It describes a method through which user accounts ‘locked’ using the new Unity lock screen could be accessed without authorisation.
How? By right-clicking on the indicator applets until the Alt+F2 keyboard shortcut worked. From here, a would-be chancer could issue commands, open apps, access data, and even unlock the session by running the ‘compiz --replace’ command.
A video demo of the loophole can be viewed on YouTube.
The hack was limited to exploit by someone with local access and could not be run remotely.
Other Lockscreen Issues Patched
The new lock screen, for all its glitter, has been keeping Canonical’s security team busy. The Bypass issue has not been the only flaw to have been discovered.
Just days before Ubuntu 14.04 LTS was due to be released, another critical security issue, one which could force a computer to unlock by triggering any readily reproducible crash at the lock screen, was (as in this case, very quickly) fixed. Another shortcut-based loophole is currently in the process of being fixed.
With Ubuntu LTS releases favoured by many businesses, education institutions and enterprise, the issues could have proven bad news. But, if anything, these issues have underlined just how prompt Canonical is in responding to and fixing issues — which is hugely reassuring.
It also underlines just how astute the company has been in deciding to only prompt current LTS users to upgrade to 14.04 LTS as of July, when the first point release lands. This extra buffer period of three months gives the Ubuntu community and its super-hero pantheon of developers more time in which to detect and fix security issues such as these.
If you’re running Ubuntu 14.04 LTS, remember to check for and install updates often.