Mac Office vulnerable, Microsoft warns

C|Net News ^ | February 7, 2002, 7:05 AM PT | Joe Wilcox

[TexRef]

Users of Microsoft Office on the Macintosh may find that their product serial number is a tool for hackers.

Microsoft issued a security warning Wednesday saying that programmers with malicious intent could use Mac Office v. X's product identifier to shut down one or more copies of the application running on a network or connected to the Internet.

Although the Redmond, Wash.-based software titan characterized the security threat as low, the timing and unusual nature of the problem--an exploit involving an anti-piracy mechanism--could give it another black eye. The company has taken a drubbing recently from analysts and customers for security glitches involving the Excel and PowerPoint applications, secure digital content, the Windows XP operating system, and the Internet Explorer browser, among other products.

Those problems have prompted Microsoft to go beyond simply issuing warnings and patches. Last month, Chairman Bill Gates sent an e-mail to the company's 47,000 employees, urging them to make security a top priority. The company has even stopped product development for a month to conduct security education and a review of products.

Office v. X, Microsoft's flagship product for Apple Computer's Macintosh, was released in November. With the new version, Microsoft introduced an anti-piracy mechanism that checks for duplicate serial numbers running on a network. The mechanism will not allow two copies of the product with the same serial number to run simultaneously on the same network.

In the security notice, Microsoft described the problem as a "flaw" in the product identification checker, which "doesn't correctly handle a particular type of malformed announcement." When that happens, the feature fails, shutting down Mac Office.

"An attacker could use this vulnerability to cause other users' Office applications to fail, with the loss of any unsaved data," Microsoft's security notice warned. "An attacker could craft and send this packet to a victim's machine directly, by using the machine's IP address. Or, he could send this same directive to a broadcast and multicast domain and attack all affected machines."

Companies using standard firewall procedures could prevent problems from the outside, although malicious code could still get through by other means, such as an improperly configured wireless network.

Microsoft emphasized that hackers could not create, delete or modify Office documents, although unsaved data would be lost during an unexpected shutdown. The company has issued a security patch to correct the problem.

The vulnerability does not affect Office XP, which uses a different anti-piracy mechanism. Rather than check for serial numbers, Office XP uses a product activation feature. A person must activate the product, which essentially "locks" the software to the particular hardware configuration.

[TexRef]

Just wait until all Micro$oft's software has these sorts of product registrations built in... When the "I love you, too." virus hits, it will not only send an email to your closest 500 friends, it will disable your software.

Nice.

[D-fendr]

A basic non-MS Office suite at a low cost has to be coming soon. It would solve so many problems.

[Mixer]

Index

[Mixer]

BUMP!

[NovemberCharlie]

I use Appleworks myself, and have never had a problem.

[Ragin1]

Allready done. StarOffice.

[First_Salute]

Very much appreciate this alert.

[SamAdams76]

They've existed for years. Problem is, the file formats aren't recognized by MS Office and that is what the whole word uses. So unless you are just running a word processor/spreadsheet program for your own personal use, you need MS Office.

[First_Salute]

Major bump for AppleWorks.

[Ragin1]

http://www.sun.com/software/star/staroffice/

[toupsie]

Well, well, well. Microsoft has been so stung by the insecurity of Windows XP that they are now trying to cause problems with MacOS X. Funny how all MacOS X security issues deal mainly with Microsoft products. :)

This is really a smal security issue. You can't steal data or compromise the MacOS X system with this. The most that can happen is that someone can cause Microsoft Office to quit unexpectedly. The only thing you would lose is the data in memory when the app quits. If you use the ipfw to block the M$ Office ports, this would never happen in the first place.

This problem has to do 100% with Microsoft Office's anti-piracy system which scans local nets for another copy running with the same serial number.

[SoCal Pubbie]

As I Mac user that does not use Word I have the need from time to time to send a Word file for the reasons already stated- everyone uses it. Is there a way to do this wthout having to buy Word?

[Djarum]

Try Rich Text Format or MacLink Plus.

[js1138]

Isn't blaming Microsoft for hackers just a bit like blaiming NY for building tall buildings?

I mean, has the "blame the victim" culture snuck into conservatism like a virus in the night?

Are women blamed for their rape because they wear makeup? Are the victims of terrorists blamed because they are rich Americans? Are makers of armored vests blamed because they don't protect your head?

Just curious.

[B Knotts]

Nope. StarOffice reads and writes MS Office files just fine.

The only one I've had any problem with in StarOffice 6 beta is .pps (slideshow). Hopefully that will be fixed in StarOffice 6 final.

[B Knotts]

Admittedly, StarOffice does not have a Mac version at this time.

[asformeandformyhouse]

Mac Office vulnerable, Microsoft warns

Something about the pot, the kettle and the color black comes to mind.

[Ramius]

Oh, good. Another wintel-bashing thread. This should be productive.

[D-fendr]

I'm trying Appleworks out. Just coverted a basci Word and Excel file successfully. I don't have high hopes for complex ones. And, of course, there needs to be a PC version…

[D-fendr]

StarOffice could have been it, but it's still clumsy to use, and Sun is trying to do with it what MS did with Office, use it to make you a customer of their OS.

We need something separate from the OS maker and something that is easy to use and converts MS files well (at least until it kills Office :)