Mac OS X Keychain Lock Bypass

2006-05-08T00:00:00
ID OSVDB:25590
Type osvdb
Reporter Tobias Hahn()
Modified 2006-05-08T00:00:00

Description

Vulnerability Description

Mac OS X contains a flaw that may allow a malicious application to access Keychain items without first requesting that the Keychain be unlocked. The issue is triggered when the application has obtained a reference to a Keychain item prior to the keychain being locked, which may allow the application to continue to use the item. It is possible that the flaw may allow unauthorized access to login information resulting in a loss of confidentiality.

Solution Description

Install Apple Security Update 2006-003, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Mac OS X contains a flaw that may allow a malicious application to access Keychain items without first requesting that the Keychain be unlocked. The issue is triggered when the application has obtained a reference to a Keychain item prior to the keychain being locked, which may allow the application to continue to use the item. It is possible that the flaw may allow unauthorized access to login information resulting in a loss of confidentiality.

References:

Vendor Specific Advisory URL Security Tracker: 1016072 Secunia Advisory ID:20077 Related OSVDB ID: 25592 Related OSVDB ID: 25593 Related OSVDB ID: 25583 Related OSVDB ID: 25585 Related OSVDB ID: 25589 Related OSVDB ID: 25598 Related OSVDB ID: 25600 Related OSVDB ID: 25586 Related OSVDB ID: 25588 Related OSVDB ID: 25591 Related OSVDB ID: 25595 Related OSVDB ID: 25597 Related OSVDB ID: 25584 Related OSVDB ID: 25594 Related OSVDB ID: 25599 ISS X-Force ID: 26413 FrSIRT Advisory: ADV-2006-1779 CVE-2006-1446 CERT: TA06-132A Bugtraq ID: 17951