SecurityTracker.com
Category: OS (UNIX) > Mac OS X
Vendors: Apple Computer
Mac OS X SecurityAgent Lets Physically Local Users Bypass the Screen Saver Password Mechanism
SecurityTracker Alert ID: 1018951
SecurityTracker URL: http://securitytracker.com/id/1018951
CVE Reference: CVE-2007-4693
Date: Nov 15 2007
Impact: User access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 10.4 - 10.4.10
Description:   A vulnerability was reported in Mac OS X. A physically local user may be able to bypass the screen saver authentication mechanism.

A physically local user may be able to send keystrokes to a process on the system that is running behind the screen saver authentication dialog.

Faisal N. Jawdat reported this vulnerability.

Impact:   A physically local user may be able to bypass the screen saver authentication mechanism.
Solution:   Apple has released a fix, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

[Editor's note: This vulnerability only affects 10.4.x]

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Mac OS X v10.4.11 or Security Update 2007-008.

For Mac OS X v10.4.10 (Intel)
The download file is named: "MacOSXUpd10.4.11Intel.dmg"
Its SHA-1 digest is: 4c9103699c7925cc0277cffce4c7419a9d469c31

For Mac OS X v10.4.4 (Intel) through v10.4.9 (Intel)
The download file is named: "MacOSXUpdCombo10.4.11Intel.dmg"
Its SHA-1 digest is: 9a869c44010996bcf1a645f5467dd1bc596924dd

For Mac OS X v10.4.10 (PowerPC)
The download file is named: "MacOSXUpd10.4.11PPC.dmg"
Its SHA-1 digest is: 132d354637604c63d28b57e57e74aed1b21c9894

For Mac OS X v10.4 (PowerPC) through v10.4.9 (PowerPC)
The download file is named: "MacOSXUpdCombo10.4.11PPC.dmg"
Its SHA-1 digest is: 3d403bfa769424c61a3cfac173f8527658f9d4af

For Mac OS X Server v10.4.10 (Universal)
The download file is named: "MacOSXServerUpd10.4.11Univ.dmg"
Its SHA-1 digest is: 37bf2f081d773756472205146a037d1c8c52d45e

For Mac OS X Server v10.4.7 through v10.4.9 (Universal)
The download file is named: "MacOSXSrvrCombo10.4.11Univ.dmg"
Its SHA-1 digest is: 94a87bb6f7c73b68c2a8654a5c2642d7c5e82d56

For Mac OS X Server v10.4.10 (PowerPC)
The download file is named: "MacOSXServerUpd10.4.11PPC.dmg"
Its SHA-1 digest is: 6dde722314da1eaf00f881f026cfe770044f6cda

For Mac OS X Server v10.4 through v10.4.9 (PowerPC)
The download file is named: "MacOSXSrvrCombo10.4.11PPC.dmg"
Its SHA-1 digest is: 3aeb0fae441957c7a831365ad5af1b79b0d87720

For Mac OS X v10.3.9
The download file is named: "SecUpd2007-008Pan.dmg"
Its SHA-1 digest is: 7049852014bb8d31fe8a3b2706e59c1e7d3aebcd

For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2007-008Pan.dmg"
Its SHA-1 digest is: d085bfc4bc59ca3c81495e9b7029381c3fa9b082

The Apple advisory is available at:

http://docs.info.apple.com/article.html?artnum=307041

Vendor URL: docs.info.apple.com/article.html?artnum=307041
Cause:   Access control error, State error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Thu, 15 Nov 2007 00:03:03 -0500
Subject:  Mac OS X


Apple reported:

SecurityAgent
CVE-ID: CVE-2007-4693
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A person with physical access to a system may be able to
bypass the screen saver authentication dialog
Description: When waking a computer from sleep or screen saver, a
person with physical access may be able to send keystrokes to a
process running behind the screen saver authentication dialog. This
update addresses the issue through improved handling of keyboard
focus between secure text fields. Credit to Faisal N. Jawdat for
reporting this issue.

 
 



Copyright 2014, SecurityGlobal.net LLC