SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
About the Archives
Want to learn about the SecurityTracker archives? We've got answers to frequently asked questions right here
Sign Up!





Category:  Application (Security)  >  BioLogon Vendors:  Identix
Identix BioLogon Client for Windows Fails to Secure Screen Saver Logins in Certain Multi-monitor Configurations, Allowing Physically Local Users to Access the System Without Requiring Biometric Authentication
Date:  Aug 3 2001 02:33 (UTC/GMT)
Impact:  User access via local system
Vendor Confirmed:  Yes  
Version(s): BioLogon 2.0 Client for Windows
Description:  A vulnerability has been reported in Identix's BioLogon client for Windows. It apparently fails to secure the desktop when a screen saver is used in multi-monitor mode, allowing a phycially local user to gain access to the system without requiring biometric authentication.

It is reported that when the software is installed on a system that has more than one video card installed and the system is performing "multi-monitor" with the built in Windows virtual desktop software, the BioLogon client will attempt to harden the screensaver password locking mechanism to require a biometric device to unlock the system.

The software only locks the first screen (screen zero). Access from any other screen (e.g., the virtual desktop) is not blocked. The mouse, keyboard, and screen can reportedly be used while screen zero is locked.
Impact:  A physically local user (i.e., a user with physical access to the system) can access the system without authentication.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.identix.com/itsecurity/software_prod.html (Links to External Site)
Cause:  Authentication error
Underlying OS:  Windows (Me), Windows (NT), Windows (98), Windows (2000)
Underlying OS Comments:  tested on a Windows 98 SE system with four video cards installed.
Reported By:  Marc DeBonis <Marc.DeBonis@VT.EDU>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 9 2001 (Vendor Confirms and Provides Guidance) Re: Identix BioLogon Client for Windows Fails to Secure Screen Saver Logins in Certain Multi-monitor   ("Beck, Jared" <jbeck@IDENTIX.COM>)
The vendor confirms the vulnerability and makes some recommendations.


 Source Message Contents
Date:  Thu, 2 Aug 2001 10:56:28 -0400
From:  Marc DeBonis <Marc.DeBonis@VT.EDU>
Subject:  Identix BioLogon Client security bug

 

Aug 3rd, 2001
10:56am

Vendor: http://www.identix.com
Software: BioLogon 2.0 Client
see http://www.identix.com/itsecurity/software_prod.html

Security flaw in Indentix BioLogon 2.0 Client for Windows

Identix's BioLogon software is used as the software "glue"
to tie together various biometric devices to the Windows
operating system.  The BioLogon client can be used to
have smart cards, fingerprint readers, and other devices
interact with Windows.

The security vulnerability exists when the software is
installed onto a Windows system that has more than
one video card installed and the system is doing
"multi-monitor" with the built in virtual desktop software
that comes with Windows 98 SE and Windows 2000.

The problem is that the BioLogon client software attempts
to harden the screensaver password locking mechanism so
that a biometric device is needed to unlock the system.
Unfortunately, the software only locks the first screen (screen
zero).  No access is blocked from any other screen (virtual desktop).
Mouse, keyboard, and the screen can be used while screen
zero is locked.  In fact, unless the mouse is on screen zero, the
biometric device will not recognize the fact it should inquire
for input (at least with the Cherry keyboard I was testing with)

This was tested on a Windows 98 SE system with four video
cards installed.  I have not tested the system with Windows 2000.

First contacted the vendor (Identix) June 27th via their
phone support line.  First, I was told that it was an interrupt
problem, then that they did not support third party video drivers.
I was then asked to report the problem via they're email tech
support.  I was contacted a few days after that saying that
the problem was noted and replicated but that it was a very
low priority for them.  When I discussed with them my posting
this problem, they seemed to become much more attentive.
But, I still have not received any fix for this problem.

Thank you for your attention,

Marc DeBonis

----------------------------------------------------------------------------
Delivery co-sponsored by Trend Micro
============================================================================
TREND MICRO REAL-TIME VIRUS ALERTS
If you would like to know about a virus outbreak before CNN and ZDNet get
Trend Micro Virus Info Feed FREE. Simply copy and paste a small piece of
code to give your visitors a real-time top 10 list and the latest virus
advisories. Setup takes just 10 minutes and requires no server-side code on
your Web site. All content is updated automatically from Trend Micro's Web
site.
http://www.antivirus.com/banners/tracking.asp?si=8&bi=237&ul=/syndication/
vinfo/
----------------------------------------------------------------------------


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2001, SecurityGlobal.net LLC