Slashdot Mirror

← Back to Stories (view on slashdot.org)

Screensaver Bug in Mac OS X

Posted by michael on from the bomb-icon dept.

dave1212 writes "Still too early to tell, but there seems to be a screen saver password exploit in Mac OS X. It was discovered and postedon the Full Disclosure list earlier today. Theories, personal tests, and rumours abound, with some success stories, and the possibility that it could affect all Cocoa programs. Speculation points toward a 2048 character buffer, with people using the emacs shortcuts Ctrl-K and Ctrl-Y to fill the text field in under half a minute."

16 of 452 comments (clear)

  1. Why... by Anonymous Coward · · Score: 5, Insightful

    Is it always buffer overflows? :/

  2. Still no evidence... by idiotnot · · Score: 4, Insightful

    ....that it's remotely exploitable.

    Any machine you can get physical access to is insecure.

    It shouldn't be that difficult to prove, though, if there's a cocoa-based network app where you could dump more than 2048 characters (Camino, perhaps?).

    1. Re:Still no evidence... by Sunnan · · Score: 4, Insightful

      I'm getting kinda tired of hearing "Pah! It wasn't a remote exploit, anyway..." followed by "Any machine you can get physical access to is insecure." as an excuse when there's a security hole. Sure, network exploits are worse but local exploits are still problems.

      As for "Any machine you can get physical with..", how about a machine with good security measures before and during the boot loading (to avoid stuff like bios/OF-tricks or the classic "passing /bin/sh to lilo"-trick) as well as encrypted filesystems to prevent someone just taking your disks and mount them in another computer?

      Or I dunno, maybe any machine you can get physical with is insecure. That won't make me take this bug any less seriously. The unfreeness of many prominent cocoa objects, including end-user-widget ones, does seem like quite a risk to me. Relying on a single source of fixes has never been a good idea.

  3. Re:THe bug is bigger than the article lets on by tbmaddux · · Score: 5, Insightful
    In the meantime security savvy users should logout rather than trust the screen saver and use an Open Firmware password on their machine... don't forget the password or you will be totally screwed!
    The open firmware password can still be circumvented with physical access to the machine. Change the amount of RAM and then zap PRAM 3 times and you're in. Or just yank the hard drive and go to work on it at your leisure. So 1) you won't be totally screwed, and 2) you can't count on it to protect you. If someone can get to your machine, they don't need the exploit described in the original article to compromise it (though it does make things convenient).
    --
    Can't you see that everyone is buying station wagons?
  4. Re:Full Text by slamb · · Score: 4, Insightful
    An AC wrote: Oh, and OT, but this idiot can't write a sentance, there's no doubt he discovered this after falling asleep on the keyboard. fucking kids these days. :)

    About a message containing:

    Delfim Machado - dbcm@xpto.org
    XPTO:: Portuguese OpenSource Community - http://lab.xpto.org

    He's Portuguese. Could you have written that report as well in his language? I'm all for basic literacy, but I can speak English and a tiny bit of Spanish. I think anyone who can communicate in a language other than their native one is doing pretty well, even if the readers do have to struggle a bit.

  5. Re:Finally, there's no objection! by Anonymous Coward · · Score: 3, Insightful

    You just dont get it.

    Mac OS X doesn't have a UNIX layer like Cygwin.

    It IS a true, blue UNIX.

    see, cygwin can be removed from windows, there is absolutely no way to remove the UNIX CORE from Mac OS X.

    Use it, and you'll see.

  6. Physical access != physical access by yerricde · · Score: 3, Insightful

    Any machine you can get physical access to is insecure.

    Not all physical access is the same. Many demo machines in stores are left in screensaver mode, so that they show the computer is "doing something" without allowing users to write dirty messages in Notepad (or whatever Apple calls its version; I haven't used a Mac since Mac OS 8.1, when it was called "SimpleText"). It's easy to interact with the keyboard of a floor model, but it's often not feasible to turn off the machine and insert a boot disk, and it's definitely impossible to open the machine's case without getting caught, kicked out of the store, and possibly arrested for attempted vandalism.

    --
    Will I retire or break 10K?
  7. Re:Finally, there's no objection! by GlassHeart · · Score: 5, Insightful
    Sounds like MacOSX can be called UNIX in a same way as Windows-95

    What are you talking about? A screensaver password vulnerability requires physical access to the machine. Most Unices will not protect against a malicious user with physical access, either.

    at least [Linux and NT] has a general design idea of what is a protection of user sessions.

    That's even more ridiculous. This is a bug, not something there by design.

  8. Re:ok people wtf by Lukey+Boy · · Score: 3, Insightful
    I disagree; in a work environment where there's a server room with a bunch of machines with a KVM attached but no physical access, this opens up the machines to attacks from insiders that don't have access.

    I mean, shit, when it comes to security it's always better to be safe than sorry.

  9. Re:LP by Phroggy · · Score: 4, Insightful

    Okay now...Apple is swiftly closing the gap with Microsoft in the amount of holes it has.

    Compare:

    Microsoft

    Apple

    Notice how many of Apple's security holes are actually holes in things like Sendmail, BIND, Samba, Apache and CUPS, all of which are off by default, and affect Linux and FreeBSD as well.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  10. The tone of the original letter to apple by ultrapenguin · · Score: 4, Insightful

    Was so immature, its no wonder it got ignored.
    I would be surprised if the mail didnt get deleted after just looking at the subject of it :)

    Seriously, people reporting security bugs need to start working on their english and sentence structure, and stop sounding like 10 years old script kiddies.

  11. Doesn't matter by itistoday · · Score: 5, Insightful

    This requires "5 minutes" to hold down the key long enough. If one has access to a machine for 5 minutes then security doesn't matter. On any version of OS X one can simply launch up single-user mode when restarting and have Root access in under a minute.

    --
    Best. Webhost. Ever. Dreamhost.
  12. Re:Get root access by usr122122121 · · Score: 4, Insightful
    On any computer using OSX, it is possible to change the root password with 6 easy steps: [snip]
    This suggestion wouldn't work if the computer was secured with the Open Firmware Password method.

    Yes, the OF Password is also circumventable, but not if the machine is physically locked :-)

    If you want your machine to be secure, you can take steps to ensure that it is, regardless of platform, but when there is physical access to the machine it generally takes a lot more security to do so.

    --

    -braxton
  13. Re:Hey! I'm famous. by joeykiller · · Score: 5, Insightful

    Well, perhaps you would be patching your machine if OS X were open source, but let's face it: 99,9% of Linux users never patches their OS manually (i.e. edit source code and recompile). They're waiting for binary upgrades trough something like RedHat's update program.

    So in that respect I don't think the vast majority of OS X users are worse off then most Linux users.

  14. Re:The screensaver was never meant to be secure by steeviant · · Score: 5, Insightful

    For the purposes of this post, I'll assume that we are including unix work alikes like Linux under the umbrella of Unix

    I don't think you understand much about this subject. Mac OS X is a multi user system from the ground up, as much as any other Unix system, the only thing that is NOT multi user about it at the moment is the GUI.

    If you go into /etc/inittab on any other Unix and comment out all of the lines that start virtual terminals except one, that doesn't stop it from being a Unix system, nor does it stop it being multiuser.

    You are confused about what makes a system into a Unix system. The architecture of Mac OS X is a lot like every other Unix system (but for a few technical changes to abstract the OS from the hardware, and make it easier to write low level OS plugins, and binary device drivers) until you reach the GUI level.

    If I take Linux or BSD or Solaris or HP/UX or AIX or Tru64 and put a GUI on it that is not the X Window System, it doesn't stop being a Unix machine.

    It seems like you think Apple took Mac OS 9, stuck a Unix layer like Cygwin on top and are trying to call it a Unix system, This is not the case. If anything, compatibility with Mac OS 9 is the thing that is tacked on and "not supposed to be there".

    If you want to read all about Mac OS X's history, so that you can fully understand it, and not seem like an idiotic troll when posting on the subject try reading something like these two O'Reilly articles on the history of Mac OS X.

    http://www.macdevcenter.com/pub/a/mac/2002/05/03 /c ocoa_history_one.html
    http://www.macdevcenter.com /pub/a/mac/2002/05/10/c ocoa_history_two.html

    Anyway, rest assured that Apple didn't take their old OS and tack on new features to make it Unix, they took Unix, and tacked on new features to make it compatible with Mac OS.

  15. Re:Because Panthers run faster by kasperd · · Score: 4, Insightful

    My only question is if Apple acknowledged this flaw in Jaguar and then fixed it in Panther, or if Apple just ended up fixing it quite accidentally.

    Or perhaps somebody realized there was a bug and fixed it without ever considering how bad the bug was.

    --

    Do you care about the security of your wireless mouse?