Linked by Eugenia Loli on Fri 4th Jul 2003 18:44 UTC
Bugs & Viruses Delfim Machado made public a way of crashing a password-protected screensaver and thus gaining full access to the user account that the screensaver was running under. All a user has to do is keep pressing any key for 5 minutes or so and then press Enter. Delfim Machado contacted Apple's Security department with his discovery, but when he didn't hear back, he decided to go public.
Sensationalized?
by your mom on Fri 4th Jul 2003 18:51 UTC
RE: Sensationalized?
by Eugenia on Fri 4th Jul 2003 18:53 UTC
Screensavers
by Buck on Fri 4th Jul 2003 18:54 UTC

I always thought screensavers were the product of the Devil himself!

LOL
by Admiral Horror on Fri 4th Jul 2003 18:55 UTC

This is priceless!!!

Does this affect 10.2 only or 10.1 and 10.0 as well?

Hmm...I'm expecting a quick fix
by techtrucker on Fri 4th Jul 2003 18:55 UTC

I'll bet that Apple takes care of this one quickly. I for one make extensive use of password protected screen savers...

Good for him
by Christopher X on Fri 4th Jul 2003 18:56 UTC

light a fire under their asses, if a security hole is reported and they sit on their thumbs then by god get their attention. I hope this works.

G5 AIX
by anonymous on Fri 4th Jul 2003 18:56 UTC

This is why NASA will probably stick to the G5 but running AIX, instead of hackOSX!

re: Hmm
by Anonymous on Fri 4th Jul 2003 18:59 UTC

sounds like an overflow thing, easy to fix. but disappointing anyway considering the quality of the OS

Question
by Dekkard on Fri 4th Jul 2003 19:01 UTC

Is this bug remotely exploitable?

lol
by atici on Fri 4th Jul 2003 19:02 UTC

The email this guy sent to Apple probably got ignored, or wasn't directed to appropriate dept. to begin with. ;) His email lacks professionalism and it's no surprise he was ignored, although in a way that could harm Apple in the end.

It's highly probable that Apple has more issues with security than many other OSes, based on its limited userbase, its mentality (it's no OpenBSD, and aims for average Joe) and lack of maturity. I don't think there're companies who specialize in finding out security holes in OS X (although AFAIK there're such security companies for Windows).

This doesn't reflect badly on companies
by anon on Fri 4th Jul 2003 19:07 UTC

I pity companies though. Consumers don't want security. They want features. They vote with their wallets, and they will almost never elect someone with "invisible" security.

Security holes are basically bug reports, and they get shuffled into the bugtracker. They don't get the highest priority. If you want security, go for Free Software, maybe OpenBSD. If you want a good consumer machine, go for Windows or MacOS.

If there's a problem in these companies, it's that they don't have teams which mentor and do code reviews. I don't know what the process is at Apple, but it's probably not impressive.

Too Pretty
by Mystilleef on Fri 4th Jul 2003 19:10 UTC

Which makes me wonder what other scanty vulnerabilities MacOSX is under. I have never really trusted Macs, I don't know why. Things that are too pretty are usually too dangerous.

Regards,

Mystilleef

10.2.6 fixed?
by adam on Fri 4th Jul 2003 19:14 UTC

I can't reproduce this in 10.2.6.

3 days!
by Anonymous on Fri 4th Jul 2003 19:21 UTC

He waited three days from the time he found it to releasing it to the public? Nice! Remind me how long it takes Microsoft to release a patch again.

Better 'sploit
by minkwe on Fri 4th Jul 2003 19:24 UTC

Just take the Mac with you. It's a fine piece of equipment. If you have physical access to it, then there's no real security

fixed?
by danny on Fri 4th Jul 2003 19:26 UTC

i can't reproduce it in 10.2.6 either.
it's probably already fixed.

re: Too Pretty
by Chris on Fri 4th Jul 2003 19:28 UTC

Yes, but pretty and dangerous is still preferable to ugly and dangerous. ;-)

LOL
by jbett on Fri 4th Jul 2003 19:45 UTC

I'm thankful it's just the screensaver.. HAHA. I don't even use that feature. Is this really a security flaw or a feature flaw? It's not like every hacker has direct access to the box which he wishes to hack.

fixed ? !!
by Anonymous on Fri 4th Jul 2003 19:47 UTC

i tried it several times ....
it can't be reproduced in 10.2.6 !

re: fixed?
by Derek Kent on Fri 4th Jul 2003 19:47 UTC

I can't reproduce this in 10.2.4, 10.2.5, or 10.2.6. I didn't try other versions of OS X though. This appears to have been fixed for a while at least.

Can anyone replicate?
by schmegglefurt on Fri 4th Jul 2003 19:48 UTC

I tried it as well and I can't replicate it on a B/W G3 10.2.6 or an iBook 500 (same OS). MacOSX is generally fairly secure (note max points on Sunday's hack challenge). But most OS's are fairly easy to hack when you have physical access. I think, if anything, this underscores the importance of not being dependent on a screensaver for local security. It's sort of like putting a cheap cable lock on your bicycle. It might discourage a casual thief (hacker), but that's about it.

slightly agree with moderated dude....
by jbett on Fri 4th Jul 2003 19:50 UTC

I mean is this really a security flaw? or hole? I mean even though you can crash the screensaver doesn't mean you can hack the system remotely or even break into any administratively locked functions. Anybody who has used Mac OS X knows that you even need an Admin password to run installers.

re: fixed?
by Derek Kent on Fri 4th Jul 2003 19:50 UTC

Odd... he seems to be using an updated version of MacOS X 10.2, yet at least 4 other people here claim they can't reproduce the security vulnerability with updated versions of OS X 10.2.

No, it's not remotely exploitable.
by WattsM on Fri 4th Jul 2003 19:51 UTC

It's interesting noting in passing that the headline for this here was "Security Hole in Mac OS X" while on MacSlash it was "Bug in AppleScreensaver." They're both technically accurate, of course. Is one an understatement, or is one an overstatement?

Meanwhile, while the Mac-bashers here gleefully try to paint this as doomfully as they can, I'm going to go off and delete a few more copies of whatever destructive Windows-only email virus is going around this week...

i tried it
by zephc on Fri 4th Jul 2003 19:56 UTC

and it sort of crashed, but after a second it took me back to the screen saver. Weird.

Speaking of responsiveness to security vulnerabilities...
by Anonymous on Fri 4th Jul 2003 20:05 UTC

Speaking of responsiveness to security vulnerabilities... Apple has ALWAYS been RIGHT on top of them. Never do I remember a time since OS X was released that more than a week transpired before a bug was quashed by way of a software update. Typically it's been within about 2 days... sometimes only 1. This is right in line with open source and is a MASSIVE step up from the speed at which Microsoft quashes bugs.

Re: zephc
by Anonymous on Fri 4th Jul 2003 20:06 UTC

What is your build number?

(Go to Apple menu About this Mac)

Re: No, it's not remotely exploitable.
by Anonymous on Fri 4th Jul 2003 20:10 UTC

"It's interesting noting in passing that the headline for this here was "Security Hole in Mac OS X" while on MacSlash it was "Bug in AppleScreensaver." They're both technically accurate, of course. Is one an understatement, or is one an overstatement?"

That's something I've noticed of OS News all the time... specifically about Mac-centric headlines. Typically the most disparaging sounding headline of many to choose from. If one isn't disparaging enough, one is often created.

Also, if there is a lot of positive news going round about an Apple specific technology, it's not uncommon for OS News to seek out the only negative sounding news piece.

That's not to say that OS News always publishes negative sounding (or negative in actuality) headlines, but the ratio of positive to negative news is far more out of proportion to the rest of the tech news industry.

black hole
by mstrip on Fri 4th Jul 2003 20:12 UTC

i wonder who had more security holes, MS Windows, OS X or Linux? Shouldn't be too hard of a question. Just don't trust Windows.

I will have to try this hole for myself as the article says... to really see if it's true.

at last...
by Anonymous on Fri 4th Jul 2003 20:22 UTC

...a security exploit which even the non-techie understands and can use.

not fixed !!
by Anonymous on Fri 4th Jul 2003 20:27 UTC

the "exploit" works ...
but to my mind you have to press any key much longer than 5 minutes..

Re: Anonymous (IP: ---.dip.t-dialin.net)
by Anonymous on Fri 4th Jul 2003 20:45 UTC

What is your build number?

(Go to Apple menu About this Mac)

RE: Anonymous (IP: ---.dip.t-dialin.net)
by Anonymous on Fri 4th Jul 2003 20:55 UTC

the newest version ---> 10.2.6

build number
by Anonymous on Fri 4th Jul 2003 20:57 UTC

No, I want the build number...

oops.. nevermind.
by Anonymous on Fri 4th Jul 2003 20:59 UTC

oops.. nevermind. They aren't doing build numbers in About this Mac.

I can't reproduce this...
by Bascule on Fri 4th Jul 2003 21:01 UTC

...with 10.2.6, which is what Mr. Delfim Machado also appears to be running.

Perhaps there's something more at play for him, as it seems several other people have tried to reproduce this and have been unable.

Some more specific details of his particular installation would be informative.

No Luck
by Spatula on Fri 4th Jul 2003 21:05 UTC

I tried but it didn't have any problems. I had the key pressed for over 10 min. I am running 10.2.6

I can't reproduce this...
by Anonymous on Fri 4th Jul 2003 21:07 UTC

I tried too, and I can't do it either. I have 4 different makes, 3 of which are using a slightly different version of OS X... and I can't reproduce it no matter what I do... on any of these machines. I called a few friends who are also running OS X just now and they too couldn't reproduce it either.

Could this just be an attempt at spreading FUD?

It's hard to gauge because those people that claim that they can reproduce it on this board are definitely in the minority. God knows there are a handful of individuals that visit this site regularly who take great glee in spreading Apple FUD. It is very possible that they may be just trying to push this along without knowing one way or another.

Do the following: 1) type in a few letters 2) hit option-left arrow 3) hit ctl-k 4) repeat until it doesn't seem like you are adding any more dots 5) Use the mouse to click the enter button 6) Wait several seconds to a minute for the crash to actually happen.

I tried something else
by Anonymous on Fri 4th Jul 2003 21:18 UTC

I pressed up, up, down, down, left, right, left, right, B, A, start

and got unlimited lives!...

screen savers
by Jeremy wininger on Fri 4th Jul 2003 21:19 UTC

I can't duplicate it in 10.2.6 or in the WWDC Developers Preview of Panther.

This is a stupid flaw for sure. But its stupidity also rivals someone who will sit holding a key for 5 mins to try and crash a screen saver.

Screen saver passwords have been an off and on problem for quite some time. Heck, I even remember back in the Windows 95 and Windows 98 days being able to kill the screen saver by hitting ctrl-alt-del and killing its process. It wasn't an every-time thing but it did work most of the time. We had problems with it quite often back when I was working sales at Circuit City (I was young and needed the money).

Ah well, live and learn.

re: not here
by Anonymous on Fri 4th Jul 2003 21:30 UTC

i just tried it on an iBook 800 MHz with 10.2.6 and nothing happens.

re: I tried something else
by stupidnewbie on Fri 4th Jul 2003 21:40 UTC

what games was that for again?

thought it was:
up, up, down, down, left, right, left, right, B, A, B, A, start. Am I thinking of TMNT The Arcade Game or Contra...

Oh yeah, and screensavers suck ass

Eugenia update the story
by Anonymous on Fri 4th Jul 2003 21:51 UTC

I can't replicate this problem on my Mac and neither can all the other Mac users here. It seems Apple fixed the bug but failed to notify the bug hunter.

so the "hole" exists
by jbett on Fri 4th Jul 2003 21:55 UTC

Sounds like the techniques involved are fairly difficult but I'll have to try it when I get home to use my Mac, but one question to all those who are attempting to hack a box after they have got through the password. On a box that has been security tightened, meaning the control panel has been locked and any system specific options have been locked. What are you going to do? Open the shell and hack at it that way? One way or another you're gonna have to actually hack a password, there's no way around it, getting through a screensaver is the least of your problems. Besides most OS X computers I know are auto login. Why didn't you just reboot the computer and save time? You're still screwed when it comes to advanced system options anyways.

Build numbers
by Xian on Fri 4th Jul 2003 22:05 UTC

Do Apple Menu, then About This Mac.
Click where it says Version: 10.2.x and it will switch to the build number. Do it once more if you want to see your serial number.

Follow these instructions. . .
by cshuman on Fri 4th Jul 2003 22:19 UTC

-> hit and hold any key for 5 seconds
-> hold down shift, hit home key (to highlight what you've typed so far)
-> ctrl+k
-> hold down ctrl+y until the text box stops scrolling to the right
-> hit enter

Beige G3 running 10.2.6

I got this from Macslash.

It does work!

Can't reproduce it either
by Anonymous on Fri 4th Jul 2003 22:21 UTC

I can't reproduce this bug either on Mac OS X 10.2.6.

I pressed "x" for 9 minutes and pressed enter. (actually, a book and a pen were holding "x"). No crash, worked as expected.

FUD?
by Anonymous on Fri 4th Jul 2003 22:23 UTC

Looks to me like this exploit might be an attempt at spreading FUD. Nobody can reproduce it.

Re: Can't reproduce it either
by Anonymous on Fri 4th Jul 2003 22:44 UTC

Aah, you have to wait till you can't add any more characters to it. I used the control-k, control-y trick. It does work. My 9 minutes were probably too short.

RE:Can't reproduce it either
by Kevin Arvin on Fri 4th Jul 2003 23:11 UTC

I can't reproduce this bug either on Mac OS X 10.2.6.

Doesn't work on 10.2.4 either.

Only good thing...
by Anonymous on Fri 4th Jul 2003 23:29 UTC

The only good thing about a Mac is that you can attach a chain to those stupid handles on the box and use it as a BOAT ANCHOR!!!

re: Only good thing...
by jbett on Fri 4th Jul 2003 23:40 UTC

About PC's is you can use their big ass fans as air conditioning. (This will be true of the new G5 macs)

This rebuttal is brought to you by the morons who post flames with no real intelligent point or thought.

RE: FUD?
by S Isaac on Fri 4th Jul 2003 23:54 UTC

Confirmed on my 12" Powerbook and G4 Power Mac, both running 10.2.6 (build 6L60). This is no FUD.

Re: Only good thing...
by Anonymous on Sat 5th Jul 2003 00:17 UTC

"The only good thing about a Mac is that you can attach a chain to those stupid handles on the box and use it as a BOAT ANCHOR!!!"

Okay Mr. I'm going to copy this comment from slashdot rather than think up my own troll comment...

RE: FUD?
by Anonymous on Sat 5th Jul 2003 00:19 UTC

"Confirmed on my 12" Powerbook and G4 Power Mac, both running 10.2.6 (build 6L60). This is no FUD."

How do we know you're not one of the ones trying to spread FUD? People with your exact same system can't reproduce the supposed exploit.

I don't buy it.

RE: not fixed !!
by Negvibe on Sat 5th Jul 2003 00:41 UTC

the "exploit" works ...
but to my mind you have to press any key much longer than 5 minutes..


Wait. Where's the "any" key again?

Do screen savers even save screens any more? I mean, Apple calls them Screen Effects.

Just seems easy enough to hit shift-command-q instead of leaving it up to some screen eye candy to secure your computer.

Happy 4th people.

Local exploitation - User only - Screensavers _are_ evil
by Mark Wilson on Sat 5th Jul 2003 00:43 UTC

1. Locally exploitable only -- but it is still a problem.

2. Only works for the user space -- i.e., home directory and subdirectories. System access still requires a password.

3. I don't use screensavers.

It does work on my system
by Oscar Castillo on Sat 5th Jul 2003 01:51 UTC

I'm running Jag 10.2.6 and after several long spins of the color wheel, it does bring me back to the desktop.

RE: FUD?
by S Isaac on Sat 5th Jul 2003 02:22 UTC

"How do we know you're not one of the ones trying to spread FUD? People with your exact same system can't reproduce the supposed exploit.

I don't buy it."

You're right. You can't know that I'm not a FUD spreader. And unless you see it yourself you may never believe, at least not until Apple releases a patch.

well,
by le_tigre on Sat 5th Jul 2003 02:57 UTC

you can kill Red Hat if you do the exact same thing for a couple of days straight. i guess that's better ;)

i wonder if windows has similar problems.

Jul 4 16:56:47 Admins-Computer crashdump: Crash report written to: /Users/admin/Library/Logs/CrashReporter/ScreenSaverEngine.crash.log

This is the message in my Console log after I did the "hack". Not that it really matters to me since I don't actually use this feature anyway.

Short of video taping the whole ordeal I don't know how else I can prove it isn't "FUD".

Whaaaa...?
by Captain Chris on Sat 5th Jul 2003 05:34 UTC

Who the HELL figured this one out? Really: how much time did this guy burn sitting around holding down keys for minutes at a time and pressing something else? Did he start with "Shift," "Esc," "Backspace," or what? (I don't know how these are labeled on a Mac keyboard, so don't flame me...you get my drift). I mean, come on...until this went public, who the f**k would ever think to do anything like this? (It just goes to show how bored some people really are, doesn't it?)

login
by Anonymous on Sat 5th Jul 2003 06:33 UTC

And if you try this at the login screen (filling the password box until it can't take any more) the gui dies and you're dropped to a Darwin console. One more way to run OS X text mode only....

RE: Whaaaaa?
by Leslie Donaldson on Sat 5th Jul 2003 07:58 UTC

It was probably discovered the same way as the trick to reboot Win NT by doing this. Someone was working, pulled out a book to check up on some facts, the book rested on the space bar etc etc.

NT would do the same thing if a mouse was giving input to any window: the keyboard buffer would overflow into the video driver and reboot the machine.

Working on Sun boxes with type 5 keyboards I discovered if the keyboard is propped up (the front edge is straight down; I moved it up to open a 3 ring binder) and it falls forward (keys down) it would rock perfectly to L1-A the machine and then cause it to boot.

Hey stuff happens.

Donaldson

Re: anonymous
by anon on Sat 5th Jul 2003 07:59 UTC

How do we know you're not one of the ones trying to spread FUD? People with your exact same system can't reproduce the supposed exploit.

How about you? I'm sure you can reproduce this hole, you're just trying to cover it up.

RE: anonymous
by anon on Sat 5th Jul 2003 09:49 UTC

Sorry to say it, but this is definitely reproducible. It dumps something like the following into /var/log/system.log:

Jul 5 03:29:51 Notgonnatellya crashdump: Crash report written to: /Users/xxxx/Library/Logs/CrashReporter/ScreenSaverEngine.crash.log

In that file it dumps:

**********

Date/Time: 2003-07-05 03:29:51 -0600
OS Version: 10.2.6 (Build 6L60)
Host: xxx-xxx-xxx-xxx.client.attbi.com

Command: ScreenSaverEngine
PID: 557

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x03cfd000

Thread 0 Crashed:
#0 0x9007460c in memmove
#1 0x92be129c in checkpw_internal
#2 0x92cf4414 in checkpw
#3 0x000066cc in 0x66cc
#4 0x930c7e44 in forwardMethod
#5 0x933593e4 in -[NSWindow keyDown:]
#6 0x930c7e44 in forwardMethod
#7 0x930c1694 in -[NSWindow sendEvent:]
#8 0x930a8e20 in -[NSApplication sendEvent:]
#9 0x000074d8 in 0x74d8
#10 0x930b1dac in -[NSApplication run]
#11 0x00004678 in 0x4678
#12 0x00004328 in 0x4328
#13 0x000041a8 in 0x41a8

Thread 1:
#0 0x90014d08 in syscall_thread_switch
r20: 0x00000000 r21: 0x00000000 r22: 0x03914650 r23: 0x00000000
r24: 0x00000000 r25: 0x03936680 r26: 0xfffffffd r27: 0x03e11000
r28: 0x00000001 r29: 0x0003a2c7 r30: 0x03d74db0 r31: 0x92be1134

**********

Date/Time: 2003-07-05 03:29:51 -0600
OS Version: 10.2.6 (Build 6L60)
Host: xxx-xxx-xxx-xxx.client.attbi.com

Command: ScreenSaverEngine
PID: 557

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x03cfd000

Thread 0 Crashed:
#0 0x9007460c in memmove
#1 0x92be129c in checkpw_internal
#2 0x92cf4414 in checkpw
#3 0x000066cc in 0x66cc
#4 0x930c7e44 in forwardMethod
#5 0x933593e4 in -[NSWindow keyDown:]
#6 0x930c7e44 in forwardMethod
#7 0x930c1694 in -[NSWindow sendEvent:]
#8 0x930a8e20 in -[NSApplication sendEvent:]
#9 0x000074d8 in 0x74d8
#10 0x930b1dac in -[NSApplication run]
#11 0x00004678 in 0x4678
#12 0x00004328 in 0x4328
#13 0x000041a8 in 0x41a8

Thread 1:
#0 0x90014d08 in syscall_thread_switch
#1 0x97e03ef4 in +[NSThread sleepUntilDate:]
#2 0x93081cac in -[NSUIHeartBeat _heartBeatThread:]
#3 0x97e2cc50 in forkThreadForFunction
#4 0x90020d28 in _pthread_body

Thread 2:
#0 0x90073c28 in mach_msg_trap
#1 0x90005f70 in mach_msg
#2 0x901489f0 in __CFRunLoopRun
#3 0x90180f58 in CFRunLoopRunSpecific
#4 0x97e05680 in -[NSRunLoop runMode:beforeDate:]
#5 0x97e3450c in -[NSRunLoop runUntilDate:]
#6 0x001c9dc0 in -[AppleFlurryView startBackgroundAnimation:]
#7 0x9321a820 in +[NSApplication _startDrawingThread:]
#8 0x97e2cc50 in forkThreadForFunction
#9 0x90020d28 in _pthread_body

Granted, it's a silly exploit--if someone has access to my console, I'm a lot more worried about them walking out the door with it. And I don't know the history between this guy and Apple, but I do know that so far (as an OS X user since 10.1) I've been impressed with Apple's responsiveness. Nevertheless... it is an exploit. I know campus users will be concerned by it. Simply calling it FUD doesn't make it so, and trying to sweep it under the rug is definitely *not* the responsible way to deal with it. Let's hope Apple takes it more seriously than some of the people posting to this forum.

Not a hard one to get
by tres on Sat 5th Jul 2003 10:44 UTC

First: yes, this exploit does work.

Second: no, it didn't take some knucklehead sitting at a keyboard poking numbers all day. Apple dropped the ball on this one. There should be bounds checking on the length of the password in the screen saver dialog. If you're testing, that's one of the first things you'd test for.

Plain.
Pure.
Simple.

Don't get me wrong, I'm a big Mac fanboy, but this exploit is just brain-dead. Apple should have bounds checking on any and every password dialog. It should be part of the API. There should be no password longer than 256 characters to begin with.

This is just stupid though. I can write a seven line program (including headers) that will crash windows--every time. I've been able to do this for years. It's a petty exploit that doesn't do much of anything. Just like this one.

Granted, for anyone relying on a screensaver to protect their machine, this is not good news, but the fact is, if you're relying on a screensaver to protect your machine against a local attacker, you've lost already.

Re: RE: Whaaaaa?
by xJulian on Sat 5th Jul 2003 11:50 UTC

*lol* I wonder if something like this still works on WinXP?

Old Windows screen saver trick
by twiddle on Sat 5th Jul 2003 12:14 UTC

I don't know if this works anymore, but back in the very early days of Windows 95 I created a virtual desktop application. Funny thing was, it turned out that the screen savers were just normal maximized windows. So when my app went to slide to a different desktop, the screen saver (and its password dialog if set) went with it. Instant bypass of "security". I eventually had to program the virtual desktop app to not move screen saver windows.

Anyone know if Mac OS X screen savers are vulnerable to this trick?

re boat anchor thingee
by dabooty on Sat 5th Jul 2003 12:46 UTC

actually both the slashdot and this comment come from "mac killed my inner child" a hilarious movie you should all check out

Re: No, it's not remotely exploitable.
by Ian Pulsford on Sat 5th Jul 2003 12:48 UTC

Agree with Anonymous on page 16-30. OSNews posts too many negative articles about Apple (and SUN). One minor local exploit is exposed and it gets a mention. There have been many worse (and remote) exploits in other OSen.

interesting problem . . . .
by Matt on Sat 5th Jul 2003 18:10 UTC

With having version 10.2.6 running on my old PowerBook, I have tried reproducing this security hole the guy was talking about. I've sat here and have tried to get the problem he described to work, but it seems I don't have the problem in the first place. I could be doing something wrong, but I did exactly what the guy stated.

This kind of reminds me of Windows users, people that haven't service packed their machines or done any updates find these problems and then make SO much noise about it, that they haven't even considered applying the service packs that document fixing the problem they have.

Maybe this guy just needs to keep on top of those security and regular updates from Apple. That could be another possibility why Apple has not replied back, but what software giant ever responds back to their feedback customers. They only listen to their developers, beta testers, or internal groups.

But other than that, I've been very pleased with Apple's approach to security in OS X. I think they have TOO much security, most of the time I find myself editing their UNIX files just to make the OS do what I need it to do. It can be a pain in the butt, but it's better to have more security and having to scale it down yourself, than you adding security to the machine. Just so you can sleep at night.

I can't wait for that new FileVault that was introduced on Panther, that should come in handy.

Re: tres
by Bascule on Sat 5th Jul 2003 18:52 UTC

Second: no, it didn't take some knucklehead sitting at keyboard poking numbers all day. Apple dropped the ball on this one. There should be bounds checking on the length of the password in the screen saver dialog. If you're testing, that's one of the first things you'd test for.

Oh please, I think the dozen or so people here who tried the exploit from the initial description have proven that the password entry box does have bounds checking.

A unique sequence was used to circumvent the bounds checking on the password box, probably exploiting some rather complex code like Unicode conversion, a problem MS also had which was the hole exploited by Code Red.

You should give Apple a little more credit. On the whole they've had an excellent track record in regards to security.

Notgonnatellya crashdump
by hylas on Sat 5th Jul 2003 19:03 UTC

Hey anon,
Thanks for the facts, nicely done.
Gold Star.
A refreshing departure from "listen to me, I'm an expert" approach ... which doesn't work - at all.


http://www.counterpane.com/syslog-attack-sigs.pdf

Boat anchor thingie
by Floyd Lloyd on Sat 5th Jul 2003 19:13 UTC

It would be even funnier if his complaints were at all current. For a good half of his rant I was trying to figure out if this dude had ever actually used a Mac. My guess is that he is discussing primarily Mac OS9, and maybe a super early release of 10.

The command-spc bar-. has not been used for years. If he's making reference to OS9, I couldn't agree more - I detested OS9.

I have simply never ruined a system file because the updater wanted my attention - this is akin to saying "windows update wanted to update media player so I erased a few registry keys because I couldn't figure out what it wanted."

Maybe he shouldn't delete files he really wants to keep so often. I have never had this problem either, but yes, I admit that undelete is a nice DOS based feature for people who have an itchy delete finger.

Finally, his shutdown rant has never been an issue as far as I can remember - I admitted that I detest Mac Pre-OSX, but even in that environment these magical crashes never occurred for me. Certainly not now. I have never had trouble shutting a computer of any sort down either. I think maybe if he finds that challenging, he might be better off with paper and ink.

Too bad really since there is certainly plenty of good material for an OSX rant like that - I was looking forward to something more interesting. FWIW, this is not coming from an OSX fanatic. In the room I'm sitting in, at my house, I have winXP, SuSE Linux, and Mac OSX running. I just really didn't think that that rant was funny. Well, OK, I'd really like to kick the fsck out of a few boxen, but that has nothing to do with the OS inside...

sequence
by Anonymous on Sat 5th Jul 2003 19:51 UTC

ok. I tried it now, and it does crash the screen saver. but it's not the length of the password... you only need to press the right sequence of keys and it crashes in seconds, not 5 minutes

RE: Bascule
by tres on Sat 5th Jul 2003 21:05 UTC


Oh please, I think the dozen or so people here who tried the exploit from the initial description have proven that the password entry box does have bounds checking.

A unique sequence was used to circumvent the bounds checking on the password box, probably exploiting some rather complex code like Unicode conversion, a problem MS also had which was the hole exploited by Code Red.

You should give Apple a little more credit. On the whole they've had an excellent track record in regards to security.


Don't get me wrong, Bascule. I use OS X every day, and wouldn't even think of going back.

The exploit does not require any unique sequence. It's simply a buffer overflow. I've tried and failed with this exploit (using the "hold down key for 5 minutes" routine) and succeeded crashing the screen saver by actually filling the text entry box all the way (<ctrl+k> + <ctrl+y> i.e. using a cut and paste to speed things up). I have a feeling that those who haven't gotten this exploit to work simply haven't gotten the text entry box filled.

I think Apple has a great track record regarding security. Much better than most. That's just one of the reasons that when I'm asked what computer I recommend, I always tell people that Apple is the best way to spend their money. My bet is that early this coming week we'll see a software update for the screen saver. It should be a simple fix.

As I said in my first post, this is a trivial exploit that doesn't have much practical value. If you're using a screen saver to lock local attackers out of your computer, well then you've already lost.

Security
by anon on Sat 5th Jul 2003 21:24 UTC

As I said in my first post, this is a trivial exploit that doesn't have much practical value. If you're using a screen saver to lock local attackers out of your computer, well then you've already lost.

You gain security by having multiple layers of it. Otherwise you have a "crunchy outside and soft inside." Don't make it easy and quick for an attacker to break your system. Put obstacles in the way, especially when it's so easy to use buffer-overflow resistant programming in the first place.
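An added example, written for this page and not code from the thread, from Apple or from Delfim Machado: the bounds check that tres asks for and the "buffer-overflow resistant programming" the post above calls for, in C. The text-field model refuses keystrokes past a cap, and the password check rejects an over-long candidate before any memmove() runs, so no input length can reach the copy that sits at the top of the posted crash trace. PW_MAX, field_append, copy_password_bounded, check_password and the demo helpers are all hypothetical names; the 256-character cap is the figure tres suggests, not an Apple limit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap, taken from the 256-character limit argued for in the thread. */
#define PW_MAX 256

typedef enum { PW_OK = 0, PW_EMPTY = 1, PW_TOO_LONG = 2 } pw_status;

/* Text-field model: append one keystroke, refusing anything past PW_MAX.
 * Returns 1 if the character was stored, 0 if the field was already full. */
int field_append(char *field, size_t cap, size_t *len, char c)
{
    if (*len + 1 >= cap)          /* keep one byte for the terminator */
        return 0;
    field[(*len)++] = c;
    field[*len] = '\0';
    return 1;
}

/* Copy candidate into dst only if it fits with its terminator; dst is left
 * untouched otherwise. This is the length check that has to sit in front of
 * memmove() for the copy to be safe at any input size. */
pw_status copy_password_bounded(char *dst, size_t dst_size,
                                const char *src, size_t src_len)
{
    if (dst_size == 0 || src_len >= dst_size)
        return PW_TOO_LONG;
    if (src_len == 0)
        return PW_EMPTY;
    memmove(dst, src, src_len);
    dst[src_len] = '\0';
    return PW_OK;
}

/* Constant-time byte comparison: the result does not depend on where the
 * first mismatching byte is. */
static int ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hypothetical stand-in for a password check routine: reject by length
 * first, then compare. Returns 1 to accept, 0 to reject. */
int check_password(const char *stored, const char *candidate, size_t candidate_len)
{
    char buf[PW_MAX + 1];
    size_t stored_len = strlen(stored);

    if (copy_password_bounded(buf, sizeof buf, candidate, candidate_len) != PW_OK)
        return 0;
    if (stored_len != candidate_len)
        return 0;
    return ct_equal(stored, buf, stored_len);
}

/* Demo helper: feed n repeated keystrokes into the field model and report
 * how many were actually stored (constructed input, not a real dialog). */
size_t fill_field_demo(size_t n)
{
    char field[PW_MAX + 1] = "";
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        if (!field_append(field, sizeof field, &len, 'x'))
            break;
    return len;
}

/* Demo helper: what copy_password_bounded decides for an n-byte candidate. */
pw_status accepts_length(size_t n)
{
    char dst[PW_MAX + 1];
    char *src = malloc(n ? n : 1);
    pw_status st;
    if (!src)
        return PW_TOO_LONG;
    memset(src, 'x', n);
    st = copy_password_bounded(dst, sizeof dst, src, n);
    free(src);
    return st;
}

int main(void)
{
    printf("field kept %zu of 100000 keystrokes\n", fill_field_demo(100000));
    printf("257-byte candidate: %s\n",
           accepts_length(257) == PW_TOO_LONG ? "rejected" : "copied");
    printf("right password: %d, wrong password: %d\n",
           check_password("hunter2", "hunter2", 7),
           check_password("hunter2", "hunter3", 7));
    return 0;
}
```

Two layers do the work here, which is the point of the post above: the field stops growing at the cap, and the checker independently refuses anything over the cap, so a bypass of the UI limit (a paste, a programmatic event) still never reaches the unchecked copy.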

reset password
by Benjamin Huot on Sat 5th Jul 2003 21:58 UTC

If you have access to the installation discs, you can reset the root and admin passwords (really all passwords). I don't know if you have to have the ones that came with that specific computer or any installation disc will work. I had to do that for my mom this weekend. This sounds like a greater security threat. I also don't think that anyone who knows anything about security is going to use screensavers to protect their computer. Why don't they just log out? If you have enough RAM it doesn't take any time at all to get all your applications running again.

Re: reset password
by anon on Sat 5th Jul 2003 23:33 UTC

Sure, at universities people rely on screensavers when they need a quick trip to the bathroom. If Anonymous is right, it doesn't even take any time to break the screensaver. Enough time to dash off an email to president@whitehouse.gov. See this book:
http://www.admin.com/

How can you guys pick at a little bug with the screen saver! It's like every day I get about 5 bug fixes from REDHAT a day. And not just that: in Australia we have some Internet Cafes that run on Linux, and it takes me about 5 secs to bring them down. The good old Ctrl-Alt-Backspace until you get back to the login screen, and then press Ctrl-Alt-Del, which reboots the system; and if you ctrl-alt-del when it starts, it causes Linux to damage its system files.

Linux can't do any tasks right, or even up to the standards of MacOS or Windows. Even BeOS. And the amount of RAM Linux needs to do basic tasks is really poor.

Apple are the makers of the best software, and how Apple turned UNIX from an unused mass of code into one of the easiest and most powerful OSes in the world is amazing. One little bug is nothing. People do make mistakes, even Apple.

Don't point the finger at Linux
by Anonymous on Sun 6th Jul 2003 00:48 UTC

Assuming OS X does indeed have a bug (many consider it debatable, considering the fact that almost none can reproduce it, and for the few that do there's reason to believe it is mere FUD from the peanut gallery), it is wrong to point the finger at Linux for its supposed large amount of bugs.

Linux is actually relatively bug free. However, the same cannot be said for Windows and many of Microsoft's other software products and services.

RE:Anothony
by myuu on Sun 6th Jul 2003 00:58 UTC

First of all, Anothony, most of the bugfixes from Red Hat are not exploitable; they are just updates to fix potential issues, or bad coding that was only found because the software is OSS.

Second, the issues with RG at the cafe are due to poor setup/admining. (Plus the Ctrl-Alt-Del thing should affect OS X too.) Ctrl-Alt-Backspace is an X key function to kill X; I imagine it would be quite easy to bypass. Give me a few hours and I can make a Linux box just as, or even more, stable/secure/kiddie-proof than OS X.

No, I'm not trying to troll or even start FUD. I love my iBook and OS X, and I dual boot OS X and Linux; just get your facts straight.

Same sh!t different day.
by Quattro on Sun 6th Jul 2003 05:30 UTC

I reported the same bug to Apple only in the login screen. This bug did a little more than kill a screensaver, it killed Aqua and dropped you in a root shell. Although it was never mentioned in any of the security alerts, it was a problem up to one of the later 10.1 or early 10.2 releases.

Now with the PowerMac G5, OS X security holes can be exploited up to 32% faster than on equivalent P4 systems running Windows XP.

Fill 'er up...
by bmad on Sun 6th Jul 2003 05:59 UTC

Re: Tres Re: Bascule...

I agree--I'm guessing the people who haven't been able to reproduce this haven't followed the directions fully. It's not about how long you've held down a key... perhaps the original poster didn't make that point clearly. It's about how many characters you've entered... if you're still adding little dots to the password entry box when you hit enter, you haven't entered enough. Use cut & paste and you'll see the problem pretty quickly.

To the people who're suggesting that this was fixed in an earlier patch, look at the logfiles posted by anon (and yes, I am that anon)... that's a current system.

To folks claiming there's no security without physical security, you're missing the point. If someone has to reboot from CD and change my password to gain access, well, sure they can do that and sure I'm screwed... but at least I'll know about it pretty quickly. An exploit like this gives someone access to my desktop--and all that that implies--without me ever knowing. Like most people, I'd rather know when I've been screwed.

Anyway, as with most of the people posting on this thread, I'm not too concerned about this on my home box. But after working in a campus lab during my undergrad years, I can definitely see where this will be a concern in that environment. You shouldn't have to close all of your work just to take a quick bathroom break... and using cut & paste, you can exploit this overflow to be on someone's desktop in 30 seconds tops. Considering Apple's interest in that market, they should be on this pretty quickly.

Thanks for the post re: Panther. Can anyone else with a pre-release confirm it?

That's because the computers were configured by morons... They only need to add Option "DontZap" in Section "ServerFlags". They can also disable Ctrl-Alt-Del in inittab...

Who do you blame for Nimda and the SQL Slammer worm: Microsoft or the lazy sysadmins? I blame the sysadmins, because Microsoft fixed these holes about 6 months before each worm. It's not their fault if some improvised sysadmins didn't use their patches.
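
A small hardening check for the two settings named above, as an added example that is not part of the thread: it assumes an XFree86-style XF86Config (Option "DontZap" in Section "ServerFlags") and a SysV inittab (the ca::ctrlaltdel entry), and the weak and hardened sample files it writes are constructed here, not taken from any real cafe box.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an XFree86-style XF86Config and a
# SysV inittab; the files written by write_samples are constructed for this demo.

# Succeeds if Section "ServerFlags" enables DontZap (Ctrl-Alt-Backspace no longer kills X).
dontzap_set() {
  awk '
    /^[ \t]*Section[ \t]+"ServerFlags"/ { inflags = 1; next }
    /^[ \t]*EndSection/                  { inflags = 0; next }
    inflags && /^[ \t]*Option[ \t]+"DontZap"/ {
      # a bare Option "DontZap" means true; only an explicit false/off/no disables it
      if ($0 !~ /"(false|off|no|0)"/) found = 1
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Succeeds if no active ca::ctrlaltdel entry remains (console Ctrl-Alt-Del does nothing).
ctrlaltdel_disabled() {
  ! grep -Eq '^[^#:]*:[^:]*:ctrlaltdel:' "$1"
}

# Writes a weak and a hardened version of each file into directory $1 (constructed samples).
write_samples() {
  cat > "$1/weak.conf" <<'EOF'
Section "ServerFlags"
    # no DontZap: Ctrl-Alt-Backspace drops the kiosk back to the login screen
EndSection
EOF
  cat > "$1/hard.conf" <<'EOF'
Section "ServerFlags"
    Option "DontZap" "true"
EndSection
EOF
  printf 'id:5:initdefault:\nca::ctrlaltdel:/sbin/shutdown -t3 -r now\n' > "$1/weak.inittab"
  printf 'id:5:initdefault:\n# ca::ctrlaltdel:/sbin/shutdown -t3 -r now\n' > "$1/hard.inittab"
}

# Reports one line per file in directory $1; returns 0 only if every file passes.
audit() {
  rc=0
  for f in weak hard; do
    dontzap_set "$1/$f.conf" && echo "$f.conf: DontZap on" || { echo "$f.conf: zap still enabled"; rc=1; }
    ctrlaltdel_disabled "$1/$f.inittab" && echo "$f.inittab: ctrlaltdel off" || { echo "$f.inittab: reboot key active"; rc=1; }
  done
  return $rc
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
if audit "$SAMPLES"; then echo "all hardened"; else echo "weak settings found"; fi
rm -rf "$SAMPLES"
```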

Re: Wrawrat
by Bascule on Sun 6th Jul 2003 18:01 UTC

Who do you blame for Nimda and the SQL Slammer worm: Microsoft or the lazy sysadmins?

I would say Microsoft deserves the brunt of the blame for the SQL Slammer worm.

I blame the sysadmins because Microsoft fixed these holes about 6 months before each worm.

And then released subsequent patches which rendered systems vulnerable again.

It's not their fault if some improvised sysadmins didn't use their patches.

It is their fault if their patches are also the source of security problems. Perhaps you "forgot" the enormous controversy surrounding Microsoft's patching system following the SQL Slammer worm.

Re: Question by Dekkard
by Anonymous on Mon 7th Jul 2003 03:25 UTC

Question
By Dekkard (IP: ---.cm128.alnpa.supercable.es) - Posted on 2003-07-04 19:01:13
Is this bug remotely exploitable?

Yeah, just call up the mark and tell them what keys to press.