April 16, 2002 5:15 PM PDT
Security flaw in Microsoft Office for Mac
The software slip-up happens because the Microsoft applications incorrectly handle the input to a certain HTML (Hypertext Markup Language) feature. By formatting a link in a particular manner, an attacker can cause a program to crash a Macintosh or run arbitrary commands. The link could appear on a Web page or in an HTML-enabled e-mail.
Known as a buffer overflow, such a problem is relatively easy to take advantage of, said Matt Conover, a member of w00w00, one of two security groups that are credited with bringing the problem to Microsoft's attention.
"In all cases, writing shellcode (a program) to exploit this problem is simple," Conover wrote in an e-mail discussing the security bug.
The flaw affects all Office programs but is only considered a critical issue on Internet Explorer for Mac OS 8, 9 and X, Outlook Express 5.0.2 and Entourage 2001 and v. X. Microsoft's advisory and links to the patches for the problem can be found on the software giant's Web site.
The holes were originally found by Josha Bronson of AngryPacket Security in early January. After Microsoft failed to respond to his attempts to contact it, security group w00w00 took up the cause in February and got the company to listen, Conover said. It took Microsoft almost three months to fix the problem and release the patch to the public, Conover said.
"We originally gave them a deadline of two weeks, until we discovered that this affected Entourage," Conover said. "When Microsoft determined this affected most of their Office suite on Mac OS, we felt it was appropriate to give them time to fix it."
A failure on Microsoft's part to respond immediately to a potential security problem would run counter to its highly touted "Trustworthy Computing" initiative. In mid-January, Chairman Bill Gates exhorted employees to take security and privacy more seriously and make it the priority at the company.
Microsoft put a different spin on the delays. "Josha sent us an initial report and sent it to the wrong alias," said Christopher Budd, security program manager for the company. "In the information-gathering stage, we had some misunderstanding about what was expected of whom."
Budd stressed that a three-month response time should be understandable, considering the amount of work the software giant had to do. "This is the most complex patch that I've seen us deliver in a while in terms of the number of patches that we had to do and the number of products," he said. "If you look at the number of products we are addressing, we have 11, each that localizes in 12 languages. That's 110 or so patches that we had to do."
In any event, a second bug, considered less serious, is also detailed in the Microsoft advisory and could allow an attacker to run an AppleScript on the user's computer, providing the script is already present on the machine and the attacker knows the path to it.
The problems come two months after Microsoft revealed that the product serial numbers on its Office products could be used by hackers to shut down the programs.
The problems don't affect Microsoft's products for Windows PCs.