Identix BioLogon Client security bug
From: Marc DeBonis (Marc.DeBonis@VT.EDU)Date: 08/02/01
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <5.1.0.14.2.20010802105522.02321eb0@mail.vt.edu> Date: Thu, 2 Aug 2001 10:56:28 -0400 From: Marc DeBonis <Marc.DeBonis@VT.EDU> Subject: Identix BioLogon Client security bug To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Aug 3rd, 2001
10:56am
Vendor: http://www.identix.com
Software: BioLogon 2.0 Client
see http://www.identix.com/itsecurity/software_prod.html
Security flaw in Indentix BioLogon 2.0 Client for Windows
Identix's BioLogon software is used as the software "glue"
to tie together various biometric devices to the Windows
operating system. The BioLogon client can be used to
have smart cards, fingerprint readers, and other devices
interact with Windows.
The security vulnerability exists when the software is
installed onto a Windows system that has more than
one video card installed and the system is doing
"multi-monitor" with the built in virtual desktop software
that comes with Windows 98 SE and Windows 2000.
The problem is that the BioLogon client software attempts
to harden the screensaver password locking mechanism so
that a biometric device is needed to unlock the system.
Unfortunately, the software only locks the first screen (screen
zero). No access is blocked from any other screen (virtual desktop).
Mouse, keyboard, and the screen can be used while screen
zero is locked. In fact, unless the mouse is on screen zero, the
biometric device will not recognize the fact it should inquire
for input (at least with the Cherry keyboard I was testing with)
This was tested on a Windows 98 SE system with four video
cards installed. I have not tested the system with Windows 2000.
First contacted the vendor (Identix) June 27th via their
phone support line. First, I was told that it was an interrupt
problem, then that they did not support third party video drivers.
I was then asked to report the problem via they're email tech
support. I was contacted a few days after that saying that
the problem was noted and replicated but that it was a very
low priority for them. When I discussed with them my posting
this problem, they seemed to become much more attentive.
But, I still have not received any fix for this problem.
Thank you for your attention,
Marc DeBonis
----------------------------------------------------------------------------
Delivery co-sponsored by Trend Micro
============================================================================
TREND MICRO REAL-TIME VIRUS ALERTS
If you would like to know about a virus outbreak before CNN and ZDNet get
Trend Micro Virus Info Feed FREE. Simply copy and paste a small piece of
code to give your visitors a real-time top 10 list and the latest virus
advisories. Setup takes just 10 minutes and requires no server-side code on
your Web site. All content is updated automatically from Trend Micro's Web
site.
http://www.antivirus.com/banners/tracking.asp?si=8&bi=237&ul=/syndication/
vinfo/
----------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
