user ID. So you might be at risk from malicious code in the installer, but once installed, you have the power of Unix permissions to protect you from malicious code on the web etc.

Re:Not really

[QuantumG]

I know this, but what you are saying is that IE cant run code that can do anything damaging (because it isn't root) and what I'm saying is that is definitely the wrong attitude. What I think you are saying (correct me if I'm wrong) is that non-root remote exploits are not much of a threat. That is untrue. A remote exploit is bad no matter what the security level. Even a nobody-level remote exploit is bad because attackers can use your machine to bounce attacks to other systems (making it appear like your machine is doing the attacking). It only takes one local exploit (say, in all that proprietory code that Apple ships) to turn a non-root exploit into a root exploit. But let's say that your machine is locally secure (that is, if you were to give me a shell there would be no way for me to get root). Even then IE can run code that can follow your actions (a bad thing in itself) and when those actions involve elevation of privileges then it is possible to get root without any local exploit being necessary. So no, the fact that you dont run IE as root is not enough. Personally I think we should be able to control exactly what capabilities programs have. Running arbitary code from a foriegn source isn't one of them.

Re:Not really

[Myshkin5]

I think QuantumG still has a valid point. Practically every installer I run under OS X asks for my password. This is only slightly better than an OS (w2k) whose default configuration has everything running as an administrator. OS X installers that need system level access should simply tell me they don't have the right permissions then quit.

Re:Not really

[ZigMonty]

Practically every installer I run under OS X asks for my password. This is only slightly better than an OS (w2k) whose default configuration has everything running as an administrator. OS X installers that need system level access should simply tell me they don't have the right permissions then quit.

That doesn't sound like a very user friendly solution. You shouldn't be encouraging people to login into Mac OS X as root. And even if you did, the luser would just login into root to run the trojan. Making it annoying to install stuff as root shouldn't be considered security.

Also, Mac OS X installers that *don't* need root permissions shouldn't be installers, they should be drag-n-drop disk images, .sit archives, or .tar.gz archives. You should only use an installer if you need to put stuff in /System/ or any of the unix directories (/usr/local/bin/ etc). The reason why every installer you run needs a password is that they all *need* a password or they wouldn't use the installer. Of course I'm ignoring all the non-apple installers which aren't really installers, just glorified unarchivers.

Re:Not really

[thrig]

You cannot login to Mac OS X as root, unless you take the trouble to enable the root user (look under the Domain menu in the Netinfo Manager application). Otherwise, the first user setup has "Administrator" rights, along with any other user that you twiddle that checkbox for if using the Users preference pane to create new accounts. "Administrators" are simply folks in the admin group, which can modify large portions of the file system tree (/Applications comes to mind) due to the admin-group-write permissions Apple places all over the place.

Otherwise, the password being asked for is the login/pass for any user marked as Administrator, which does the equivalent of a sudo to root when something needs to write to normally unaccessible areas (e.g. to install Frameworks or the like).

Re:Not really

[ZigMonty]

I know that. My point was that Apple is discouraging the user from doing stuff as root whereas the parent seemed to be saying the opposite.

ms on a mac

[mkmiller]

What is the freakin point of using IE on a mac? Office I can understand, since all the sheep of the world use it. IE? WHY? WHY? WHY? Must be like the people waiting for that rpm of IE for the lastest release of Redhat.

Re:ms on a mac

[klez23]

the scrapbook rocks. that's why.

Sounds like a good business strategy!

[hysterion]

The company says versions of Internet Explorer prior to 5.1, of Outlook Express prior to 5.0.1, and of Office prior to Office 98 are no longer supported, have not been tested, and may or may not be subject to these vulnerabilities.

Method: Have dangerous flaws in your product, then inform the customer that you'll gladly fix them -- provided s/he buys a newer version first.

(Only works if you have monopoly on said product, though.)

What have we learned...

[finity]

don't use microsoft on an otherwise stable, secure system.