| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 31 Jul 2003 15:08:14 -0400 From: "Gavin Hanover" <ghanover@...ntipress.com> To: "mns" <mns@...lab.com>, <bugtraq@...urityfocus.com> Subject: Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I don't quite agree. Windows uses control-alt-delete as a security device. It binds those keys as a hotkey in such a way that no other aplication can replace it. This is why it is used at logon; it prevents a user from creating a program that looked like a logon prompt, and could bind the control-alt-delete keys to display a password prompt. (pressing control-alt-delete in any application other than the logon screen would display the "shutdown/logoff/task manager" window, at which point you would know not to enter your password in any prompt) If someone were to find a way to bind to those hotkeys, would you then consider this a security issue with Windows? If so, how is Apple's failure to block kill calls to the screen saver not a security issue? Gavin : I agree with Doug White in the assessment that this is, in fact, an : issue : that is the responsibility of Ambrosia, if it is to be considered a : security : issue at all. Apple cannot be held responsible for the code of third : party : developers. : : I downplay the definition of this as a security issue at all because : there are : so many immediate workarounds. One is not running or installing Escape : Pod : in the first place. Another is simply logging out when you leave your : workstation, : rather than relying on ScreenSaverEngine for your security. Bottom line, : there are more direct and more threatening exploits that are available : to : people who happen upon an OS X machine unattended. Allow me to describe : a couple of them: : : 1) If a user finds a machine unattended, whether running : ScreenSaverEngine : or not, and regardless of the presence of Escape Pod on said machine, : the : machine can be booted from an OS X installation CDROM, at which point : the : "Reset Password" option can be used to change root access to the : machine, : which allows the user to log in as root, then change the password for : any account, : including whatever account was initially running ScreenSaverEngine. : Data can : then be removed or overwritten at said user's discretion. : : 2) If an unattended machine is discovered, it can also be powered : down, and : carried off, physically, without regard to the presence of : ScreenSaverEngine : or Escape Pod. : : Do these constitute security threats or exploits that are Apple's : responsibility : to protect against? Of course not. Both are common sense examples of : how many : security measures can be circumvented using simple, direct techniques. : Neither : implies that anyone at Apple should be recoding the operating system, : or any of : it's underlying core technologies in order to prevent them from being : used. : : Beispiel: If the rightful user/administrator of any given OS X machine : were to install : the following shell script, how would it be Apple's responsibility to : prevent this? : : #!/bin/sh : while true : do : killall ScreenSaverEngine : sleep 60 : done : : : - : m a t t h e w n . s h a r p : mns(at)mnslab.com -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.2 iQA/AwUBPylpHDJ2eyFxcwE8EQJicwCgnSYRGSUNTfNMAV0iou93BBdp7igAoNqQ H3kwAEa039HOvQw6E3TnIZ+B =qfb3 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists