An Easy But Serious Screensaver Security Problem In X.Org
Phoronix: An Easy But Serious Screensaver Security Problem In X.Org
I've been alerted this afternoon that there's an outstanding security vulnerability within the current X.Org Server that's receiving little attention. This active vulnerability could allow anyone with physical access to your system to easily bypass the desktop's screen lock regardless of your desktop environment...
Hang on, so unless I'm missing something all you have to do is press CTRL+ALT+Keypad-Multiply? I assume Keypad-Multiply is the button directly above the number 9 on my keypad? well I just tried those three button combinations and it did nothing, I'm running Linux Mint Debian Edition.
RHEL 6.x is running X.Org Server 1.10.4, so fortunately it isn't vulnerable. RHEL is one of the most likely Linux desktop OSes to be deployed in a public area such as a computer lab at a university, where you really wouldn't want someone to be able to do this.
That said, I'm sure there is some public computer somewhere in the world where physical access of untrusted users is common/accepted, running X.Org 1.11 or later. Now people know to check before they trust the "lock screen" feature. Good find, Michael (even though you didn't originally find the issue, good job reporting it anyway).
This bug is certainly not so good for marketing, its not that you get a secure system when you just fix that. You just avoid the reboot - on reboot you can get to root rights with Linux using an unlocked bootloader (which is the default) and similar to any Mac system. For Win you usually need at least a cd/usb key to boot from. A screen lock only helds back the most harmless attackers