Identix BioLogon for Windows Me and Windows 9x Multimonitor Vulnerability
A vulnerability exists in Identix BioLogon 2.0.0 through 2.0.3 for Windows Me and Windows 9x that lets users gain access to the Windows desktop of a locked workstation without having to verify their identity.
August 22, 2001
Reported August 2, 2001, by Marc DeBonis.
VERSIONS AFFECTED
· Identix BioLogon 2.0.0 through 2.0.3 for Windows Me
· Identix BioLogon 2.0.0 through 2.0.3 for Windows 9x
DESCRIPTION
A vulnerability exists in Identix BioLogon 2.0.0 through 2.0.3 for Windows Me and Windows 9x that lets users gain access to the Windows desktop of a locked workstation without having to verify their identity. On a system with multiple monitors that the screen saver or the BioLogon system tray icon has locked, a user can move the cursor to one of the secondary displays and continue to work. Only the primary display (display 0) remains locked until user validation.
VENDOR RESPONSE
The vendor, Identix, issued the following response to this issue:
“This vulnerability results from the method that was used to integrate biometric authentication with the Windows 9x family of operating systems. In Windows 2000 and NT, third-party authentication applications can be reliably invoked to unlock a locked workstation through the Win32 API via the WlxWkstaLockedSAS() function. In Windows 9x, Microsoft has not provided an equivalent integration interface. To simulate this functionality in Windows 9x, BioLogon uses standard window "hooks" to determine when the workstation needs to be unlocked. Unfortunately, this method is insufficient in a multi-monitor environment. In cases where security is a concern and the combination of biometrics and multiple monitors are required, we recommend using Windows 2000 along with BioLogon for Windows 2000.”
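The description and the vendor's statement above both come down to one condition: the lock covers display 0 while secondary displays stay usable. The check below is an added illustration, not BioLogon's or Identix's code; the two-monitor layout and the three lock-window variants are constructed, and the coordinates follow the Win32 virtual-screen convention, where a secondary monitor may sit at a negative offset from the primary.

```c
#include <stdbool.h>
#include <stddef.h>

/* Added illustration, not BioLogon's code: a lock surface must cover every
 * attached display, not only display 0 (secondary monitors can have x < 0). */
typedef struct { int left, top, right, bottom; } Rect;

/* Smallest rectangle enclosing all monitors (the "virtual screen"). */
Rect virtual_screen(const Rect *mons, size_t n) {
    Rect v = mons[0];
    for (size_t i = 1; i < n; i++) {
        if (mons[i].left   < v.left)   v.left   = mons[i].left;
        if (mons[i].top    < v.top)    v.top    = mons[i].top;
        if (mons[i].right  > v.right)  v.right  = mons[i].right;
        if (mons[i].bottom > v.bottom) v.bottom = mons[i].bottom;
    }
    return v;
}

/* True if rect a fully contains rect b. */
static bool contains(Rect a, Rect b) {
    return a.left <= b.left && a.top <= b.top &&
           a.right >= b.right && a.bottom >= b.bottom;
}

/* Number of monitors the lock window leaves uncovered; 0 means the whole
 * desktop is locked, anything else is the condition the advisory describes. */
size_t uncovered_monitors(Rect lock, const Rect *mons, size_t n) {
    size_t missed = 0;
    for (size_t i = 0; i < n; i++)
        if (!contains(lock, mons[i])) missed++;
    return missed;
}

/* Constructed layout: display 0 at the origin, display 1 to its left. */
static const Rect layout[2] = {
    {0, 0, 1024, 768},   /* display 0 (primary) */
    {-1024, 0, 0, 768},  /* display 1 (secondary, negative x) */
};
/* Weak: lock window sized from the primary display only. */
Rect primary_only_lock(void) { return layout[0]; }
/* Also weak: virtual-screen width and height, but origin assumed at (0,0). */
Rect width_only_lock(void) {
    Rect v = virtual_screen(layout, 2);
    Rect r = {0, 0, v.right - v.left, v.bottom - v.top};
    return r;
}
/* Correct: span the whole virtual screen, offset included. */
Rect full_lock(void) { return virtual_screen(layout, 2); }
```

The second weak variant shows why width and height alone are not enough: a lock window anchored at (0,0) still misses a monitor placed at a negative offset.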
CREDIT
Discovered by Marc DeBonis.