SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Security)  >  BioLogon
Vendors:  Identix
(Vendor Confirms and Provides Guidance) Re: Identix BioLogon Client for Windows Fails to Secure Screen Saver Logins in Certain Multi-monitor
Date:  Aug 9 2001 20:30 (UTC/GMT)
Impact:  User access via local system
Vendor Confirmed:  Yes  
Version(s): BioLogon 2.0 Client for Windows
Description:  A vulnerability has been reported in Identix's BioLogon client for Windows. It apparently fails to secure the desktop when a screen saver is used in multi-monitor mode, allowing a physically local user to gain access to the system without requiring biometric authentication.

It is reported that when the software is installed on a system that has more than one video card installed and the system is running in "multi-monitor" mode with the built-in Windows virtual desktop software, the BioLogon client will attempt to harden the screensaver password locking mechanism to require a biometric device to unlock the system.

The software only locks the first screen (screen zero). Access from any other screen (e.g., the virtual desktop) is not blocked. The mouse, keyboard, and screen can reportedly be used while screen zero is locked.

Impact:  A physically local user (i.e., a user with physical access to the system) can access the system without authentication.
Solution:  The vendor has confirmed the condition and recommends that when the combination of biometrics and multiple monitors is required, Windows 2000 along with BioLogon(TM) for Windows 2000 should be used.

Vendor URL:  www.identix.com/itsecurity/software_prod.html
Cause:  Authentication error
Underlying OS:  Windows (Me), Windows (NT), Windows (98), Windows (2000)
Underlying OS Comments:  Tested on a Windows 98 SE system with four video cards installed.
Reported By:  "Beck, Jared" <jbeck@IDENTIX.COM>
Message History:   This archive entry is a follow-up to the message listed below.
Aug 3 2001 Identix BioLogon Client for Windows Fails to Secure Screen Saver Logins in Certain Multi-monitor Configurations, Allowing Physically Local Users to Access the System Without Requiring Biometric Authentication



 Source Message Contents

Date:  Wed, 8 Aug 2001 15:49:41 -0700
From:  "Beck, Jared" <jbeck@IDENTIX.COM>
Subject:  Response to Identix BioLogon Client security bug

Users of Windows 98 and Windows Me May Be Able to Circumvent
Biometrically "Locked" System When Using Multiple Monitors


The information in this article applies to:

* BioLogon(TM) for Windows 
  versions 2.00, 2.01, 2.02, 2.03
  running on Windows 98 or Windows Me

SYMPTOMS: A vulnerability exists in the 2.x versions of BioLogon(TM) for
Windows that could allow a user to gain access to the Windows desktop of
a "locked" workstation without having to verify their identity.  

On a system with multiple monitors that has been locked by the screen
saver or BioLogon(TM) tray icon, a user can move the cursor to one of
the secondary displays and continue to work normally.  Only the primary
display (display 0) remains locked until normal user validation.  

This vulnerability is subject to the following constraints:

* It only affects computers running Windows 98 or Windows Me with
multi-monitor support enabled.


CAUSE: This vulnerability results from the method that was used to
integrate biometric authentication with the Windows 9x family of
operating systems.  In Windows NT and Windows 2000, third party
authentication applications can be reliably invoked to unlock a locked
workstation through the Win32 API via the WlxWkstaLockedSAS() function.
In Windows 9x, Microsoft has not provided an equivalent integration
interface.  To simulate this functionality in Windows 9x, BioLogon(TM)
uses standard window "hooks" to determine when the workstation needs to
be unlocked.  Unfortunately, this method is insufficient in a
multi-monitor environment. 


RESOLUTION: In cases where security is a concern and the combination of
biometrics and multiple monitors is required, we recommend using
Windows 2000 along with BioLogon(TM) for Windows 2000.

Windows 98 and Windows Me users with BioLogon(TM) and multiple monitors
can still benefit from the convenience of not having to worry about
passwords.  However, they should be aware that there are certain
characteristics of the underlying operating system that make it a less
secure platform.


STATUS: Identix has confirmed that this problem could result in some
degree of security vulnerability in BioLogon(TM) for Windows, running on
Windows 98 or Windows Me.


ADDITIONAL INFORMATION: None available.
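The CAUSE section above explains that BioLogon 2.x on Windows 9x locked only display 0 and left the rest of the virtual desktop usable. As an added illustration of that coverage problem (this is example code written for this page, not Identix's BioLogon code), the following C program models a lock window against a constructed four-display layout and counts the displays the lock leaves usable. The monitor rectangles are a constructed sample so the program runs anywhere; on Windows the virtual desktop rectangle would come from GetSystemMetrics with SM_XVIRTUALSCREEN, SM_YVIRTUALSCREEN, SM_CXVIRTUALSCREEN and SM_CYVIRTUALSCREEN, which the advisory does not mention and which are assumed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not Identix's code): a model of the lock-coverage check
 * the advisory's CAUSE section implies. BioLogon 2.x locked only display 0;
 * a correct lock must cover the whole virtual desktop. On Windows that
 * rectangle comes from GetSystemMetrics(SM_XVIRTUALSCREEN),
 * (SM_YVIRTUALSCREEN), (SM_CXVIRTUALSCREEN), (SM_CYVIRTUALSCREEN) (assumed
 * here); the monitor layout below is a constructed sample so this runs
 * anywhere. */

typedef struct {
    int left, top, right, bottom;  /* half-open: right and bottom are exclusive */
} Rect;

/* Constructed four-display layout (the advisory's test system had four
 * video cards): display 0 at the origin, three secondaries around it. */
static const Rect MONITORS[] = {
    {    0,   0, 1024,  768 },  /* display 0, the primary */
    { 1024,   0, 2048,  768 },  /* display 1 */
    {    0, 768, 1024, 1536 },  /* display 2 */
    { 1024, 768, 2048, 1536 },  /* display 3 */
};
static const size_t MONITOR_COUNT = sizeof MONITORS / sizeof MONITORS[0];

/* Smallest rectangle enclosing every monitor: the virtual desktop. */
Rect virtual_desktop_bounds(const Rect *mons, size_t n) {
    Rect vd = mons[0];
    for (size_t i = 1; i < n; i++) {
        if (mons[i].left   < vd.left)   vd.left   = mons[i].left;
        if (mons[i].top    < vd.top)    vd.top    = mons[i].top;
        if (mons[i].right  > vd.right)  vd.right  = mons[i].right;
        if (mons[i].bottom > vd.bottom) vd.bottom = mons[i].bottom;
    }
    return vd;
}

/* True when every pixel of r lies inside cover. */
static bool rect_contains(Rect cover, Rect r) {
    return r.left >= cover.left && r.top >= cover.top &&
           r.right <= cover.right && r.bottom <= cover.bottom;
}

/* Number of monitors the lock window leaves partly or wholly exposed.
 * Anything other than 0 means a user can keep working on some display. */
size_t uncovered_monitors(Rect lock, const Rect *mons, size_t n) {
    size_t exposed = 0;
    for (size_t i = 0; i < n; i++)
        if (!rect_contains(lock, mons[i]))
            exposed++;
    return exposed;
}

/* The advisory's failure mode: the lock covers display 0 only. */
size_t exposed_when_locking_display0(void) {
    return uncovered_monitors(MONITORS[0], MONITORS, MONITOR_COUNT);
}

/* The corrected behaviour: the lock is sized to the virtual desktop. */
size_t exposed_when_locking_virtual_desktop(void) {
    Rect vd = virtual_desktop_bounds(MONITORS, MONITOR_COUNT);
    return uncovered_monitors(vd, MONITORS, MONITOR_COUNT);
}

int main(void) {
    printf("locking display 0 only leaves %zu of %zu displays usable\n",
           exposed_when_locking_display0(), MONITOR_COUNT);
    printf("locking the virtual desktop leaves %zu displays usable\n",
           exposed_when_locking_virtual_desktop());
    return 0;
}
```

With the sample layout, a lock covering display 0 alone leaves three displays usable, while a lock sized to the virtual desktop leaves none. The check models only window coverage; the advisory's actual resolution is to run BioLogon on Windows 2000, where the workstation-lock path goes through WlxWkstaLockedSAS() rather than through simulated window hooks.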

Copyright 2001, SecurityGlobal.net LLC