Microsoft Provides Easy OS X Security Hack
Nothing like an 11 year old to find a security hole in Apple’s OS X. Of course, it helps if he gets some assistance from Microsoft. Through MS Office, Microsoft gives you free range access to the applications on your system when running Simple Finder, unlike Apple, who doesn’t allow its applications to do that when you’re in Simple Finder. This reflects MS’s whole ethos of allowing users access to anything on computers, which is why Windows is so virus and spyware ridden.
Now, before you go buying anti-virus software or a new firewall, this is not a threat from the outside world; it is an internal security breach—internally to OS X that is. The “good news” is it’s only a concern for people intent on using OS X’s “Finder & System” Parental Controls.
Our own Aaron Wright recently wrote an excellent must read two-part piece on setting up and using Parental Controls to help protect your kids from the net nasties: Part 1 - Email, Part 2 - Surfing the web
Another aspect of the Parent Controls functionality of OS X, and one that has been in place since Panther, is the limitation of what applications a user can run or access. In Tiger it’s under the “Finder and System” settings of Parental Controls.
What do “Finder and System” controls do?
If you enable “Finder and System” controls for an account and enter the configuration screen you’ll be presented with two options: “Some Limits” and “Simple Finder.” “Simple Finder” generates a very limited Finder with limited access to folders—you don’t even see removable drives. “Some Limits” gives you full access but you can limit what applications and functions can be run. Well, that’s the theory.
OS X’s help on Parental Controls says (in part):
Restricting what users can do with the computer
If other people use your computer, you can restrict the access they have to the Mac OS X disk and applications you have installed.For example, you can prevent users from:
Using certain installed applications
Further, it’s help on “Limited Finder’ says:
Setting up a simplified interface
Simple Finder is a simplified and protected interface for inexperienced users, such as young children. Simple Finder also prevents settings from being accidentally modified or files from being accidentally deleted.Simple Finder provides the following features:
A control of the applications that the user can access.
Twice you, Mr & Mrs Parent, have been assured that “Finder and System” controls would stop your darling little Johnny from running any old application he wanted to. Problem is, you got complacent. You thought Microsoft on Macs would not be like Microsoft on PCs. You thought Microsoft would be security conscious on Macs. Pfft! Although, Apple did give them more than a little bit of help.
Apple left the back door open and Microsoft is beaconing for your kids to come on in and play with all those applications you don’t want them to.
Beating Parental Controls
It’s not a difficult process to circumvent and you only need a couple of tools for the job:
1 x Microsoft Office Suite (I’m using version v.X)
1 x 11 year old with experience in Microsoft Office Suite
1 x Limited account with access to Word, Excel or PowerPoint
If you don’t happen to have an 11 year old in the cupboard under your stairs, you’re in luck. But just in case, I’ll provide some general instructions.
Setup the account with either “Simple Finder”
or “Some Limits”. If it is using “Some Limits” this hack only works if you’ve got “Allow supporting programs” ticked in the “Some Limits” settings.
In the supposedly secure account:
- Launch Powerpoint.
- Create a custom slide action
- Select the “Run Program” option.
- In the subsequent Open dialog, navigate to the application you’d like to run and select it
- Run the slideshow, click on button you’ve created and viola, you’re flying.
You can also run applications from Word and Excel documents using the Insert Hyperlink function. You will have to manually type in the address of the application in the form file:///Applications/program.app where program.app is the application you want to run.
A clever young kid could easily set up a document with buttons all over it for applications he or she wanted to run.
Now, you’re probably wondering about other applications. I tried Pages, Keynote and The Print Shop 2. Pages and Keynote would launch Safari but rejected any hyperlink except an http one. Other attempts to access applications from within Pages and Keynote were prevented by access to applications being disabled. The Print Shop 2 doesn’t have any hyperlinking.
Here is what my Dock in the account with “Simple Finder” looks like a few minutes later. Bear in mind, PowerPoint is the only applicatiopn I’ve given this account access to. Excel was launched from PowerPoint’s Project Gallery, Pages from the PowerPoint hack and Safari from a hyperlink in Pages.
What’s to be done?
I’m not too concerned about every Mac-using-juvenile on the planet reading this piece and hacking their parents’ Macs. We’re too high-brow here at AM for the kids, with our elite writing and company jet, emblazoned with the Apple Matters logo (it makes it go faster). We’re just not on the same page. But hopefully someone from Apple will read this and remedy it. It’s not a fix that should wait until Leopard. And if Apple has known about this hack for a while (it also works in Panther) then that’s really poor. It’s a security issue and although not seemingly as threatening as hacks from the outside world, anyone who’s been involved in security knows that the biggest threat comes from within - especially from the fingers of inquisitive 11 year olds.
The big lesson in all of this though is, if you let Microsoft near a computer, it’ll find a way to bugger up its security.
Does anyone know any other applications that let you exploit this hole?
Footnote: Thanks to my 11yo, Isaiah, for showing he’s smarter than I’ll ever be. I’m sure if I gave him Boot Camp he’d have it running on a PPC Mac within a week (for the Aspergers and other literals among us - myself included - that’s a joke… it’d probably take him two weeks. Ok. I know. Running Boot Camp on PPC is impossible.)
Comments
Good thing I don’t use office on my iMac….
This has been an issue for me for some time. I work at a high school and manage 500+ computers with Workgroup Manager. WGM is used to lock access to applications and other parts of the OS. There is an option, just like with the parental controls, to allow access to applications not on the list of approved applications if another application needs them.
One example outside of MS Applications is when you click on an iTunes music store link it will open iTunes. We do not want the students to access iTunes because there home folder is store on a server and it is disruptive.
With WGM you have the power to allow applications or deny applications. If an application is denied it will not open from another program if it is requested. Since Parental Controls doesn’t deny access to the application it just isn’t allowing to be directly opened it opens.
One thing you can do is allow the supporting programs one at a time using the locate option and uncheck the option to allow supporting applications. It is a pain when it comes to MS Office. There are quite a few supporting applications for MS Office.
Another option is to place the applications you want to deny in a separate application folder that does not have read or write access for the managed user.
I don’t remember exactly as I helped someone set up an office computer to be shared by dozens so I discovered a workaround - a little kludgy but it seems to work. Basically, LIMITED FINDER only looks for apps in the APPLICATIONS folder of the main/admin user. So if you move Safari (or any other browser or internet app out of the Applications folder), I created a Apps folder on the desktop of the main/admin user. So now, hyperlinks won’t launch anything - doesn’t Sherlock also launch a browser or is a mini browser? So, double check that.
The real problem here is that the Parental controls in OS X are actually pretty bogus. If they really worked as they should, they would prevent the user from running other applications at a system level. What if the parent allows the kid to run Terminal? Then the kid can launch any application they want too. So is Terminal at fault, or is it the OS? It’s the OS, folks. If Apple had done it right, it wouldn’t matter if some alternate to the Finder application were installed or used, you still wouldn’t be able to run applications not on the list of allowed apps. So I think your article is rather misguided. Apple is to blame for this, folks.
sjonke, Quite true. Terminal could most certainly be run under Simple Finder. But I’m not sure how much damage a non-administrator user can do with Terminal, other than to their own files.
It was reasonable of me to apportion some of the blame on MS, and MS allowing applications to be run from Office apps does reek of MS’s lax attitude towards security, It just seems to be a prime example of all that’s wrong with MS’s approach to security, which still seems to be, “A user should be able to do what ever they like - give ‘em access to everything.”
MS should remove the functionality from MS Office on Macs, to run other applications. Why does someone want to launch a separate application from a PowerPoint? Or launch an app via the Hyperlink function in Excel and Word? Pages and Keynote don’t allow that and don’t provide access to applications.
Apple may have been incredibly naive with Simple Finder, never expecting that anyone would allow access to other apps as MS has done via Office.
But as I did say, the responsibilty is Apple’s to plug that hole. Somehow they need OS X to be able to distinguish different type of program calls. So Office can still launch it’s ancillary apps such as graphing, the equation editor, and the org chart.
If you think about it, it presents a serious security risk. Someone could write a malicious PowerPoint that on reaching a certain slide, could delete all your documents by passing a command thru Terminal.
Which means of course, in any login, not just one with Simple Finder.
MS Office presents a genuine security threat to all computer users with it’s ability to run other applications.
Another hole is that you can launch Safari from Apple Help even if Safari is not on the allowed application list. This is how my son showed me he does it: (Safari is not on the list of programs he can use BTW).
1. Open Apple Help
2. Click on any hyperlink that takes you to a website.
3. Safari launches. From there you have unrestricted access, other than whatever restrictions you put on Safari, to the internet.
4. Right-click on the Safari icon in the dock to launch on login.
The next time you log into the account, Safari launches automatically.
It appears that the limit on what apps you can launch is a Finder-only limitation, and as you’ve shown, it’s easily defeated. The OS will launch whatever application it is called upon to launch.
Why bother using PowerPoint when you can easily navigate to the Applications folder.
In Simple Finder, click a folder in the Dock.
Navigate to the root of your Startup disk and click the Applications folder. Pick an App.
How to navigate? Cmd-UpArrowkey until you’re there.
Nice one Combitron. This gets messier all the time! Apple need to plug this quick, but I suspect they won’t if it’s been a problem since Panther.
The problem of PowerPoint or Excel or Word is, they can carry a malicious payload - eg delete all your documents.
Of course, in Windows it’s even more dangerous, since so many users have full access to their system.
OK, it’s even worse that that. Keep in mind that many Widgets access the web, so simply bring up the Dashboard, type something in, say, a name in the Yellow Pages widget, and clicking on any resulting link…which launches Safari, even if it was locked out using parental controls [sigh].
Does anyone know what application I would have to choose in order to allow widgets to work when a managed user (parental controls) is enabled?
Good question, permuy. I hope you get an answer, coz it’s bugging me too. I tried allowing Dashboard but that didn’t work.
Does anyone know?
i came across this article while i was researching another “security hole” i found with Simple Finder.
when you type a backslash (”/”) into the address bar on Safari, it opens the system root. which, in turn, allows access to the full ‘Applications’ folder (among many other things).
combine this with what someone said above about Apple Help opening Safari even if it’s disabled, and the “Managed Account” setting on OS X is effectively useless. and having or not having Office installed has absolutely nothing to do with it.
i can’t have been the first one to figure this out?