Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14)

From: Patrick Haruksteiner (harukat_private)
Date: Tue Jul 29 2003 - 14:29:07 PDT

    Hi there!
    
    I discovered another security issue with the Mac OS X screensaver.
    If you have installed escapepod from Ambrosia Software and hit
    ctrl-alt-delete (==backspace) when the screensaver with password
    protection is running, it kills the screensaver and the desktop is
    open to anybody - so it has the same effect as the recently
    emerged password-exploit.
    I expected that there should be a forced logout, if the screensaver
    dies... - but there is no such behavior...
    
    I have already reported this to product-securityat_private, but
    as usual with no reply...
    
    Tested on this System Configuration:
    
    Mac OS X 10.2.6 with Security Update 2003-07-14
    1GB RAM
    1GHz PowerBook G4
    escapepod 1.0.0d3 from http://www.ambrosiasw.com/utilities/freebies/
    
    
    --
    
    /harp
    


