Security Update Fixes the Screen Effects Hole
jellomizer writes "Here is is. Available from Software Update. 'Security Update 2003-07-14 addresses a potential vulnerability when a password is required upon waking from the Screen Effects feature, which could allow an unauthorized user access to the desktop of the logged in user.'
Now we can use our screen savers with the warm and fuzzy secure feeling."
I just hope that one day updates won't require a restart.
About them Apple Switchers,
ain't they well informed
goin' to and fro,
switchin' they platform.
Them banjo pickin' Apple Switchers,
see how much they spent?
They switch to stop blue screens of death
or just to Think Different.
Look at all those Apple Switchers,
hey they even chicks!
Some just switch to make a point,
some just for the kicks.
How to be an Apple Switcher,
if you want to know?
Take a trip to Apple's store
and pony up the dough.
is is? I cannot seem to find "is". I feel so lost!
Sure can tell it's Monday afternoon - editors are still recovering from the weekend.
Could pudge or jellomizer please post a hyperlink? Thanks!
It's unclear from the docs whether this fixes just the problem of the screensaver dumping you back into a session without the password, or whether this addresses the buffer overflow that could cause other applications to crash, including the login window.
Whenever I launch my buddy list it reports the following error:
which also takes out my Rendezvous list.
Hope it's a transient network problem & not the update that broke it.
Anybody have any idea what files this updates and what version it updates those files to?
yep, was transient -- false alarm.
Dear Apple:
I bought an Apple computer because of its native support for teledildonics. I bought a USB FUFME and MacOS immediately recognized it and installed drivers instantly! As a gay Catholic priest who often can't be at the altar all the time, you can understand how the ability to have sex with children whilst on the airplane with my Powerbook and wireless internet service is a lifesaver.
I just have a single question, will Apple be releasing a firewire version of the FUFME anytime soon?
With much gayness,
Father Michael "Arminass" Sims
Dear Father Sims
Thank you for your kind letter! Being a former Catholic priest myself, I know exactly what you are talking about! It has been our dream at Apple Computers ever since we began in the 80's to shape the homosexual experience with the ultimate computer.
I can answer your letter by saying that YES we will indeed be making a firewire version of the FUFME. With the additional bandwidth offered by the firewire bus, we will be able to more accurately record and deliver more minute and subtle movements that the USB FUFME simply couldnt support due to lack of bandwidth. You will be able to recognize our firewire FUFME in stores by the fancy holographic logo of a cock entering an Apple.
We are glad to help loyal customers such as yourself. If you ever have any more questions, feel free to drop a line (or connect to my teledildonic FUFME server on fufme://cockman.apple.com).
Hugh G. Cockman
President
Homosexual Liaison Services
Apple Computer, Inc.
I don't want to start a holy war here, but what is the deal with you Linux fanatics? I've been sitting here at my freelance gig in front of an Athlon64 (an XP-3000+) running SuSE for about 20 minutes now while it attempts to copy a 500 Meg file from one folder on the hard drive to another folder. 20 minutes. At home, on my eMac running Mac OS X 10.3, which by all standards should be a lot slower than this PC, the same operation would take about 2 minutes. If that.
In addition, during this file transfer, KDE will not work. And everything else has ground to a halt. Even pico is straining to keep up as I type this.
I won't bore you with the laundry list of other problems that I've encountered while working on various Linux distros, but suffice it to say there have been many, not the least of which is I've never seen a Linux distro that has run faster than its Wintel counterpart, despite the Linuxheads' insistence on open-source efficiency. My eMac 1Ghz with 512 megs of ram runs faster than this 3000 mhz(?) machine at times. From a productivity standpoint, I don't get how people can claim that a Linux PC is a superior machine.
Linuxheads, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a GNU/Linux system over other faster, cheaper, more stable systems.
I know that you can gain access to my machine by rebooting and changing the root password. I know that you can get around the Open Firmware protection. I know that a screen saver doesn't protect my hard drive from someone opening my machine and taking it... but I am still very thankful for this update. Why? Because I encrypt my entire home directory. (Via the method I mentioned here a while ago.) So, the "lock screen" option is very important to me -- if you reboot my machine, my home directory is once again encrypted. So the Screen Saver password does have its place.
After updating, I tried to crash a few other apps using the "leave an object on the keyboard" method, and the text boxes simply stopped accepting input after a certain amount of time.
Apple's page for the update, if you prefer to download manually.
Well, you seem to have had more luck than I did. Right now, iChat is acting rather oddly, with the windows for new messages resizing a moment after they appear. It almost looks like the system is acting slow and it's stuttering.
Since I don't use iChat often, I guess it really doesn't matter to me. Just hope no other apps have weird reactions, though.
I don't notice a performance hit while using the files in my home directory (I don't keep MP3s there however). You can monitor the amount of CPU that is being used decrypting files by checking the CPU usage of the 'hdid' process in top or the CPU monitor. But I encrypt my home directory (as you suggested) to protect my Library, financial records, my code, and the files for my business which I use all the time. My desktop (my download folder) is encrypted and I don't notice a performance hit while downloading. (I'm running a Dual 500 MHz machine, should you care)
I don't want to start a holy war here, but what is the deal with you Mac fanatics? I've been sitting here at my cubicle in front of a Mac (a brand new dual G4 1400MHz with a gig of RAM) for about 20 minutes now while it attempts to copy a 20 meg file from one folder on the hard drive to another folder. 20 minutes. At home, on my Pentium Pro 200 running NT 4, which by all standards should be a lot slower than this Mac, the same operation would take about 2 minutes. If that.
In addition, during this file transfer, Safari will not work. And everything else has ground to a halt. Even SimpleText is straining to keep up as I type this.
I won't bore you with the laundry list of other problems that I've encountered while working on various Macs, but suffice it to say there have been many, not the least of which is I've never seen a Mac that has run faster than its Wintel counterpart, despite the Macs' faster chip architecture. My 486/66 with 8 megs of ram runs faster than this dual G4 machine at times. From a productivity standpoint, I don't get how people can claim that the Macintosh is a superior machine.
Mac addicts, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a Mac over other faster, cheaper, more stable systems.
It's Ogg not "OGG", you fuckin' fuck fucker.
I don't really see this as that much of a problem.
So instead you power cycle the laptop, hold down S during boot to enter single user mode.
At this point you do technically have root, although without a GUI.
Change the target account's password, reboot, login.
If you have a password set in Open Firmware to prevent single user mode boots, I have to zap the PRAM 3 times and the password is gone.
Granted this is a whole lot harder than breaking the screen saver, but still, any computer someone can get physical access to is not secure under any conditions.
There is also a fresh iDVD software update today as well. Rumored to fix the "I don' wanna!!!" message...something about multiplexing :)
No restart needed!!
The download file is named: "SecurityUpd2003-07-14.dmg"
Its SHA-1 digest is: 210f4819b8559b590632cd62b4055a437b9a0267
Apple really needs to add a "Restart Later" option to SU. I can't count the number of times it's been incredibly inconvenient to restart, so I've had to force quit SU.
This is a [lame] local user access hack/exploit. No big deal. Why fix it? They should ignore the problem. If enough people complain then it's not a bug, it's a _feature_. Has the moon gone red?
Oh, wait, I stopped using Microsoft products. Sorry.
Read my comment above. One thing (amongst others) that rebooting does is unmount any encrypted disks, requiring the user to enter the password again to remount them. Cracking my root password won't gain you access to the encrypted disks I had open before you rebooted my machine.
I don't know if it's related, but all the printers have disappeared from print center. When I tried to add it back, I got an error. Ideas?
jellomizer writes "Here is is. Available..."
With that spelling you could write for the NY Times
The updated Security.framework will be loaded by ScreenSaverEngine.app the next time it runs - in other words, the next time the screen saver activates.
Have you tried it? I have. No reboot, and no more crashing screen saver.
Anything that is already running retains the old version of Security.framework until it's started again, but ScreenSaverEngine.app and loginwindow are both immune. There may be other (unrealized? unreported?) exploits that the update fixes that require a logout or reboot, but to fix the simple screen saver exploit, no such silliness is required.
Mark
As long as you're cool with the possibility / likelihood that you've only fixed part of the problem, that's fine. I'm just saying that, personally, I can afford to let the machine be down for the 90 seconds it would take to reboot, and doing so would give me the peace of mind that the problem is actually fixed. Doing it halfway is the approach that seems silly to me :-)
DO NOT LEAVE IT IS NOT REAL
How will FileVault affect your current encryption method? Will you switch to use FileVault when Panther comes out? What is your opinion of FV? And this is a great idea, you should get credit since Apple implemented this as well.
GRIN. I'm gonna start eefin any second.
Funny,
nobody seems to be screaming that Apple is stupid and lazy. In fact, I see more Microsoft security bashing here than Apple security bashing.
But... isn't the error with Apple software?
So... why aren't you all screaming at the horrible evil that is Apple?
Not that I think Apple is either of those things, mind you. Or at least not in relation to this issue. I just think that the obscene amount of Microsoft bashing is 20% based on their problems and business practices, and 80% because of jealousy that we all can't have billions of dollars too.
I think I should get credit from Apple... especially as one of Apple's employees was posting back and forth with me here at /. when I posted my method. So they can't claim that they didn't know about my method!
As for whether or not I'll use FileVault, that remains to be seen... I have yet to get ahold of Panther (since it's not been released yet) so I don't know if FileVault will suit my needs.
It sounds very similar to my method, with one exception: my method leaves my home directory encrypted all the time, and decrypts "on-the-fly" as files are needed. This allows my files to stay secure... (although they may be written to a swapfile while being decrypted.) I would be worried that with FileVault, it would decrypt my entire home directory and it would be possible to prevent FileVault from re-encrypting it. (Like hard rebooting after my home dir was decrypted, for example)
As for my thinking of the idea, I can't claim complete credit for it -- I don't know that a user with less knowledge thought of the idea but couldn't implement it, and wrote Apple to suggest it. (Although I'd like to think I thought of it!)
Apple has shown a reasonable turnaround time on fixing bugs, whereas Microsoft will procrastinate on fixing a vulnerability, even after someone has turned it into a virus. That, and to Apple "security" doesn't mean pressuring programmers not to let anyone else but the company know of said vulnerability. Finally, Microsoft is a features company while Apple is a *good* features company. By that, I mean Microsoft will throw new features into a product regardless of whether or not they are actually useful (think MS Bob and personalized menus), whereas Apple actually puts some thought into new versions of their software. That carelessness on MS's part is one reason why they have so many bugs.
There's a hole in my screen?
I'm glad they patched that up before I noticed.
It's fixed now.