Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14)

From: Brian Eckman (eckman_at_umn.edu)
Date: 07/31/03

    Date: Thu, 31 Jul 2003 15:07:49 -0500
    To: Gavin Hanover <ghanover@avantipress.com>, bugtraq@securityfocus.com
    
    

    Gavin Hanover wrote:
    > I don't quite agree. Windows uses control-alt-delete as a security
    > device. It binds those keys as a hotkey in such a way that no other
    > application can replace it. This is why it is used at logon; it
    > prevents a user from creating a program that looked like a logon
    > prompt, and could bind the control-alt-delete keys to display a
    > password prompt. (pressing control-alt-delete in any application
    > other than the logon screen would display the "shutdown/logoff/task
    > manager" window, at which point you would know not to enter your
    > password in any prompt)
    > If someone were to find a way to bind to those hotkeys, would you
    > then consider this a security issue with Windows? If so, how is
    > Apple's failure to block kill calls to the screen saver not a
    > security issue?
    >
    > Gavin

    Windows does allow others to bind to those hotkeys. The Novell client is
    a good example. The Novell NDS password can be used to unlock the screen
    saver, without requiring the Windows password to be entered. Obviously
    other programs could bypass the Windows authentication as well.

    Brian

    -- 
    Brian Eckman
    Security Analyst
    OIT Security and Assurance
    University of Minnesota
    612-626-7737
    "There are 10 types of people in this world. Those who
    understand binary and those who don't."
    
