
Thread: An Easy But Serious Screensaver Security Problem In X.Org

  1. #1
    Join Date
    Jan 2007
    Posts
    15,644


    Phoronix: An Easy But Serious Screensaver Security Problem In X.Org

    I've been alerted this afternoon that there's an outstanding security vulnerability within the current X.Org Server that's receiving little attention. This active vulnerability could allow anyone with physical access to your system to easily bypass the desktop's screen lock regardless of your desktop environment...

    http://www.phoronix.com/vr.php?view=MTA0NTA

  2. #2
    Join Date
    Dec 2008
    Location
    San Bernardino, CA
    Posts
    234


    Holy Crap!! I just tried this in ArchLinux with all the latest packages and it too is affected by this.

  3. #3
    Join Date
    Jan 2012
    Posts
    3


    Hang on, so unless I'm missing something, all you have to do is press CTRL+ALT+Keypad-Multiply? I assume Keypad-Multiply is the button directly above the number 9 on my keypad? Well, I just tried those three button combinations and it did nothing. I'm running Linux Mint Debian Edition.

  4. #4
    Join Date
    May 2011
    Posts
    1,611


    Definitely a show-stopper.

  5. #5
    Join Date
    Dec 2008
    Location
    San Bernardino, CA
    Posts
    234


    Not cool for multi-user systems!

  6. #6
    Join Date
    Sep 2008
    Posts
    989


    RHEL 6.x is running X.Org Server 1.10.4, so fortunately it isn't vulnerable. RHEL is one of the most likely Linux desktop OSes to be deployed in a public area such as a computer lab at a university, where you really wouldn't want someone to be able to do this.

    That said, I'm sure there is some public computer somewhere in the world where physical access of untrusted users is common/accepted, running X.Org 1.11 or later. Now people know to check before they trust the "lock screen" feature. Good find, Michael (even though you didn't originally find the issue, good job reporting it anyway).

  7. #7
    Join Date
    Jun 2006
    Posts
    24


    List of affected distros:
    http://distrowatch.com/search.php?pk...11.*#pkgsearch

    Ubuntu 12.04 here which is not affected (running xorg 1.10.4)

  8. #8
    Join Date
    Oct 2009
    Location
    .ca
    Posts
    406


    Pathetic. How can that slip by a whole bunch of developers who supposedly know what they're doing?
    Get back on the ship, dammit!

  9. #9
    Join Date
    Aug 2011
    Posts
    18


    Originally posted by gururise:
    Holy Crap!! I just tried this in ArchLinux with all the latest packages and it too is affected by this.

    Me too. In GNOME 3, it brings me back to the desktop, but kills the top activities panel.

  10. #10
    Join Date
    Aug 2007
    Posts
    6,675


    This bug is certainly not so good for marketing; it's not that you get a secure system when you just fix that. You just avoid the reboot - on reboot you can get to root rights with Linux using an unlocked bootloader (which is the default) and similar to any Mac system. For Win you usually need at least a CD/USB key to boot from. A screen lock only holds back the most harmless attackers.
