Slashdot Mirror


Screensaver Bug in Mac OS X

dave1212 writes "Still too early to tell, but there seems to be a screen saver password exploit in Mac OS X. It was discovered and posted on the Full Disclosure list earlier today. Theories, personal tests, and rumours abound, with some success stories, and the possibility that it could affect all Cocoa programs. Speculation points toward a 2048 character buffer, with people using the emacs shortcuts Ctrl-K and Ctrl-Y to fill the text field in under half a minute."

30 of 452 comments

  1. Why... by Anonymous Coward · · Score: 5, Insightful

    Is it always buffer overflows? :/

  2. 2 words by amanpatelhotmail.com · · Score: 2, Insightful

    log out!

  3. What, like this is the first security issue? by binaryDigit · · Score: 2, Insightful

    I don't see what the big deal with this is. It's not like Apple hasn't released other security patches to OSX. Or are we "forgiving" them for stuff that is found in the non Apple specific parts (e.g. sendmail), if so, why should we, they ship it, they charge for it, right? Anyone out there honestly believe that there aren't a whole host of other issues just waiting to be found?

  4. Still no evidence... by idiotnot · · Score: 4, Insightful

    ....that it's remotely exploitable.

    Any machine you can get physical access to is insecure.

    It shouldn't be that difficult to prove, though, if there's a cocoa-based network app where you could dump more than 2048 characters (Camino, perhaps?).

    1. Re:Still no evidence... by Sunnan · · Score: 4, Insightful

      I'm getting kinda tired of hearing "Pah! It wasn't a remote exploit, anyway..." followed by "Any machine you can get physical access to is insecure." as an excuse when there's a security hole. Sure, network exploits are worse but local exploits are still problems.

      As for "Any machine you can get physical with..", how about a machine with good security measures before and during the boot loading (to avoid stuff like bios/OF-tricks or the classic "passing /bin/sh to lilo"-trick) as well as encrypted filesystems to prevent someone just taking your disks and mounting them in another computer?

      Or I dunno, maybe any machine you can get physical with is insecure. That won't make me take this bug any less seriously. The unfreeness of many prominent cocoa objects, including end-user-widget ones, does seem like quite a risk to me. Relying on a single source of fixes has never been a good idea.

    2. Re:Still no evidence... by Anonymous Coward · · Score: 1, Insightful

      encrypted filesystems to prevent someone just taking your disks and mount them in another computer?

      Why bother? If it's that important, lock away the main case behind a concrete wall. Sure, you wouldn't be able to get to the CD-ROM drive either (unless it's external), but if security is that important, who cares?

      And aside from the fact that bugs are bad, local security holes can become remote security holes. All it takes is one "oops, you send keystrokes remotely, no big deal" bug.

  5. Re:The bug is bigger than the article lets on by tbmaddux · · Score: 5, Insightful

    In the meantime security savvy users should logout rather than trust the screen saver and use an Open Firmware password on their machine... don't forget the password or you will be totally screwed!

    The open firmware password can still be circumvented with physical access to the machine. Change the amount of RAM and then zap PRAM 3 times and you're in. Or just yank the hard drive and go to work on it at your leisure. So 1) you won't be totally screwed, and 2) you can't count on it to protect you. If someone can get to your machine, they don't need the exploit described in the original article to compromise it (though it does make things convenient).
    --
    Can't you see that everyone is buying station wagons?
  6. Once again... no response from the company? by kylef · · Score: 2, Insightful

    here is the mail that i've sent to apple security people, they didn't replied :(

    I'm not trying to blast Apple in particular here or anything, but it seems that all companies have had a poor record lately responding to security holes pointed out by email users. Recall the Microsoft Passport security vulnerability.

    Granted, I would guess that the email volume these receive claiming discovery of new exploits is daunting, but doesn't this deserve top priority for response?

  7. Good Grief! by computerme · · Score: 2, Insightful

    If you have access to any machine, you can override security. Can anyone say, "boot up with a cd-rom"? I thought you could. These are the droids you are looking for, move along... move along...

  8. Yawn.... by Anonymous Coward · · Score: 2, Insightful

    Wintel fanboys/Apple haters who are having your fun because (finally!) there's a security hole in Mac OS X, take note: This bug requires PHYSICAL ACCESS TO THE COMPUTER to exploit. Compared to the network security holes Windows is famous for (Nimda, Code Red, IE-buffer-overflow-of-the-week), this bug is about as serious as a typo in a dialog box.

  9. Re:Full Text by slamb · · Score: 4, Insightful

    An AC wrote: Oh, and OT, but this idiot can't write a sentence, there's no doubt he discovered this after falling asleep on the keyboard. fucking kids these days. :)

    About a message containing:

    Delfim Machado - dbcm@xpto.org
    XPTO:: Portuguese OpenSource Community - http://lab.xpto.org

    He's Portuguese. Could you have written that report as well in his language? I'm all for basic literacy, but I can speak English and a tiny bit of Spanish. I think anyone who can communicate in a language other than their native one is doing pretty well, even if the readers do have to struggle a bit.

  10. Re:Finally, there's no objection! by Anonymous Coward · · Score: 3, Insightful

    You just don't get it.

    Mac OS X doesn't have a UNIX layer like Cygwin.

    It IS a true, blue UNIX.

    see, cygwin can be removed from windows, there is absolutely no way to remove the UNIX CORE from Mac OS X.

    Use it, and you'll see.

  11. Physical access != physical access by yerricde · · Score: 3, Insightful

    Any machine you can get physical access to is insecure.

    Not all physical access is the same. Many demo machines in stores are left in screensaver mode, so that they show the computer is "doing something" without allowing users to write dirty messages in Notepad (or whatever Apple calls its version; I haven't used a Mac since Mac OS 8.1, when it was called "SimpleText"). It's easy to interact with the keyboard of a floor model, but it's often not feasible to turn off the machine and insert a boot disk, and it's definitely impossible to open the machine's case without getting caught, kicked out of the store, and possibly arrested for attempted vandalism.

    --
    Will I retire or break 10K?
  12. Re:Is this a true "buffer overflow" attack? by HeghmoH · · Score: 2, Insightful

    A buffer overflow just means that you overflow a buffer. This results in writing to memory beyond the buffer. Most buffer-overflow exploits involve using a buffer overflow to write interesting things to the memory beyond the buffer, resulting in having the program execute code the attacker sends it. But even if writing to that memory just crashes the program, it's still a buffer overflow.

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
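    A small model of the distinction this comment draws (overflowing a buffer versus what the stray write lands on), added here as an editor's example; it is not code from the thread or from Apple, and the 8-byte input buffer, the adjacent state word and the two copy routines are all constructed for illustration. The unchecked copy trusts the caller's length and runs past the buffer into the adjacent word; the checked copy rejects the oversized input before anything is written.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a text field's backing store: an 8-byte input
 * buffer followed directly by a 4-byte state word. Both live inside one
 * array so the "overflow" stays within defined memory for the demo. */
#define BUF_LEN 8
#define ADJ_LEN 4
#define STATE_INIT 0xC0FFEE00u   /* hypothetical marker value */

struct field {
    unsigned char mem[BUF_LEN + ADJ_LEN]; /* [0..7] input, [8..11] state */
};

/* Reset the field: empty input buffer, state word set to STATE_INIT. */
void field_init(struct field *f)
{
    uint32_t s = STATE_INIT;
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + BUF_LEN, &s, sizeof s);
}

/* Read the state word that sits right after the input buffer. */
uint32_t adjacent_state(const struct field *f)
{
    uint32_t s;
    memcpy(&s, f->mem + BUF_LEN, sizeof s);
    return s;
}

/* Defect: copies whatever length the caller supplies into the input
 * buffer. Anything beyond BUF_LEN lands on the state word. The single
 * guard only keeps this demo inside the array; it is not a fix. */
int store_unchecked(struct field *f, const char *src, size_t len)
{
    if (len > sizeof f->mem)
        return -1;
    memcpy(f->mem, src, len);   /* no check against BUF_LEN */
    return 0;
}

/* Fix: reject input that does not fit, leaving room for the NUL, and
 * only then copy. Adjacent memory is never touched. */
int store_checked(struct field *f, const char *src, size_t len)
{
    if (len >= BUF_LEN)
        return -1;              /* too long: refuse, write nothing */
    memcpy(f->mem, src, len);
    f->mem[len] = '\0';
    return 0;
}

int main(void)
{
    struct field f;
    const char *oversized = "AAAAAAAAAAAA";   /* 12 bytes, constructed */

    field_init(&f);
    store_unchecked(&f, oversized, 12);
    printf("unchecked: state word now 0x%08x (was 0x%08x)\n",
           adjacent_state(&f), STATE_INIT);

    field_init(&f);
    int rc = store_checked(&f, oversized, 12);
    printf("checked:   rc=%d, state word still 0x%08x\n",
           rc, adjacent_state(&f));
    return 0;
}
```

    The state word is stand-in for whatever really follows a fixed-size buffer (a saved pointer, a flag, a return address); the comment's point is that the overflow exists as soon as the write crosses the boundary, whether the result is a crash or something an attacker can steer.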
  13. Re:Finally, there's no objection! by GlassHeart · · Score: 5, Insightful

    Sounds like MacOSX can be called UNIX in the same way as Windows-95

    What are you talking about? A screensaver password vulnerability requires physical access to the machine. Most Unices will not protect against a malicious user with physical access, either.

    at least [Linux and NT] has a general design idea of what is a protection of user sessions.

    That's even more ridiculous. This is a bug, not something there by design.

  14. Re:ok people wtf by Lukey+Boy · · Score: 3, Insightful

    I disagree; in a work environment where there's a server room with a bunch of machines with a KVM attached but no physical access, this opens up the machines to attacks from insiders that don't have access.

    I mean, shit, when it comes to security it's always better to be safe than sorry.

  15. Re:LP by Phroggy · · Score: 4, Insightful

    Okay now...Apple is swiftly closing the gap with Microsoft in the amount of holes it has.

    Compare:

    Microsoft

    Apple

    Notice how many of Apple's security holes are actually holes in things like Sendmail, BIND, Samba, Apache and CUPS, all of which are off by default, and affect Linux and FreeBSD as well.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  16. The screensaver was never meant to be secure by Carthag · · Score: 2, Insightful

    It's a screensaver. It's not a lock-out mode. Hopefully, though, the new switch-user thingie in Panther will be what you're all thinking the screensaver is.

    1. Re:The screensaver was never meant to be secure by steeviant · · Score: 5, Insightful

      For the purposes of this post, I'll assume that we are including unix work alikes like Linux under the umbrella of Unix

      I don't think you understand much about this subject. Mac OS X is a multi user system from the ground up, as much as any other Unix system, the only thing that is NOT multi user about it at the moment is the GUI.

      If you go into /etc/inittab on any other Unix and comment out all of the lines that start virtual terminals except one, that doesn't stop it from being a Unix system, nor does it stop it being multiuser.

      You are confused about what makes a system into a Unix system. The architecture of Mac OS X is a lot like every other Unix system (but for a few technical changes to abstract the OS from the hardware, and make it easier to write low level OS plugins, and binary device drivers) until you reach the GUI level.

      If I take Linux or BSD or Solaris or HP/UX or AIX or Tru64 and put a GUI on it that is not the X Window System, it doesn't stop being a Unix machine.

      It seems like you think Apple took Mac OS 9, stuck a Unix layer like Cygwin on top and are trying to call it a Unix system. This is not the case. If anything, compatibility with Mac OS 9 is the thing that is tacked on and "not supposed to be there".

      If you want to read all about Mac OS X's history, so that you can fully understand it and not seem like an idiotic troll when posting on the subject, try reading something like these two O'Reilly articles on the history of Mac OS X.

      http://www.macdevcenter.com/pub/a/mac/2002/05/03/cocoa_history_one.html
      http://www.macdevcenter.com/pub/a/mac/2002/05/10/cocoa_history_two.html

      Anyway, rest assured that Apple didn't take their old OS and tack on new features to make it Unix, they took Unix, and tacked on new features to make it compatible with Mac OS.

  17. The tone of the original letter to apple by ultrapenguin · · Score: 4, Insightful

    Was so immature, it's no wonder it got ignored.
    I would be surprised if the mail didn't get deleted after just looking at the subject of it :)

    Seriously, people reporting security bugs need to start working on their English and sentence structure, and stop sounding like 10-year-old script kiddies.

  18. Re:ok people wtf by Orion_ · · Score: 2, Insightful

    If the root user leaves the machine screen-locked then anyone can access the system. How is this not bad?

    Agreed that this is bad, but the root user is disabled by default on OSX. If you enable the root account in Netinfo, log into the GUI with it, and then leave it logged in with a screen saver running, you're a fucking idiot anyway, and you really deserve what you get.

    That said, this will be a good test of Apple's response time for security issues. My understanding is that they've been pretty good about that; I guess we'll see.

  19. Doesn't matter by itistoday · · Score: 5, Insightful

    This requires "5 minutes" to hold down the key long enough. If one has access to a machine for 5 minutes then security doesn't matter. On any version of OS X one can simply launch up single-user mode when restarting and have Root access in under a minute.

  20. Re:Get root access by usr122122121 · · Score: 4, Insightful

    On any computer using OSX, it is possible to change the root password with 6 easy steps: [snip]
    This suggestion wouldn't work if the computer was secured with the Open Firmware Password method.

    Yes, the OF Password is also circumventable, but not if the machine is physically locked :-)

    If you want your machine to be secure, you can take steps to ensure that it is, regardless of platform, but when there is physical access to the machine it generally takes a lot more security to do so.

    --

    -braxton
  21. Re:Earlier Today.... by Anonymous Coward · · Score: 2, Insightful

    Because /. is about bitching about problems, not fixing them. With its own list, there'd be one less thing to bitch about.

  22. Re:Hey! I'm famous. by joeykiller · · Score: 5, Insightful

    Well, perhaps you would be patching your machine if OS X were open source, but let's face it: 99,9% of Linux users never patch their OS manually (i.e. edit source code and recompile). They're waiting for binary upgrades through something like RedHat's update program.

    So in that respect I don't think the vast majority of OS X users are worse off than most Linux users.

  23. Re:The bug is bigger than the article lets on by Arker · · Score: 2, Insightful

    You can't secure a computer if the attacker can physically pick it up and cart it away for an extended period of time. That's a given.

    But the point is that taking reasonable precautions like this can make sure no one can get into your puter and ftp all your files off while you're in the bathroom.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  24. Re:Because Panthers run faster by kasperd · · Score: 4, Insightful

    My only question is if Apple acknowledged this flaw in Jaguar and then fixed it in Panther, or if Apple just ended up fixing it quite accidentally.

    Or perhaps somebody realized there was a bug and fixed it without ever considering how bad the bug was.

    --

    Do you care about the security of your wireless mouse?
  25. Re:ok people wtf by Anonymous Coward · · Score: 1, Insightful

    And you are stupid enough to leave a superuser logged in protected only by a screensaver?

  26. Re:Hey! I'm famous. by alienw · · Score: 2, Insightful

    Well, yes, but his point was that we would already have a patch available in binary form by now were it open-source. Since it isn't, we have to wait for Apple to cough up a patch when it feels like it.

  27. This is a pain in the sphincter by Foxone · · Score: 2, Insightful

    You guys keep saying that since people have physical access they can reset the password anyway... that is not the issue. I have tons of apps that are open at the same time at work. (Photoshop, Quark, GoLive) GoLive is linked to more than 4 network servers mounted on the desktop. When I log in it takes more than 5 minutes to load all apps and files. I can't log off every time I go to grab some water or leave my desk for a meeting. Our webserver has more than 25 thousand pages and they all need to be loaded/parsed by GoLive on launch. What I need is to protect the machine from temporary access from co-workers/consultants etc. looking for personal/confidential stuff. They will not reset the password because that would raise eyebrows, what they need is stealth. This needs to be fixed very very quickly since logging out all the time is NOT an option for me.