Category:   Application (Security)  >   BioLogon
Vendors:   Identix
Identix BioLogon Client for Windows Fails to Secure Screen Saver Logins in Certain Multi-monitor Configurations, Allowing Physically Local Users to Access the System Without Requiring Biometric Authentication
SecurityTracker Alert ID:  1002134
SecurityTracker URL:  http://securitytracker.com/id/1002134
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 3 2001
Impact:   User access via local system
Vendor Confirmed:  Yes  
Version(s): BioLogon 2.0 Client for Windows
Description:   A vulnerability has been reported in Identix's BioLogon client for Windows. The client apparently fails to secure the desktop when a screen saver is used in multi-monitor mode, allowing a physically local user to gain access to the system without requiring biometric authentication.

The issue is reported to occur when the software is installed on a system that has more than one video card and Windows is running in "multi-monitor" mode with its built-in virtual desktop software. The BioLogon client attempts to harden the screen saver password locking mechanism so that a biometric device is required to unlock the system.

The software only locks the first screen (screen zero). Access from any other screen (e.g., the virtual desktop) is not blocked. The mouse, keyboard, and screen can reportedly be used while screen zero is locked.

Impact:   A physically local user (i.e., a user with physical access to the system) can access the system without authentication.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.identix.com/itsecurity/software_prod.html
Cause:   Authentication error
Underlying OS:   Windows (Me), Windows (NT), Windows (98), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Confirms and Provides Guidance) Re: Identix BioLogon Client for Windows Fails to Secure Screen Saver Logins in Certain Multi-monitor   ("Beck, Jared" <jbeck@IDENTIX.COM>)
The vendor confirms the vulnerability and makes some recommendations.



 Source Message Contents

Date:  Thu, 2 Aug 2001 10:56:28 -0400
Subject:  Identix BioLogon Client security bug


Aug 3rd, 2001
10:56am

Vendor: http://www.identix.com
Software: BioLogon 2.0 Client
see http://www.identix.com/itsecurity/software_prod.html

Security flaw in Identix BioLogon 2.0 Client for Windows

Identix's BioLogon software is used as the software "glue"
to tie together various biometric devices to the Windows
operating system.  The BioLogon client can be used to
have smart cards, fingerprint readers, and other devices
interact with Windows.

The security vulnerability exists when the software is
installed onto a Windows system that has more than
one video card installed and the system is doing
"multi-monitor" with the built in virtual desktop software
that comes with Windows 98 SE and Windows 2000.

The problem is that the BioLogon client software attempts
to harden the screensaver password locking mechanism so
that a biometric device is needed to unlock the system.
Unfortunately, the software only locks the first screen (screen
zero).  No access is blocked from any other screen (virtual desktop).
Mouse, keyboard, and the screen can be used while screen
zero is locked.  In fact, unless the mouse is on screen zero, the
biometric device will not recognize the fact it should inquire
for input (at least with the Cherry keyboard I was testing with).

This was tested on a Windows 98 SE system with four video
cards installed.  I have not tested the system with Windows 2000.

First contacted the vendor (Identix) June 27th via their
phone support line.  First, I was told that it was an interrupt
problem, then that they did not support third party video drivers.
I was then asked to report the problem via their email tech
support.  I was contacted a few days after that saying that
the problem was noted and replicated but that it was a very
low priority for them.  When I discussed with them my posting
this problem, they seemed to become much more attentive.
But, I still have not received any fix for this problem.

Thank you for your attention,

Marc DeBonis
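
The coverage gap described in the report, as an added example that is not part of the original post or the vendor's code: a portable C check that a lock surface spans every monitor of the virtual desktop rather than screen zero alone. The monitor layout, the single-rectangle lock model and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Rectangle in virtual-desktop coordinates; right/bottom are exclusive,
   the same convention as the Win32 RECT structure. */
typedef struct { long left, top, right, bottom; } Rect;

/* Nonzero when `inner` lies entirely inside `outer`. */
static int rect_contains(const Rect *outer, const Rect *inner) {
    return inner->left >= outer->left && inner->top >= outer->top &&
           inner->right <= outer->right && inner->bottom <= outer->bottom;
}

/* Bounding box of every monitor: the area a single lock surface must span.
   On Windows, GetSystemMetrics reports it via the SM_*VIRTUALSCREEN values. */
Rect virtual_desktop(const Rect *mon, size_t n) {
    Rect v = mon[0];
    for (size_t i = 1; i < n; i++) {
        if (mon[i].left < v.left) v.left = mon[i].left;
        if (mon[i].top < v.top) v.top = mon[i].top;
        if (mon[i].right > v.right) v.right = mon[i].right;
        if (mon[i].bottom > v.bottom) v.bottom = mon[i].bottom;
    }
    return v;
}

/* Bitmask of monitors the lock surface does not fully cover (bit i = monitor i). */
unsigned exposed_monitors(const Rect *lock, const Rect *mon, size_t n) {
    unsigned mask = 0;
    for (size_t i = 0; i < n && i < 32; i++)
        if (!rect_contains(lock, &mon[i])) mask |= 1u << i;
    return mask;
}

/* Constructed layout: four 1024x768 monitors, one with negative coordinates. */
static const Rect SAMPLE_MONITORS[4] = {
    {0, 0, 1024, 768},      /* screen zero (primary) */
    {1024, 0, 2048, 768},   /* right of primary */
    {-1024, 0, 0, 768},     /* left of primary */
    {0, 768, 1024, 1536},   /* below primary */
};

int main(void) {
    Rect primary_only = SAMPLE_MONITORS[0];
    Rect full = virtual_desktop(SAMPLE_MONITORS, 4);
    printf("screen zero only: 0x%X\n", exposed_monitors(&primary_only, SAMPLE_MONITORS, 4));
    printf("virtual desktop:  0x%X\n", exposed_monitors(&full, SAMPLE_MONITORS, 4));
    return 0;
}
```

Covering the display area is only one part of a lock; the report also notes that mouse and keyboard input stayed usable on the unlocked screens.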


Copyright 2012, SecurityGlobal.net LLC