From croyston@netcom.com  Sun Aug 25 17:03:22 1996
Received: from netcom4.netcom.com (croyston@netcom4.netcom.com [192.100.81.107]) by suburbia.net (8.7.4/Proff-950810) with SMTP id RAA29174 for <best-of-security@suburbia.net>; Sun, 25 Aug 1996 17:03:15 +1000
Received: (from croyston@localhost) by netcom4.netcom.com (8.6.13/Netcom)
	id AAA07190; Sun, 25 Aug 1996 00:02:39 -0700
Date: Sun, 25 Aug 1996 00:02:38 -0700 (PDT)
From: Chris Royston <croyston@netcom.com>
Subject: Re: BoS: Gaping Security Hole
To: SekrtyXprt@aol.com
cc: best-of-security@suburbia.net
In-Reply-To: <960825000843_393312675@emout07.mail.aol.com>
Message-ID: <Pine.3.89.9608242316.A6736-0100000@netcom4>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

This was a "feature" of the early beta copies of Windows 95.  It allowed 
a way of killing the screensaver in case of a system lockup.  This was 
fixed in the original "final" version of Windows 95.  I guess the 
workaround is to get a non-beta copy of Windows 95.

Chris

-----------------------------------------------------------------------------
Chris Royston
croyston@netcom.com

Go Cowboys!!!!!!!!
-----------------------------------------------------------------------------

On Sun, 25 Aug 1996 SekrtyXprt@aol.com wrote:

> Problem:
> 
> It has come to my attention that there is a security hole in Windows 95 that
> allows any user to bust out of a passworded screen saver.
> 
> Impact:
> 
> Malicious hackers will be able to penetrate the security of computers at
> major retailers such as Walmart, Sears and even Best Buy and modify/destroy
> files. 
> 
> Exploit:
> 
> 1.  Press and hold the control-alt-delete keys and then release.
> 2.  Drag the mouse over to the name of the screen saver and click ONCE.
> 3.  Click on the "End Task" button. (Or you can simply use Alt-E, again,
>      press and hold "Alt" and "E" and then release.)
> 
> Workaround:
> 
> There is no workaround at this time that I am aware of other than finding a
> more secure screen saver or figuring out a way to disable control-alt-delete.
>  
> I plan to send a copy of this to Microsoft on Monday morning so they can fix 
> it in future versions.  
> 
> Salem Chaudez        | "640k ought to be enough for anybody."
> SekrtyXprt@aol.com |                                     -- Bill Gates
> 
> 
> 

