Slashdot Mirror


Security Update Fixes the Screen Effects Hole

jellomizer writes "Here it is. Available from Software Update. 'Security Update 2003-07-14 addresses a potential vulnerability when a password is required upon waking from the Screen Effects feature, which could allow an unauthorized user access to the desktop of the logged in user.' Now we can use our screen savers with the warm and fuzzy secure feeling."

11 of 94 comments

  1. went without a hitch by poil11 · · Score: 4, Interesting

    I just hope that one day updates won't require a restart.

    1. Re:went without a hitch by andreMA · · Score: 2, Interesting

      Yep, you said it yourself: keeping apache et al running. And other servers; I happen to run several instances of TinyMUSH 3.1 on my aging 500MHz dual. It's helpful for them to not rely on proper handling of signals to "shit! I better checkpoint!" - let alone the inconvenience my users would suffer from an actual reboot.

      So... some folks do have a lot more to worry about than the GUI. Sure, I could just run Darwin, but I do a small amount of stuff that requires a GUI too.

    2. Re:went without a hitch by capmilk · · Score: 2, Interesting

      Did you reboot after the update? I did, and I can't do anything on my desktop without entering the screen saver password.

  2. Does this fix the problem globally? by commodoresloat · · Score: 4, Interesting

    It's unclear from the docs whether this fixes just the problem of the screensaver dumping you back into a session without the password, or whether this addresses the buffer overflow that could cause other applications to crash, including the login window.

  3. Versions by hackwrench · · Score: 5, Interesting

    Anybody have any idea what files this updates and what version it updates those files to?

  4. Here's a reason this IS important by jnetsurfer · · Score: 5, Interesting

    I know that you can gain access to my machine by rebooting and changing the root password. I know that you can get around the open-firmware protection. I know that a screen saver doesn't protect my hard drive from someone opening my machine and taking it... but I am still very thankful for this update. Why? Because I encrypt my entire home directory. (Via the method I mentioned here a while ago). So, the "lock screen" option is very important to me -- If you reboot my machine, my home directory is once again encrypted. So the Screen Saver password does have its place.

    1. Re:Here's a reason this IS important by commodoresloat · · Score: 2, Interesting

      How long does it take to decrypt when you log in? This is a great idea, but I'm assuming you only use the encrypted user for certain limited tasks where security is paramount. For day to day operations, I wouldn't want to have to wait for my iTunes and iPhoto libraries, along with whatever crap I've downloaded to my download folder, to be decrypted every time I log in.

  5. restart by dema · · Score: 3, Interesting

    Apple really needs to add a "Restart Later" option to SU. I can't count the number of times it's been incredibly inconvenient to restart so I've had to force quit SU.

  6. It is a problem by jnetsurfer · · Score: 2, Interesting

    Read my comment above. One thing (amongst others) that rebooting does is unmount any encrypted disks, requiring the user to enter the password again to remount them. Cracking my root password won't gain you access to the encrypted disks I had open before you rebooted my machine.

  7. Print center now broken by Haberdasher · · Score: 2, Interesting

    I don't know if it's related, but all the printers have disappeared from print center. When I tried to add it back, I got an error. Ideas?

  8. FileVault? by Capt_Troy · · Score: 2, Interesting

    How will FileVault affect your current encryption method? Will you switch to use FileVault when Panther comes out? What is your opinion of FV? And this is a great idea, you should get credit since Apple implemented this as well.