Apple to fix one screen saver flaw; another remains

Ziff Davis reports that Apple will fix a bug in Mac OS X's Scren Effects component that allows the application to be crashed, and subsequently system access gained, by entering a certain number of characters.

However, there is also an issue (noted here on MacFixIt in January) that will apparently remain. This flaw allows applications to be freely quit or launched - while Mac OS X's Screen Effects is prompting for a password.

If you have Full Keyboard Access turned on (available under the Keyboard pane in System Preferences), the dock can be accessed "blind" from behind Screen Effects - you can't see the dock, but some functions using it are still accessible. On our in-house system, we have the Dock set to appear when the "Control-F3" keyboard combination is pressed.

When Screen Effects prompts for a password, pressing this keyboard combination will move the cursor out of the pop-up prompt dialog box, and onto the Dock (which is not visible). Pressing tab to switch applications, and then pressing "Q" will cause applications to quit. Likewise, pressing "Return" will cause applications to launch.

This issue significantly undermines the protection level offered by Screen Effects. If you choose to use this method of password security, make sure that Full Keyboard Access is turned off.

Resources