Vulnerability

    kernel (Idle Lock)

Affected

    Mac OS 9

Description

    Sean Sosik-Hamor  found following.   It's possible  to set  up the
    Finder so that, if the current user goes idle, the screen will  be
    locked.  A simple dialog box is displayed stating that the  system
    has been idle for  too long and a  password must be entered.   You
    have two options.   Click OK and enter  the password to return  to
    your session  or click  OK and  click Log  Out.   It's possible to
    seize control of Mac OS  under certain conditions by clicking  Log
    Out.

    Some applications have the "feature" of asking you if you're  sure
    that you want to quit.   For example, if connected to a  UNIX host
    using NiftyTelnetSSH, it will ask  you if you're sure you  want to
    disconnect when  the application  quits.   Other applications with
    unsaved data will ask if you want to save changes.  Most of  these
    dialog boxes have OK and Cancel or Yes, No and Cancel for options.
    Hitting Cancel  at any  of these  "are you  use" dialog boxes will
    stop the logout process and return you to the current session.

    If there are any such applications open that ask if you would like
    to save changes, hitting the "cancel" option on such  applications
    will  abort  the  logout  and  the  screen  lock will no longer be
    active, returning you to  the user's session, allowing  you access
    to all of the user's files, data, etc, etc.

Solution

    It has been filed into our  bug database as ID #2404562.   It will
    be  assigned  to  the  appropriate  engineers.   So,  the  current
    solution is to close all applications when locking your session so
    that it is not possible to circumvent the logout process.