MS Office and IE Exploits

buzban writes "Microsoft has issued this security bulletin regarding potential buffer/code exploits. It seems to have a potential effect on a lot of things, including Office v.X, Office:2001, IE for Mac OS and for Mac OS X, AppleScript, et al... I couldn't get the update from Apple just yet, but that might be my own screwup. ;)" Only the patch for MSIE on Mac OS X is in Software Update through Apple. All others must be downloaded from Microsoft. Update: 04/17 21:02 GMT by P : pumpkinhead writes in that ZDNet has a story with more details.

Friendly tip for the Internet Explorer update

[helixblue]

Not that I use IE except for testing, but I found that you only get prompted for the update if Internet Explorer is in /Applications.

I had moved it into /Applications/Internet on my machine.

Re:Friendly tip for the Internet Explorer update

[Spencerian]

I've just sent this same information to Macintouch.com, and I'll repeat it here:

Mac OS X is UNIX, and, like many versions of OS, doesn't expect you to tweak your system around like in Mac OS 9.

Don't do it. Leave ALL preinstalled Mac OS X applications exactly where they are. If you need to access them conveniently, place their icons in the Dock, the desktop, some folder, or use a third-party solution. Changing around the location (or probably name) of applications is the quick way of hosing a Mac OS X installation to the point where reinstallation is required.

When other UNIX users need to activate an app from another location, they use symlinks or other method. But their apps stay put. So should it be with Mac OS X. Leave stuff alone unless you are a UNIX admin and Mac OS X programmer employed by Apple (hmm..a subtle way of saying "don't.")

Re:Mac OS X mitigates security hole impact

[QuantumG]

Surely when you get asked to enter your root password (as you always do whenever you install new software) the attacker could jump to root. Guess the small amount of effort to trick/follow the user is more than any attacker would bother to do.

Re:Not really

[QuantumG]

I know this, but what you are saying is that IE cant run code that can do anything damaging (because it isn't root) and what I'm saying is that is definitely the wrong attitude. What I think you are saying (correct me if I'm wrong) is that non-root remote exploits are not much of a threat. That is untrue. A remote exploit is bad no matter what the security level. Even a nobody-level remote exploit is bad because attackers can use your machine to bounce attacks to other systems (making it appear like your machine is doing the attacking). It only takes one local exploit (say, in all that proprietory code that Apple ships) to turn a non-root exploit into a root exploit. But let's say that your machine is locally secure (that is, if you were to give me a shell there would be no way for me to get root). Even then IE can run code that can follow your actions (a bad thing in itself) and when those actions involve elevation of privileges then it is possible to get root without any local exploit being necessary. So no, the fact that you dont run IE as root is not enough. Personally I think we should be able to control exactly what capabilities programs have. Running arbitary code from a foriegn source isn't one of them.