TUCoPS :: Macintosh
:: kernel.htm
MacOS 9 Idle Lock exploits
Vulnerability
kernel (Idle Lock)
Affected
Mac OS 9
Description
Sean Sosik-Hamor found following. It's possible to set up the
Finder so that, if the current user goes idle, the screen will be
locked. A simple dialog box is displayed stating that the system
has been idle for too long and a password must be entered. You
have two options. Click OK and enter the password to return to
your session or click OK and click Log Out. It's possible to
seize control of Mac OS under certain conditions by clicking Log
Out.
Some applications have the "feature" of asking you if you're sure
that you want to quit. For example, if connected to a UNIX host
using NiftyTelnetSSH, it will ask you if you're sure you want to
disconnect when the application quits. Other applications with
unsaved data will ask if you want to save changes. Most of these
dialog boxes have OK and Cancel or Yes, No and Cancel for options.
Hitting Cancel at any of these "are you use" dialog boxes will
stop the logout process and return you to the current session.
If there are any such applications open that ask if you would like
to save changes, hitting the "cancel" option on such applications
will abort the logout and the screen lock will no longer be
active, returning you to the user's session, allowing you access
to all of the user's files, data, etc, etc.
Solution
It has been filed into our bug database as ID #2404562. It will
be assigned to the appropriate engineers. So, the current
solution is to close all applications when locking your session so
that it is not possible to circumvent the logout process.