Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14)

From: "Fred Noltie" <noltie () airmail net>
Date: Thu, 31 Jul 2003 15:53:14 -0500
From: "Brian Eckman" <eckman () umn edu>


If someone were to find a way to bind to those hotkeys, would you
then consider this a security issue with Windows? If so, how is
Apple's failure to block kill calls to the screen saver not a
security issue?

Gavin



Windows does allow others to bind to those hotkeys. The Novell client

is

a good example. The Novell NDS password can be used to unlock the

screen

saver, without requiring the Windows password to be entered. Obviously
other programs could bypass the Windows authentication as well.



It's been a few years and things may have changed, but in the past
Novell accomplished this by replacing the standard msgina.dll with one
of their own making. Microsoft provides information on how to do this
sort of thing:

http://support.microsoft.com/default.aspx?scid=kb;en-us;810756

FWIW, there is even a GNU replacement (well, for NT, anyway):

http://wwwthep.physik.uni-mainz.de/~frink/newgina_pre09/readme.html

It seems to me, though, that if the admin replaces Microsoft's GINA, he
can't complain about how (or whether) the replacement traps
Ctrl+Alt+Del. I don't think (though I may be mistaken) that there's a
way to trap those hotkeys when Microsoft's msgina.dll is in place and
working properly.

Regards,

Fred Noltie
Previous By Date Next
Previous By Thread Next

Current thread: