Mac OS X SecurityAgent Lets Physically Local Users Bypass the Screen Saver Password Mechanism
SecurityTracker Alert ID: 1018951
SecurityTracker URL: http://securitytracker.com/id?1018951
CVE Reference: CVE-2007-4693
Date: Nov 15 2007
Impact: User access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Advisory: Apple Security Advisory
Version(s): 10.4 - 10.4.10
Description: A vulnerability was reported in Mac OS X. A physically local user may be able to bypass the screen saver authentication mechanism.
A physically local user may be able to send keystrokes to a process on the system that is running behind the screen saver authentication dialog.
Faisal N. Jawdat reported this vulnerability.
Impact: A physically local user may be able to bypass the screen saver authentication mechanism.
Solution: Apple has released a fix, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:
http://www.apple.com/support/downloads/
[Editor's note: This vulnerability only affects 10.4.x]
The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Mac OS X v10.4.11 or Security Update 2007-008.
For Mac OS X v10.4.10 (Intel)
The download file is named: "MacOSXUpd10.4.11Intel.dmg"
Its SHA-1 digest is: 4c9103699c7925cc0277cffce4c7419a9d469c31
For Mac OS X v10.4.4 (Intel) through v10.4.9 (Intel)
The download file is named: "MacOSXUpdCombo10.4.11Intel.dmg"
Its SHA-1 digest is: 9a869c44010996bcf1a645f5467dd1bc596924dd
For Mac OS X v10.4.10 (PowerPC)
The download file is named: "MacOSXUpd10.4.11PPC.dmg"
Its SHA-1 digest is: 132d354637604c63d28b57e57e74aed1b21c9894
For Mac OS X v10.4 (PowerPC) through v10.4.9 (PowerPC)
The download file is named: "MacOSXUpdCombo10.4.11PPC.dmg"
Its SHA-1 digest is: 3d403bfa769424c61a3cfac173f8527658f9d4af
For Mac OS X Server v10.4.10 (Universal)
The download file is named: "MacOSXServerUpd10.4.11Univ.dmg"
Its SHA-1 digest is: 37bf2f081d773756472205146a037d1c8c52d45e
For Mac OS X Server v10.4.7 through v10.4.9 (Universal)
The download file is named: "MacOSXSrvrCombo10.4.11Univ.dmg"
Its SHA-1 digest is: 94a87bb6f7c73b68c2a8654a5c2642d7c5e82d56
For Mac OS X Server v10.4.10 (PowerPC)
The download file is named: "MacOSXServerUpd10.4.11PPC.dmg"
Its SHA-1 digest is: 6dde722314da1eaf00f881f026cfe770044f6cda
For Mac OS X Server v10.4 through v10.4.9 (PowerPC)
The download file is named: "MacOSXSrvrCombo10.4.11PPC.dmg"
Its SHA-1 digest is: 3aeb0fae441957c7a831365ad5af1b79b0d87720
For Mac OS X v10.3.9
The download file is named: "SecUpd2007-008Pan.dmg"
Its SHA-1 digest is: 7049852014bb8d31fe8a3b2706e59c1e7d3aebcd
For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2007-008Pan.dmg"
Its SHA-1 digest is: d085bfc4bc59ca3c81495e9b7029381c3fa9b082
The Apple advisory is available at:
http://docs.info.apple.com/article.html?artnum=307041
Vendor URL: docs.info.apple.com/article.html?artnum=307041
Cause: Access control error, State error
Underlying OS: UNIX (Mac OS X)
Message History:
None.
Source Message Contents
Date: Thu, 15 Nov 2007 00:03:03 -0500
Subject: Mac OS X
Apple reported:
SecurityAgent
CVE-ID: CVE-2007-4693
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A person with physical access to a system may be able to
bypass the screen saver authentication dialog
Description: When waking a computer from sleep or screen saver, a
person with physical access may be able to send keystrokes to a
process running behind the screen saver authentication dialog. This
update addresses the issue through improved handling of keyboard
focus between secure text fields. Credit to Faisal N. Jawdat for
reporting this issue.