[12110] in bugtraq
Weakness In "The Matrix" Screensaver For Windows
daemon@ATHENA.MIT.EDU (Boyce, Nick)
Tue Oct 5 13:08:12 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <C1B2296C5D3ED11182DB00805F9A097ED302B0@GBHBM001>
Date: Mon, 4 Oct 1999 16:26:04 +0100
Reply-To: "Boyce, Nick" <nick.boyce@EDS.COM>
From: "Boyce, Nick" <nick.boyce@EDS.COM>
X-To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Summary: "The Matrix" Windows 9.x/NT screensaver password protection
doesn't work.
This is *not* a major problem, especially for those folks who stick
to guidelines and never install any screensavers that weren't supplied
by Microsoft with Windows ;-). In fact it hardly seems worth bothering
Bugtraq with it, except that so many admins seem to be quite taken
with "Matrix theory" ...
[ I tried informing the owners of this "product" by emailing
webmaster@whatisthematrix.com, but my email was bounced (connection
refused), so they've had their chance - other folks need to know. ]
Copy of what I emailed to the authors of the "Matrix" screensaver available
at http://www.whatisthematrix.com :
======================< cut >=======================
Dear Whoever-runs-your-website,
I just downloaded your Matrix screensaver for Windows 95/NT (for which :
thanks) and having now tried it I feel I must bring to your attention a
*serious* security bug in the screensaver :-
Running on Windows 95 OSR2, if I set the "Password protected" screensaver
option, then when the screen saver is running, if I move the mouse or press
a key to wake the screensaver up, a password prompt appears as it should,
but I can then simply press the "Escape" keyboard key and the screensaver
terminates with no password required - aaaaggghh !
Given the popularity of the Matrix film among computer industry people, I
imagine many people are running the screensaver, and therefore are
subjecting themselves to a significant risk of unauthorised access to
their PCs. I decided I should inform you of the bug, to give you a chance
to fix it, before I start publicising the risk in the regular security
forums on
the Internet.
======================< cut >=======================
> Nick Boyce
> Systems Team, EDS Healthcare, Bristol, UK
>
