Security Update Fixes the Screen Effects Hole
jellomizer writes "Here it is. Available from Software Update. 'Security Update 2003-07-14 addresses a potential vulnerability when a password is required upon waking from the Screen Effects feature, which could allow an unauthorized user access to the desktop of the logged in user.'
Now we can use our screen savers with the warm and fuzzy secure feeling."
Not only is this a desktop for the masses thing, but it makes sense with the servers I build too. I've had enough of installing services on the University servers here and leaving machines up, then coming across a small (but significant) problem when rebooting the machine 2 months later, and needing to go back through just what changed since the last reboot to even remember what may need fixing.
When installing a new daemon it may run quite well initially, but until it's started up through the normal boot process, then I don't consider the install fully tested. Uptime means fuck all if on those rare occasions you DO boot you lose an hour on a little fuckarse tiny problem you could have prevented with a 3 minute reboot at a time you choose.
Yeah, but at that point you've gone so much of the way to bringing the system all the way down that you might as well just do the full reboot. You've just described 80% or so of the things that happen in the logout, shutdown, restart, log back in cycle. Unless you just can't have any service disruption in non-GUI software running on your Mac (Apache, MySQL, etc that other machines may be using), then what's the point in saving that 15 seconds & losing state in all your apps anyway? And if you are running services that can't be disrupted, why are you running them on a desktop platform?
In which case, the unpatched version is resident in memory, and the patched version is sitting idle on your disc. What's the point of that? When you're ready to apply the patch (which, apparently, isn't right now), then just let the thing reboot & get the clean slate.
Can you prove conclusively that he hand-assembled it?
Didn't think so, asshole. Try again.
The task that hdparm performs can be performed and still have an interface that isn't nearly that cryptic. The interface can be optional, for those users who would prefer to impress their fellow virgins at their mastery of arcane commands.
The concept that the Linux crowd seems to have missed (but that Apple has embraced) is that you can have two ways of doing things:
1) The Easy Way.
2) The Hard Way.
The two need not be mutually exclusive.
If I want to change my machine's hostname, I can do it either in /etc/hostconfig, or I can go into System Preferences and do it. There are all sorts of other examples, but you're not worth any more of my time.
Until the Linux Crowd figures this (and many other usability concepts) out, Linux will remain a toy.
What I got as a general consensus was effectively:
a) The possibility of this being used maliciously required physical access, and other physical methods rendered it near moot.
b) This point is hard to get across when the news report reads "Apple has security failure from locked screen savers", and therefore may as well be fixed.
c) Being a buffer problem in a shared library, it is possible that something else, either presently or in the future, would also become vulnerable. This is probably the best reason to fix it while the risk is still light.
R: That voice. Where have I heard that voice before? B: In about 365 other episodes. But I don't know who it is either.