Comments on: Mac OS X Mail parental controls vulnerability

By: Vera Schafer

Vera Schafer — Sat, 11 Sep 2010 17:23:56 +0000

Yesterday I created a profile for my 6th grader granddaughter and authorized a few emails of family members. Then I asked my daughter to reply using her work email (which was not included in my list) and it simply got delivered. No hacking or anything. It simply went through! It’s so disappointing because I really want to use this type of communication as an added tool to encourage/improve her reading/writing skills…

By: Mark Abajian

Mark Abajian — Fri, 10 Sep 2010 01:14:57 +0000

Thank you for pursuing this with Apple. I’ve been disappointed in their “Parental Controls” for several years now.

Another major failing is that parental controls set for OS X Mail do not propagate to the MobileMe online mail client. If my child reads his/her mail on me.com using their MobileMe “Family Pack” sub-account, the parental controls set in OS X are bypassed.

By: Dominik Hoffmann

Dominik Hoffmann — Wed, 08 Sep 2010 17:52:58 +0000

I, too have found this particular functionality of Parental Controls to be buggy.

I disagree with the poster who says that we should just educate our children about the dangers of going online. First, we don’t want to broach subjects we couldn’t appropriately discuss at their level of maturity. Second, in their preteen years many children don’t possess the technical expertise to bypass security measures (e.g., my children wouldn’t have a clue about how to install Thunderbird as an alternative to Mail). Third, they might not have the experience to distinguish what is harmless from what is dangerous.

By: Plaats hier software gerelateerd nieuws! - Page 24

Plaats hier software gerelateerd nieuws! - Page 24 — Tue, 07 Sep 2010 17:54:26 +0000

[...] CVE ID aan toekennen en geeft ook geen tijdlijn voor een mogelijke patch. Inmiddels is er op het blog van Kamens een discussie uitgebroken of het hier wel om een beveiligingslek gaat. "Ik maak er [...]

By: jik

jik — Tue, 07 Sep 2010 14:15:18 +0000

@RichieB: I agree with pretty much everything you wrote. However, my major complaint is that if you’re going to offer a security-related feature, it’s your responsibility and obligation to make it secure. Where Apple failed unacceptably was in implementing a laughably insecure “security” feature.

By: RichieB

RichieB — Tue, 07 Sep 2010 11:44:00 +0000

I agree with Apple that if an individual already knows the child and parent E-mail addresses. the risk posed by circumventing the parental controls is medium at best. However, the approval process seems flawed (does it rely on SMTP headers?) and should be fixed.

Parents however should realize that these type of parental controls are (and always will be) weak. Instead of limiting your children’s online experience, educate them about the dangers of communicating with strangers (in general, not only online) and disclosing private information. This way they will become more responsible netizens that will be able to take care of themselves online.

By: David

David — Mon, 06 Sep 2010 21:26:17 +0000

Good luck with this. Unfortunately I found the whole Parental
Controls system to be buggy and cumbersome to the point where it was useless, so had to remove it from my son’s account. I think it will be a while before it’s deemed worthy of a rewrite.

By: jik

jik — Fri, 03 Sep 2010 22:37:56 +0000

I respectfully disagree.

The parental controls impose a security restriction, i.e., a restriction on the entities with whom a user is allowed to exchange email. This vulnerability allows that restriction to be bypassed, which is to my mind makes it applicable to both the second and third points you listed.

I’m making a big deal out of it because it is a big deal. Parents are led by Apple to believe that the parental controls will prevent their children from being able to correspond with strangers on the Internet, which is a huge safety concern, when in fact that they will not.

By: Commonsensicus

Commonsensicus — Fri, 03 Sep 2010 22:25:52 +0000

You shouldn’t refer to this bug as a “vulnerability” or an “exploit”. All it allows you to do is send email to someone whose email address you already know. That’s not terribly surprising, really. Now, if this bug allowed the attacker to actually execute code on the victim’s machine, you could call it an “exploit”; but just being able to hold an email conversation with the victim isn’t a bad thing.

For CVE, a vulnerability is a state in a computing system (or set of systems) that either:

* allows an attacker to execute commands as another user
* allows an attacker to access data that is contrary to the specified access restrictions for that data
* allows an attacker to pose as another entity
* allows an attacker to conduct a denial of service

This is pretty clear from MITRE’s website, which you seem to be fond of, so it’s surprising that you’re making a big deal about it.

By: Sabahattin Gucukoglu

Sabahattin Gucukoglu — Wed, 01 Sep 2010 16:58:09 +0000

“You may be right, but I’m doing my best to try all other potential channels before resorting to that.”

Join the club, mate. And I hope your will is stronger than mine. My issue got a CVE but still (after nearly a year) isn’t fixed. I’m not clear whether Apple motivated the CVE, or full-disclosure/bugtraq.

Cheers,
Sabahattin