Subject: [MM] Giant Excel security hole
Date: Thu, 12 Nov 1998 16:09:22 -0500
From: Steve Klein
To: "Mac Mgrs"
Sender: owner-mac-mgrs@CERF.net

Question (short version): Does anyone know of a way to protect my Macs from Excel's confused pathname bug?

Question (long version): One of my students accidentally stumbled on a bug in Microsoft Excel. It probably affects every Mac running Excel, and allows users to bypass both FoolProof and At Ease security.

The easiest way to describe the problem is to explain how to reproduce it.

1) Mount a floppy disk on your desktop
2) Rename the floppy disk "Macintosh HD" (or whatever your hard drive is named)
3) Use Microsoft Excel and try to save a file on the floppy.

The file gets saved on the hard drive.

Excel is the only application I've seen that exhibits this behavior. Both Excel 4.0 and Excel 98.

It gets worse. If you create a folder hierarchy on the floppy that mimics the hard drive, you can save files anywhere on the hard drive.

It gets even worse. It lets you replace a file with the same name. It doesn't even prompt you with the "file already exists" dialog. For example, I just saved an Excel spreadsheet called Finder. I tried to save it in a folder called "System Folder" on an otherwise empty floppy disk called "Macintosh HD." It did exactly what you'd think it would do. (Fortunately, I had made a backup copy of my Finder before I started this experiment.)

We have some Macs with FoolProof Security (v 3.1.1), and others with At Ease for Workgroups (v 5.x). Though both are set to prevent users from saving files to hard drives, this bug in Excel neatly sidesteps both programs.

Any ideas? Now that two students know about it, it's only a matter of time until they all do.

--
Steve Klein
Technology Support Specialist
Detroit Country Day School
email: klein@dcds.edu
phone: 248 646-7717 Ext. 1119


Subject: [MM] Giant Excel security hole (updated)
Date: Thu, 12 Nov 1998 16:28:11 -0500
From: Steve Klein
To: "Mac Mgrs"
Sender: owner-mac-mgrs@CERF.net

Although it might not have been clear from my earlier post, that Excel bug also affects users who don't use ANY security software. The bug affects EVERYONE running Excel, not just users on "protected" Macs.

--
Steve Klein, Detroit Country Day School


This is how it was reported on MacInTouch, with some additional info on how this affects peer-to-peer networks:

We verified yesterday a nasty Excel bug reported on the Mac Managers mailing list: If you have a hard disk and a floppy both with the same name, Excel will save a file onto the hard drive when you tell it to save to the floppy. Among other problems, this may succeed in bypassing disk security controls provided by such programs as At Ease for Workgroups and FoolProof Security. Incredibly, a MacInTouch reader reports that Microsoft has known about it for years:

[from original report] "Excel is the only application I've seen that exhibits this behavior. Both Excel 4.0 and Excel 98. It gets worse. If you create a folder hierarchy on the floppy that mimics the hard drive, you can save files anywhere on the hard drive. It gets even worse. It lets you replace a file with the same name. It doesn't even prompt you with the "file already exists" dialog. For example, I just saved an Excel spreadsheet called Finder. I tried to save it in a folder called "System Folder" on an otherwise empty floppy disk called "Macintosh HD." It did exactly what you'd think it would do."

[MacInTouch reader] "Odd behavior in Excel caused by two volumes with the same name has been seen for a number of versions, at least back to Excel 4.0! This first showed itself to me when we had users who could not run macros or deal with external file references in spreadsheets under version 4.0. It turned out they had all mounted each other's drives with file sharing, and each had a NETWORK volume called "Macintosh HD" on their desktop. Since their hard disk was also named "Macintosh HD", Excel freaked out! This caused Excel no end of troubles. This was reported to Microsoft through our Select agreement back in 1994 or so... obviously they never fixed the bug."
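The following is a constructed Python model of the failure every report in this thread has in common, added here as an illustration; it is not code from Excel, Apple, or any of the posters. It assumes (a hypothesis about the cause, not something the thread establishes) that the save target "Volume:Folder:File" is resolved by volume name, first match among mounted volumes, instead of by a unique volume reference number as the Mac OS File Manager provides, and it adds the simple defender check an administrator would want: listing volume names that are mounted more than once.

```python
"""Constructed model: name-based vs. reference-based volume resolution."""
from dataclasses import dataclass, field


@dataclass
class Volume:
    vref: int                                    # unique per mount (like a Mac OS vRefNum)
    name: str                                    # user-visible name; NOT unique
    files: dict = field(default_factory=dict)    # "Folder:File" -> contents


def find_volume_by_name(volumes, name):
    """Name-based lookup: returns the FIRST mounted volume with that name."""
    for v in volumes:
        if v.name == name:
            return v
    raise FileNotFoundError(name)


def save_by_pathname(volumes, pathname, data):
    """Resolve 'Volume:Folder:File' purely by name (the ambiguous approach).
    With two volumes named alike, the write lands on whichever was found first,
    and nothing checks whether the target file already exists."""
    vol_name, _, rest = pathname.partition(":")
    vol = find_volume_by_name(volumes, vol_name)
    vol.files[rest] = data
    return vol.vref                              # which volume actually got the file


def save_by_vref(volumes, vref, rest, data, overwrite=False):
    """Resolve by unique volume reference and refuse to clobber unless told to."""
    vol = next(v for v in volumes if v.vref == vref)
    if rest in vol.files and not overwrite:
        raise FileExistsError(rest)
    vol.files[rest] = data
    return vol.vref


def duplicate_volume_names(volumes):
    """Defender check: names shared by more than one mounted volume -> their vrefs."""
    seen = {}
    for v in volumes:
        seen.setdefault(v.name, []).append(v.vref)
    return {n: refs for n, refs in seen.items() if len(refs) > 1}


def demo():
    """Reproduce the thread's scenario: a floppy renamed to match the hard drive."""
    hd = Volume(vref=-1, name="Macintosh HD", files={"System Folder:Finder": "real Finder"})
    floppy = Volume(vref=-2, name="Macintosh HD")    # constructed: empty floppy, same name
    mounted = [hd, floppy]                           # hard drive was mounted first
    landed = save_by_pathname(mounted, "Macintosh HD:System Folder:Finder", "spreadsheet")
    return landed, hd.files["System Folder:Finder"], duplicate_volume_names(mounted)
```

Running `demo()` shows the write landing on the hard drive (vref -1) and the original Finder replaced, while `save_by_vref` targets the floppy by reference and refuses to overwrite.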