[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.55.0308020325120.10769@tinberg.wi.securepipe.com>
Date: Sat, 2 Aug 2003 03:42:37 -0500 (CDT)
From: Mark Tinberg <mtinberg@...urepipe.com>
To: Patrick Haruksteiner <haruk@....at>
Subject: Re: Another Mac OS X ScreenSaver Security Issue (after Security
Update 2003-07-14)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 29 Jul 2003, Patrick Haruksteiner wrote:
> I discoverd another security issue with the Mac OS X screensaver.
> If you have installed escapepod from Ambrosia Software and hit
> crtl-alt-delete(==backspace) when the screensaver with password
> protection is running, it kills the screensaver and the desktop is
> open to anybody - so it has the same effect as the recently
> emerged password-exploit.
> I expected that there should be a forced logout, if the screensaver
> dies... - but there is no such behavior...
>
> I have allready reported this to product-security@...le.com, but
> as usual with no reply...
>
> Tested on this System Configuration:
>
> Mac OS X 10.2.6 with Security Update 2003-07-14
> 1GB RAM
> 1GHZ PowerBook G4
> escapepod 1.0.0d3 from http://www.ambrosiasw.com/utilities/
> freebies/
I'm surprised at all the confusion about this issue from the people on the
list. It seems to me that the responsibility for fixing this problem is
Apple's and that the correct course of action is for the screen lock
utility to block _ALL_ access to keyboard and mouse events for any other
process. When the screenlock is running, it should:
1) Always be on top of other windows. The window manager should not
allow windows to popup over the screensaver, and certainly not allow
them input
2) All input should be bound to the screensaver process, no other other
process should be allowed keyboard/mouse[0] input. Certainly all
hotkeys should be disabled
3) For extra points, in event of failure, system should immediately log
out the console user. It should fail closed if possible, rather than
give away console access in the event of an error.
There are probably a few other responsibilities that a screen lock has
that I can't think of at the moment, but the main thrust is that a screen
lock should enforce security policy within its realm of responsibility.
- --
Mark Tinberg <MTinberg@...urepipe.com>
Network Security Engineer, SecurePipe Inc.
New Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67
[0] Or really any HID or ADB device. It might be easier and safer to
just disable everything that isn't a keyboard.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/
iD8DBQE/K3l+Fu7F5OUjbGcRAmeEAJwPwx2A3kXC9aOikXOSfPZ0/Pr2ygCeOf0a
VlGpRBfYTM7/tFO9lVntl9Q=
=cEWK
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists