Title: Apple Mac OS X SecurityAgent "Switch User..." Arbitrary Account Authentication Bypass
Sep 20, 2005
Mac OS X contains a flaw that may allow a malicious user to gain unauthorized access to a locked desktop. The issue is triggered when the "Switch User..." button appears in the screensaver Unlock Dialog, even with Fast User Switching disabled. The flaw may allow the currently logged-in user's desktop to be displayed without a password, resulting in a loss of confidentiality and/or integrity.
Local Access Required
Loss of Confidentiality, Loss of Integrity
Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch (Security Update 2005-008) to address this vulnerability.