SecurityFocus posts note about Screen Effects security bug

CNET staff

SecurityFocus has posted a note about a flaw in Mac OS X Screen Effects that allows other applications (including Apple's own) to bypass password entry - an issue we covered back in January 2003 here on MacFixIt.

SecurityFocus writes "Screen Effects has been reported prone to a vulnerability where third party applications may allow a user to kill the Screen Effects process and thereby subvert desktop password protection."

In a January 30, 2003 MacFixIt report, we noted that if you have Full Keyboard Access turned on (available under the Keyboard pane in System Preferences), the Dock can be accessed "blind" from behind Screen Effects: you can't see the Dock, but some functions using it are still accessible.

Turning off Full Keyboard Access does not help, since you can enable it via the keyboard combination Shift-F1 while the screen saver is prompting for a password. With Full Keyboard Access you are also able to reboot the system, log off the current user and reach other items. It is possible to access System Preferences, and if the current user has admin privileges you might change the settings for the startup volume.

We also reported that while there is no fail-safe method for securing your Mac using Screen Effects, you can minimize the risk by using custom shortcuts for Full Keyboard Access and uncommon key combinations.

The SecurityFocus article mentions Ambrosia Software's EscapePod, a small utility that lets you terminate the frontmost application by hitting Control-Alt-Delete, terminate the Dock by hitting Shift-Control-Alt-Delete, or do a force-logout by hitting Command-Control-Alt-Delete. This has very much the same effect as accessing the Dock through Full Keyboard Access.

Feedback? Late-breakers@macfixit.com.
