[30950] in bugtraq
Another Mac OS X ScreenSaver Security Issue (after Security
daemon@ATHENA.MIT.EDU (Patrick Haruksteiner)
Wed Jul 30 13:02:13 2003
Date: 29 Jul 2003 21:29:07 -0000
Message-ID: <20030729212907.11684.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Patrick Haruksteiner <haruk@gmx.at>
To: bugtraq@securityfocus.com
Hi there!
I discoverd another security issue with the Mac OS X screensaver.
If you have installed escapepod from Ambrosia Software and hit
crtl-alt-delete(==backspace) when the screensaver with password
protection is running, it kills the screensaver and the desktop is
open to anybody - so it has the same effect as the recently
emerged password-exploit.
I expected that there should be a forced logout, if the screensaver
dies... - but there is no such behavior...
I have allready reported this to product-security@apple.com, but
as usual with no reply...
Tested on this System Configuration:
Mac OS X 10.2.6 with Security Update 2003-07-14
1GB RAM
1GHZ PowerBook G4
escapepod 1.0.0d3 from http://www.ambrosiasw.com/utilities/
freebies/
--
/harp
