Silverlight: the next plugin Apple will be blocking

Shhh… Silverlight’s been updated for Mac

So by shear accident, I was in Windows 7 via Boot Camp today. I decided to run updates and actually look at what was being updated. I noticed there was a new Silverlight update, 5.1.20125.0, speak of the devil, in my XProtect Plugin Checker post, not long ago, I speculate when Silverlight will be blocked by Apple because of a security update. Security bulletin MS13-022 explains the critical nature of this for Windows and Mac, if you want to see an MS engineer tell you it’s Priority 1 this month you can visit the Microsoft March 2013 security update page. You’ll need Silverlight to watch the video, but don’t worry it won’t give you prompt you to update. Neither does Netflix. Apparently Microsoft haven’t pulled the trigger to alert users with old Silverlight plugins! Are they waiting for this 14.9MB package to replicate around the world to all the Akamai distribution servers or something? I think it’s done now.

Whither Thou Goest Check for Updates (or Preferences for that matter)?

So I decided to double check my auto-update settings in Silverlight. Would you like to check your Silverlight Preferences? The easy way is to Control-Click/Right-Click on Silverlight content and select About Silverlight from the menu. But take a real world example: you are at a site that won’t load it’s Silverlight content because the caches need cleaning! (This really happened to someone I had to support remotely via email).

Let’s go spelunking!
Opening Silverlight Preferences the hard way:

Navigate to /Library/Internet Plug-Ins
Control-Click on Silverlight.plugin and Show Package Contents
Navigate into Contents/Resources
Double click Silverlight

Or type this in at Terminal:

open /Library/Internet\ Plug-Ins/Silverlight.plugin/Contents/Resources/Silverlight\

I ended up making a .command file to do this, zipped it up, and emailed it so the user could simply empty the Silverlight caches and get back to work (if this was for real work or Netflix I’m not sure…) but regardless, a Preference Pane would be kinda nice MS Silverlight dev folks! All it has to do, at bare minimum, is open this very same app inside the plugin bundle (so we don’t have to dig for it). That’s what the Oracle Java 7 prefPane does. I digress here’s my settings:


Yep that’s set…
OK so Microsoft doesn’t think this Priority 1 update needs updating yet on the Mac?

For fun, in the same folder you can run to see this:


Clicking Install now launches the URL: which will automatically start downloading the newest version of Silverlight.

Exploring the XProtect Factor

Now, I though to myself, if Microsoft doesn’t start getting people to update, I think I know what Apple’s gonna do… but they haven’t done it yet. So I did. I edited my XProtect.meta.plist and blocked Silverlight myself:


Just wedged it right in there with TextWrangler! Now, what happens when I visit a Silverlight page in Safari?

Blocked @ Netflix

Boom, blocked. Aha! This mechanism is quite extensible to whatever plugin Apple deems insecure. Interestingly though, this warning will appear only once in Safari.

Blocked Small

After that your Silverlight content will simply not load and you won’t be told why. The bundle name and version are set under the PreviouslyAnnouncedBlockedPlugins key in and that’s it. Clicking OK in a hurry without reading the message might leave you scratching your head, while repeatedly clicking reload at Netlflix.

Safari Warning XML

Taking a peek at my XProtectPluginChecker I see it’s able to compare the installed version to the values XProtect.meta.plist has. My script is working dynamically, as planned, yay! (I fixed a couple bugs the first few days after posting so re-download if you were an early bird user)

XProtectPluginChecker-silverlightBlockedSo while you may not be seeing this yet I have a strong feeling you will… and when you do XProtectPluginChecker will let you know.

System Administrator Bonus

Say, Mac SysAdmins, wanna disable Silverlight on all your deployed Macs right now? Why? Maybe you want to turn it off right away and worry about installing the update later? BTW this does not block the plugin in Firefox (they have their own mechanism), Safari only.

sudo /usr/libexec/PlistBuddy -x -c "add dict" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
sudo /usr/libexec/PlistBuddy -x -c "add string 5.1.20125.0" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

That’ll get your XProtect.meta.plist PluginBlacklist dictionary looking something like this (version vary between 10.6 and 10.7/10.8 machines):

XProtectXML Viola, your Silverlight don’t work no more. :] Now go update it!



Office 2008 out of context

So… who’s running Office 2008 and hasn’t seen CGBitmapContextGetData: invalid context popping up in their system.log? I’ve seen it plenty: on Tiger, Leopard, ppc, and i386 systems (18MB worth on one heavy Powerpoint users’!) What’s puzzling is why MS hasn’t fixed it (do you want us to go over to iWork or what?!)

Anyway, lots of chatter on the net and no solutions except to hope either Apple or MS fix it… and I hope they do, we are rolling 2008 out at work (finally) and it’s stupefying to see this memory leaking bug is just spewing out garbage into logs at astonishing rate (inserting one movie gave me 22 messages!)

Anyway here’s some samples of what is happening when this error occurs
1 WrapContext
1 GetDeviceCaps
1 CGBitmapContextGetData
1 CGPostError
1 CGPostErrorWithArguments
1 asl_vlog$LDBL128
1 asl_send
1 gethostname
1 __sysctl
1 __sysctl

Seems that after calling GetDeviceCaps, which I can find Windows CE references to on the web, it then calls CGBitmapContextGetData and fails and the logging ensues… so MS if you guys are reading, please fix the info that GetDeviceCaps is either giving or getting so we can get some work done, thanks!

More traces:

3 WrapContext
3 GetDeviceCaps
3 CGBitmapContextGetData
3 CGPostError
3 CGPostErrorWithArguments
2 asl_vlog$LDBL128
2 asl_send
2 notify_get_state
2 _notify_server_get_state
2 mach_msg
2 mach_msg_trap
2 mach_msg_trap

1 0x46af14
1 0x4515b8
1 0x451500
1 0xb12e0
1 MsoFillCGDc
1 WrapContext
1 GetDeviceCaps
1 CGBitmapContextGetData
1 CGPostError
1 CGPostErrorWithArguments
1 asl_vlog$LDBL128
1 asl_free
1 free
1 szone_size
1 szone_size

2 0x605b54
2 0x4515b8
2 0x451500
2 0xb12e0
2 MsoFillCGDc
2 WrapContext
2 GetDeviceCaps
2 CGBitmapContextGetData
2 CGPostError
2 CGPostErrorWithArguments
2 asl_vlog$LDBL128
2 asl_send
1 asl_format_message
1 _asl_append_string
1 __memcpy
1 __memcpy
1 gethostname
1 __sysctl
1 __sysctl


2 0x4515b8
2 0x451500
2 0xb12e0
2 MsoFillCGDc
2 WrapContext
2 GetDeviceCaps
2 CGBitmapContextGetData
2 CGPostError
2 CGPostErrorWithArguments
2 asl_vlog$LDBL128
2 asl_send
1 asl_format_message
1 _asl_append_string
1 __memcpy
1 __memcpy
1 gethostname
1 __sysctl
1 __sysctl

Office 2008 fonts

A postscript to fonts (hehe), I wanted to mention how Office 2008 will replace your Apple supplied fonts with Microsoft fonts, placing them in /Library/Fonts Disabled. Well I like my Apple fonts just fine thank you, so for posterity here’s a list of the fonts that get bumped:

Tiger and Leopard Conflicts:

Andale Mono
Arial Black
Arial Narrow
Arial Rounded Bold
Brush Script
Comic Sans MS
Times New Roman
Trebuchet MS

Leopard Only Conflicts:

Wingdings 2
Wingdings 3

Also, just so you know there is set of fonts that Microsoft calls it’s ClearType Font Collection these fonts can be found on Vista and Windows Office 2007 (and Office 2008) they are:

Calibri Bold Italic.ttf
Calibri Bold.ttf
Calibri Italic.ttf
Cambria Bold Italic.ttf
Cambria Bold.ttf
Cambria Italic.ttf
Candara Bold Italic.ttf
Candara Bold.ttf
Candara Italic.ttf
Consolas Bold Italic.ttf
Consolas Bold.ttf
Consolas Italic.ttf
Constantia Bold Italic.ttf
Constantia Bold.ttf
Constantia Italic.ttf
Corbel Bold Italic.ttf
Corbel Bold.ttf
Corbel Italic.ttf

All named C, like when parents name all there kids by the same letter, which is a bizarre practice I’ve never understood. I have yet to do more testing, but in an attempt to find out what the bare minimum fonts required are this seems like a good place to start.

And what the hey, here’s the rest of the Office 2008 fonts minus the conflicts and the ClearType Collection:

Abadi MT Condensed Extra Bold
Abadi MT Condensed Light
Baskerville Old Face
Bauhaus 93
Bell MT
Bernard MT Condensed
Book Antiqua
Bookman Old Style
Bookshelf Symbol 7.ttf
Britannic Bold
Calisto MT
Century Gothic
Century Schoolbook
Cooper Black
Copperplate Gothic Bold
Copperplate Gothic Light
Curlz MT
Edwardian Script ITC
Engravers MT
Footlight Light
Franklin Gothic Book Italic.ttf
Franklin Gothic Book.ttf
Franklin Gothic Medium Italic.ttf
Franklin Gothic Medium.ttf
Gill Sans MT Bold Italic.ttf
Gill Sans MT Bold.ttf
Gill Sans MT Italic.ttf
Gill Sans MT.ttf
Gill Sans Ultra Bold
Gloucester MT Extra Condensed
Goudy Old Style
Imprint MT Shadow
Lucida Blackletter
Lucida Bright
Lucida Calligraphy
Lucida Console.ttf
Lucida Fax
Lucida Handwriting
Lucida Sans
Lucida Sans Typewriter
Lucida Sans Unicode.ttf
Matura Script Capitals
Meiryo Bold Italic.ttf
Meiryo Bold.ttf
Meiryo Italic.ttf
Modern No. 20
Monotype Corsiva
Monotype Sorts
MS Gothic.ttf
MS Mincho.ttf
MS PGothic.ttf
MS PMincho.ttf
MS Reference Sans Serif.ttf
MS Reference Specialty.ttf
MT Extra
News Gothic MT
Perpetua Bold Italic.ttf
Perpetua Bold.ttf
Perpetua Italic.ttf
Perpetua Titling MT
Rockwell Extra Bold
Tw Cen MT Bold Italic.ttf
Tw Cen MT Bold.ttf
Tw Cen MT Italic.ttf
Tw Cen MT.ttf
Wide Latin

order abilify online
accutane withdrawal
aciphex online pharmacy
buy actonel without prescription
price of actos
order aleve online
buy allegra online
order alli
altace with no prescription
purchase antibiotics
arimidex canada
ashwagandha canada
astelin cost
atacand online
atarax rx
generic augmentin
avandia mg
price of avapro
purchase avodart
bactrim tablets
order benadryl online
cheapest benicar
biaxin online pharmacy
no prescription buspar
cardizem online
celebrex overnight
cephalexin drugs
cialis canada
cipro cost
cla discounted
cheap clarinex
claritin online
buying clomid
clonidine overnight
colchicine information
coreg with no prescription
online coumadin
cozaar vs
buy crestor without a prescription
cymbalta mg
cytotec no prescription
order depakote
price of diclofenac
differin medication
diflucan mg
diovan overnight no rx
doxycycline delivery
flomax product
buy glucophage without prescription
hair loss
cheapest hoodia
lamictal no prescription
lamisil canada
prices lasix
levaquin vs
no prescription levitra
buy lexapro without a prescription
cost of lipitor
prices lisinopril
melatonin tablets
micardis tablets
order mobic online
motrin coupon
neurontin withdrawl
nexium order online shipping
purchase nizoral online
nolvadex tablets
omnicef no prescription
cost of paxil
penis extender product
plan b online
cost of plavix
pravachol vs
prednisone medication
order premarin
purchase prevacid online
prometrium delivery
propecia delivery
provera withdrawal
order prozac online
generic reglan
rimonabant no rx
buy risperdal without prescription
cheap rogaine no prescription
seroquel pills
singulair cost
cheap skelaxin
generic stop smoking
strattera tablets
discount stress relief
synthroid coupon
buy topamax online
price of toradol
tramadol pills
tricor order online shipping
trileptal vs
ultracet no prescription
valtrex online pharmacy
cheapest viagra
voltaren tablet
price of vytorin
weight loss drugs
zantac canada
buy zetia online
zestoretic medication
buy zithromax without prescription
no prescription zoloft
order zovirax online
cheap zyban
zyprexa overnight no rx
purchase zyrtec online
cheap zyvox no prescription

Office 2008 12.01 Update almost does it

So the Office 2008 12.01 updater came out, it’s got a whole lot of packages for each app and component with postflight scripts written in Python to clean up all the permissions:

Mar 12 15:33:00 brunerd runner[8556]: postflight[8773]: setting ownership/permissions
Mar 12 15:33:00 brunerd runner[8556]: postflight[8773]: fixing setuid flags
Mar 12 15:33:00 brunerd runner[8556]: postflight[8773]: clearing ACLs
Mar 12 15:33:00 brunerd runner[8556]: postflight[8773]: sanitizing receipts

Doing an ls -lRFG in /Applications/Microsoft Office 2008 won’t leave you seeing red, they’ve cleaned that all up quite nicely.

Anyway, call me picky, but it forgets just one thing, the /Library/Fonts/Microsoft folder, it leaves that and its contents owned by 502 and they’re all marked executable. (Fonts don’t really need to be executable.) And as paranoid as it is — it’s still not quite right. So after you’ve put your tinfoil hat on, run 12.01, you can do this to finish it up:

#take away all users’ execute permissions
chmod a-x /Library/Fonts/Microsoft/*
#recursively own all fonts as root and admin group
sudo chown -R root:admin /Library/Fonts/Microsoft

Update: Or you can go into the update using Show Package Contents then navigate to Contents/Packages and run Office2008_en_fonts_12.0.1.incremental.pkg again, that’ll do the trick.

Office 2008 for the ‘executive’

Last night, while groggily honing in on the Office 2008 installer package UID problems, I missed another glaringly obvious defect: All the files are set executable, yes those files owned by 502 are also set executable. Take a look again at the lsbom dump you’ll see this everywhere: 100775. For the first two: the 10 means it’s a file, 40 is a directory. The last three (775) are significant: 7 is 4+2+1 (4:read, 2:write, 1:execute) and 5 is… that’s right: 4+1, read and execute privileges.

Now tell me does… /Microsoft Office 2008/Read Me.html need to be executable for you to look at it? Tick, tick, tick, *ding*! No. It does not let’s do another!
Does this god awful GIF bullet? /Microsoft Office 2008/Office/Media/Clipart/Bullets.localized/Red Swirl No. But it is.
Ok. One more: /Microsoft Office 2008/Office/Media/Sounds/Yeehaw? Yeah, you’re getting it. No.

The only things that needs execute privileges are directories (that’s application bundles too) and executables such as: Microsoft Word

And can you remove this execute bit in Finder? No. You have 3 choices, Read & Write, Read Only, and No Access, flip through them all and the x will still be there. You’ll need to chmod it from the terminal, but be careful, not all of them… or just give chmod -R ugo-x * a whirl, then slowly go through and chmod go+x the executables one by one and see if it still works, might be faster than the inverse… but I haven’t tested anything yet, that’s for work tommorrow… and the next day… in the mean time…

Try this: ls -lFGR /Applications/Microsoft\ Office\ 2008

You’ll be seeing red. :D

BTW: Just in case, the media I am using is Part No: X13-64625-03, I hope MS can fix this and re-press this for Volume License customers — my day job! And speaking of just in case, thanks ‘justincase’ of the Clix forums for pointing out the glaringly obvious.

Office 2008, 502, and you

So… I got a free copy of Office 2008 Digital Media Edition for free at MacWorld 2008! W00t! All because IDG double booked a room and the session I wanted got bumped until later. I instead went to see what’s new at the “Office2008:Form Meet Function” session, cute sounding eh? Within the first minute or two, to ensure our rapt attention I’m sure, our lady MC told us that we were all going to receive a free copy of Office 2008. Except, without the same flair as Oprah (she should have tried stretching it out: “You’re all getting Awwwwwww-Fiiiiiiiiiiiiiiiiice!!!”) Oh well, it still felt nice to win something, especially something as pricey as the Digital Media Edition which runs $467 at CDW! I got back yesterday and after debating whether I’d sell this bad boy or install it, I went with carnal knowledge of the beast.

First things first: They’ve moved to Apple’s Package Maker (.pkg) installer files, good news for the enterprise rollouts? Well, unfortunately they’ve created all the packages to install most all of the files with the owner set to 502.

So let’s say, Mr. IT installs this on a user’s machine where the first user is the admin (501) and the standard user is Joes User (502), well, when after all’s installed, it will give Joe User (502) ownership of these folders and their installed contents:

/Library/Automator/ (if it doesn’t exist already)
/Library/Application Support/Microsoft
/Applications/Microsoft Office 2008

Hmmm, that’s not good now is it? Because A) Joe User will find a way to screw it up and B) those are security holes IT does not want to have. Oh, if only they’d taken a peek at p. 1060 of Cocoa Programming, which basically says, if you let root own the file but the person installing isn’t root, it will assign that user’s id to the installed files, that’s how it should be. Instead if UID 502 doesn’t exist on your system when you install it will still assign that UID as the file’s owner anyway. D’oh!

I think I feel a chown’ing script (or an Iceberg repackaging) coming on and an uninstaller script too. “But, there’s an Uninstaller!”, you say? Yes there is and it does a lovely job of moving the Microsoft Office 2008 folder to the Trash, but it kinda misses the Application Support folder, the fonts folder (and moving the disabled fonts back), and all 97 automator actions… tsk tsk. Still, it was free!

Morning Update: It was late, I was tired (and sick), and I totally didn’t think of this one: “Fix Permissions”. If you do get your ownership fixed on all those files, make sure to delete all the Office2008* files from your /Library/Receipts folder, lest you reverse it all with one click of “Fix Permissions” in Disk Utility. And no, you can’t use awk, sed, or some other readily apparent way to modify the bom files… that’s someting for the MOAB crew ;)