Freaks Macintosh Archives - Macintosh Excel98 security Issue

Origionally Orianted from HHN "Macintosh Excel98 security bug allows any user to bypass hard disk security controls and write and overwrite HD files. Root compromise."
Subject: [MM] Giant Excel security hole
Date: Thu, 12 Nov 1998 16:09:22 -0500
x-sender: klein@mail.dcds.edu From: Steve Klein
To: "Mac Mgrs"
Mime-Version: 1.0
Sender: owner-mac-mgrs@CERF.net
Status:

Question (short version):
Does anyone know of a way to protect my Macs from Excel's confused
pathname bug?

Question (long version):
One of my students accidentally stumbled on an bug in Microsoft Excel.
It probably affects every Mac running Excel, and allows users to bypass
both FoolProof and At Ease security.

The easiest way to describe the problem is to explain how to reproduce it.
1) Mount a floppy disk on your desktop
2) rename the floppy disk "Macintosh HD" (or whatever your hard drive is
named)
3) Use Microsoft excel and try to save a file on the floppy.

The file gets saved on the hard drive. Excel is the only application
I've seen that exhibits this behavior. Both Excel 4.0 and Excel 98.

It gets worse. If you create a folder hierarchy on the floppy that
mimics the hard drive, you can save files anywhere on the hard drive.

It gets even worse. It lets you replace a file with the same name. It
doesn't even prompt you with the "file already exists" dialog. For
example, I just saved an Excel spreadsheet called Finder. I tried to
save it in a folder called "System Folder" on an otherwise empty floppy
disk called "Macintosh HD." It did exactly what you'd think it would do.

(Fortunately, I had made a backup copy of my Finder before I started this
experiment.)

We have some Macs with FoolProof Security (v 3.1.1), and others with At
Ease for Workgroups (v 5.x). Though both are set to prevent users from
saving files to hard drives, this bug in Excel neatly sidesteps both
programs.

Any ideas? Now that two students know about it, it's only a matter of
time until they all do.

--
Steve Klein
Technology Support Specialist email: klein@dcds.edu
Detroit Country Day School phone: 248 646-7717 Ext. 1119

Subject: [MM] Giant Excel security hole (updated)
Date: Thu, 12 Nov 1998 16:28:11 -0500
x-sender: klein@mail.dcds.edu
From: Steve Klein
To: "Mac Mgrs"
Mime-Version: 1.0
Sender: owner-mac-mgrs@CERF.net
Status:

Although it might not have been clear from my earlier post, that Excel
bug also affects users who don't use ANY security software. The bug
affects EVERYONE running excel, not just users on "protected" Macs.

--
Steve Klein
Technology Support Specialist email: klein@dcds.edu
Detroit Country Day School phone: 248 646-7717 Ext. 1119

-------------> Please post QUESTIONS and SUMMARIES only!! <---------------
* Please Note the changed address of the MM website http://www.mac-mgrs.org
To subscribe or unsubscribe: http://www.mac-mgrs.org/mm/subscriptions.html
To mail questions and summaries to the list: mailto:mac-mgrs@lists.cerf.net
The List Mom (problems, issues, etc.): mailto:owner-mac-mgrs@lists.cerf.net

This is how it was reported on Macintouch
with some additional info on how this affects perr-to-peer networks:

We verified yesterday a nasty Excel bug reported on the Mac Managers
mailing list: If you have a hard disk and a floppy both with the same name,
Excel will save a file onto the hard drive when you tell it to save to the
floppy. Among other problems, this may succeed in bypassing disk security
controls provided by such programs as At Ease for Workgroups and FoolProof
Security. Incredibly, a MacInTouch reader reports that Microsoft has known
about it for years:

[from original report] "Excel is the only application I've seen that
exhibits this behavior. Both Excel 4.0 and Excel 98. It gets worse. If you
create a folder hierarchy on the floppy that mimics the hard drive, you can
save files anywhere on the hard drive. It gets even worse. It lets you
replace a file with the same name. It doesn't even prompt you with the
"file already exists" dialog. For example, I just saved an Excel
spreadsheet called Finder. I tried to save it in a folder called "System
Folder" on an otherwise empty floppy disk called "Macintosh HD." It did
exactly what you'd think it would do."

[MacInTouch reader] "Odd behavior in Excel caused by two volumes with the
same name has been seen for a number of versions, at least back to Excel
4.0! This first showed itself to me when we had users who could not run
macros or deal with external file references in spreadsheets under version
4.0. It turned out they had all mounted each others drives with file
sharing, and each had a NETWORK volume called "Macintosh HD" on their
desktop. Since their hard disk was also named "Macintosh HD", Excel freaked
out! This caused Excel no end of troubles. This was reported to Microsoft
through our Select agreement back in 1994 or so...obviously they never
fixed the bug."