| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <00e401c357a5$c373c370$2d1ba8c0@blesdal> Date: Thu, 31 Jul 2003 15:53:14 -0500 From: "Fred Noltie" <noltie@...mail.net> To: <bugtraq@...urityfocus.com> Subject: Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14) From: "Brian Eckman" <eckman@....edu> > > If someone were to find a way to bind to those hotkeys, would you > > then consider this a security issue with Windows? If so, how is > > Apple's failure to block kill calls to the screen saver not a > > security issue? > > > > Gavin > > > Windows does allow others to bind to those hotkeys. The Novell client is > a good example. The Novell NDS password can be used to unlock the screen > saver, without requiring the Windows password to be entered. Obviously > other programs could bypass the Windows authentication as well. > It's been a few years and things may have changed, but in the past Novell accomplished this by replacing the standard msgina.dll with one of their own making. Microsoft provides information on how to do this sort of thing: http://support.microsoft.com/default.aspx?scid=kb;en-us;810756 FWIW, there is even a GNU replacement (well, for NT, anyway): http://wwwthep.physik.uni-mainz.de/~frink/newgina_pre09/readme.html It seems to me, though, that if the admin replaces Microsoft's GINA, he can't complain about how (or whether) the replacement traps Ctrl+Alt+Del. I don't think (though I may be mistaken) that there's a way to trap those hotkeys when Microsoft's msgina.dll is in place and working properly. Regards, Fred Noltie
Powered by blists - more mailing lists