Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Update Fixes the Screen Effects Hole

Posted by pudge on from the mmmm-overrunning-buffers dept.

jellomizer writes "Here is is. Available from Software Update. 'Security Update 2003-07-14 addresses a potential vulnerability when a password is required upon waking from the Screen Effects feature, which could allow an unauthorized user access to the desktop of the logged in user.' Now we can use our screen savers with the warm and fuzzy secure feeling."

20 of 94 comments (clear)

  1. Re:Versions by qengho · · Score: 4, Informative


    Anybody have any idea what files this updates and what version it updates those files to?

    This is what the package contains. I haven't installed it, so I don't know what the new versions are.

    Listing files for Security Update 2003-07-14
    ./System/Library/Frameworks/Security.framework/Ver sions/A/Resources/Info.plist
    ./System/Library/Frameworks/Security.framework/Ver sions/A/Resources/version.plist
    ./System/Library/Frameworks/Security.framework/Ver sions/A/Security
  2. Re:went witout a hitch by whee · · Score: 5, Informative

    This updates a system framework, which is likely in use by multiple, running, applications. The safest way to ensure everything is operating as it should is to require a restart. Had this been an update of something else, like a user-level application or daemon, then the restart would not have been required.

    You have to remember that this is an operating system for the masses and their desktops. I'm sure this update could've not required a restart, but what if something went wrong? Would your grandmother know how to make sure the current version of a shared library is loaded for her applications?

  3. Re:went witout a hitch by 47Ronin · · Score: 5, Informative

    Noone's forcing you to restart. I just opened up the Mac's Terminal.app and:

    % sudo softwareupdate SecurityUpd2003-07-14-1.0

    [wait for install to finish]

    Installing "Security Update 2003-07-14"... 98% 98% 99% 99% 99% 99% done.

    You have installed one or more updates that requires that you restart your
    computer. Please restart immediately. ...After that I just closed the Terminal. I keep on working and at the end of the day, if I feel like restarting I will. I will also upgrade my OSX webserver this way, and probably never restart it until a real major upgrade occurs.

    --
    Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.
  4. Re:went witout a hitch by Acrimonious+Coward · · Score: 5, Informative

    For and update to an application library (Cocoa in this case), you don't really need to restart, you just need to quit all Cococa apps, this includes the Login Window. To accomplish this, do the following:

    1. download and install the patch. 2. log out, if you can. 3. type ">console" or maybe even ">exit" in the user name field of the login window. 4. once in the console, I believe a ctl-D will restart the login window.

  5. Re:Versions by norwoodites · · Score: 3, Informative

    That means, it is just a new Security Framework see the benefit of shared libraries.

  6. It appears to by jnetsurfer · · Score: 3, Informative

    After updating, I tried to crash a few other apps using the "leave an object on the keyboard" method, and the text boxes simply stopped accepting input after a certain amount of time.

    1. Re:It appears to by __aafkqj3628 · · Score: 4, Informative

      In which case, Apple should have named this patch as a patch to Cocoa itself instead of simply the screensaver.

      Trying to reduce the public's perception of the problem are we Apple?
      Just think, a Cocoa buffer overflow still isn't as bad as Windows' shatter attacks.

    2. Re:It appears to by gnuadam · · Score: 4, Informative

      I'm not convinced there was ever a general cocoa problem.

      Obviously, there was the screensaver bug, and I reproduced that myself.

      Other people mentioned a problem with the login window. I've noticed before if I type an incorrect password it drops to a text-console. This is what people observed when trying to overflow the login window. It's certainly not an exploit.

      I tried overflowing text fields in safari and mail, without incident.

      If someone really found another app that was affected as the screensaver was, I'd really like to hear about it.

      Unless someone does, I'll give apple the benefit of the doubt. They fixed the problem, no harm no foul.

      --
      You say :wq, I say ZZ. Why can't we all just get along?
    3. Re:It appears to by __aafkqj3628 · · Score: 2, Informative

      I couldn't even get the screensaver to crash, I'm just reporting what I've heard other people say.
      The bug seemed to be only on specific versions of Darwin/OS X and was a bit strange even then.
      Either way, at least one potential bug is crushed.

  7. For those preferring to not use SU by blb · · Score: 5, Informative

    Apple's page for the update, if you prefer to download manually.

  8. I don't notice a performance hit by jnetsurfer · · Score: 4, Informative

    I don't notice a performance hit while using the files in my home directory (I don't keep MP3s there however). You can monitor the amount of CPU that is being used decrypting files by checking the CPU usage of the 'hdid' process in top or the CPU monitor. But I encrypt my home directory (as you suggested) to protect my Library, financial records, my code, and the files for my business which I use all the time. My desktop (my download folder) is encrypted and I don't notice a performance hit while downloading. (I'm running a Dual 500 MHz machine, should you care)

  9. Problem? by dissy · · Score: 4, Informative

    I dont really see this as that much of a problem.

    So instead you power cycle the laptop, hold down S durring boot to enter single user mode.
    At this point you do technically have root, although without a GUI.

    Change target accounts password, reboot, login.

    If you have a password set in openfirmware to prevent single user mode boots, I have to zap the pram 3 times and the password is gone.

    Granted this is a whole lot harder than breaking the screen saver, but still, any computer someone can get physical access to is not secure under any conditions.

    1. Re:Problem? by Anonymous Coward · · Score: 2, Informative

      "If you have a password set in openfirmware to prevent single user mode boots, I have to zap the pram 3 times and the password is gone."

      Yeah, but you can't do that via cmd-opt-P-R (or the OF command line) if there's an OF password set. You have to crack the case.

      WM

  10. ...and... by djupedal · · Score: 4, Informative

    There is also a fresh iDVD software update today as well. Rumored to fix the "I don' wanna!!!" message...something about multiplexing :)

    No restart needed!!

    1. Re:...and... by feldsteins · · Score: 2, Informative

      It also started allowing me to launch iDVD on my PB 867 even though it doesn't have a superdrive. This way I could still use the app for demo purposes, or even author a DVD and then transfer the project to a DVD-burning station via Firewire target disk mode or something. Very cool, though.

      --
      You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
  11. *yawn* gory details... by andreMA · · Score: 3, Informative
    http://www.info.apple.com/kbnum/n120232

    The download file is named: "SecurityUpd2003-07-14.dmg

    Its SHA-1 digest is: 210f4819b8559b590632cd62b4055a437b9a0267

  12. Re:restart by djward · · Score: 4, Informative

    Just Hide it. Then it's out of the way but still in the Dock reminding you that you eventually should restart.

  13. Re:restart by mrgeometry · · Score: 2, Informative

    Try using the "Save to desktop" command in Software Updater. It downloads the updater (unfortunately doesn't allow you to save it anywhere but the desktop, but you can move it after it's downloaded) so you can run it when it's more convenient.

    As mentioned before, there's not much reason to run the updater if you're not going to reboot right away. Yeah, yeah, maybe sometimes there's some reason, but generally not.

  14. Re:restart by Polarcow · · Score: 1, Informative

    There is a simple solution. Apple Menu->Force Quit... or Command-Shift-Esc.

    Just like any other application, Software Update can be forced to quit. When it finishes writing out the update to disc and asks you to restart, just force quit Software Update and restart your computer when you're done with whatever you're busy with.

  15. That is not true. No reboot is required. by FunkyMarcus · · Score: 2, Informative

    The updated Security.framework will be loaded by ScreenSaverEngine.app the next time it runs - in other words, the next time the screen saver activates.

    Have you tried it? I have. No reboot, and no more crashing screen saver.

    Anything that is already running retains the old version of Security.framework until it's started again, but ScreenSaverEngine.app and loginwindow are both immune. There may be other (unrealized? unreported?) exploits that the update fixes that require a logout or reboot, but to fix the simple screen saver exploit, no such silliness is required.

    Mark