October 29th, 1999

[2:30 PM] Security Hole Found In Mac OS 9's Multiple User Feature
by Dave Hamilton

It appears as though a security hole has been found in Mac OS 9's Multiple Users component. It affects users of the "Lock The Screen" feature in the "Login" tab of the Global Multiple User Options settings, found in the Multiple Users Control Panel.

If you select to have the computer "Lock The Screen" after an idle time, the system will do just that. When you return, the machine asks for a password. You can either enter your password to continue your session, or choose to "Log Out" the current user and start a new session as someone else. If you choose "Log Out," the computer then begins a shutdown sequence for all the running applications. If an application needs to prompt the user, to save a document for example, one of the options is typically "Cancel." If Cancel is chosen, the shutdown process is terminated, and the user is never logged out. This leaves you with full access to the previous user's account, without ever having entered a password.
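To make the design flaw concrete, here is a small model of the lock-screen/log-out flow just described. It is an added illustration written for this page, not Apple's code; the class and function names are hypothetical. The same model runs with the reported behaviour (the lock is dropped so applications can show their quit dialogs, and an aborted logout simply returns to the session) and with a hardened policy (an aborted logout re-engages the lock, so the only way back into the session is still the password).

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the Mac OS 9 "Lock The Screen" / "Log Out" flow.
# Added example for this page, not Apple's implementation; names are hypothetical.


@dataclass
class App:
    name: str
    unsaved_document: bool = False  # True: quitting prompts Save / Don't Save / Cancel


@dataclass
class Session:
    user: str
    password: str
    apps: List[App] = field(default_factory=list)
    locked: bool = False


class LockScreen:
    """Mediates access to the current user's session."""

    def __init__(self, session: Session, relock_on_aborted_logout: bool):
        self.session: Optional[Session] = session
        # False reproduces the reported flaw; True is the hardened policy.
        self.relock_on_aborted_logout = relock_on_aborted_logout

    def idle_timeout(self) -> None:
        """Idle timer fired: engage the lock."""
        if self.session is not None:
            self.session.locked = True

    def unlock(self, password: str) -> bool:
        """The only legitimate way back into a locked session."""
        if self.session is not None and password == self.session.password:
            self.session.locked = False
            return True
        return False

    def log_out(self, cancel_at_save_prompt: bool) -> bool:
        """Return True if the session ended, False if the logout was aborted."""
        if self.session is None:
            return True
        # The lock screen is dismissed so running applications can display
        # their quit dialogs. Note that no password has been entered here.
        self.session.locked = False
        for app in self.session.apps:
            if app.unsaved_document and cancel_at_save_prompt:
                # The user picks "Cancel" in the save dialog: quitting stops.
                if self.relock_on_aborted_logout:
                    self.session.locked = True  # hardened: back to the lock
                return False  # flawed policy falls through with locked == False
            app.unsaved_document = False
        self.session = None  # all applications quit; session is gone
        return True

    def session_accessible(self) -> bool:
        """Can whoever is at the keyboard use the session right now?"""
        return self.session is not None and not self.session.locked


def run_scenario(hardened: bool) -> dict:
    """Lock the screen, choose Log Out, cancel at the save prompt, and report."""
    # Constructed sample session: one application with an unsaved document.
    alice = Session("alice", "correct horse", [App("SimpleText", unsaved_document=True)])
    lock = LockScreen(alice, relock_on_aborted_logout=hardened)
    lock.idle_timeout()
    locked_before = not lock.session_accessible()
    completed = lock.log_out(cancel_at_save_prompt=True)
    return {
        "locked_before": locked_before,
        "logout_completed": completed,
        "session_accessible_without_password": lock.session_accessible(),
    }


if __name__ == "__main__":
    print("reported behaviour:", run_scenario(hardened=False))
    print("hardened policy:   ", run_scenario(hardened=True))
```

The point the model makes is that "Log Out" from a lock screen is a privileged transition that can fail part-way, and the state the system falls back to on failure must be the locked state, not the unlocked session. A stricter variant would not drop the lock at all until every application has agreed to quit, but even the simple re-lock shown here closes the path described in the article.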

The bug was first posted on Security Focus (bugtraq id: 745) and, according to them, Apple has been notified and entered the bug into the Mac OS 9 bug tracking database. We have verified the problem here at The Mac Observer as well.

The Mac Observer Spin: Things of this nature are BOUND to happen as security-related features are added to an existing operating system. It took Unix many, many years to get to be as secure as it is, and it will take the Mac OS some time to mature in this aspect, as well. We must remember that Mac OS 9's Multiple Users features were designed with convenience in mind first, and they certainly perform that function quite well. Being able to have separate preferences, document folders, and applications configured for each user in a home or office is a wonderful thing and should not be overlooked. That said, everyone should be aware of the limitations of the security side to this feature as well.
