
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,474
30,693
Anonymous reports indicate that Apple will be releasing a Security Update for Mac OS X on July 14th. The update will address "a potential vulnerability when a password is required upon waking from the Screen Effects feature, which could allow an unauthorized user access to the desktop of the logged in user."

The bug was reported on July 4th.
 

visor

macrumors 6502
May 13, 2003
341
0
in bed
Typical memory overflow

Just go into screensaver password-protected mode and type in a word of sufficient length (I think about 5000 chars).
Screensaver will crash and expose the Desktop. No big deal if you work in a protective environment.
 

maradong

macrumors 65816
Mar 7, 2003
1,058
0
Luxembourg
No, it's like 1300 chars..
but as copy-paste isn't working: happy typing.
BTW
the update is available for the devels.
 

aptenergy

macrumors newbie
Jun 17, 2003
20
1
2048

actually it's 2048 characters. Apparently it's a problem with any Cocoa app, but I'm not sure cause I'm not at a Mac right now. If you type >2048 characters into your password box and hit enter, the screen saver should crash and take you to the desktop.
 

GPTurismo

macrumors 6502
May 4, 2001
275
1
Montgomery, AL USA
Hopefully it's another potential problem as well.

One where, if you have it set to Computer Name (I think it does it in others also, but I have only had it done in Computer Name and in Flurry), and you click outside the dialog box and drag, you move the "screen." Basically, it moves the image that was the screen saver aside, and you can then access the desktop.

Very bizarre problem.
 

dialectro

macrumors newbie
Jun 13, 2003
16
0
Boulder, CO
I just hope this is to fix all Cocoa apps on your system, not just the screen saver issue. Otherwise, there's a pretty big (and simple) hole to go through into someone's system.
 

SumDumGuy

macrumors regular
Jun 17, 2002
122
0
Loserville
Using the emacs shortcuts ctrl-K and ctrl-Y you can fill up the password field with enough characters to crash the screensaver in a very short period of time. I saw this on Slashdot a couple of days ago.
 

bograt

macrumors member
Apr 8, 2003
49
0
UK
Similar bug with log-in

It's Unix that is the problem with this bug, my password is over 8 characters long (10). I once typed in the last 2 digits wrong and it let me log in anyway. Apple know about this but it isn't really full knowledge or whatever, I had to ask some techie at the Mac Expo last September (yep - UK). This is also a pain as the keychain doesn't unlock, so you have to type in the proper password anyway!
 

jettredmont

macrumors 68030
Jul 25, 2002
2,731
328
Originally posted by maradong
No, it's like 1300 chars..
but as copy-paste isn't working: happy typing.
BTW
the update is available for the devels.

Ahhh, but emacs-style kill/yank (ctrl-k, ctrl-y) apparently works, making the crash job about a 30-second exercise ...
 

jettredmont

macrumors 68030
Jul 25, 2002
2,731
328
Re: 2048

Originally posted by aptenergy
actually it's 2048 characters. Apparently it's a problem with any Cocoa app, but I'm not sure cause I'm not at a Mac right now. If you type >2048 characters into your password box and hit enter, the screen saver should crash and take you to the desktop.

Yes, any app which uses the Cocoa text field will crash if you put in too many characters.
 

jettredmont

macrumors 68030
Jul 25, 2002
2,731
328
Re: Similar bug with log-in

Originally posted by bograt
It's Unix that is the problem with this bug, my password is over 8 characters long (10). I once typed in the last 2 digits wrong and it let me log in anyway. Apple know about this but it isn't really full knowledge or whatever, I had to ask some techie at the Mac Expo last September (yep - UK). This is also a pain as the keychain doesn't unlock, so you have to type in the proper password anyway!

Yes, Apple tends to only validate the first 8 characters of your password.

Used to be that OS 9 would only allow you to enter 8 chars in a password field ... so if you had, say, a Netware server with a 9-char password you were SOL ... I prefer the current approach, although obviously validating all characters in a password would be better :)
 

AppleMatt

macrumors 68000
Mar 17, 2003
1,784
25
UK
Ohh I'm glad they're sorting this out...hopefully none of my PC friends will hear about this.

Hopefully they will also read this thread, so post your security holes!

AppleMatt
 

bobindashadows

macrumors 6502
Mar 16, 2002
419
0
I could've sworn....

I could've sworn that Apple addressed the UNIX limitation of 8 char passwords way back in the 10.1 days... one of the 10.1.x updates. It is generally recognized as a UNIX flaw, in that only the first 8 characters are used. But we're talking about Apple... I thought they updated that! I'm gonna go make a new user and see if it works.
 

bograt

macrumors member
Apr 8, 2003
49
0
UK
Re: I could've sworn....

Originally posted by bobindashadows
I could've sworn that Apple addressed the UNIX limitation of 8 char passwords way back in the 10.1 days... one of the 10.1.x updates. It is generally recognized as a UNIX flaw, in that only the first 8 characters are used. But we're talking about Apple... I thought they updated that! I'm gonna go make a new user and see if it works.

Nope it happened to me within a month of today with Jaguar.6

BTW what will happen when it reaches 11? Might they start naming them like Porsche call it Jaguar 911 Turbo and have 3 of them? Or name them after flowers? Gawd knows!
 

Toe

macrumors 65816
Mar 25, 2002
1,101
2
A couple times, I've opened my PowerBook, seen the password screen, and before I could start typing, the screen flashed between the screen-saver and the desktop a couple times, then let me in to the system. It hasn't happened enough for me to understand what might be involved, but it certainly was annoying that my security bypassed itself, with no help from me.

I'm pretty sure I heard that in Panther the security is truly system-level and not part of the Screen Effects anymore. So I get the impression that Apple is re-doing this feature entirely. Good thing too.
 

visor

macrumors 6502
May 13, 2003
341
0
in bed
Re: Similar bug with log-in

Originally posted by bograt
It's Unix that is the problem with this bug, my password is over 8 characters long (10). I once typed in the last 2 digits wrong and it let me log in anyway. Apple know about this but it isn't really full knowledge or whatever, I had to ask some techie at the Mac Expo last September (yep - UK). This is also a pain as the keychain doesn't unlock, so you have to type in the proper password anyway!

The problem is that the shadow system of Unix doesn't recognize more than 8 characters. You can find it on all Linux systems alike. Unix is not better there.

Now, as Apple introduced the keychain, which can probably hold more than 8 chars in a pwd, the 2 systems are somewhat incompatible I guess.

hmm
 

noverflow

macrumors regular
Jul 4, 2002
188
0
tried it

It worked... took forever, but after it went to the Finder it quickly went back to the Screen Effects. And my mouse was not in a hot corner.
 

Vonnie

macrumors regular
Apr 13, 2003
138
0
Re: Re: Similar bug with log-in

Originally posted by visor
The problem is that the shadow system of Unix doesn't recognize more than 8 characters. You can find it on all Linux systems alike. Unix is not better there.

Now, as Apple introduced the keychain, which can probably hold more than 8 chars in a pwd, the 2 systems are somewhat incompatible I guess.

hmm

That's only partially correct. The DES hashing algorithm only looks at the first 8 characters, and was traditionally used on Unixes.

But for a couple of years now, Linux and other Unixes have switched to MD5, which looks a lot further than the first 8. (255 characters?)

Apple even has support for MD5, but for some reason doesn't switch it on by default.

Apple is extremely bad in this department. DES and non-shadowed password. FileVault will be pretty much useless until they fix this..
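
The 8-character truncation discussed in the posts above, as an added example that is not part of the thread: it rebuilds the key step of traditional DES `crypt(3)` (low 7 bits of the first 8 bytes) to show why a 10-character password with the last two characters wrong still matches, then flags legacy 13-character DES hashes in passwd-style lines. The sample entries, the passwd-style layout and the SHA-256 stand-in for a full-input scheme are assumptions made for the illustration.

```python
import hashlib
import re

def des_crypt_key(password: bytes) -> bytes:
    """Key material as traditional crypt(3) derives it: the low 7 bits of
    each of the first 8 bytes, shifted past the ignored parity bit."""
    first8 = password[:8].ljust(8, b"\0")   # bytes 9 and later are never read
    return bytes((b & 0x7F) << 1 for b in first8)

def same_under_des(a: bytes, b: bytes) -> bool:
    """True if DES crypt cannot tell the two passwords apart (same salt)."""
    return des_crypt_key(a) == des_crypt_key(b)

def same_under_full_hash(a: bytes, b: bytes) -> bool:
    """Stand-in for any scheme that hashes the whole input, e.g. MD5-crypt."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()

# Traditional DES crypt output: 2 salt chars + 11 hash chars from this alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def hash_scheme(field: str) -> str:
    """Classify the password field of a passwd/shadow-style entry."""
    if field.startswith("$1$"):
        return "md5-crypt"
    if field.startswith("$"):
        return "other-modular"
    if DES_RE.match(field):
        return "des-crypt"
    return "locked-or-empty"

def audit(lines):
    """Return the user names whose hash is legacy DES crypt."""
    return [l.split(":")[0] for l in lines
            if hash_scheme(l.split(":")[1]) == "des-crypt"]

# Constructed sample entries; the hash fields are placeholders, not real hashes.
SAMPLE = [
    "alice:abXXXXXXXXXXX:501:20::/Users/alice:/bin/sh",
    "bob:$1$saltsalt$XXXXXXXXXXXXXXXXXXXXXX:502:20::/Users/bob:/bin/sh",
    "daemon:*:1:1::/var/root:/usr/bin/false",
]

if __name__ == "__main__":
    print(same_under_des(b"password12", b"password99"))        # True
    print(same_under_full_hash(b"password12", b"password99"))  # False
    print(audit(SAMPLE))                                       # ['alice']
```
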
 

Toe

macrumors 65816
Mar 25, 2002
1,101
2
Anyone have Panther installed? Look in System Prefs. I'm pretty sure the password is no longer under Screen Effects (which itself is renamed, IIRC). Does it seem different?
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
I've seen 2 bugs

Two bugs I've seen:

1. Sometimes (about 1 in 10, mainly on slower Macs) the actual display that should be hidden appears for a moment, and THEN the screen re-blanks and demands a password. So an intruder can't use the computer, but they might get a brief look at the locked screen. Hopefully you have no trade secrets displayed in large type :)

2. Folding@Home lets you in even if you type the WRONG password! Clearly a badly written screensaver is able to accidentally bypass the security in the OS's screensaver engine.
 

AppleMatt

macrumors 68000
Mar 17, 2003
1,784
25
UK
Originally posted by Toe
Anyone have Panther installed? Look in System Prefs. I'm pretty sure the password is no longer under Screen Effects (which itself is renamed, IIRC). Does it seem different?

Yep, no password option. I'm gonna see if it's been moved to another panel. They've also removed activation corners! No!

It's now called "Desktop & Screen Saver"

AppleMatt
 

bobindashadows

macrumors 6502
Mar 16, 2002
419
0
Re: Re: Re: Similar bug with log-in

Originally posted by Vonnie


Apple is extremely bad in this department. DES and non-shadowed password. FileVault will be pretty much useless until they fix this..

Does AES look past the first 8 chars?

Is AES faster than MD5?

Oh - and I don't know about you, but mine is definitely shadowed. I don't know a lot in this department, but /etc/passwd has no hashes in it, just the characteristic *s.
 

Toe

macrumors 65816
Mar 25, 2002
1,101
2
Originally posted by AppleMatt
Yep, no password option. I'm gonna see if it's been moved to another panel. They've also removed activation corners! No!

I guess the activation corners are now used by Expose (a price I'm willing to pay!). Maybe the Expose CP has some sort of option to let a corner do the screen saver instead? After all, Expose can also be activated from F-keys....

http://www.apple.com/macosx/panther/expose.html
 