Slashdot Mirror


Screensaver Bug in Mac OS X

dave1212 writes "Still too early to tell, but there seems to be a screen saver password exploit in Mac OS X. It was discovered and posted on the Full Disclosure list earlier today. Theories, personal tests, and rumours abound, with some success stories, and the possibility that it could affect all Cocoa programs. Speculation points toward a 2048 character buffer, with people using the emacs shortcuts Ctrl-K and Ctrl-Y to fill the text field in under half a minute."

21 of 452 comments

  1. Finally, there's no objection! by HomerNet · · Score: 5, Funny

    A full, easily exploitable security hole in MacOS X. Now all those windoids will have no reason not to switch, as MacOS X now provides all the features of Windows, including a security hole.

    --
    I have no tag line
    1. Re: Finally, there's no objection! by Black+Parrot · · Score: 3, Funny


      > A full, easily exploitable security hole in MacOS X. Now all those windoids will have no reason not to switch, as MacOS X now provides all the features of Windows, including a security hole.

      And think how much faster the exploits will run on a G5!

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:Finally, there's no objection! by Alsee · · Score: 4, Funny

      Now all those windoids will have no reason not to switch, as MacOS X now provides all the features of Windows, including a security hole.

      I'm sorry but you're going to have to provide support for more than a single security hole before you convince me to switch. Windows has a proven track record of reliable security holes in almost every portion of the system, everything from E-mail to wordprocessors to Plug-N-Play and more.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    3. Re:Finally, there's no objection! by fireman+sam · · Score: 5, Funny

      The real reason that Apple didn't go with Linux is because they had a conversation with RMS. The outcome of which would have resulted in the calling of the product GNU/Linux/OSX/Aqua. Apple just couldn't bring themselves to share the product name with any other company/entity.

      --
      it is only after a long journey that you know the strength of the horse.
    4. Re:Finally, there's no objection! by LittleBigLui · · Score: 3, Funny

      yeah, but you wouldn't call SunOS a UNIX. I mean, its name doesn't even end in an "x"!!

      --
      Free as in mason.
  2. Oh my god! by sageFool · · Score: 5, Funny

    Someone with physical access to your machine can access it!! WHO KNEW?! Call in the army reserve and physically secure access to all your machines!

  3. So...my cat by Spoticus · · Score: 5, Funny

    can hop up on the desk and crack OS X?

  4. emacs in a password box... by ceswiedler · · Score: 5, Funny

    Hah! I knew it! Mac OSX isn't based on Mach or BSD at all! It runs on top of emacs!

    Actually, the thing that surprises me is that they managed to trim emacs down so it's only an operating system.

  5. Quick summary of article. by Anonymous Coward · · Score: 5, Funny

    It's been discovered that someone with physical access to your computer can access it.

  6. Very Good News for Me! by Doctor+Sbaitso · · Score: 4, Funny

    My local computer store has password-protected screensavers on all its demo Macs - now I'll be able to surf the web for... ahem... "those" sites... when the store employees aren't looking!

    --

    ---
    Hello, Slashdot user. My name is Dr. Sbaitso. I am here to help you.
    1. Re:Very Good News for Me! by Lord_Dweomer · · Score: 4, Funny
      "My local computer store has password-protected screensavers on all its demo Macs - now I'll be able to surf the web for... ahem... "those" sites... when the store employees aren't looking!"

      Yes, but please be thoughtful of other people who might happen to see the screen while you're on the site....Besides, you can go to www.msn.com from home anyways.

      --
      Buy Steampunk Clothing Online!
    2. Re:Very Good News for Me! by NotAnotherReboot · · Score: 4, Funny

      Type in goatse.cx links in a Safari window and put the screensaver back on. Allow unsuspecting employees to turn off the screensaver and hit enter.

    3. Re:Very Good News for Me! by Trurl's+Machine · · Score: 3, Funny

      I think they will be rather happy about that. How many times do visitors call them with this annoying "sir, can you unlock this screensaver, please"? (and then the inevitable "damned, where did I stick this post-it note with our current password"). I bet the whole instruction "how to crash the screensaver in 3 easy steps" will be pasted right at the entrance!

  7. Re:Why... by Waffle+Iron · · Score: 4, Funny
    Is it always buffer overflows? :/

    Because extensive user testing has shown that some people can type their passwords so fast that even a GHz-class RISC processor can't keep up unless the password capture program is written in C. The system can fall behind if it takes more than a handful of opcodes per character in the inner loop. Unfortunately, these performance constraints preclude checking array bounds between each typed character.

    It's regrettable that we have to live with risks like these, but we have little choice when dealing with data input at these kinds of speeds.

  8. Re:Why... by Alsee · · Score: 4, Funny

    a GHz-class RISC processor can't keep up unless the password capture program is written in C.

    How the hell did you get it to work in C? I had to hand roll the code in assembler and optimize the register allocations. You can also save a byte and a cycle on the loop if you take the branch-prediction microcode into account.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  9. HERE's an even simpler hack by goombah99 · · Score: 3, Funny
    got physical access? good. then put in an install CD. boot it, and select change password from the menu. Ta Da.

    Oh you don't want to change the password? well then boot in single user mode and you don't need one. Ta Da

    Oh they left open firmware on? open the case and remove one of the memory cards. reboot. ta da!

    --
    Some drink at the fountain of knowledge. Others just gargle.
  10. i saw this in a movie by cyberrodent · · Score: 3, Funny

    that's how Mystique hacked into that government computer in Xmen 2 -- and I'm pretty sure that's how Jeff Goldblum hacked into the alien ship too - only we didn't know it at the time because os X was only released to celebrities at that time.

    (and that's why he did those commercials too!)

    cyberRodent

    --
    Talk is cheap. Supply exceeds demand.
  11. Revenge of the drinking bird by gotr00t · · Score: 4, Funny
    Like how Homer Simpson got his "drinking bird" to cover for him by constantly pressing 'y' while he went to the movies, you could do the same thing. Have one of those drinking birds continually tap a single key over and over again while the Mac is in screensaver mode, and EVENTUALLY, it will terminate due to this bug.

    It probably didn't work for you because you didn't type enough stuff. Go buy a drinking bird.

  12. Doesn't work at all! WTF? by EvilStein · · Score: 5, Funny

    I got drunk last night and passed out at the keyboard and came 'round *six hours later* - a lot longer than the 5 minutes needed for this "exploit" and I STILL couldn't get into my Mac OS X box.

    Couldn't find any more beer, and I couldn't find my pants, either.. but that's another story.. grrr

  13. Re:Why... by LittleBigLui · · Score: 3, Funny

    you can't imagine how much the resource usage can be optimized by constraining the password to 4 letters max, only caps, and only letters from A to D, no numbers or other symbols. By imposing those limits on the passwords you could implement range-checking and avoid any and all buffer overflows, hence making the system WAY MORE SECURE!

    --
    Free as in mason.
  14. Re:Hey! I'm famous. by Lev13than · · Score: 5, Funny

    If OS X was truly open source, we'd probably be patching our machines right now, instead of impotently discussing this on slashdot.

    True, except you wouldn't be able to run Fink to download the screensaver patch until you figure out why your computer crashes every time you type with your hardware-hacked keyboard. You suspect that it's because your version of OpenAqua is creating conflicts with GND (GND's Not Darwin), but you can't go online to check because the web forum doesn't support OnSafari 0.1.2.33a.

    --
    When you have nothing left to burn you must set yourself on fire