Anonymous reports indicate that Apple will be releasing a Security Update for Mac OS X on July 14th. The update will address "a potential vulnerability when a password is required upon waking from the Screen Effects feature, which could allow an unauthorized user access to the desktop of the logged in user."

The bug was reported on July 4th (http://lists.netsys.com/pipermail/full-disclosure/2003-July/010910.html).

just go into screensaver password protected mode and type in a word of sufficiant lenght ( i think about 5000 chars)
Screensaver will crash and exposte the Desktop. No big deal if you work in an protective environment.

no it s like 1300 chars..
but as copy paste isn t working : happy typing.
btw
the update is aviable for the devels.

It's about time Apple addressed this. Security flaws are for PCs.

actually it's 2048 characters. Apparently it's a problem with any Cocoa app, but I'm not sure cause I'm not at a Mac right now. If you type >2048 characters into your password box and hit enter, the screen saver should crash and take you to the desktop.

Hopefully it's another potential problem as well.

One of where if you have it set to computer name (I think it does it in others also, but I have only had it done in Computer name and in flurry) where if you click outside the dialog box, and drag, you move the "screen." Basically, it moves the image that was the screen saver aside, and you can then access the desktop.

Very bizarre problem.

I just hope this is to fix all cocoa apps on your system, not just the screen saver issue. Otherwise, there's a pretty big (and simple) hole to go through into someones system.

Using the emacs shortcuts ctrl-K and ctrl-Y you can fill up the password field with enough characters to crash the screensaver in a very short period of time. I saw this on Slashdot a couple of days ago.

It's unix that is the problem with this bug, my password is over 8 characters long, (10). I once typed in the last 2 digits wrong and it let me log in anyway. Apple know about this but it isn't really full knowledge or whatever, I had to ask some techie @ the mac expo last september (yep - UK). This is also a pain as the keychain doesn't unlock, so you have to type in the propper password anyway!

Originally posted by maradong
no it s like 1300 chars..
but as copy paste isn t working : happy typing.
btw
the update is aviable for the devels.

Ahhh, but emacs-style kill/yank (ctrl-k, ctrl-y) apparently works, making the crash job about a 30-second exercise ...

Originally posted by aptenergy
actually it's 2048 characters. Apparently it's a problem with any Cocoa app, but I'm not sure cause I'm not at a Mac right now. If you type >2048 characters into your password box and hit enter, the screen saver should crash and take you to the desktop.

Yes, any app which uses the Cocoa text field will crash if you put in too many characters.

Originally posted by bograt
It's unix that is the problem with this bug, my password is over 8 characters long, (10). I once typed in the last 2 digits wrong and it let me log in anyway. Apple know about this but it isn't really full knowledge or whatever, I had to ask some techie @ the mac expo last september (yep - UK). This is also a pain as the keychain doesn't unlock, so you have to type in the propper password anyway!

Yes, Apple tends to only validate the first 8 characters of your password.

Used to be that OS 9 would only allow you to enter 8 chars in a password field ... so if you had, say, a Netware server with a 9-char password you were SOL ... I prefer the current approach, although obviously validating all characters in a password would be better :)

Ohh I'm glad they're soting this out...hopefully none of my PC friends will hear about this.

Hopefully they will also read this thread, so post your security holes!

AppleMatt

I could've sworn that Apple addressed the UNIX limitation of 8 char passwords way back in the 10.1 days... one of the 10.1.x updates. It is generally recoginzed as a UNIX flaw, in that only the first 8 characters are used. But we're talking about Apple... I thought they updated that! I'm gonna go make a new user and see if it works.

Originally posted by bobindashadows
I could've sworn that Apple addressed the UNIX limitation of 8 char passwords way back in the 10.1 days... one of the 10.1.x updates. It is generally recoginzed as a UNIX flaw, in that only the first 8 characters are used. But we're talking about Apple... I thought they updated that! I'm gonna go make a new user and see if it works.

Nope it happened to me within a month of today with Jaguar.6

BTW what will happen when it reaches 11? Might they start naming them like Porsche call it Jaguar 911 Turbo and have 3 of them? Or name them after flowers? Gawd knows!

A couple times, I've opened my PowerBook, seen the pasword screen, and before i could start typing, the screen flashed between the creen-saver and the desktop a couple times, then let me in to the system. It hasn't happened enough for me to understand what might be involved, but it certainly was annoying that my security bypassed itself, with no help from me.

I'm pretty sure I heard that in Panther the security is truly system-level and not part of the Screen Effects anymore. So I get the impression that Apple is re-doing this feature entirely. Good thing too.

Originally posted by bograt
It's unix that is the problem with this bug, my password is over 8 characters long, (10). I once typed in the last 2 digits wrong and it let me log in anyway. Apple know about this but it isn't really full knowledge or whatever, I had to ask some techie @ the mac expo last september (yep - UK). This is also a pain as the keychain doesn't unlock, so you have to type in the propper password anyway!

The Problem is that the shadow system of unix doesn't recocnize more than 8 characters. you can find it on all linux systems alike. Unix is not better there.

Now, as apple introduced the keychain, wich can probably hold more than 8 chars in a pwd, the 2 systems are somewhat incompatible i guess.

hmm

It worked... took forever, but after it went to the finder it quickly went back to the screen effects. and my mouse was not in a hot corner.

Originally posted by visor
The Problem is that the shadow system of unix doesn't recocnize more than 8 characters. you can find it on all linux systems alike. Unix is not better there.

Now, as apple introduced the keychain, wich can probably hold more than 8 chars in a pwd, the 2 systems are somewhat incompatible i guess.

hmm

That's only partially correct. The DES hashing algorithm only looks at the first 8 characters, and was traditionally used on Unixes.

But for a couple of years now, Linux and other unixes have switched to MD5, which looks allot further than the first 8. (255 characters?)

Apple even has support for MD5, but for some reason doesn't switches it on by default.

Apple is extremely bad in this department. DES and non-shadowed password. Filevault will be pretty much useless until they fix this..

Anyone have Panther installed? Look in System Prefs. I'm pretty sure the password is no longer under Screen Effects (which itself is renamed, IIRC). Does it seem different?

I think hearing of a potential security hole on 07/04 and posting the fix on 07/14 is not so bad. Ten days...

Two bugs I've seen:

1. Sometimes (about 1 in 10, mainly on slower Macs) the actual display that should be hidden appears for a moment, and THEN the screen re-blanks and demands a password. So an intruder can't use the computer, but they might get a brief look at the locked screen. Hopefully you have no trade secrets displayed in large type :)

2. Folding@Home lets you in even if you type the WRONG password! Clearly a badly written screensaver is able to accidentally bypass the security in the OS's screensaver engine.

Originally posted by Toe
Anyone have Panther installed? Look in System Prefs. I'm pretty sure the password is no longer under Screen Effects (which itself is renamed, IIRC). Does it seem different?

Yep, no password option. I'm gonna see if it's been moved to another panel. They've also removed activation corners! No!

It's now called "Desktop & Screen Saver"

AppleMatt

Originally posted by Vonnie


Apple is extremely bad in this department. DES and non-shadowed password. Filevault will be pretty much useless until they fix this.. [/B]

Does AES look last the first 8 chars?

Is AES faster than MD5?

Oh - and I don't know about you, but mine is definitely shadowed. I don't know a lot in this department, but /etc/passwd has no hashes in it, just the characteristic *s.

Originally posted by AppleMatt
Yep, no password option. I'm gonna see if it's been moved to another panel. They've also removed activation corners! No! I guess the activation corners are now used by Expose (a price I'm willing to pay!). Maybe the Expose CP has some sort of option to let a corner do the screen saver instead? Afterall, Expose can also be activated from F-keys....

http://www.apple.com/macosx/panther/expose.html

Originally posted by Toe
I guess the activation corners are now used by Expose (a price I'm willing to pay!). Maybe the Expose CP has some sort of option to let a corner do the screen saver instead? Afterall, Expose can also be activated from F-keys....

http://www.apple.com/macosx/panther/expose.html

Yes they are and no it doesn't.

It wouldn't be hard to allow both to have activation corners, should you select the same one for both, a message similar to the "display sleep before screen saver" message could be displayed. In fact, you could have them all, as there are 3 expose effects, and one screen saver....

AppleMatt

Originally posted by Toe
Anyone have Panther installed? Look in System Prefs. I'm pretty sure the password is no longer under Screen Effects (which itself is renamed, IIRC). Does it seem different?

WIth Panther there is no configuration setting for the password under "Desktop & Screensaver".

To have Panther prompt for a password for the screensaver, go to Security and then check "Require a password to wake this computer"

Exposé has two dimmed out menu items for each corner "Disable Screensaver" and "Start Screensaver". My guess is that the ability to do screen corners for the screensaver instead of Exposé just hasn't been implemented yet.

"That would never happen on Linukth! Linukth ith bulletproof!!"

And yes, I happen to like his show, but I think his cohost could show more cleavage if she's not going to show more talent :eek:

:D

Typing in a bunch of characters, then select and do a contol-k and then just hold down control-y. it takes about 5 seconds to get in.. CompUsa here I come.. hehee

In Panther inside the Desktop and Screen Saver control panel there is also an option for "Active screen corners" but it seems to be always greyed out. Seems like they are still implenmenting it.

The way I have the screen saver coming on for now, is through the Keychain Menu bar status icon which now has a couple of more features then in Jaguar.