YOUR IT - Technology for you


Another Office 2008 installer security flaw


An Office 2008 installer flaw opens the door to a privilege escalation exploit.

When the suite is remotely installed via Apple Remote Desktop or similar software, it allows someone with physical access to the computer to run an application from the Dock with root privileges.

The flaw affects Mac OS X 10.4.9 and later, but not any versions of Mac OS X 10.5.

It arises when the target computer is sitting at the login prompt. The installer is unable to install Dock icons in these circumstances, and uses a postflight script (a script that is executed after the main installation process) instead. That script opens the Dock with root privileges, which allows anyone sitting at the computer to use the Dock to open applications with root privileges.

Microsoft recommends the deletion of the postflight script from the installer before it is used remotely on systems running affected versions of Mac OS X.

Another possibility is to lock the target system's screen (possible with Apple Remote Desktop 3) during installation to prevent exploitation. Restarting the computer after installation is also necessary.

This is the second installer-related issue with Office 2008. It was previously revealed that the installer incorrectly sets user ID 502 as the owner of the software, which could allow a user without admin rights to modify Office program files.

Microsoft has described a manual fix for that issue, and is expected to correct the installer files some time in the future.
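As an added example (not from the article and not Microsoft's fix), this read-only audit lists every entry under an install directory that is owned by the UID named above and reports which local account, if any, holds that UID. The directory is supplied by the reader on the command line, and the function names are hypothetical.

```python
import os
import pwd
import sys

SUSPECT_UID = 502  # owner UID named in the article


def _owned(path, uid):
    """True if path itself (not a symlink target) is owned by uid."""
    try:
        return os.lstat(path).st_uid == uid
    except OSError:
        return False  # entry vanished or is unreadable; skip it


def find_owned_by(root, uid=SUSPECT_UID):
    """Sorted paths under root (root included) whose owner is uid."""
    hits = [root] if _owned(root, uid) else []
    # os.walk does not descend into symlinked directories by default
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if _owned(path, uid):
                hits.append(path)
    return sorted(hits)


def account_for(uid):
    """Name of the local account holding uid, or None if none does."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def report(root, uid=SUSPECT_UID):
    """Summary: who holds the UID and what they own under root."""
    hits = find_owned_by(root, uid)
    return {"uid": uid, "account": account_for(uid),
            "count": len(hits), "paths": hits}


if __name__ == "__main__" and len(sys.argv) == 2:
    r = report(sys.argv[1])
    print(f"UID {r['uid']} maps to account: {r['account']}")
    print(f"{r['count']} entries owned by that UID")
    for p in r["paths"]:
        print(p)
```

If the account field is not `None` and that account is a non-admin user, that user can modify every listed path.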
