Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14)

From: Gavin Hanover (ghanover_at_avantipress.com)
Date: 07/31/03

  • Next message: David Riley: "Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14)" 
    To: "mns" <mns@mnslab.com>, <bugtraq@securityfocus.com>
Date: Thu, 31 Jul 2003 15:08:14 -0400

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    I don't quite agree. Windows uses control-alt-delete as a security
    device. It binds those keys as a hotkey in such a way that no other
    aplication can replace it. This is why it is used at logon; it
    prevents a user from creating a program that looked like a logon
    prompt, and could bind the control-alt-delete keys to display a
    password prompt. (pressing control-alt-delete in any application
    other than the logon screen would display the "shutdown/logoff/task
    manager" window, at which point you would know not to enter your
    password in any prompt)
    If someone were to find a way to bind to those hotkeys, would you
    then consider this a security issue with Windows? If so, how is
    Apple's failure to block kill calls to the screen saver not a
    security issue?

    Gavin

    : I agree with Doug White in the assessment that this is, in fact, an
    : issue
    : that is the responsibility of Ambrosia, if it is to be considered a
    : security
    : issue at all. Apple cannot be held responsible for the code of
    third
    : party
    : developers.
    :
    : I downplay the definition of this as a security issue at all
    because
    : there are
    : so many immediate workarounds. One is not running or installing
    Escape
    : Pod
    : in the first place. Another is simply logging out when you leave
    your
    : workstation,
    : rather than relying on ScreenSaverEngine for your security. Bottom
    line,
    : there are more direct and more threatening exploits that are
    available
    : to
    : people who happen upon an OS X machine unattended. Allow me to
    describe
    : a couple of them:
    :
    : 1) If a user finds a machine unattended, whether running
    : ScreenSaverEngine
    : or not, and regardless of the presence of Escape Pod on said
    machine,
    : the
    : machine can be booted from an OS X installation CDROM, at which
    point
    : the
    : "Reset Password" option can be used to change root access to the
    : machine,
    : which allows the user to log in as root, then change the password
    for
    : any account,
    : including whatever account was initially running ScreenSaverEngine.
    : Data can
    : then be removed or overwritten at said user's discretion.
    :
    : 2) If an unattended machine is discovered, it can also be powered
    : down, and
    : carried off, physically, without regard to the presence of
    : ScreenSaverEngine
    : or Escape Pod.
    :
    : Do these constitute security threats or exploits that are Apple's
    : responsibility
    : to protect against? Of course not. Both are common sense examples
    of
    : how many
    : security measures can be circumvented using simple, direct
    techniques.
    : Neither
    : implies that anyone at Apple should be recoding the operating
    system,
    : or any of
    : it's underlying core technologies in order to prevent them from
    being
    : used.
    :
    : Beispiel: If the rightful user/administrator of any given OS X
    machine
    : were to install
    : the following shell script, how would it be Apple's responsibility
    to
    : prevent this?
    :
    : #!/bin/sh
    : while true
    : do
    : killall ScreenSaverEngine
    : sleep 60
    : done
    :
    :
    : -
    : m a t t h e w n . s h a r p
    : mns(at)mnslab.com

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.2

    iQA/AwUBPylpHDJ2eyFxcwE8EQJicwCgnSYRGSUNTfNMAV0iou93BBdp7igAoNqQ
    H3kwAEa039HOvQw6E3TnIZ+B
    =qfb3
    -----END PGP SIGNATURE-----

  • Next message: David Riley: "Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14)"

    Relevant Pages

    • RE: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14)
      ... I wouldn't consider this a bug. ... It is like me writing a script that kills ... should allow me to kill the process (assuming I own ScreenSaverEngine). ... Another Mac OS X ScreenSaver Security Issue (after Security ...
      (Bugtraq)
    • Re: how can I test the security of my Linux box ?
      ... Very few ppl are interested in going to jail for helping someone ... Just as BIND - use djbDNS instead of BIND. ... > SATAN is also another program to try on to test your security. ... Satan is quite old - Nessus will be much better nowadays. ...
      (comp.os.linux.security)
    • Re: Waiting for BIND security announcement
      ... include the fixes that the security officer deems important enough to ... I can't speak for the security team, but I'm pretty sure that this ... There is even an option in the port to overwrite the base BIND ... name server to the big bad world while tracking RELENG_N_M ("release ...
      (freebsd-questions)
    • Re: ADAM - New users reading data - best practices
      ... You bind to the directory (or the connection to the ... AUTHENTICATED USERS built-in security principal for your ACL entries. ...
      (microsoft.public.windows.server.active_directory)
    • TCP/IP for HP OpenVMS Bind Version 8 Potential Denial
      ... SSRT3653 - TCP/IP for HP OpenVMS Bind Version 8 Potential Denial ... Software Security Response Team ...
      (comp.os.vms)
    • Quantcast