Bugtraq mailing list archives

Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14)
From: Mark Tinberg <mtinberg () securepipe com>
Date: Sat, 2 Aug 2003 03:42:37 -0500 (CDT)

On Tue, 29 Jul 2003, Patrick Haruksteiner wrote:

> I discovered another security issue with the Mac OS X screensaver.
> If you have installed escapepod from Ambrosia Software and hit
> ctrl-alt-delete(==backspace) when the screensaver with password
> protection is running, it kills the screensaver and the desktop is
> open to anybody - so it has the same effect as the recently
> emerged password-exploit.
> I expected that there should be a forced logout, if the screensaver
> dies... - but there is no such behavior...
>
> I have already reported this to product-security () apple com, but
> as usual with no reply...
>
> Tested on this System Configuration:
>
> Mac OS X 10.2.6 with Security Update 2003-07-14
> 1GHz PowerBook G4
> escapepod 1.0.0d3 from http://www.ambrosiasw.com/utilities/

I'm surprised at all the confusion about this issue from the people on the
list.  It seems to me that the responsibility for fixing this problem is
Apple's and that the correct course of action is for the screen lock
utility to block _ALL_ access to keyboard and mouse events for any other
process.  When the screenlock is running, it should:

1)  Always be on top of other windows.  The window manager should not
    allow windows to pop up over the screensaver, and certainly not allow
    them input
2)  All input should be bound to the screensaver process, no other
    process should be allowed keyboard/mouse[0] input.  Certainly all
    hotkeys should be disabled
3)  For extra points, in event of failure, system should immediately log
    out the console user.  It should fail closed if possible, rather than
    give away console access in the event of an error.

There are probably a few other responsibilities that a screen lock has
that I can't think of at the moment, but the main thrust is that a screen
lock should enforce security policy within its realm of responsibility.

-- 
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer, SecurePipe Inc.
New Key fingerprint = FAEF 15E4 FEB3 08E8 66D5  A1A1 16EE C5E4 E523 6C67

[0]  Or really any HID or ADB device.  It might be easier and safer to
     just disable everything that isn't a keyboard.
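
Point 3 of the message above (fail closed and log out the console user if the screen lock dies) is shown here as an added example; it is not part of the original post and is not Apple's or Ambrosia's code. The function names, the "exit status 0 means the user authenticated" convention, and the `demo_end_session` stand-in for the real logout action are assumptions.

```c
/* Added example: fail-closed supervisor for a screen locker (hypothetical names). */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum lock_result { LOCK_UNLOCKED, LOCK_FAILED_CLOSED };

static int sessions_ended;              /* demo counter, for the stand-in below */
/* Stand-in for the platform's real "log out the console user" action. */
static void demo_end_session(void) { sessions_ended++; }

/* Run the locker and wait for it.  Only a normal exit with status 0
 * (assumed convention: user authenticated) returns to the desktop.
 * A kill signal, a crash, a non-zero exit, or a locker that never
 * started all end the session instead of exposing it. */
enum lock_result supervise_locker(char *const argv[], void (*end_session)(void))
{
    int status = 0, reaped = 0;
    pid_t pid = fork();

    if (pid == 0) {                     /* child: become the locker */
        execvp(argv[0], argv);
        _exit(127);                     /* exec failed: locker never ran */
    }
    if (pid > 0) {
        pid_t r;
        do {                            /* retry if interrupted by a signal */
            r = waitpid(pid, &status, 0);
        } while (r < 0 && errno == EINTR);
        reaped = (r == pid);
    }
    if (reaped && WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return LOCK_UNLOCKED;
    end_session();                      /* fail closed */
    return LOCK_FAILED_CLOSED;
}

int main(void)
{
    /* Constructed sample: a "locker" that gets killed, as in the report. */
    char *killed[] = { "/bin/sh", "-c", "kill -9 $$", NULL };
    enum lock_result r = supervise_locker(killed, demo_end_session);
    printf("%s\n", r == LOCK_UNLOCKED ? "unlocked" : "session ended");
    return 0;
}
```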
