CVE-1999-1076
Description
Mac OS 9 idle lock password can be bypassed by clicking Log Out then Cancel in an app's logout confirmation dialog.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The idle locking function in Mac OS 9 allows local users to bypass the password protection of an idle-locked session. When the idle lock activates, the user interface presents a dialog with options to enter the password or log out. If the user clicks "Log Out", the system attempts to log out, but some applications (e.g., NiftyTelnetSSH, or any app with unsaved changes) display a confirmation dialog asking whether the user is sure. Clicking "Cancel" in that application dialog stops the logout process and returns the attacker to the original session without the password ever being entered [1]. Affected: Mac OS 9 (all versions with the built-in idle locking feature).
Exploitation
The attacker must have physical access to a Mac OS 9 machine whose session has automatically become idle-locked and requires a password. The attacker clicks the "Log Out" button in the idle lock dialog, then, when an application presents a confirmation dialog (e.g., "Are you sure you want to disconnect?" or "Save changes?"), clicks "Cancel" [1]. The logout sequence aborts, and the attacker gains full access to the original user's session.
Impact
Successful exploitation results in a complete bypass of the password-based idle lock. The attacker gains unauthorized access to the locked session, including all files, applications, and network connections running under the original user's context. Confidentiality, integrity, and availability are all compromised from the perspective of the locked session [1].
Mitigation
Apple has not released an official patch for this issue. Administrators should disable the idle locking feature in Mac OS 9 or enforce physical security measures to prevent unauthorized access. Users should be aware that the idle lock does not provide reliable security. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:apple:macos:9:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/745 (nvd; Exploit, Vendor Advisory)
- marc.info (nvd)