Security Update 2005-007

[TommyWillB]

Security Update 2005-007 just popped up on my Software Update. (I'm sill on 10.3.x not 10.4)

Security Update 2005-007 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:

AppKit
CoreFoundation
cups
Directory Services
HIToolbox
Kerberos
OpenSSL
ping
Safari
traceroute

For detailed information on this Update, please visit this website: http://www.info.apple.com/kbnum/n61798

Reading the notes, this caught my attention:

• loginwindow CVE-ID: CAN-2005-2509
  
  Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
  
  Impact: A user can gain access to other logged-in accounts if Fast User Switching is enabled.
  
  Description: An error in the handling of Fast User Switching can allow a local user who knows the password for two accounts to log into a third account without knowing the password. This update corrects the authentication error. This issue does not affect systems prior to Mac OS X 10.4. Credit to Sam McCandlish for reporting this issue.

• The CVE has not been updated yet, so I can't find any additional info. Anyone know what the deal with this is?

 

[MisterMe]

There are versions for both MacOS X 10.3 and MacOS X 10.4.

 

[Damrod]

I installed this last night when it came available, no problems during, before or after installation. At least so far... I repaired permissions before and after though, just in case

 

[Porce]

Make sure to get Security Update 2005-007 1.1 if you're on Tiger. They had to re-release it as 1.0 stopped 64 bit applications from running.

 

[kainjow]

Well it's really not that important... not many people run 64-bit apps.

 

[fryke]

which is rather funny when you think about all those comments about how the move to intel was bad because of their 32bit processors (ignoring that intel has 64bit extensions, too and will certainly move more to 64bit through the year until Apple actually ships computers running on intel processors)... But I think the mishap (only providing the 32bit version of a library in the first update) shouldn't have happened... It was an error, corrected quickly, so not much harm done.

 

[TommyWillB]

Okay... So back to the orginial question.

How did this login window bug actually work? What did you have to do to get into the 3rd account after knowing the first 2 paswords?

I don't see this elaborated anywhere...