Reported August 2, 2001, by Marc DeBonis.
· Identix BioLogon 2.0.0 through 2.0.3 for Windows Me
· Identix BioLogon 2.0.0 through 2.0.3 for Windows 9x
A vulnerability exists in Identix BioLogon 2.0.0 through 2.0.3 for Windows Me and Windows 9x that lets a user reach the Windows desktop of a locked workstation without verifying their identity. On a multi-monitor system that the screen saver or the BioLogon system tray icon has locked, a user can move the cursor onto one of the secondary displays and continue to work there. Only the primary display (display 0) remains locked until the user is validated; the secondary displays are never covered by the lock.
The vendor, Identix, issued the following response to this issue:
“This vulnerability results from the method that was used to integrate biometric authentication with the Windows 9x family of operating systems. In Windows 2000 and NT, third-party authentication applications can be reliably invoked to unlock a locked workstation through the Win32 API via the WlxWkstaLockedSAS() function. In Windows 9x, Microsoft has not provided an equivalent integration interface. To simulate this functionality in Windows 9x, BioLogon uses standard window "hooks" to determine when the workstation needs to be unlocked. Unfortunately, this method is insufficient in a multi-monitor environment. In cases where security is a concern and the combination of biometrics and multiple monitors is required, we recommend using Windows 2000 along with BioLogon for Windows 2000.”
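The vendor's explanation comes down to geometry: a lock implemented as an ordinary window plus hooks only protects the area that window covers, and on a multi-monitor desktop the primary display is only part of the virtual desktop. The following PowerShell script is an added example, not part of the advisory and not Identix code; it enumerates the attached displays with the .NET System.Windows.Forms.Screen API (so it runs on current Windows with PowerShell, not on the Windows 9x/Me systems the advisory covers) and reports every display region that a lock confined to the primary display would leave uncovered. The threshold it applies, "the lock must cover the whole virtual desktop", is the reviewer's assumption about what a correct lock overlay must do.

```powershell
# Added example: report desktop regions a primary-display-only lock would leave exposed.
# Assumes a Windows host with PowerShell and the .NET System.Windows.Forms assembly.
Add-Type -AssemblyName System.Windows.Forms

$screens = [System.Windows.Forms.Screen]::AllScreens
$primary = [System.Windows.Forms.Screen]::PrimaryScreen
$virtual = [System.Windows.Forms.SystemInformation]::VirtualScreen   # union of all displays

"Primary display : {0} {1}" -f $primary.DeviceName, $primary.Bounds
"Virtual desktop : {0}" -f $virtual

# A display whose bounds are not contained in the primary display's bounds is
# an area that a lock window sized to the primary display does not cover.
$exposed = @($screens | Where-Object { -not $primary.Bounds.Contains($_.Bounds) })

if ($exposed.Count -gt 0) {
    foreach ($s in $exposed) {
        "UNCOVERED: {0} {1}" -f $s.DeviceName, $s.Bounds
    }
    # Assumed requirement: a correct lock overlay must span the whole virtual desktop.
    "A lock window must cover the full virtual desktop {0}, not only the primary display." -f $virtual
} else {
    "Single display: a lock covering the primary display covers the whole desktop."
}
```

Run it on a workstation with two or more monitors to see the exact rectangles that the advisory says remain usable; on a single-monitor machine the two rectangles coincide and the script reports nothing uncovered, which is why the flaw only shows up in multi-monitor configurations.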
Discovered by Marc DeBonis.