Slashdot Mirror

← Back to Stories (view on slashdot.org)

Screensaver Bug in Mac OS X

Posted by michael on from the bomb-icon dept.

dave1212 writes "Still too early to tell, but there seems to be a screen saver password exploit in Mac OS X. It was discovered and postedon the Full Disclosure list earlier today. Theories, personal tests, and rumours abound, with some success stories, and the possibility that it could affect all Cocoa programs. Speculation points toward a 2048 character buffer, with people using the emacs shortcuts Ctrl-K and Ctrl-Y to fill the text field in under half a minute."

6 of 452 comments (clear)

  1. Why... by Anonymous Coward · · Score: 5, Insightful

    Is it always buffer overflows? :/

  2. Re:THe bug is bigger than the article lets on by tbmaddux · · Score: 5, Insightful
    In the meantime security savvy users should logout rather than trust the screen saver and use an Open Firmware password on their machine... don't forget the password or you will be totally screwed!
    The open firmware password can still be circumvented with physical access to the machine. Change the amount of RAM and then zap PRAM 3 times and you're in. Or just yank the hard drive and go to work on it at your leisure. So 1) you won't be totally screwed, and 2) you can't count on it to protect you. If someone can get to your machine, they don't need the exploit described in the original article to compromise it (though it does make things convenient).
    --
    Can't you see that everyone is buying station wagons?
  3. Re:Finally, there's no objection! by GlassHeart · · Score: 5, Insightful
    Sounds like MacOSX can be called UNIX in a same way as Windows-95

    What are you talking about? A screensaver password vulnerability requires physical access to the machine. Most Unices will not protect against a malicious user with physical access, either.

    at least [Linux and NT] has a general design idea of what is a protection of user sessions.

    That's even more ridiculous. This is a bug, not something there by design.

  4. Doesn't matter by itistoday · · Score: 5, Insightful

    This requires "5 minutes" to hold down the key long enough. If one has access to a machine for 5 minutes then security doesn't matter. On any version of OS X one can simply launch up single-user mode when restarting and have Root access in under a minute.

    --
    Best. Webhost. Ever. Dreamhost.
  5. Re:Hey! I'm famous. by joeykiller · · Score: 5, Insightful

    Well, perhaps you would be patching your machine if OS X were open source, but let's face it: 99,9% of Linux users never patches their OS manually (i.e. edit source code and recompile). They're waiting for binary upgrades trough something like RedHat's update program.

    So in that respect I don't think the vast majority of OS X users are worse off then most Linux users.

  6. Re:The screensaver was never meant to be secure by steeviant · · Score: 5, Insightful

    For the purposes of this post, I'll assume that we are including unix work alikes like Linux under the umbrella of Unix

    I don't think you understand much about this subject. Mac OS X is a multi user system from the ground up, as much as any other Unix system, the only thing that is NOT multi user about it at the moment is the GUI.

    If you go into /etc/inittab on any other Unix and comment out all of the lines that start virtual terminals except one, that doesn't stop it from being a Unix system, nor does it stop it being multiuser.

    You are confused about what makes a system into a Unix system. The architecture of Mac OS X is a lot like every other Unix system (but for a few technical changes to abstract the OS from the hardware, and make it easier to write low level OS plugins, and binary device drivers) until you reach the GUI level.

    If I take Linux or BSD or Solaris or HP/UX or AIX or Tru64 and put a GUI on it that is not the X Window System, it doesn't stop being a Unix machine.

    It seems like you think Apple took Mac OS 9, stuck a Unix layer like Cygwin on top and are trying to call it a Unix system, This is not the case. If anything, compatibility with Mac OS 9 is the thing that is tacked on and "not supposed to be there".

    If you want to read all about Mac OS X's history, so that you can fully understand it, and not seem like an idiotic troll when posting on the subject try reading something like these two O'Reilly articles on the history of Mac OS X.

    http://www.macdevcenter.com/pub/a/mac/2002/05/03 /c ocoa_history_one.html
    http://www.macdevcenter.com /pub/a/mac/2002/05/10/c ocoa_history_two.html

    Anyway, rest assured that Apple didn't take their old OS and tack on new features to make it Unix, they took Unix, and tacked on new features to make it compatible with Mac OS.