A member of the Full Disclosure mailing list posted details of a MacOS X screensaver password-protection bug last Friday, which would allow someone to crash the screensaver - and, if the password protection is turned on, bypassing the password prompt. From the message:
three days ago i discovered a security issue, with the last MacOSX.
there is a way to crash the screensaver locked with password and gain the desktop.
how? - you ask.
i donit know the exact amount of characters, only that if you leave a key pressed for 5 minutes or more and then hit the enter key, you crash the screensaver and gain access to the desktop.
you can mess the desktop and all around it (network, mail, docs, anything you can imagine).
i think that this is a huge secure hole and it must be corrected.
The poster, Delfim Machado, says that he had mailed this information to Apple some time ago and that the message had not received a reply by the time it was posted to Full Disclosure. Additional discussion at MacSlash suggested that all Cocoa applications are susceptible to the bug, including at the login panel - dropping the user into console mode. Other participants reported that they could not reproduce this behaviour; it isnit clear whether this bug applies to everybody.