Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14)
From: Mark Tinberg <mtinberg () securepipe com>
Date: Sat, 2 Aug 2003 03:42:37 -0500 (CDT)
On Tue, 29 Jul 2003, Patrick Haruksteiner wrote:

> I discovered another security issue with the Mac OS X screensaver.
> If you have installed escapepod from Ambrosia Software and hit
> ctrl-alt-delete(==backspace) when the screensaver with password
> protection is running, it kills the screensaver and the desktop is
> open to anybody - so it has the same effect as the recently
>
> I expected that there should be a forced logout, if the screensaver
> dies... - but there is no such behavior...
>
> I have already reported this to product-security () apple com, but
> as usual with no reply...
>
> Tested on this System Configuration:
> Mac OS X 10.2.6 with Security Update 2003-07-14
> 1GHz PowerBook G4
> escapepod 1.0.0d3 from http://www.ambrosiasw.com/utilities/

I'm surprised at all the confusion about this issue from the people on the
list. It seems to me that the responsibility for fixing this problem is
Apple's and that the correct course of action is for the screen lock
utility to block _ALL_ access to keyboard and mouse events for any other
process. When the screenlock is running, it should:
1) Always be on top of other windows. The window manager should not
allow windows to popup over the screensaver, and certainly not allow
2) All input should be bound to the screensaver process, no other
process should be allowed keyboard/mouse input. Certainly all
hotkeys should be disabled
3) For extra points, in event of failure, system should immediately log
out the console user. It should fail closed if possible, rather than
give away console access in the event of an error.
There are probably a few other responsibilities that a screen lock has
that I can't think of at the moment, but the main thrust is that a screen
lock should enforce security policy within its realm of responsibility.
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer, SecurePipe Inc.
New Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67
 Or really any HID or ADB device. It might be easier and safer to
just disable everything that isn't a keyboard.
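
Point 3 of the message above (fail closed when the screen lock dies), as an added example that is not part of the original message or of any vendor's code: a supervisor that starts the locker and ends the session unless the locker exits with status 0. The "exit 0 means authenticated unlock" convention, the `end_session` callback and the command-line layout are assumptions.

```python
import os
import signal
import sys

def describe(status):
    """Map a waitpid() status to (unlocked, reason). Only exit code 0 unlocks."""
    if os.WIFSTOPPED(status):
        return False, "locker stopped by " + signal.Signals(os.WSTOPSIG(status)).name
    if os.WIFSIGNALED(status):
        return False, "locker killed by " + signal.Signals(os.WTERMSIG(status)).name
    code = os.WEXITSTATUS(status)
    return code == 0, f"locker exited with status {code}"

def supervise(locker_argv, end_session):
    """Run the locker; call end_session(reason) unless it exits cleanly."""
    pid = os.fork()
    if pid == 0:                      # child: become the locker
        try:
            os.execvp(locker_argv[0], locker_argv)
        finally:
            os._exit(127)             # exec failed: the screen was never locked
    # WUNTRACED: also return if the locker is suspended instead of killed
    _, status = os.waitpid(pid, os.WUNTRACED)
    unlocked, reason = describe(status)
    if os.WIFSTOPPED(status):         # a frozen locker cannot check a password
        os.kill(pid, signal.SIGKILL)
        os.waitpid(pid, 0)            # reap it so no zombie is left behind
    if not unlocked:
        end_session(reason)           # fail closed: crash, kill and stop all end here
    return unlocked, reason

if __name__ == "__main__":
    # Hypothetical usage: supervise.py <end-session command...> -- <locker command...>
    split = sys.argv.index("--")
    end_cmd, locker = sys.argv[1:split], sys.argv[split + 1:]

    def end_session(reason):
        print("ending session:", reason, file=sys.stderr)
        os.spawnvp(os.P_WAIT, end_cmd[0], end_cmd)

    supervise(locker, end_session)
```

The supervisor only helps if the console user's hotkeys and signals cannot reach it, so it belongs in the session's parent or a more privileged process rather than beside the locker.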