Vigil@nce - Microsoft Office for Mac: privilege elevation via permissions
July 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
Permissions on some directories of Microsoft Office for Mac allow
a local attacker to store a Trojan Horse, in order to execute code
with the privileges of users who later log in and open Office.
Severity: 2/4
Creation date: 10/07/2012
IMPACTED PRODUCTS
– Microsoft Office
– Microsoft Office Excel
– Microsoft Office Outlook
– Microsoft Office PowerPoint
– Microsoft Office Word
DESCRIPTION OF THE VULNERABILITY
During the installation of Microsoft Office for Mac, the following
directories are created:
/Library/Internet\ Plug-Ins/SharePointWebKitPlugin.webplugin/
/Library/Internet\ Plug-Ins/SharePointBrowserPlugin.plugin/
/Library/Fonts/Microsoft/
/Library/Automator/
/Applications/Microsoft\ Office\ 2011/
However, some of these directories or sub-directories are writable
by all local users (Unix permission other:write).
Permissions on some directories of Microsoft Office for Mac
therefore allow a local attacker to store a Trojan Horse, in order
to execute code with the privileges of users who later log in and
open Office.
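The following shell check is an added example, not part of the Vigil@nce bulletin or of any Microsoft tooling: it walks the five directories listed above and reports every entry whose mode has the other:write bit set. The function names are hypothetical; the directory paths are the ones given in the bulletin.

```shell
#!/bin/sh
# Added example: audit the directories named in the bulletin for entries
# that are writable by "other". Function names are hypothetical.

# Print the path of every file or directory under the given roots whose
# mode has the other:write bit set. Symbolic links are skipped because
# their own mode bits are not meaningful; missing roots are ignored.
list_other_write() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        # -perm -0002 matches when other:write is set (BSD and GNU find).
        find "$root" ! -type l -perm -0002 -print 2>/dev/null
    done
    return 0
}

# Check the five install directories from the bulletin. Shows mode and
# owner for each finding and returns 1 if anything was found.
audit_office_dirs() {
    findings=$(list_other_write \
        "/Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin" \
        "/Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin" \
        "/Library/Fonts/Microsoft" \
        "/Library/Automator" \
        "/Applications/Microsoft Office 2011")
    if [ -z "$findings" ]; then
        echo "no other-writable entries found"
        return 0
    fi
    printf '%s\n' "$findings" | while IFS= read -r entry; do
        ls -ld "$entry"
    done
    return 1
}

audit_office_dirs || true
```

Run it with enough privilege to read every subdirectory, since directories that find cannot read are skipped silently.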
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Microsoft-Office-for-Mac-privilege-elevation-via-permissions-11760