Apple Fixes Mac OS X Screen-Saver Flaw

Sources said a forthcoming security update will plug a vulnerability in Mac OS X's screen saver that can open locked desktops to prying eyes.

Apple Computer Inc. will soon release a security update to Mac OS X, sources said. The update will reportedly fix a vulnerability in Mac OS X's screen saver that lets interlopers access locked desktops.

On Thursday, the company seeded developers with a pre-release copy of the update. Recipients said the patch was dated July 14, suggesting Apple plans to release it to users Monday.

"Security Update 2003-07-14 addresses a potential vulnerability when a password is required upon waking from the Screen Effects feature, which could allow an unauthorized user access to the desktop of the logged in user," Apple reportedly told developers in a note accompanying the seed.

The Screen Effects security hole was first publicized last week in a post to the Full Disclosure mailing list. Mac OS X's screen saver can be locked with a password, preventing access to the desktop. A user discovered that pressing a key for several minutes and then hitting the Enter key could crash the screen saver, allowing desktop access.

A post to SecuriTeam.com said the crash takes place when a large buffer of between 1,280 and 1,380 characters is sent as the password.

Last month the Mac maker released a security update to Mac OS X Server that updated its installation of Apache 2.0, patching a mod_dav security hole. Apple plans to release the next major OS X upgrade, Version 10.3 aka Panther, in both client and server flavors by the end of the year.

Cupertino, Calif.-based Apple was not immediately available for comment.