MacBU today updated its IT Pros website to include information about a security vulnerability in its Office 2008 installer. The vulnerability can only be exploited when all of the following criteria are met:
- The Mac is running Mac OS X 10.4.9 or a later version of Tiger (Leopard does not have this vulnerability)
- An administrator remotely installs the Office Installer package using an application like Apple Remote Desktop
- The computer must be sitting at the login window
Microsoft today added an Office 2008 Known Issues list for IT Pros, which includes the article Security issue in Office 2008 remote installation to Mac OS X v10.4 (Tiger). It details a problem earlier discussed on the MacEnterprise.org mailing list about a week ago and provides instructions for modifying the Office Installer package to remove the vulnerability.
Macintosh administrators often push application packages such as Office 2008 to computers via a remote administration application to save the time of visiting each computer and installing the software manually. During the push, a user sitting in front of the computer may see the Dock appear because the Office Installer is adding its application icons to the Dock. Because the Office Installer is running as root, the Dock it brings up is running as root as well, and so is any application launched from it. A malicious user could then launch the Terminal application or another utility from that Dock and gain control of the computer.
Office 2008 is the first version of Office to use Apple's Installer technology, and this is the second security issue found with the installer package. However, the vulnerability lies with Mac OS X and was acknowledged by Apple as far back as 2006 in its Knowledge Base article Remote Desktop: Installing a package on clients that are at a login window. Apple suggests locking the screen of the workstation prior to installing any applications with its Remote Desktop software and then rebooting the machine to close the vulnerability.
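A pre-flight gate an administrator could run on the target before pushing the Office 2008 package, written as an added example (not Microsoft's or Apple's code) and combining the three criteria above: it refuses to proceed when the target is Tiger 10.4.9 or later and nobody is logged in at the console. It assumes that root ownership of /dev/console indicates the login window (a logged-in user owns the console device), and that the check runs as root via the remote administration tool's UNIX command feature.

```shell
#!/bin/sh
# Added example, not part of the Microsoft or Apple articles. Gates a remote
# push of the Office 2008 installer on the conditions described above:
# affected OS (Tiger 10.4.9 or later, Leopard excluded) AND login window.
# Assumption: /dev/console is owned by root at the login window and by the
# console user once someone is logged in.

# affected_tiger_version VERSION -> succeeds if 10.4.9 <= VERSION < 10.5
affected_tiger_version() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    patch=${patch:-0}   # "10.5" has no third component; treat as .0
    [ "$major" -eq 10 ] && [ "$minor" -eq 4 ] && [ "$patch" -ge 9 ]
}

# at_login_window CONSOLE_OWNER -> succeeds if the owner indicates nobody
# is logged in at the console (assumed to be root, see above)
at_login_window() {
    [ "$1" = "root" ]
}

# push_is_safe VERSION CONSOLE_OWNER -> 0 if the push may proceed,
# 1 if the vulnerable combination is present and the install must wait
# until the screen is locked or a user is logged in.
push_is_safe() {
    if affected_tiger_version "$1" && at_login_window "$2"; then
        return 1
    fi
    return 0
}

# Live check on the target, run as root before the package install step:
#   push_is_safe "$(sw_vers -productVersion)" "$(stat -f %Su /dev/console)" \
#     || { echo "Deferring install: Tiger at login window; lock screen first"; exit 1; }
```

The two inputs are passed as arguments so the logic can be exercised off the target with constructed values; the commented call at the bottom wires it to the live system.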
