lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3F297715.2060500@umn.edu>
Date: Thu, 31 Jul 2003 15:07:49 -0500
From: Brian Eckman <eckman@....edu>
To: Gavin Hanover <ghanover@...ntipress.com>,
	bugtraq@...urityfocus.com
Subject: Re: Another Mac OS X ScreenSaver Security Issue (after Security 
   Update 2003-07-14)


Gavin Hanover wrote:
> I don't quite agree. Windows uses control-alt-delete as a security
> device. It binds those keys as a hotkey in such a way that no other
> aplication can replace it. This is why it is used at logon; it
> prevents a user from creating a program that looked like a logon
> prompt, and could bind the control-alt-delete keys to display a
> password prompt. (pressing control-alt-delete in any application
> other than the logon screen would display the "shutdown/logoff/task
> manager" window, at which point you would know not to enter your
> password in any prompt)
> If someone were to find a way to bind to those hotkeys, would you
> then consider this a security issue with Windows? If so, how is
> Apple's failure to block kill calls to the screen saver not a
> security issue?
> 
> Gavin


Windows does allow others to bind to those hotkeys. The Novell client is 
a good example. The Novell NDS password can be used to unlock the screen 
saver, without requiring the Windows password to be entered. Obviously 
other programs could bypass the Windows authentication as well.

Brian
-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ