What You Can Do
Although Office 2008 is the first major Microsoft product to use Apple's Installer system, security experts were surprised by these mistakes. "It's not good and a clear violation of Microsoft's standards," said analyst Rich Mogull, who writes about security issues for Securosis and TidBITS as well as Macworld. "This should not have occurred considering how rigid [Microsoft's] Security Development Life Cycle is. By potentially allowing a non-privileged user to change system-wide files, it could allow an attacker to cross trust boundaries and execute code in another user's context."
Mogull notes, however, that the security implications are, for now, theoretical rather than immediate: "The combination of the two issues is problematic, but it's one of those issues we need to bring to light, not panic about quite yet."
For its part, Microsoft takes the two issues seriously, says Geoff Price, product unit manager for the company's Macintosh Business Unit.
"The Mac BU team is aware of reports regarding Office 2008 installing to a folder that potentially allows a local non-Admin user access to program files," Price said. "This issue should only affect machines that have a second local user account enabled; other scenarios should not be affected."
Microsoft also acknowledged the second issue. The company will be providing a free, downloadable update that fixes both issues; in addition, future pressings of the Office 2008 installation disc will include an updated installation package that installs all files with the proper attributes. (A release date for the update wasn't available at the time of publication; we'll update this story once we get that information.)
In the meantime, Price provided a fix for the file-ownership issue:
- While logged in to an admin account, type the following command, as one line, and then press return:

      sudo chmod -R a-st "/Applications/Microsoft Office 2008" "/Library/Fonts/Microsoft" "/Library/Application Support/Microsoft" "/Library/Automator"

  (If you don't have the Special Media Edition of Office 2008, omit "/Library/Automator".)
- Enter your account password when prompted.
- Type the following command, as one line, and then press return:

      sudo chown -h -R root:admin "/Applications/Microsoft Office 2008" "/Library/Fonts/Microsoft" "/Library/Application Support/Microsoft" "/Library/Automator"

  (If you don't have the Special Media Edition of Office 2008, omit "/Library/Automator".)
- Enter your account password if prompted.
This procedure properly assigns ownership of all Office 2008 components to the system. Unfortunately, there's no simple fix for the issue of all Office 2008 files being executable. Because some files do indeed need to be executable, you can't modify all the files en masse. Users will have to wait for the update from Microsoft to address this issue.
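To check that the two commands took effect, the following sketch lists anything under the same four paths that is still not owned by root:admin or still carries a setuid, setgid or sticky bit. It is an added example, not part of Microsoft's instructions or the original article, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit the paths named in the fix above.
# office_perm_audit and office_perm_count are illustrative names.

# office_perm_audit OWNER GROUP PATH...
# Prints every entry under the given paths that is not owned by OWNER:GROUP
# or that still has a setuid (4000), setgid (2000) or sticky (1000) bit,
# the bits that "chmod a-st" clears. Symlinks are checked themselves, not
# followed, matching the -h flag used with chown.
office_perm_audit() {
    owner=$1; group=$2; shift 2
    for p in "$@"; do
        [ -e "$p" ] || continue   # e.g. /Library/Automator may not exist
        find "$p" \( ! -user "$owner" -o ! -group "$group" \
            -o -perm -4000 -o -perm -2000 -o -perm -1000 \) -print
    done
}

# Same arguments; prints only the number of offending entries.
office_perm_count() {
    office_perm_audit "$@" | wc -l | tr -d ' '
}

# Audit the locations from the article; paths that are absent are skipped.
office_perm_audit root admin \
    "/Applications/Microsoft Office 2008" \
    "/Library/Fonts/Microsoft" \
    "/Library/Application Support/Microsoft" \
    "/Library/Automator"
```

No output means every entry under those paths is owned by root:admin and has no special mode bits left.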
If you're especially concerned about security and you decide to uninstall Office 2008, note that the included Uninstall utility doesn't fully remove all components. It apparently moves only the Microsoft Office 2008 folder (in /Applications) to the Trash, leaving /Library/Fonts/Microsoft, /Library/Application Support/Microsoft, and all of Office's included Automator actions in place.
(Updated 1/27/2008 8:15 pm - Microsoft has provided an updated set of Terminal commands [above] for fixing the permissions issue. The company recommends these instructions even for users who were able to run the original commands successfully.)


























