Hole in Netopia's Mac OS X Timbuktu

From: Macintosh Security (macsecat_private)
Date: Wed Apr 18 2001 - 21:52:32 PDT


    SecureMac.com - 04.19.2K1
    http://www.securemac.com/
    
    Security Advisory
     subject: Netopia's Mac OS X Timbuktu Preview
     method: not remote - console only
    
    Netopia's Mac OS X version of Timbuktu makes it 
    possible to gain full access without logging in.
    
    Scenario:
    At the login screen of the freshly updated Mac OS X 
    with the preview version of Timbuktu for Mac OS X, we 
    have found a Timbuktu icon in the upper left hand 
    portion of the screen. The menu contains all of the 
    goodies (open Timbuktu, turn TCP on/off, about, etc.) 
    Timbuktu users have known and loved from the 
    classic OS. The About Timbuktu menu item, when 
    clicked, gives you full control of the Apple menu and 
    System Preferences without even being logged into 
    OS X.
    
    Having access to the System Preferences without 
    being logged in can allow access to the users panel 
    where someone could change passwords or any 
    system setting. 
    
    Essentially, you've got admin access to the entire 
    system prefs window and the users panel even 
    shows the hidden admin/root user.
    
    If you have purchased this product and would like this 
    issue taken care of, please contact Netopia.
    
    Netopia - "Although we welcome your feedback, the 
    software is sold without warranty" 
    
    
    http://www.securemac.com/timubktuosxpreviewhole.cfm
    
    SM
    


