MS Office and IE Exploits
buzban writes "Microsoft has issued this security bulletin regarding potential buffer/code exploits. It seems to have a potential effect on a lot of things, including Office v.X, Office:2001, IE for Mac OS and for Mac OS X, AppleScript, et al... I couldn't get the update from Apple just yet, but that might be my own screwup. ;)" Only the patch for MSIE on Mac OS X is in Software Update through Apple. All others must be downloaded from Microsoft. Update: 04/17 21:02 GMT by P : pumpkinhead writes in that ZDNet has a story with more details.
Not that I use IE except for testing, but I found that you only get prompted for the update if Internet Explorer is in /Applications. I had moved it into /Applications/Internet on my machine.
- On operating systems that enforce security on per-user basis, such as Mac OS X, the specific actions that an attacker's code can take would be limited to those allowed by the privileges of the user's account.
If you use the less-than-root privileged default user setup the impact of these remotely exploitable holes is mitigated. And you can thank the underlying UNIX system for that bit of goodness.
-- @rjamestaylor on Ello
cygnuhchur
I know this, but what you are saying is that IE can't run code that can do anything damaging (because it isn't root) and what I'm saying is that is definitely the wrong attitude. What I think you are saying (correct me if I'm wrong) is that non-root remote exploits are not much of a threat. That is untrue. A remote exploit is bad no matter what the security level. Even a nobody-level remote exploit is bad because attackers can use your machine to bounce attacks to other systems (making it appear like your machine is doing the attacking). It only takes one local exploit (say, in all that proprietary code that Apple ships) to turn a non-root exploit into a root exploit. But let's say that your machine is locally secure (that is, if you were to give me a shell there would be no way for me to get root). Even then IE can run code that can follow your actions (a bad thing in itself) and when those actions involve elevation of privileges then it is possible to get root without any local exploit being necessary. So no, the fact that you don't run IE as root is not enough. Personally I think we should be able to control exactly what capabilities programs have. Running arbitrary code from a foreign source isn't one of them.
How we know is more important than what we know.
That doesn't sound like a very user friendly solution. You shouldn't be encouraging people to log in to Mac OS X as root. And even if you did, the luser would just log in to root to run the trojan. Making it annoying to install stuff as root shouldn't be considered security.
Also, Mac OS X installers that *don't* need root permissions shouldn't be installers, they should be drag-n-drop disk images, .sit archives, or .tar.gz archives. You should only use an installer if you need to put stuff in /System/ or any of the Unix directories (/usr/local/bin/ etc). The reason why every installer you run needs a password is that they all *need* a password or they wouldn't use the installer. Of course I'm ignoring all the non-Apple installers which aren't really installers, just glorified unarchivers.
IE for Mac OS X can now be downloaded from Microsoft's web site. (http://www.microsoft.com/mac)
Vos teneo officium eram periculosus ut vos recipero is.
You cannot log in to Mac OS X as root, unless you take the trouble to enable the root user (look under the Domain menu in the NetInfo Manager application). Otherwise, the first user set up has "Administrator" rights, along with any other user that you twiddle that checkbox for if using the Users preference pane to create new accounts. "Administrators" are simply folks in the admin group, which can modify large portions of the file system tree (/Applications comes to mind) due to the admin-group-write permissions Apple places all over the place.
Otherwise, the password being asked for is the login/pass for any user marked as Administrator, which does the equivalent of a sudo to root when something needs to write to normally inaccessible areas (e.g. to install Frameworks or the like).
(Only works if you have monopoly on said product, though.)
Timeo idiotikOS et dona ferentes
You can't download IE for OS X at Apple's website, however you can use the application Pacifist. It can open and extract files from .pkg's. Its documents explain how to extract single files from the OS X CD. Just grab IE, put it into /Applications, and then run Software Update to get the update.
I know that. My point was that Apple is discouraging the user from doing stuff as root whereas the parent seemed to be saying the opposite.