OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Marc DeBonis (Marc.DeBonisVT.EDU)
Date: Thu Aug 02 2001 - 09:56:28 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Aug 3rd, 2001
    10:56am

    Vendor: http://www.identix.com
    Software: BioLogon 2.0 Client
    see http://www.identix.com/itsecurity/software_prod.html

    Security flaw in Indentix BioLogon 2.0 Client for Windows

    Identix's BioLogon software is used as the software "glue"
    to tie together various biometric devices to the Windows
    operating system. The BioLogon client can be used to
    have smart cards, fingerprint readers, and other devices
    interact with Windows.

    The security vulnerability exists when the software is
    installed onto a Windows system that has more than
    one video card installed and the system is doing
    "multi-monitor" with the built in virtual desktop software
    that comes with Windows 98 SE and Windows 2000.

    The problem is that the BioLogon client software attempts
    to harden the screensaver password locking mechanism so
    that a biometric device is needed to unlock the system.
    Unfortunately, the software only locks the first screen (screen
    zero). No access is blocked from any other screen (virtual desktop).
    Mouse, keyboard, and the screen can be used while screen
    zero is locked. In fact, unless the mouse is on screen zero, the
    biometric device will not recognize the fact it should inquire
    for input (at least with the Cherry keyboard I was testing with)

    This was tested on a Windows 98 SE system with four video
    cards installed. I have not tested the system with Windows 2000.

    First contacted the vendor (Identix) June 27th via their
    phone support line. First, I was told that it was an interrupt
    problem, then that they did not support third party video drivers.
    I was then asked to report the problem via they're email tech
    support. I was contacted a few days after that saying that
    the problem was noted and replicated but that it was a very
    low priority for them. When I discussed with them my posting
    this problem, they seemed to become much more attentive.
    But, I still have not received any fix for this problem.

    Thank you for your attention,

    Marc DeBonis

    ----------------------------------------------------------------------------
    Delivery co-sponsored by Trend Micro
    ============================================================================
    TREND MICRO REAL-TIME VIRUS ALERTS
    If you would like to know about a virus outbreak before CNN and ZDNet get
    Trend Micro Virus Info Feed FREE. Simply copy and paste a small piece of
    code to give your visitors a real-time top 10 list and the latest virus
    advisories. Setup takes just 10 minutes and requires no server-side code on
    your Web site. All content is updated automatically from Trend Micro's Web
    site.
    http://www.antivirus.com/banners/tracking.asp?si=8&bi=237&ul=/syndication/
    vinfo/
    ----------------------------------------------------------------------------