Re: Mac OS 9 Idle Lock Bug

From: Zachary Keane (ZacharyKeaneat_private)
Date: Sun Oct 31 1999 - 20:44:19 PST


> I know the chatter on Bugtraq is usually reserved for UNIX and NT
> issues, however I found a bug in the Mac OS 9 idle locking function
> that's built-in to the operating system.  It's possible to set up the
> Finder so that, if the current user goes idle, the screen will be
> locked.  A simple dialog box is displayed stating that the system has
> been idle for too long and a password must be entered.
>
> You have two options.  Click OK and enter the password to return to
> your session or click OK and click Log Out.  It's possible to seize
> control of Mac OS under certain conditions by clicking Log Out.
>
> Some applications have the "feature" of asking you if you're sure that
> you want to quit.  For example, if connected to a UNIX host using
> NiftyTelnetSSH, it will ask you if you're sure you want to disconnect
> when the application quits.  Other applications with unsaved data will
> ask if you want to save changes.  Most of these dialog boxes have OK
> and Cancel or Yes, No and Cancel for options.  Hitting Cancel at any
> of these "are you sure" dialog boxes will stop the logout process and
> return you to the current session.
<snip>
Even more damning than this bug in the idle screen is the fact that one can
interrupt the idle screen by using the programmer's switch (on Macs that
have one) or cmd-pwr on the Macs that don't have one.  This drops you into
the micro-debugger, if you have no assembly-level debugger installed, or the
debugger of your choice (MacsBug for most, but I think there are a few
commercial ones out there).  From there, it is trivial to kill the idle
screen.  I'll post the details if folks are interested, but most of the
people who would care already know how to kill a program in MacsBug.
Anyway, this brings you back to the Finder, bypassing the idle lock-out.

Although the voice-recognition is undoubtedly cool, it would help if Apple
had bothered to even pretend to make their security features secure.  Oh
well, maybe in 9.1...

Regards,
Zachary Keane



--
"'Tis an old saying, the Devil lurks behind the cross. All is not gold that
glitters. From the tail of the plough, Bamba was made King of Spain; and
from his silks and riches was Rodrigo cast to be devoured by the snakes."
-Miguel de Cervantes, Don Quixote


