Microsoft – brunerd

Silverlight: the next plugin Apple will be blocking

March 15, 2013March 15, 2013 brunerd 4 Comments

Shhh… Silverlight’s been updated for Mac

So by shear accident, I was in Windows 7 via Boot Camp today. I decided to run updates and actually look at what was being updated. I noticed there was a new Silverlight update, 5.1.20125.0, speak of the devil, in my XProtect Plugin Checker post, not long ago, I speculate when Silverlight will be blocked by Apple because of a security update. Security bulletin MS13-022 explains the critical nature of this for Windows and Mac, if you want to see an MS engineer tell you it’s Priority 1 this month you can visit the Microsoft March 2013 security update page. You’ll need Silverlight to watch the video, but don’t worry it won’t give you prompt you to update. Neither does Netflix. Apparently Microsoft haven’t pulled the trigger to alert users with old Silverlight plugins! Are they waiting for this 14.9MB package to replicate around the world to all the Akamai distribution servers or something? I think it’s done now.

Whither Thou Goest Check for Updates (or Preferences for that matter)?

So I decided to double check my auto-update settings in Silverlight. Would you like to check your Silverlight Preferences? The easy way is to Control-Click/Right-Click on Silverlight content and select About Silverlight from the menu. But take a real world example: you are at a site that won’t load it’s Silverlight content because the caches need cleaning! (This really happened to someone I had to support remotely via email).

Let’s go spelunking!
Opening Silverlight Preferences the hard way:

Navigate to /Library/Internet Plug-Ins
Control-Click on Silverlight.plugin and Show Package Contents
Navigate into Contents/Resources
Double click Silverlight Preferences.app

Or type this in at Terminal:

open /Library/Internet\ Plug-Ins/Silverlight.plugin/Contents/Resources/Silverlight\ Preferences.app

I ended up making a .command file to do this, zipped it up, and emailed it so the user could simply empty the Silverlight caches and get back to work (if this was for real work or Netflix I’m not sure…) but regardless, a Preference Pane would be kinda nice MS Silverlight dev folks! All it has to do, at bare minimum, is open this very same app inside the plugin bundle (so we don’t have to dig for it). That’s what the Oracle Java 7 prefPane does. I digress here’s my settings:

Yep that’s set…
OK so Microsoft doesn’t think this Priority 1 update needs updating yet on the Mac?

For fun, in the same folder you can run UpdatePrompt.app to see this:

Clicking Install now launches the URL: http://go2.microsoft.com/fwlink/?LinkId=116053 which will automatically start downloading the newest version of Silverlight.

Exploring the XProtect Factor

Now, I though to myself, if Microsoft doesn’t start getting people to update, I think I know what Apple’s gonna do… but they haven’t done it yet. So I did. I edited my XProtect.meta.plist and blocked Silverlight myself:

Just wedged it right in there with TextWrangler! Now, what happens when I visit a Silverlight page in Safari?

Boom, blocked. Aha! This mechanism is quite extensible to whatever plugin Apple deems insecure. Interestingly though, this warning will appear only once in Safari.

After that your Silverlight content will simply not load and you won’t be told why. The bundle name and version are set under the PreviouslyAnnouncedBlockedPlugins key in com.apple.Safari.plist and that’s it. Clicking OK in a hurry without reading the message might leave you scratching your head, while repeatedly clicking reload at Netlflix.

Taking a peek at my XProtectPluginChecker I see it’s able to compare the installed version to the values XProtect.meta.plist has. My script is working dynamically, as planned, yay! (I fixed a couple bugs the first few days after posting so re-download if you were an early bird user)

So while you may not be seeing this yet I have a strong feeling you will… and when you do XProtectPluginChecker will let you know.

System Administrator Bonus

Say, Mac SysAdmins, wanna disable Silverlight on all your deployed Macs right now? Why? Maybe you want to turn it off right away and worry about installing the update later? BTW this does not block the plugin in Firefox (they have their own mechanism), Safari only.

sudo /usr/libexec/PlistBuddy -x -c "add :PlugInBlacklist:10:com.microsoft.SilverlightPlugin dict" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

sudo /usr/libexec/PlistBuddy -x -c "add :PlugInBlacklist:10:com.microsoft.SilverlightPlugin:MinimumPlugInBundleVersion string 5.1.20125.0" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

That’ll get your XProtect.meta.plist PluginBlacklist dictionary looking something like this (version vary between 10.6 and 10.7/10.8 machines):

Viola, your Silverlight don’t work no more. :] Now go update it!

Office 2008 out of context

May 4, 2009May 4, 2009 brunerd 1 Comment

So… who’s running Office 2008 and hasn’t seen CGBitmapContextGetData: invalid context popping up in their system.log? I’ve seen it plenty: on Tiger, Leopard, ppc, and i386 systems (18MB worth on one heavy Powerpoint users’!) What’s puzzling is why MS hasn’t fixed it (do you want us to go over to iWork or what?!)

Anyway, lots of chatter on the net and no solutions except to hope either Apple or MS fix it… and I hope they do, we are rolling 2008 out at work (finally) and it’s stupefying to see this memory leaking bug is just spewing out garbage into logs at astonishing rate (inserting one movie gave me 22 messages!)

Anyway here’s some samples of what is happening when this error occurs
1 WrapContext 1 GetDeviceCaps 1 CGBitmapContextGetData 1 CGPostError 1 CGPostErrorWithArguments 1 asl_vlog$LDBL128 1 asl_send 1 gethostname 1 __sysctl 1 __sysctl

Seems that after calling GetDeviceCaps, which I can find Windows CE references to on the web, it then calls CGBitmapContextGetData and fails and the logging ensues… so MS if you guys are reading, please fix the info that GetDeviceCaps is either giving or getting so we can get some work done, thanks!

More traces:
3 WrapContext 3 GetDeviceCaps 3 CGBitmapContextGetData 3 CGPostError 3 CGPostErrorWithArguments 2 asl_vlog$LDBL128 2 asl_send 2 notify_get_state 2 _notify_server_get_state 2 mach_msg 2 mach_msg_trap 2 mach_msg_trap

1 0x46af14 1 0x4515b8 1 0x451500 1 0xb12e0 1 MsoFillCGDc 1 WrapContext 1 GetDeviceCaps 1 CGBitmapContextGetData 1 CGPostError 1 CGPostErrorWithArguments 1 asl_vlog$LDBL128 1 asl_free 1 free 1 szone_size 1 szone_size

2 0x605b54 2 0x4515b8 2 0x451500 2 0xb12e0 2 MsoFillCGDc 2 WrapContext 2 GetDeviceCaps 2 CGBitmapContextGetData 2 CGPostError 2 CGPostErrorWithArguments 2 asl_vlog$LDBL128 2 asl_send 1 asl_format_message 1 _asl_append_string 1 __memcpy 1 __memcpy 1 gethostname 1 __sysctl 1 __sysctl

2 0x4515b8 2 0x451500 2 0xb12e0 2 MsoFillCGDc 2 WrapContext 2 GetDeviceCaps 2 CGBitmapContextGetData 2 CGPostError 2 CGPostErrorWithArguments 2 asl_vlog$LDBL128 2 asl_send 1 asl_format_message 1 _asl_append_string 1 __memcpy 1 __memcpy 1 gethostname 1 __sysctl 1 __sysctl

Office 2008 fonts

March 12, 2008November 24, 2008 brunerd

A postscript to fonts (hehe), I wanted to mention how Office 2008 will replace your Apple supplied fonts with Microsoft fonts, placing them in /Library/Fonts Disabled. Well I like my Apple fonts just fine thank you, so for posterity here’s a list of the fonts that get bumped:

Tiger and Leopard Conflicts:

Andale Mono
Arial
Arial Black
Arial Narrow
Arial Rounded Bold
Brush Script
Comic Sans MS
Georgia
Impact
Times New Roman
Trebuchet MS
Verdana

Leopard Only Conflicts:

Tahoma
Wingdings 2
Wingdings 3

Also, just so you know there is set of fonts that Microsoft calls it’s ClearType Font Collection these fonts can be found on Vista and Windows Office 2007 (and Office 2008) they are:

Calibri Bold Italic.ttf
Calibri Bold.ttf
Calibri Italic.ttf
Calibri.ttf
Cambria Bold Italic.ttf
Cambria Bold.ttf
Cambria Italic.ttf
Cambria.ttf
Candara Bold Italic.ttf
Candara Bold.ttf
Candara Italic.ttf
Candara.ttf
Consolas Bold Italic.ttf
Consolas Bold.ttf
Consolas Italic.ttf
Consolas.ttf
Constantia Bold Italic.ttf
Constantia Bold.ttf
Constantia Italic.ttf
Constantia.ttf
Corbel Bold Italic.ttf
Corbel Bold.ttf
Corbel Italic.ttf
Corbel.ttf

All named C, like when parents name all there kids by the same letter, which is a bizarre practice I’ve never understood. I have yet to do more testing, but in an attempt to find out what the bare minimum fonts required are this seems like a good place to start.

And what the hey, here’s the rest of the Office 2008 fonts minus the conflicts and the ClearType Collection:

Abadi MT Condensed Extra Bold
Abadi MT Condensed Light
Baskerville Old Face
Batang.ttf
Bauhaus 93
Bell MT
Bernard MT Condensed
Book Antiqua
Bookman Old Style
Bookshelf Symbol 7.ttf
Braggadocio
Britannic Bold
Calisto MT
Century
Century Gothic
Century Schoolbook
Colonna
Cooper Black
Copperplate Gothic Bold
Copperplate Gothic Light
Curlz MT
Desdemona
Edwardian Script ITC
Engravers MT
Eurostile
Footlight Light
Franklin Gothic Book Italic.ttf
Franklin Gothic Book.ttf
Franklin Gothic Medium Italic.ttf
Franklin Gothic Medium.ttf
Garamond
Gill Sans MT Bold Italic.ttf
Gill Sans MT Bold.ttf
Gill Sans MT Italic.ttf
Gill Sans MT.ttf
Gill Sans Ultra Bold
Gloucester MT Extra Condensed
Goudy Old Style
Gulim.ttf
Haettenschweiler
Harrington
Imprint MT Shadow
Kino
Lucida Blackletter
Lucida Bright
Lucida Calligraphy
Lucida Console.ttf
Lucida Fax
Lucida Handwriting
Lucida Sans
Lucida Sans Typewriter
Lucida Sans Unicode.ttf
Marlett.ttf
Matura Script Capitals
Meiryo Bold Italic.ttf
Meiryo Bold.ttf
Meiryo Italic.ttf
Meiryo.ttf
Mistral
Modern No. 20
Monotype Corsiva
Monotype Sorts
MS Gothic.ttf
MS Mincho.ttf
MS PGothic.ttf
MS PMincho.ttf
MS Reference Sans Serif.ttf
MS Reference Specialty.ttf
MT Extra
News Gothic MT
Onyx
Perpetua Bold Italic.ttf
Perpetua Bold.ttf
Perpetua Italic.ttf
Perpetua Titling MT
Perpetua.ttf
Playbill
PMingLiU.ttf
Rockwell
Rockwell Extra Bold
SimSun.ttf
Stencil
Tw Cen MT Bold Italic.ttf
Tw Cen MT Bold.ttf
Tw Cen MT Italic.ttf
Tw Cen MT.ttf
Wide Latin
Wingdings

Office 2008 12.01 Update almost does it

March 12, 2008March 13, 2008 brunerd

So the Office 2008 12.01 updater came out, it’s got a whole lot of packages for each app and component with postflight scripts written in Python to clean up all the permissions:

Mar 12 15:33:00 brunerd runner[8556]: postflight[8773]: setting ownership/permissions
Mar 12 15:33:00 brunerd runner[8556]: postflight[8773]: fixing setuid flags
Mar 12 15:33:00 brunerd runner[8556]: postflight[8773]: clearing ACLs
Mar 12 15:33:00 brunerd runner[8556]: postflight[8773]: sanitizing receipts

Doing an ls -lRFG in /Applications/Microsoft Office 2008 won’t leave you seeing red, they’ve cleaned that all up quite nicely.

Anyway, call me picky, but it forgets just one thing, the /Library/Fonts/Microsoft folder, it leaves that and its contents owned by 502 and they’re all marked executable. (Fonts don’t really need to be executable.) And as paranoid as it is — it’s still not quite right. So after you’ve put your tinfoil hat on, run 12.01, you can do this to finish it up:

#take away all users’ execute permissions
chmod a-x /Library/Fonts/Microsoft/*
#recursively own all fonts as root and admin group
sudo chown -R root:admin /Library/Fonts/Microsoft

Update: Or you can go into the update using Show Package Contents then navigate to Contents/Packages and run Office2008_en_fonts_12.0.1.incremental.pkg again, that’ll do the trick.

Office 2008 for the ‘executive’

January 21, 2008January 24, 2008 brunerd 11 Comments

Last night, while groggily honing in on the Office 2008 installer package UID problems, I missed another glaringly obvious defect: All the files are set executable, yes those files owned by 502 are also set executable. Take a look again at the lsbom dump you’ll see this everywhere: 100775. For the first two: the 10 means it’s a file, 40 is a directory. The last three (775) are significant: 7 is 4+2+1 (4:read, 2:write, 1:execute) and 5 is… that’s right: 4+1, read and execute privileges.

Now tell me does… /Microsoft Office 2008/Read Me.html need to be executable for you to look at it? Tick, tick, tick, *ding*! No. It does not let’s do another!
Does this god awful GIF bullet? /Microsoft Office 2008/Office/Media/Clipart/Bullets.localized/Red Swirl No. But it is.
Ok. One more: /Microsoft Office 2008/Office/Media/Sounds/Yeehaw? Yeah, you’re getting it. No.

The only things that needs execute privileges are directories (that’s application bundles too) and executables such as: Microsoft Word.app/Contents/MacOS/Microsoft Word

And can you remove this execute bit in Finder? No. You have 3 choices, Read & Write, Read Only, and No Access, flip through them all and the x will still be there. You’ll need to chmod it from the terminal, but be careful, not all of them… or just give chmod -R ugo-x * a whirl, then slowly go through and chmod go+x the executables one by one and see if it still works, might be faster than the inverse… but I haven’t tested anything yet, that’s for work tommorrow… and the next day… in the mean time…

Try this: ls -lFGR /Applications/Microsoft\ Office\ 2008

You’ll be seeing red. :D

BTW: Just in case, the media I am using is Part No: X13-64625-03, I hope MS can fix this and re-press this for Volume License customers — my day job! And speaking of just in case, thanks ‘justincase’ of the Clix forums for pointing out the glaringly obvious.

Office 2008, 502, and you

January 21, 2008January 10, 2011 brunerd 33 Comments

So… I got a free copy of Office 2008 Digital Media Edition for free at MacWorld 2008! W00t! All because IDG double booked a room and the session I wanted got bumped until later. I instead went to see what’s new at the “Office2008:Form Meet Function” session, cute sounding eh? Within the first minute or two, to ensure our rapt attention I’m sure, our lady MC told us that we were all going to receive a free copy of Office 2008. Except, without the same flair as Oprah (she should have tried stretching it out: “You’re all getting Awwwwwww-Fiiiiiiiiiiiiiiiiice!!!”) Oh well, it still felt nice to win something, especially something as pricey as the Digital Media Edition which runs $467 at CDW! I got back yesterday and after debating whether I’d sell this bad boy or install it, I went with carnal knowledge of the beast.

First things first: They’ve moved to Apple’s Package Maker (.pkg) installer files, good news for the enterprise rollouts? Well, unfortunately they’ve created all the packages to install most all of the files with the owner set to 502.

So let’s say, Mr. IT installs this on a user’s machine where the first user is the admin (501) and the standard user is Joes User (502), well, when after all’s installed, it will give Joe User (502) ownership of these folders and their installed contents:

/Library/Automator/ (if it doesn’t exist already)
/Library/Fonts/Microsoft
/Library/Application Support/Microsoft
/Applications/Microsoft Office 2008

Hmmm, that’s not good now is it? Because A) Joe User will find a way to screw it up and B) those are security holes IT does not want to have. Oh, if only they’d taken a peek at p. 1060 of Cocoa Programming, which basically says, if you let root own the file but the person installing isn’t root, it will assign that user’s id to the installed files, that’s how it should be. Instead if UID 502 doesn’t exist on your system when you install it will still assign that UID as the file’s owner anyway. D’oh!

I think I feel a chown’ing script (or an Iceberg repackaging) coming on and an uninstaller script too. “But, there’s an Uninstaller!”, you say? Yes there is and it does a lovely job of moving the Microsoft Office 2008 folder to the Trash, but it kinda misses the Application Support folder, the fonts folder (and moving the disabled fonts back), and all 97 automator actions… tsk tsk. Still, it was free!

Morning Update: It was late, I was tired (and sick), and I totally didn’t think of this one: “Fix Permissions”. If you do get your ownership fixed on all those files, make sure to delete all the Office2008* files from your /Library/Receipts folder, lest you reverse it all with one click of “Fix Permissions” in Disk Utility. And no, you can’t use awk, sed, or some other readily apparent way to modify the bom files… that’s someting for the MOAB crew ;)