From: Beck, Jared (jbeckIDENTIX.COM)
Date: Wed Aug 08 2001 - 17:49:41 CDT

    Users of Windows 98 and Windows Me May Be Able to Circumvent
    Biometrically "Locked" System When Using Multiple Monitors

    The information in this article applies to:

    * BioLogon(TM) for Windows
      versions 2.00, 2.01, 2.02, 2.03
      running on Windows 98 or Windows Me

    SYMPTOMS: A vulnerability exists in the 2.x versions of BioLogon(TM) for
    Windows that could allow a user to gain access to the Windows desktop of
    a "locked" workstation without having to verify their identity.

    On a system with multiple monitors that has been locked by the screen
    saver or BioLogon(TM) tray icon, a user can move the cursor to one of
    the secondary displays and continue to work normally. Only the primary
    display (display 0) remains locked until normal user validation.

    This vulnerability is subject to the following constraints:

    * It only affects computers running Windows 98 or Windows Me with
      multi-monitor support enabled.

    CAUSE: This vulnerability results from the method that was used to
    integrate biometric authentication with the Windows 9x family of
    operating systems. In Windows NT and Windows 2000, third party
    authentication applications can be reliably invoked to unlock a locked
    workstation through the Win32 API via the WlxWkstaLockedSAS() function.
    In Windows 9x, Microsoft has not provided an equivalent integration
    interface. To simulate this functionality in Windows 9x, BioLogon(TM)
    uses standard window "hooks" to determine when the workstation needs to
    be unlocked. Unfortunately, this method is insufficient in a
    multi-monitor environment.
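    The symptom above (display 0 locked, secondary displays still usable) can be
    modelled as a lock surface that covers only the primary display instead of
    the whole virtual desktop. The following C is an added illustration, not
    BioLogon's code: it assumes each display is a rectangle in virtual-desktop
    coordinates, and the two-monitor layout is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* A display as a rectangle in virtual-desktop coordinates; index 0 is the
 * primary display (display 0 in the advisory). */
typedef struct { int left, top, right, bottom; } Rect;

static bool rect_contains(const Rect *r, int x, int y) {
    return x >= r->left && x < r->right && y >= r->top && y < r->bottom;
}

/* Flawed model: only positions on display 0 count as locked, so a cursor
 * moved onto a secondary display can keep interacting with the desktop. */
static bool locked_primary_only(const Rect *displays, size_t n, int x, int y) {
    (void)n;
    return rect_contains(&displays[0], x, y);
}

/* Correct model: every attached display is part of the locked surface. */
static bool locked_all_displays(const Rect *displays, size_t n, int x, int y) {
    for (size_t i = 0; i < n; i++)
        if (rect_contains(&displays[i], x, y)) return true;
    return false;
}

typedef bool (*lock_fn)(const Rect *, size_t, int, int);

/* Audit: probe the centre of each display and count those the lock leaves
 * reachable. 0 means the lock covers the whole virtual desktop. */
static int count_unlocked_displays(const Rect *displays, size_t n, lock_fn is_locked) {
    int gaps = 0;
    for (size_t i = 0; i < n; i++) {
        int cx = (displays[i].left + displays[i].right) / 2;
        int cy = (displays[i].top + displays[i].bottom) / 2;
        if (!is_locked(displays, n, cx, cy)) gaps++;
    }
    return gaps;
}

/* Constructed two-monitor layout: primary at the origin, secondary to its right. */
static const Rect SAMPLE_DISPLAYS[] = { { 0, 0, 1024, 768 }, { 1024, 0, 2048, 768 } };
static const size_t SAMPLE_COUNT = sizeof SAMPLE_DISPLAYS / sizeof SAMPLE_DISPLAYS[0];

static int sample_gaps_primary_only(void) {
    return count_unlocked_displays(SAMPLE_DISPLAYS, SAMPLE_COUNT, locked_primary_only);
}
static int sample_gaps_all_displays(void) {
    return count_unlocked_displays(SAMPLE_DISPLAYS, SAMPLE_COUNT, locked_all_displays);
}
```

    The audit reports one unlocked display for the primary-only model and none
    once every display is part of the locked surface.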

    RESOLUTION: In cases where security is a concern and the combination of
    biometrics and multiple monitors is required, we recommend using
    Windows 2000 along with BioLogon(TM) for Windows 2000.

    Windows 98 and Windows Me users with BioLogon(TM) and multiple monitors
    can still benefit from the convenience of not having to worry about
    passwords. However, they should be aware that there are certain
    characteristics of the underlying operating system that make it a less
    secure platform.

    STATUS: Identix has confirmed that this problem could result in some
    degree of security vulnerability in BioLogon(TM) for Windows, running on
    Windows 98 or Windows Me.

    ADDITIONAL INFORMATION: None available.