[ISN] Security flaw in Microsoft Office for Mac

From: InfoSec News (isnat_private)
Date: Wed Apr 17 2002 - 00:28:11 PDT

  • Next message: InfoSec News: "Re: [ISN] Cracks in the Firewall"

    By Robert Lemos 
    Staff Writer, CNET News.com
    April 16, 2002, 5:15 PM PT
    Microsoft acknowledged on Tuesday that its popular Office applications
    for the Macintosh have a critical security flaw that leaves users'
    systems open to attack by worms and online vandals.
    The software slip-up happens because the Microsoft applications
    incorrectly handle the input to a certain HTML (Hypertext Markup
    Language) feature. By formatting a link in a particular manner, an
    attacker can cause a program to crash a Macintosh or run arbitrary
    commands. The link could appear on a Web page or in an HTML-enabled
    Known as a buffer overflow, such a problem is relatively easy to take
    advantage of, said Matt Conover, a member of w00w00, one of two
    security groups that is credited with bringing the problem to
    Microsoft's attention.
    "In all cases, writing shellcode (a program) to exploit this problem
    is simple," Conover wrote in an e-mail discussing the security bug.
    The flaw affects all Office programs but is only considered a critical
    issue on Internet Explorer for Mac OS 8, 9 and X, Outlook Express
    5.0.2 and Entourage 2001 and v. X. Microsoft's advisory and links to
    the patches for the problem can be found on the software giant's Web
    The holes were originally found by Josha Bronson of AngryPacket
    Security in early January. After Microsoft failed to respond to his
    attempts to contact them, security group w00w00 took up the cause in
    February and got the company to listen, Conover said. It took
    Microsoft almost three months to fix the problem and release the patch
    to the public, Conover said.
    "We originally gave them a deadline of two weeks, until we discovered
    that this affected Entourage," Conover said. "When Microsoft
    determined this affected most of their Office suite on Mac OS, we felt
    it was appropriate to give them time to fix it."
    A failure on Microsoft's part to respond immediately to a potential
    security problem would run counter to its highly touted "Trustworthy
    Computing" initiative. In mid-January, Chairman Bill Gates exhorted
    employees to take security and privacy more seriously and make it the
    priority at the company.
    Microsoft put a different spin on the delays. "Josha sent us an
    initial report and sent it to the wrong alias," said Christopher Budd,
    security program manager for the company. "In the
    information-gathering stage, we had some misunderstanding about what
    was expected of whom."
    Budd stressed that a three-month response time should be
    understandable, considering the amount of work the software giant had
    to do. "This is the most complex patch that I've seen us deliver in a
    while in terms of the number of patches that we had to do and the
    number of products," he said. "If you look at the number of products
    we are addressing, we have 11, each that localizes in 12 languages.  
    That's 110 or so patches that we had to do."
    In any event, a second bug, considered less serious, is also detailed
    in the Microsoft advisory and could allow an attacker to run an
    AppleScript on the user's computer, providing the script is already
    present on the machine and the attacker knows the path to it.
    The problems come two months after Microsoft revealed that the product
    serial numbers on its Office products could be used by hackers to shut
    down the programs.
    The problems don't affect Microsoft's products for Windows PCs.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 03:48:04 PDT