From shadixdl@gccs.cpf.navy.mil  Mon Aug 26 03:07:04 1996
Received: from gccs-fw.cpf.navy.mil (gccs-fw.cpf.navy.mil [198.55.6.40]) by suburbia.net (8.7.4/Proff-950810) with SMTP id DAA05737 for <best-of-security@suburbia.net>; Mon, 26 Aug 1996 03:06:57 +1000
Received: (from uucp@localhost) by gccs-fw.cpf.navy.mil (8.6.12/8.6.9) id RAA02789 for <best-of-security@suburbia.net>; Sun, 25 Aug 1996 17:06:33 GMT
Received: from gccs.cpf.navy.mil(204.34.183.2) by gccs-fw.cpf.navy.mil via smap (V1.3)
	id sma002787; Sun Aug 25 17:06:13 1996
Received: from gccs25.gccs.cpf.navy.mil (gccs25.gccs.cpf.navy.mil [204.34.183.25]) by gccs.cpf.navy.mil (8.7.5/8.6.9) with ESMTP id HAA00943 for <best-of-security@suburbia.net>; Sun, 25 Aug 1996 07:05:57 -1000
Message-Id: <199608251705.HAA00943@gccs.cpf.navy.mil>
From: "Danny L. Shadix" <shadixdl@gccs.cpf.navy.mil>
To: <best-of-security@suburbia.net>
Subject: Re: Gaping Security Hole
Date: Sun, 25 Aug 1996 07:05:43 -1000
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

This only works for Windows 3.1 type screensavers.  The new screensavers
that come with Windows 95 just pop up the password verification dialog.  Of
course, this was never meant as a REAL security feature, just as a means to
let you lock the screen while you go to the bathroom.  In conjunction with
a passworded BIOS powerup it's good enough to stop the casual passerby.

BTW, I like the moniker :-) 

----------
> From: SekrtyXprt@aol.com
> To: best-of-security@suburbia.net
> Subject: BoS: Gaping Security Hole
> Date: Saturday, August 24, 1996 6:08 PM
> 
> Problem:
> 
> It has come to my attention that there is a security hole in Windows 95
> that allows any user to bust out of a passworded screen saver.
> 
> Impact:
> 
> Malicious hackers will be able to penetrate the security of computers at
> major retailers such as Walmart, Sears and even Best Buy and
> modify/destroy files.
> 
> Exploit:
> 
> 1.  Press and hold the control-alt-delete keys and then release.
> 2.  Drag the mouse over to the name of the screen saver and click ONCE.
> 3.  Click on the "End Task" button. (Or you can simply use Alt-E, again,
>      press and hold "Alt" and "E" and then release.)
> 
> Workaround:
> 
> There is no workaround at this time that I am aware of other than finding
> a more secure screen saver or figuring out a way to disable
> control-alt-delete.
>  
> I plan to send a copy of this to Microsoft on Monday morning so they can
> fix it in future versions.
> 
> Salem Chaudez        | "640k ought to be enough for anybody."
> SekrtyXprt@aol.com |                                     -- Bill Gates
> 

