Apple Fixes Mac OS X Screen-Saver Flaw

Sources said a forthcoming security update will plug a vulnerability in Mac OS X's screen saver that can open locked desktops to prying eyes.

Apple Computer Inc. will soon release a security update to Mac OS X, sources said. The update will reportedly fix a vulnerability in Mac OS Xs screen saver that lets interlopers access locked desktops. On Thursday, the company seeded developers with a pre-release copy of the update. Recipients said the patch was dated July 14, suggesting Apple plans to release it to users Monday. "Security Update 2003-07-14 addresses a potential vulnerability when a password is required upon waking from the Screen Effects feature, which could allow an unauthorized user access to the desktop of the logged in user," Apple reportedly told developers in a note accompanying the seed. The Screen Effects security hole was first publicized last week in a post to the Full Disclosure mailing list. Mac OS Xs screen saver can be locked with a password, preventing access to the desktop. A user discovered that by pressing a key for several minutes and then hitting the enter key, the screen saver could crash, allowing desktop access. A post to SecuriTeam.com said the crash takes place because of a large buffer of between 1,280 and 1,380 characters that is sent as the password. Last month the Mac maker released a security update to Mac OS X Server that updated its installation of Apache 2.0, patching a mod_dav security hole. Apple plans to release the next major OS X upgrade, Version 10.3 aka Panther, in both client and server flavors by the end of the year. Cupertino, Calif.-based Apple was not immediately available for comment.