| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 31 Jul 2003 18:54:50 +0100 From: Alaric B Snell <alaric@...ric-snell.com> To: Rizwan Jiwan <Rizwan.Jiwan@...GSTON.Hummingbird.com> Subject: Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14) Rizwan Jiwan wrote: > I wouldn't consider this a bug. It is like me writing a script that kills > any process named "ScreenSaverEngine". If I run it with my privileges it > should allow me to kill the process (assuming I own ScreenSaverEngine). > Escape Pod does what it is meant to. OS X does what it is meant to--that is > unless you are suggesting that the operating system not allow the user to > kill the screen saver process which is just stupid because I have had my > screen saver crash on me. Yes. But either way, it looks as if a side effect of Escape Pod is that it nullifies the security of the screen saver. It sounds like the real issue is that the screensaver - which is meant to lock the keyboard, mouse, and display device to prevent tampering by passers-by (who do not have the option of taking the machine home and mounting the disk in another machine et al). The flaw seems to be in that the OS is still passing keyboard events to the likes of Escape Pod when the screensaver has asked to lock the keyboard. Maybe it's the screen saver's fault, in that it's not properly locking the keyboard, but it's more likely to be that the code in the GUI that handles locking the console should disable 'hotkey' processing too. > > -Riz > ABS
Powered by blists - more mailing lists