Information Security News mailing list archives

Security flaw in Microsoft Office for Mac


From: InfoSec News <isn () c4i org>
Date: Wed, 17 Apr 2002 02:28:11 -0500 (CDT)

http://news.com.com/2100-1001-884364.html

By Robert Lemos 
Staff Writer, CNET News.com
April 16, 2002, 5:15 PM PT

Microsoft acknowledged on Tuesday that its popular Office applications
for the Macintosh have a critical security flaw that leaves users'
systems open to attack by worms and online vandals.

The software slip-up happens because the Microsoft applications
incorrectly handle the input to a certain HTML (Hypertext Markup
Language) feature. By formatting a link in a particular manner, an
attacker can cause a program to crash a Macintosh or run arbitrary
commands. The link could appear on a Web page or in an HTML-enabled
e-mail.

Known as a buffer overflow, such a problem is relatively easy to take
advantage of, said Matt Conover, a member of w00w00, one of two
security groups that is credited with bringing the problem to
Microsoft's attention.

"In all cases, writing shellcode (a program) to exploit this problem
is simple," Conover wrote in an e-mail discussing the security bug.

The flaw affects all Office programs but is only considered a critical
issue on Internet Explorer for Mac OS 8, 9 and X, Outlook Express
5.0.2 and Entourage 2001 and v. X. Microsoft's advisory and links to
the patches for the problem can be found on the software giant's Web
site.

The holes were originally found by Josha Bronson of AngryPacket
Security in early January. After Microsoft failed to respond to his
attempts to contact them, security group w00w00 took up the cause in
February and got the company to listen, Conover said. It took
Microsoft almost three months to fix the problem and release the patch
to the public, Conover said.

"We originally gave them a deadline of two weeks, until we discovered
that this affected Entourage," Conover said. "When Microsoft
determined this affected most of their Office suite on Mac OS, we felt
it was appropriate to give them time to fix it."

A failure on Microsoft's part to respond immediately to a potential
security problem would run counter to its highly touted "Trustworthy
Computing" initiative. In mid-January, Chairman Bill Gates exhorted
employees to take security and privacy more seriously and make it the
priority at the company.

Microsoft put a different spin on the delays. "Josha sent us an
initial report and sent it to the wrong alias," said Christopher Budd,
security program manager for the company. "In the
information-gathering stage, we had some misunderstanding about what
was expected of whom."

Budd stressed that a three-month response time should be
understandable, considering the amount of work the software giant had
to do. "This is the most complex patch that I've seen us deliver in a
while in terms of the number of patches that we had to do and the
number of products," he said. "If you look at the number of products
we are addressing, we have 11, each that localizes in 12 languages.  
That's 110 or so patches that we had to do."

In any event, a second bug, considered less serious, is also detailed
in the Microsoft advisory and could allow an attacker to run an
AppleScript on the user's computer, providing the script is already
present on the machine and the attacker knows the path to it.

The problems come two months after Microsoft revealed that the product
serial numbers on its Office products could be used by hackers to shut
down the programs.

The problems don't affect Microsoft's products for Windows PCs.


