On Wednesday, July 30, 2003, at 04:56 PM, Patrick Haruksteiner wrote: > > On Wednesday, July 30, 2003, at 10:07 h, Doug White wrote: >> On Tue, 29 Jul 2003, Patrick Haruksteiner wrote: >> >>> I discoverd another security issue with the Mac OS X screensaver. >>> If you have installed escapepod from Ambrosia Software and hit >>> crtl-alt-delete(==backspace) when the screensaver with password >>> protection is running, it kills the screensaver and the desktop is >>> open to anybody - so it has the same effect as the recently >>> emerged password-exploit. >> >> This is not a bug in Apple software. This is a third party extension. >> >> Ambrosia's Escape Pod is a utility that kills the frontmost app when >> the >> shortcut keystroke is typed. Naturally it does not ship with MacOS X. >> >> Since the screen saver is just another application (called >> ScreenSaverEngine), if you hit the kill key when its running, it gets >> killed. Fancy that! > > I know that! But it should be the concern of the OS that you cannot > circumvent its security system with the help of other applications! > > I agree with Doug White in the assessment that this is, in fact, an issue that is the responsibility of Ambrosia, if it is to be considered a security issue at all. Apple cannot be held responsible for the code of third party developers. I downplay the definition of this as a security issue at all because there are so many immediate workarounds. One is not running or installing Escape Pod in the first place. Another is simply logging out when you leave your workstation, rather than relying on ScreenSaverEngine for your security. Bottom line, there are more direct and more threatening exploits that are available to people who happen upon an OS X machine unattended. Allow me to describe a couple of them: 1) If a user finds a machine unattended, whether running ScreenSaverEngine or not, and regardless of the presence of Escape Pod on said machine, the machine can be booted from an OS X installation CDROM, at which point the "Reset Password" option can be used to change root access to the machine, which allows the user to log in as root, then change the password for any account, including whatever account was initially running ScreenSaverEngine. Data can then be removed or overwritten at said user's discretion. 2) If an unattended machine is discovered, it can also be powered down, and carried off, physically, without regard to the presence of ScreenSaverEngine or Escape Pod. Do these constitute security threats or exploits that are Apple's responsibility to protect against? Of course not. Both are common sense examples of how many security measures can be circumvented using simple, direct techniques. Neither implies that anyone at Apple should be recoding the operating system, or any of it's underlying core technologies in order to prevent them from being used. Beispiel: If the rightful user/administrator of any given OS X machine were to install the following shell script, how would it be Apple's responsibility to prevent this? #!/bin/sh while true do killall ScreenSaverEngine sleep 60 done - m a t t h e w n . s h a r p mns(at)mnslab.com
This archive was generated by hypermail 2b30 : Thu Jul 31 2003 - 12:00:32 PDT