Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14)

[mns <mns () mnslab com>]

On Wednesday, July 30, 2003, at 04:56  PM, Patrick Haruksteiner wrote:

> On Wednesday, July 30, 2003, at 10:07 h, Doug White wrote:
> > On Tue, 29 Jul 2003, Patrick Haruksteiner wrote:
> >
> > > I discoverd another security issue with the Mac OS X screensaver.
> > > If you have installed escapepod from Ambrosia Software and hit
> > > crtl-alt-delete(==backspace) when the screensaver with password
> > > protection is running, it kills the screensaver and the desktop is
> > > open to anybody - so it has the same effect as the recently
> > > emerged password-exploit.
> >
> > This is not a bug in Apple software. This is a third party extension.
> >
> > Ambrosia's Escape Pod is a utility that kills the frontmost app when 
> > the
> > shortcut keystroke is typed. Naturally it does not ship with MacOS X.
> >
> > Since the screen saver is just another application (called
> > ScreenSaverEngine), if you hit the kill key when its running, it gets
> > killed.  Fancy that!
>
> I know that! But it should be the concern of the OS that you cannot 
> circumvent its security system with the help of other applications!

I agree with Doug White in the assessment that this is, in fact, an 
issue
that is the responsibility of Ambrosia, if it is to be considered a 
security
issue at all. Apple cannot be held responsible for the code of third 
party
developers.

I downplay the definition of this as a security issue at all because 
there are
so many immediate workarounds. One is not running or installing Escape 
Pod
in the first place. Another is simply logging out when you leave your 
workstation,
rather than relying on ScreenSaverEngine for your security. Bottom line,
there are more direct and more threatening exploits that are available 
to
people who happen upon an OS X machine unattended. Allow me to describe
a couple of them:

	1) If a user finds a machine unattended, whether running 
ScreenSaverEngine
	or not, and regardless of the presence of Escape Pod on said machine, 
the
	machine can be booted from an OS X installation CDROM, at which point 
the
	"Reset Password" option can be used to change root access to the 
machine,
	which allows the user to log in as root, then change the password for 
any account,
	including whatever account was initially running ScreenSaverEngine. 
Data can
        then be removed or overwritten at said user's discretion.

	2) If an unattended machine is discovered, it can also be powered 
down, and
	carried off, physically, without regard to the presence of 
ScreenSaverEngine
        or Escape Pod.

Do these constitute security threats or exploits that are Apple's 
responsibility
to protect against? Of course not. Both are common sense examples of 
how many
security measures can be circumvented using simple, direct techniques. 
Neither
implies that anyone at Apple should be recoding the operating system, 
or any of
it's underlying core technologies in order to prevent them from being 
used.

Beispiel: If the rightful user/administrator of any given OS X machine 
were to install
the following shell script, how would it be Apple's responsibility to 
prevent this?

#!/bin/sh
while true
do
        killall ScreenSaverEngine
        sleep 60
done


-
m a t t h e w  n .  s h a r p
mns(at)mnslab.com