Security Update Fixes the Screen Effects Hole
jellomizer writes "Here is is. Available from Software Update. 'Security Update 2003-07-14 addresses a potential vulnerability when a password is required upon waking from the Screen Effects feature, which could allow an unauthorized user access to the desktop of the logged in user.'
Now we can use our screen savers with the warm and fuzzy secure feeling."
I just hope that one day updates won't require a restart.
About them Apple Switchers,
ain't they well informed
goin' to and frow,
switchn' they platform.
Them banjo pickin' Apple Switchers,
see how much they spent?
They switch to stop blue screens of death
or just to Think Different.
Look at all those Apple Switchers,
hey they even chicks!
Some just switch to make a point,
some just for the kicks.
How to be an Apple Switcher,
if you want to know?
Take a trip to Apple's store
and pony up the dough.
A programmer is a machine for converting coffee into code.
is is? I cannot seem to find "is". I feel so lost!
Sure can tell it's Monday afternoon - editors are still recovering from the weekend
Could pudge or jellomizer please post a hyperlink? Thanks!
It's unclear from the docs whether this fixes just the problem of the screensaver dumping you back into a session without the password, or whether this addresses the buffer overflow that could cause other applications to crash, including the login window.
whenever I launch my buddy list it reports the following error:
which also takes out my Rendezvous list.
Hope it's a transient network problem & not the update that broke it.
Anybody have any idea what files this updates and what version it updates those files to?
yep, was transient -- false alarm.
I know that you can gain access to my machine by rebooting and changing the root password. I know that you can get around the open-firmware protection. I know that a screen saver doesn't protect my hard drive from someone opening my machine and taking it... but I am still very thankful for this update. Why? Because I encrypt my entire home directory. (Via the method I mentioned here a while ago). So, the "lock screen" option is very important to me -- If you reboot my machine, my home directory is once again encrypted. So the Screen Saver password does have its place.
After updating, I tried to crash a few other apps using the "leave an object on the keyboard" method, and the text boxes simply stopped accepting input after a certain amount of time.
Apple's page for the update, if you prefer to download manually.
Well, you seem to have had more luck than I did. Right now, iChat is acting rather oddly, with the windows for new messages resizing a moment after they appear. It almost looks like the system is acting slow and it's stuttering.
Since I don't use iChat often, I guess it really doesn't matter to me. Just hope no other apps have weird reactions, though.
I don't notice a performance hit while using the files in my home directory (I don't keep MP3s there however). You can monitor the amount of CPU that is being used decrypting files by checking the CPU usage of the 'hdid' process in top or the CPU monitor. But I encrypt my home directory (as you suggested) to protect my Library, financial records, my code, and the files for my business which I use all the time. My desktop (my download folder) is encrypted and I don't notice a performance hit while downloading. (I'm running a Dual 500 MHz machine, should you care)
Turn on DMA you dumb fuck. You are running hardware that's newer than the kernel and the kernel turned off dma because it was an unknown IDE chipset.
hdparm -u 1 -c 1 -d 1 -k 1 /dev/hda
Don't blame the OS because your hardware is newer than the OS release you are using and it's not fully supported.
1) It was a troll, you fucking retard.
2) That's probably the least intuitive line ever. No wonder Linux remains the plaything of 35-year-old virgins who live in their parents' basements.
I'm going to blame the OS for being FUCKING RETARDED and needing that. Christ.
Hm. I suggest you rewrite that command as follows:
hdparm -d 1 -u 1 -c 1 -k 1 /dev/hda
Afflack.
"That's probably the least intuitive line ever"
Then don't use it. It's not supposed to be intuitive, you are fucking around with low level hardware settings and kernel drivers because you are running an OS that doesn't "support" your hardware. Don't go installing operating system revisions on hardware it wasn't intended and tested on and you won't have to deal with it.
If you don't want to dick around with hardware and OS combinations on the PC platform buy it with the OS preinstalled. I love it when retards go out and hand assemble a PC then bitch that it doesn't work as well as their Apple... well duh, you went and assembled your own system, it's your responsibility to make sure it's integrated well.
As for blaming the OS, when an OS comes out that writes its own drivers for hardware that doesn't exist yet, please let us know.
Can you prove conclusively that he hand-assembled it?
Didn't think so, asshole. Try again.
The task that hdparm performs can be performed and still have an interface that isn't nearly that cryptic. The interface can be optional, for those users who would prefer to impress their fellow virgins at their mastery of arcane commands.
The concept that the Linux crowd seems to have missed (but that Apple has embraced) is that you can have two ways of doing things:
1) The Easy Way.
2) The Hard Way.
The two need not be mutually exclusive.
If I want to change my machine's hostname, I can do it either in /etc/hostconfig, or I can go into System Preferences and do it. There are all sorts of other examples, but you're not worth any more of my time.
Until the Linux Crowd figures this (and many other usability concepts) out, Linux will remain a toy.
I don't want to start a holy war here, but what is the deal with you trolling losers? I've been sitting here at my cubicle reading slashdot for about 20 minutes now and again some pathetic AC has posted another variation on the parent troll. A pathetic AC. At home, where I also read slashdot, which by all standards should be the same as slashdot at work, the same troll will still appear in about 20 minutes. If that.
In addition, during reading the parent troll, I will not work. And everything else has ground to a halt.
I won't bore you with the laundry list of other insults that I've thought of while reading variations on the parent troll, but suffice it to say there have been many. I don't get how someone can claim to get satisfaction from posting the same troll over and over again, whether it be changed to read Mac Classic, Mac OS X, FreeBSD, OGG, Windows, IE, PPC, or anything else.
Troll addicts, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to post variations of the same boring old troll.
I don't really see this as that much of a problem.
So instead you power cycle the laptop, hold down S during boot to enter single user mode.
At this point you do technically have root, although without a GUI.
Change target account's password, reboot, login.
If you have a password set in Open Firmware to prevent single user mode boots, I have to zap the PRAM 3 times and the password is gone.
Granted this is a whole lot harder than breaking the screen saver, but still, any computer someone can get physical access to is not secure under any conditions.
I think your mother should be proofreading your posts.
Well I think your mother... bah, nevermind.
There is also a fresh iDVD software update today as well. Rumored to fix the "I don' wanna!!!" message...something about multiplexing :)
No restart needed!!
The download file is named: "SecurityUpd2003-07-14.dmg"
Its SHA-1 digest is: 210f4819b8559b590632cd62b4055a437b9a0267
Apple really needs to add a "Restart Later" option to SU. I can't count the number of times it's been incredibly inconvenient to restart so I've had to force quit SU.
This is a [lame] local user access hack/exploit. No big deal. Why fix it? They should ignore the problem. If enough people complain then it's not a bug, it's a _feature_. Has the moon gone red?
Oh, wait, I stopped using Microsoft products. Sorry.
Read my comment above. One thing (amongst others) that rebooting does is unmount any encrypted disks, requiring the user to enter the password again to remount them. Cracking my root password won't gain you access to the encrypted disks I had open before you rebooted my machine.
I don't know if it's related, but all the printers have disappeared from print center. When I tried to add it back, I got an error. Ideas?
jellomizer writes "Here is is. Available..."
With that spelling you could write for the NY Times.
___ Shout Central - Crushes your nuts!
The updated Security.framework will be loaded by ScreenSaverEngine.app the next time it runs - in other words, the next time the screen saver activates.
Have you tried it? I have. No reboot, and no more crashing screen saver.
Anything that is already running retains the old version of Security.framework until it's started again, but ScreenSaverEngine.app and loginwindow are both immune. There may be other (unrealized? unreported?) exploits that the update fixes that require a logout or reboot, but to fix the simple screen saver exploit, no such silliness is required.
Mark
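The behaviour described in the post above, where anything already running keeps the old Security.framework until it is restarted, can be checked instead of assumed. The script below is an added example, not part of the thread and not Apple's tooling: it cross-references saved `lsof` output with process start times and reports processes that mapped the framework before the update was installed. Process names, PIDs, timestamps and the "PID START_EPOCH" input format are constructed assumptions.

```shell
#!/bin/sh
# Added example. All sample data below is constructed.
# Lists processes that have a library mapped AND were started before the
# library was replaced on disk, i.e. candidates still running the old code.

# stale_mappers LIB_SUBSTRING UPDATE_EPOCH LSOF_FILE STARTS_FILE
#   LSOF_FILE   : saved lsof output in its default column layout (assumed):
#                 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
#   STARTS_FILE : "PID START_EPOCH" per line (hypothetical helper format)
stale_mappers() {
  awk -v lib="$1" -v updated="$2" '
    FILENAME == ARGV[1] { start[$1] = $2; next }   # pid -> start time
    FNR == 1 { next }                              # skip lsof header row
    ($4 == "txt" || $4 == "mem") && index($0, lib) {
      pid = $2
      # Unknown start time is not reported; only proven-older processes are.
      if ((pid in start) && start[pid] < updated && !seen[pid]++)
        print pid, $1
    }
  ' "$4" "$3"
}

# Constructed sample: update installed at epoch 1058200000.
demo() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/starts" <<'EOF'
388 1058100050
412 1058100100
450 1058150000
733 1058230000
EOF
  cat > "$dir/lsof" <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
iChat 412 alice txt REG 14,2 1048576 9001 /System/Library/Frameworks/Security.framework/Versions/A/Security
Finder 388 alice txt REG 14,2 2097152 9002 /System/Library/Frameworks/Carbon.framework/Versions/A/Carbon
Mail 450 alice txt REG 14,2 1048576 9001 /System/Library/Frameworks/Security.framework/Versions/A/Security
ScreenSav 733 alice txt REG 14,2 1048576 9001 /System/Library/Frameworks/Security.framework/Versions/A/Security
EOF
  stale_mappers Security.framework 1058200000 "$dir/lsof" "$dir/starts"
  rm -rf "$dir"
}

demo
```

In the sample, the screen saver process started after the update and is not listed, while the two older processes that mapped the framework are.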
As long as you're cool with the possibility / likelihood that you've only fixed part of the problem, that's fine. I'm just saying that, personally, I can afford to let the machine be down for the 90 seconds it would take to reboot, and doing so would give me the peace of mind that the problem is actually fixed. Doing it halfway is the approach that seems silly to me :-)
DO NOT LEAVE IT IS NOT REAL
How will FileVault affect your current encryption method? Will you switch to use FileVault when Panther comes out? What is your opinion of FV? And this is a great idea, you should get credit since Apple implemented this as well.
GRIN. I'm gonna start eefin any second.
Right... on the Athlon64 that won't be released by AMD until September 22. Nice try troll.
Funny, nobody seems to be screaming that Apple is stupid and lazy. In fact, I see more Microsoft security bashing here than Apple security bashing.
But... isn't the error with Apple software?
So... why aren't you all screaming at the horrible evil that is Apple?
Not that I think Apple is either of those things, mind you. Or at least not in relation to this issue. I just think that the obscene amount of Microsoft bashing is 20% based on their problems and business practices, and 80% because of jealousy that we all can't have billions of dollars too.
I think I should get credit from Apple... especially as one of Apple's employees was posting back and forth with me here at /. when I posted my method. So they can't claim that they didn't know about my method!
As for whether or not I'll use FileVault, that remains to be seen... I have yet to get ahold of Panther (since it's not been released yet) so I don't know if FileVault will suit my needs.
It sounds very similar to my method, with one exception: my method leaves my home directory encrypted all the time, and decrypts "on-the-fly" as files are needed. This allows my files to stay secure... (although they may be written to a swapfile while being decrypted.) I would be worried that with FileVault, it would decrypt my entire home directory and it would be possible to prevent FileVault from re-encrypting it. (Like hard rebooting after my home dir was decrypted, for example)
As for my thinking of the idea, I can't claim complete credit for it -- I don't know that a user with less knowledge thought of the idea but couldn't implement it, and wrote Apple to suggest it. (Although I'd like to think I thought of it!)
Apple has shown a reasonable turnaround time on fixing bugs, whereas Microsoft will procrastinate on fixing a vulnerability, even after someone has turned it into a virus. That, and to Apple "security" doesn't mean pressuring programmers not to let anyone else but the company know of said vulnerability. Finally, Microsoft is a features company while Apple is a *good* features company. By that, I mean Microsoft will throw new features into a product regardless of whether or not they are actually useful (think MS Bob and personalized menus), whereas Apple actually puts some thought into new versions of their software. That carelessness on MS's part is one reason why they have so many bugs.
There's a hole in my screen?
I'm glad they patched that up before I noticed.
It's fixed now.
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
It's a sad day in troll history, when the troll accidentally compliments the OS in question.
Meanwhile, he seems to be from the future, with an Opteron which isn't available yet, along with MacOS X 10.3 (Panther)
Athlon64 XP -3000+, wha?
Error 407 - No creative sig found