Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14)

From: Alaric B Snell (alaric_at_alaric-snell.com)
Date: 07/31/03

    Date: Thu, 31 Jul 2003 18:54:50 +0100
    To: Rizwan Jiwan <Rizwan.Jiwan@KINGSTON.Hummingbird.com>
    
    

    Rizwan Jiwan wrote:
    > I wouldn't consider this a bug. It is like me writing a script that kills
    > any process named "ScreenSaverEngine". If I run it with my privileges it
    > should allow me to kill the process (assuming I own ScreenSaverEngine).
    > Escape Pod does what it is meant to. OS X does what it is meant to--that is
    > unless you are suggesting that the operating system not allow the user to
    > kill the screen saver process which is just stupid because I have had my
    > screen saver crash on me.

    Yes. But either way, it looks as if a side effect of Escape Pod is that
    it nullifies the security of the screen saver.

    It sounds like the real issue is that the screensaver is meant
    to lock the keyboard, mouse, and display device to prevent tampering by
    passers-by (who do not have the option of taking the machine home and
    mounting the disk in another machine et al.). The flaw seems to be in
    that the OS is still passing keyboard events to the likes of Escape Pod
    when the screensaver has asked to lock the keyboard. Maybe it's the
    screen saver's fault, in that it's not properly locking the keyboard,
    but it's more likely to be that the code in the GUI that handles locking
    the console should disable 'hotkey' processing too.

    >
    > -Riz
    >

    ABS

