mac-excel98.txt

17 Aug 1999 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

Giant Excel bug allows bypass of Mac security, saving files to hard drive unexpectedly.


Code
`Subject: [MM] Giant Excel security hole  
Date: Thu, 12 Nov 1998 16:09:22 -0500  
x-sender: [email protected]  
From: Steve Klein <[email protected]>  
To: "Mac Mgrs" <[email protected]>  
Mime-Version: 1.0  
Sender: [email protected]  
Status:  
  
Question (short version):  
Does anyone know of a way to protect my Macs from Excel's confused  
pathname bug?  
  
Question (long version):  
One of my students accidentally stumbled on a bug in Microsoft Excel.  
It probably affects every Mac running Excel, and allows users to bypass  
both FoolProof and At Ease security.  
  
The easiest way to describe the problem is to explain how to reproduce it.  
1) Mount a floppy disk on your desktop  
2) Rename the floppy disk "Macintosh HD" (or whatever your hard drive is  
named)  
3) Use Microsoft Excel and try to save a file on the floppy.  
  
The file gets saved on the hard drive. Excel is the only application  
I've seen that exhibits this behavior. Both Excel 4.0 and Excel 98.  
  
It gets worse. If you create a folder hierarchy on the floppy that  
mimics the hard drive, you can save files anywhere on the hard drive.  
  
It gets even worse. It lets you replace a file with the same name. It  
doesn't even prompt you with the "file already exists" dialog. For  
example, I just saved an Excel spreadsheet called Finder. I tried to  
save it in a folder called "System Folder" on an otherwise empty floppy  
disk called "Macintosh HD." It did exactly what you'd think it would do.  
  
(Fortunately, I had made a backup copy of my Finder before I started this  
experiment.)  
  
We have some Macs with FoolProof Security (v 3.1.1), and others with At  
Ease for Workgroups (v 5.x). Though both are set to prevent users from  
saving files to hard drives, this bug in Excel neatly sidesteps both  
programs.  
  
Any ideas? Now that two students know about it, it's only a matter of  
time until they all do.  
  
--  
Steve Klein  
Technology Support Specialist email: [email protected]  
Detroit Country Day School phone: 248 646-7717 Ext. 1119  
  
Subject: [MM] Giant Excel security hole (updated)  
Date: Thu, 12 Nov 1998 16:28:11 -0500  
x-sender: [email protected]  
From: Steve Klein <[email protected]>  
To: "Mac Mgrs" <[email protected]>  
Mime-Version: 1.0  
Sender: [email protected]  
Status:  
  
Although it might not have been clear from my earlier post, that Excel  
bug also affects users who don't use ANY security software. The bug  
affects EVERYONE running Excel, not just users on "protected" Macs.  
  
--  
Steve Klein  
Technology Support Specialist email: [email protected]  
Detroit Country Day School phone: 248 646-7717 Ext. 1119  
  
  
-------------> Please post QUESTIONS and SUMMARIES only!! <---------------  
* Please Note the changed address of the MM website http://www.mac-mgrs.org  
To subscribe or unsubscribe: http://www.mac-mgrs.org/mm/subscriptions.html  
To mail questions and summaries to the list: mailto:[email protected]  
The List Mom (problems, issues, etc.): mailto:[email protected]  
  
This is how it was reported on Macintouch <http://www.macintouch.com>  
with some additional info on how this affects peer-to-peer networks:  
  
We verified yesterday a nasty Excel bug reported on the Mac Managers  
mailing list: If you have a hard disk and a floppy both with the same name,  
Excel will save a file onto the hard drive when you tell it to save to the  
floppy. Among other problems, this may succeed in bypassing disk security  
controls provided by such programs as At Ease for Workgroups and FoolProof  
Security. Incredibly, a MacInTouch reader reports that Microsoft has known  
about it for years:  
  
[from original report] "Excel is the only application I've seen that  
exhibits this behavior. Both Excel 4.0 and Excel 98. It gets worse. If you  
create a folder hierarchy on the floppy that mimics the hard drive, you can  
save files anywhere on the hard drive. It gets even worse. It lets you  
replace a file with the same name. It doesn't even prompt you with the  
"file already exists" dialog. For example, I just saved an Excel  
spreadsheet called Finder. I tried to save it in a folder called "System  
Folder" on an otherwise empty floppy disk called "Macintosh HD." It did  
exactly what you'd think it would do."  
  
[MacInTouch reader] "Odd behavior in Excel caused by two volumes with the  
same name has been seen for a number of versions, at least back to Excel  
4.0! This first showed itself to me when we had users who could not run  
macros or deal with external file references in spreadsheets under version  
4.0. It turned out they had all mounted each other's drives with file  
sharing, and each had a NETWORK volume called "Macintosh HD" on their  
desktop. Since their hard disk was also named "Macintosh HD", Excel freaked  
out! This caused Excel no end of troubles. This was reported to Microsoft  
through our Select agreement back in 1994 or so...obviously they never  
fixed the bug."  
`
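
A model of the behaviour reported in the thread above, as an added example that is not part of the original posts and not Excel's code. It assumes the cause is that the save target is rebuilt as a full pathname and the volume is then looked up by its label; the `Volume` class, the reference numbers and the policy flag are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Volume:
    ref: int                  # unique per-mount reference (constructed value)
    name: str                 # user-editable label, not guaranteed unique
    writable_by_policy: bool  # what the lockdown tool is configured to allow
    files: dict = field(default_factory=dict)

def mounted():
    # Constructed sample: internal disk plus a floppy renamed to match it.
    return [Volume(-1, "Macintosh HD", False, {"System Folder:Finder": "original"}),
            Volume(-2, "Macintosh HD", True)]

def save_by_name(volumes, chosen, rel_path, data):
    """Weak form: rebuild 'Volume:folder:file' and find the volume by label."""
    full = f"{chosen.name}:{rel_path}"
    label, _, rest = full.partition(":")
    target = next(v for v in volumes if v.name == label)  # first match wins
    target.files[rest] = data  # no policy check, no "already exists" check
    return target.ref

def save_by_ref(volumes, chosen, rel_path, data, overwrite=False):
    """Hardened form: keep the reference the user picked, then check policy
    and refuse to replace an existing file unless explicitly confirmed."""
    target = next(v for v in volumes if v.ref == chosen.ref)
    if not target.writable_by_policy:
        raise PermissionError("policy forbids writing to this volume")
    if rel_path in target.files and not overwrite:
        raise FileExistsError(rel_path)
    target.files[rel_path] = data
    return target.ref

def duplicate_labels(volumes):
    """Audit check: labels shared by more than one mounted volume."""
    counts = Counter(v.name for v in volumes)
    return sorted(name for name, n in counts.items() if n > 1)
```
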
