Security Update Fixes the Screen Effects Hole

jellomizer writes "Here is is. Available from Software Update. 'Security Update 2003-07-14 addresses a potential vulnerability when a password is required upon waking from the Screen Effects feature, which could allow an unauthorized user access to the desktop of the logged in user.' Now we can use our screen savers with the warm and fuzzy secure feeling."

went witout a hitch

[poil11]

i just hope that one day updates won't require a restart.

Re:went witout a hitch

[qengho]

i just hope that one day updates won't require a restart.

Ain't it annoying? How the hell am I going to get my uptime past 30 days or so if I keep having to restart because of patches? Curse you, Apple, for fixing things on a regular basis!!

Re:went witout a hitch

[Acrimonious Coward]

For and update to an application library (Cocoa in this case), you don't really need to restart, you just need to quit all Cococa apps, this includes the Login Window. To accomplish this, do the following:

1. download and install the patch. 2. log out, if you can. 3. type ">console" or maybe even ">exit" in the user name field of the login window. 4. once in the console, I believe a ctl-D will restart the login window.

Re:went witout a hitch

[babbage]

Yeah, but at that point you've gone so much of the way to bringing the system all the way down that you might as well just do the full reboot. You've just described 80% or so of the things that happen in the logout, shutdown, restart, log back in cycle. Unless you just can't have any service disruption in non-GUI software running on your Mac (Apache, MySQL, etc that other machines may be using), then what's the point in saving that 15 seconds & losing state in all your apps anyway? And if you are running services that can't be disrupted, why are you running them on a desktop platform?

Re:went witout a hitch

[andreMA]

Yep, you said it yourself: keeping apache et al running. And other servers; I happen to run several instances of TinyMUSH 3.1 on my aging 500MHz dual. It's helpful for them to not rely on proper handling of signals to "shit! I better checkpoint!" - let alone the inconveninece my users would suffer from an actual reboot.

So... some folks do have a lot more to worry about than the GUI. Sure, I could just run Darwin, but I do a small amount of stuff that requires a GUI too.

Re:went witout a hitch

[Anonymous Coward]

And if you are running services that can't be disrupted, why are you running them on a desktop platform?

Simple answer: Because I can.

Re:went witout a hitch

[morcheeba]

Just switch to PPC Linux 2.5.75, where you can get 30 years of uptime [iu.edu]. And some people complain about this like it's a bad thing!!

Re:went witout a hitch

[Alan Partridge]

30 years of uptime? Eh? Can you explain to me how this is KNOWN when the PPC platform hasn't existed yet for 30 years?

Re:went witout a hitch

[Alan Partridge]

oh, I see

Re:went witout a hitch

[morcheeba]

wow, harsh. just to be clear, that was not me posting as an AC.

Re:went witout a hitch

[whee]

This updates a system framework, which is likely in use by multiple, running, applications. The safest way to ensure everything is operating as it should is to require a restart. Had this been an update of something else, like a user-level application or daemon, then the restart would not have been required.

You have to remember that this is an operating system for the masses and their desktops. I'm sure this update could've not required a restart, but what if something went wrong? Would your grandmother know how to make sure the current version of a shared library is loaded for her applications?

Re:went witout a hitch

[Anonymous Coward]

Not only is this a desktop for the masses thing, but it makes sense with the servers I build too. I've had enough of installing services on the University servers here and leaving machines up, then coming across a small (but significant) problem when rebooting the machine 2 months later, and needing to go back through just what changed since the last reboot to even remember what may need fixing.

When installing a new daemon it may run quite well initially, but until it's started up through the normal boot

Re:went witout a hitch

[47Ronin]

Noone's forcing you to restart. I just opened up the Mac's Terminal.app and:

% sudo softwareupdate SecurityUpd2003-07-14-1.0

[wait for install to finish]

Installing "Security Update 2003-07-14"... 98% 98% 99% 99% 99% 99% done.

You have installed one or more updates that requires that you restart your
computer. Please restart immediately. ...After that I just closed the Terminal. I keep on working and at the end of the day, if I feel like restarting I will. I will also upgrade my OSX webserver this way, and probably never restart it until a real major upgrade occurs.

Re:went witout a hitch

[babbage]

In which case, the unpatched version is resident in memory, and the patched version is sitting idle on your disc. What's the point of that? When you're ready to apply the patch (which, apparently, isn't right now), then just let the thing reboot & get the clean slate.

That is not true. No reboot is required.

[FunkyMarcus]

The updated Security.framework will be loaded by ScreenSaverEngine.app the next time it runs - in other words, the next time the screen saver activates.

Have you tried it? I have. No reboot, and no more crashing screen saver.

Anything that is already running retains the old version of Security.framework until it's started again, but ScreenSaverEngine.app and loginwindow are both immune. There may be other (unrealized? unreported?) exploits that the update fixes that require a logout or reboot, but to fix

Re:That is not true. No reboot is required.

[babbage]

As long as you're cool with the possibility / liklihood that you've only fixed part of the problem, that's fine. I'm just saying that, personally, I can afford to let the machine be down for the 90 seconds it would take to reboot, and doing so would give me the peace of mind that the problem is actually fixed. Doing it halfway is the approach that seems silly to me :-)

Re:went witout a hitch

[momerath2003]

As an alternative, you can just force-quit Software Update after it presents the sheet confirming whether you want to restart or shut down.

Re:went witout a hitch

[andreMA]

I think Babbage is correct here, in that you gain no benefit from the update until rebooting.

But if you feel as I do that the bug this update addresses is trivial, skipping the eboot makes sense. Install it and forget it, then simply let it take effect when you next need to reboot. Or wait; it's up to you.

Maybe better to wait; sometimes the damndest things... happen.

Re:went witout a hitch

[hankster164]

i can still click+select+drag the screensaver over and click on desktop items. i can even launch apps, including terminal.app. All the while the "please enter screensaver password" window hovers about. This update is weak. There still remains a vulnerability.

Re:went witout a hitch

[andreMA]

That's doubleplus ungood. I assumes that you're able to interatct with the terminal session so launched, as the user who was logged in?

I'm not being sarcastic here... but have you complained yet to Apple? I know that the person who disclosed the original problem (the buffer overflow in the password feild, was it?) expresssed dismay that Apple hadn't responded to him. But here we are two weeks after the public disclosure and there's at least a partial fix for what (forgive me) is a slight problem that requir

Re:went witout a hitch

[capmilk]

Did you reboot after the update? I did, and I can't do anything on my desktop without entering the screen saver password.

Re:went witout a hitch

[hankster164]

Ive rebooted twice since installing the update. There still remains a vulnerability.I can click+drg the screensaver aside and access desktop items including entering the file browser and navigating to and launching any app i want as the user who owns the screensaver password. Could my update install have failed?. When i installed it there was no indication of it at all

Re:went witout a hitch

[hankster164]

oh...forgot to mention that im using Apple's default "Computer Name" screensaver.

Re:went witout a hitch

[eobiont]

I just hope that one day updaytes won't disable CUPS printing.

Them Apple Switchers

[inertia187]

About them Apple Switchers,
ain't they well informed
goin' to and frow,
switchn' they platform.
Them banjo pickin' Apple Switchers,
see how much they spent?
They switch to stop blue screens of death
or just to Think Different.
Look at all those Apple Switchers,
hey they even chicks!
Some just switch to make a point,
some just for the kicks.
How to be an Apple Switcher,
if you want to know?
Take a trip to Apple's store
and pony up the dough.

Yee and/or Haw as needed

[macguiguru]

GRIN. I'm gonna start eefin any second.

W h e r e . . .

[dlosey]

is is? I cannot seem to find "is". I feel so lost!

Sure can tell its Monday afternoon - editors are still recovering from the weekend

Could pudge or jellomizer please post a hyperlink? Thanks!

Re:W h e r e . . .

[inertia187]

Maybe it all depends on what your definition of the word is is.

Does this fix the problem globally?

[commodoresloat]

It's unclear from the docs whether this fixes just the problem of the screensaver dumping you back into a session without the password, or whether this addresses the buffer overflow that could cause other applications to crash, including the login window.

It appears to

[jnetsurfer]

After updating, I tried to crash a few other apps using the "leave an object on the keyboard" method, and the text boxes simply stopped accepting input after a certain amount of time.

Re:It appears to

[__aafkqj3628]

In which case, Apple should have named this patch as a patch to Cocoa itself instead of simply the screensaver.

Trying to reduce the public's perception of the problem are we Apple?
Just think, a Cocoa buffer overflow still isn't as bad as Windows' shatter attacks.

Re:It appears to

[gnuadam]

I'm not convinced there was ever a general cocoa problem.

Obviously, there was the screensaver bug, and I reproduced that myself.

Other people mentioned a problem with the login window. I've noticed before if I type an incorrect password it drops to a text-console. This is what people observed when trying to overflow the login window. It's certainly not an exploit.

I tried overflowing text fields in safari and mail, without incident.

If someone really found another app that was affected as the screensaver was, I'd really like to hear about it.

Unless someone does, I'll give apple the benefit of the doubt. They fixed the problem, no harm no foul.

Re:It appears to

[__aafkqj3628]

I couldn't even get the screensaver to crash, I'm just reporting what I've heard other people say.
The bug seemed to be only on specific versions of Darwin/OS X and was a bit strange even then.
Either way, at least one potential bug is crushed.

Re:It appears to

[gnuadam]

I agree that a buffer overflow in the login window would be bad. I've just seen no evidence that the login crashes are linked to a buffer overflow or are the same as the screensaver problem.

I've "crashed" the login screen by just entering the wrong password - not a buffer overflow, I'd not suspect.

The people who reported crashing the login window did the same thing...they entered an incorrect password. I don't think it's length had anything to do with the reported behavior. That's my only point.

You could crash Mail

[scruffyMark]

I tried it in Mail - went into prefs, add new account, and in one of the field, say server name, put about 3000 characters. Hit return, and watch Mail crash.

It's fixed now.

Re:Broke My iChat

[yugure]

Well, you seem to have had more luck than I did. Right now, iChat is acting rather oddly, with the windows for new messages resizing a moment after they appear. It almost looks like the system is acting slow and it's stuttering.

Since I don't use iChat often, I guess it really doesn't matter to me. Just hope no other apps have weird reactions, though.

Versions

[hackwrench]

Anybody have any idea what files this updates and what version it updates those files to?

Re:Versions

[qengho]

Anybody have any idea what files this updates and what version it updates those files to?

This is what the package contains. I haven't installed it, so I don't know what the new versions are.

Listing files for Security Update 2003-07-14
./System/Library/Frameworks/Security.framework/Ver sions/A/Resources/Info.plist
./System/Library/Frameworks/Security.framework/Ver sions/A/Resources/version.plist
./System/Library/Frameworks/Security.framework/Ver sions/A/Security

Re:Versions

[norwoodites]

That means, it is just a new Security Framework see the benefit of shared libraries.

Re:Quick question here

[Anonymous Coward]

Can you prove conclusively that he hand-assembled it?

Didn't think so, asshole. Try again.

The task that hdparm performs can be performed and still have an interface that isn't nearly that cryptic. The interface can be optional, for those users who would prefer to impress their fellow virgins at their mastery of arcane commands.

The concept that the Linux crowd seems to have missed (but that Apple has embraced) is that you can have two ways of doing things:

1) The Easy Way.
2) The Hard Way.

The two need no

Re:Quick question here

[agent dero]

It's a sad day in troll history, when the troll accidentally compliments the OS in question.

Meanwhile, he seems to be from the future, with an Opteron which isn't availible yet, along with MacOS X 10.3 (Panther)


Athlon64 XP -3000+, wha?

Here's a reason this IS important

[jnetsurfer]

I know that you can gain access to my machine by rebooting and changing the root password. I know that you can get around the open-firmware protection. I know that a screen saver doesn't protect my hard drive from someone opening my machine and taking it... but I am still very thankful for this update. Why? Because I encrypt my entire home directory. (Via the method I mentioned [tumaz.com] here a while ago). So, the "lock screen" option is very important to me -- If you reboot my machine, my home directory is once again encrypted. So the Screen Saver password does have it's place.

Re:Here's a reason this IS important

[commodoresloat]

How long does it take to decrypt when you log in? This is a great idea, but I'm assuming you only use the encrypted user for certain limited tasks where security is paramount. For day to day operations, I wouldn't want to have to wait for my iTunes and iPhoto libraries, along with whatever crap I've downloaded to my download folder, to be decrypted every time I log in.

I don't notice a performance hit

[jnetsurfer]

I don't notice a performance hit while using the files in my home directory (I don't keep MP3s there however). You can monitor the amount of CPU that is being used decrypting files by checking the CPU usage of the 'hdid' process in top or the CPU monitor. But I encrypt my home directory (as you suggested) to protect my Library, financial records, my code, and the files for my business which I use all the time. My desktop (my download folder) is encrypted and I don't notice a performance hit while downloading. (I'm running a Dual 500 MHz machine, should you care)

Re:I don't notice a performance hit

[commodoresloat]

Interesting; about how much space does your home dir take up? After I posted I realized it's probably pretty easy to store mp3s and photos elsewhere; I would probably put my download folder on an unencrypted disk too. Thanks for the info!

FileVault?

[Capt_Troy]

How will FileVault effect your current encryption method? Will you switch to use FileVault when Panther comes out? What is your opinion of FV? And this is a great idea, you should get credit since Apple implemented this as well.

I should get credit!

[jnetsurfer]

I think I should get credit from Apple... especially as one of Apple's employees was posing back and forth with me here at /. when I posted my method. So they can't claim that they didn't know about my method!

As for whether or not I'll use FileVault, that remains to be seen... I have yet to get ahold of panther (since it's not been released yet) so I don't know if FileVault will suit my needs.

Re:I should get credit!

[Capt_Troy]

Well, from what I know about FileVault (from watching wwdc coverage) it simply encrypts your home directory when you log out, and unencrypts it when you log back in (I assume similar functionality exists when your box goes to sleep or screensaver or something). It sounds an aweful lot like your method. I would truly hope that Apple would recognize you for the idea (if they implemented it some other way) at least!

That was a feature I thought was really an innovative in Panther, one of those, "Why didn't I

Sounds almost like what I need...

[jnetsurfer]

It sounds very similar to my method, with one exception: my method leaves my home directory encrypted all the time, and decrypts "on-the-fly" as files are needed. This allows my files to stay secure... (although they may be written to a swapfile while being decrypted.) I would be worried that with FileVault, it would decrypt my entire home directory and it would be possible to prevent FileVault from re-encrypting it. (Like hard rebooting after my home dir was decrypted, for example)

As for my thinking of

For those preferring to not use SU

[blb]

Apple's page [apple.com] for the update, if you prefer to download manually.

Re:For those preferring to not use SU

[MachineShedFred]

Heh.

I prefer to use Software Update... ... but some clown requires authentication at our firewall. Apple doesn't believe in authenticated proxies, or in .pac autoconfiguration, so I'm screwed.

HTTP download it is.

Re:Please, why choose Mac?

[Anonymous Coward]

I don't want to start a holy war here, but what is the deal with you trolling losers? I've been sitting here at my cubicle reading slashdot for about 20 minutes now and again some pathetic AC has posted another variation on the parent troll. A pathetic AC. At home, where I also read slashdot, which by all standards should be the same as slashdot at work, the same troll will still appear in about 20 minutes. If that.

In addition, during reading the parent troll, I will not work. And everything else has groun

Problem?

[dissy]

I dont really see this as that much of a problem.

So instead you power cycle the laptop, hold down S durring boot to enter single user mode.
At this point you do technically have root, although without a GUI.

Change target accounts password, reboot, login.

If you have a password set in openfirmware to prevent single user mode boots, I have to zap the pram 3 times and the password is gone.

Granted this is a whole lot harder than breaking the screen saver, but still, any computer someone can get physical access to is not secure under any conditions.

Re:Problem?

[Anonymous Coward]

"If you have a password set in openfirmware to prevent single user mode boots, I have to zap the pram 3 times and the password is gone."

Yeah, but you can't do that via cmd-opt-P-R (or the OF command line) if there's an OF password set. You have to crack the case.

WM

Re:Problem?

[NaugaHunter]

What I got as a general consensus was effectively:
a) The possibility of this being used maliciously required physical access, and other physical methods rendered it near moot.
b) This point is hard to get across when the news report reads "Apple has security failure from locked screen savers", and therefore may as well be fixed.
c) Being a buffer problem in a shared library, it is possible that something else, either presently or in the future, would also become vulnerable. This is probably the best reason to fix it while the risk is still light.

It is a problem

[jnetsurfer]

Read my comment [slashdot.org] above. One thing (amongst others) that rebooting does is unmount any encrypted disks, requiring the user to enter the password again to remount them. Cracking my root password won't gain you access to the encrypted disks I had open before you rebooted my machine.

...and...

[djupedal]

There is also a fresh iDVD software update today as well. Rumored to fix the "I don' wanna!!!" message...something about multiplexing :)

No restart needed!!

Re:...and...

[feldsteins]

It also started allowing me to launch iDVD on my PB 867 even though it doesn't have a superdrive. This way I could still use the app for demo purposes, or even author a DVD and then transfer the project to a DVD-burning station via Firewire target disk mode or something. Very cool, though.

*yawn* gory details...

[andreMA]

http://www.info.apple.com/kbnum/n120232

The download file is named: "SecurityUpd2003-07-14.dmg

Its SHA-1 digest is: 210f4819b8559b590632cd62b4055a437b9a0267

restart

[dema]

Apple really needs to add a "Restart Later" option to SU. I can't count the number of time it's been incredibly inconvenient to restart so I've had to force quit SU.

Re:restart

[djward]

Just Hide it. Then it's out of the way but still in the Dock reminding you that you eventually should restart.

Re:restart

[mrgeometry]

Try using the "Save to desktop" command in Software Updater. It downloads the updater (unfortunately doesn't allow you to save it anywhere but the desktop, but you can move it after it's downloaded) so you can run it when it's more convenient.

As mentioned before, there's not much reason to run the updater if you're not going to reboot right away. Yeah, yeah, maybe sometimes there's some reason, but generally not.

Re:restart

[Polarcow]

There is a simple solution. Apple Menu->Force Quit... or Command-Shift-Esc.

Just like any other application, Software Update can be forced to quit. When it finishes writing out the update to disc and asks you to restart, just force quit Software Update and restart your computer when you're done with whatever you're busy with.

WAIT A MINUTE HERE (!)

[krray]

This is a [lame] local user access hack/exploit. No big deal. Why fix it? They should ignore the problem. If enough people complain then it's not a bug, it's a _feature_. Has the moon gone red?

Oh, wait, I stopped using Microsoft products. Sorry.

Print center now broken

[Haberdasher]

I don't know if it's related, but all the printers have disappeared from print center. When I tried to add it back, I got an error. Ideas?

WARNING : FLAME IN PROGRESS

[emo boy]

jellomizer writes "Here is is. Available..."

With that spelling you could write for the NY Times
.

Security Vulnerabilities?

[Fareq]

Funny,

nobody seems to be screaming that Apple is stupid and lazy. In fact, I see more Microsoft security bashing here that Apple security bashing.

But... isn't the error with Apple software?

So... why aren't you all screaming at the horrible evil that is Apple?

Not that I think Apple is either of those things, mind you. Or at least not in relation to this issue. I just think that the obscene amount of Microsoft bashing is 20% based on their problems and business practices, and 80% because of jealousy th

simple

[Scudsucker]

Apple has shown a resonable turn around time on fixing bugs, whereas Microsoft will procrastinate on fixing a vunerability, even after someone has turned it into a virus. That, and to Apple "security" doesn't mean pressuring programmers not to let anyone else but the company know of said vunerability. Finally, Microsoft is a features company while Apple is a *good* features company. By that, I mean Microsoft will throw new features into a product regardless of whether or not they are actually usefull (th

Re:Security Vulnerabilities?

[ITman75]

one of my friends is an A$$isntant Manager of a apple store. He bought one of the great G something or other with the 17" flat monitor. Well he was showing off his Mac and 10 times in 1/2 hour he had to keep cold shutdowns and restarts cuz it kept on crashing... Yeah PCs crash too, but at least with Micro$oft W2K there is no vulnability of someone coming up to it and getting in thru the screen saver.

Re:Security Vulnerabilities?

[c13v3rm0nk3y]

one of my friends is an A$$isntant Manager of a apple store. He bought one of the great G something or other with the 17" flat monitor. Well he was showing off his Mac and 10 times in 1/2 hour he had to keep cold shutdowns and restarts cuz it kept on crashing... Yeah PCs crash too, but at least with Micro$oft W2K there is no vulnability of someone coming up to it and getting in thru the screen saver.

... and then this one time, at band camp...