[tabi] Re: critical security warning for any pc running jaws

  • From: "Mister Blackjack" <misterblackjack2@xxxxxxxxx>
  • To: <tabi@xxxxxxxxxxxxx>
  • Date: Fri, 16 Oct 2009 18:18:19 -0400

Hi, I don't think this is a big problem, or at least not till now. Most
people do not know this or how to do it. Most people were or are not that
techy. But now that you put it out all over the world how to do it, it now
has become a problem. Also, if anyone tells their ITS department, they will
more than likely stop you from using Jaws till Freedom Scientific fixes this
problem. They are going to say they are not changing their system; there is
nothing wrong with it. It is your software that has the hole in it. This
will also make them start checking Jaws for other holes. So I would
recommend sending this problem to Freedom Scientific to be fixed. They may be
able to do this before the final release of Jaws 11. This, in my opinion,
should have never been blogged till it was fixed. While he was at it, as well
as you for putting it out on the list to give it even more exposure, just give
everyone's email address, name and whatever else you can find and put it out
for the whole world. This is exactly why I don't give more info about
myself on email lists. Just my thoughts. Oh, by the way, I am now taking Jaws
off of auto start up. I have just enough vision in my right eye to tell when
the log on screen comes up. But if this had not got out all over the world, I
would not have had to do this. I for one am not telling my ITS department
about it, because I know what will happen. Just more of my thoughts.

 


Thanks,
Blackjack
misterblackjack2@xxxxxxxxx
 

-----Original Message-----
From: tabi-bounce@xxxxxxxxxxxxx [mailto:tabi-bounce@xxxxxxxxxxxxx] On Behalf
Of Allison and Chip Orange
Sent: Friday, October 16, 2009 3:35 PM
To: tabi@xxxxxxxxxxxxx
Subject: [tabi] critical security warning for any pc running jaws

hi all,

below is a link to a user's blog, wherein he describes a critical security
flaw he has discovered, for any pc running jaws.  unfortunately, he doesn't
quite spell out the implications of the issue, so I'd like to do so
(assuming he's correct in what happens).

His statement is at:

http://tspivey.wordpress.com/2009/10/16/critical-security-flaw-in-jaws/

wherein he essentially says that any pc you've set up with jaws
automatically starting at bootup has essentially no password security at
all; anyone can get on such a pc, as an administrator, from the logon
screen, without knowing a user id or a password.

furthermore, while he's only tested this with version 10, it's my guess that
the architecture of this part of jaws has remained unchanged, so that this
security hole will exist in all past versions as well.

using his steps, you can walk up to anyone's pc or server, reboot it if it's
running, and with a few keystrokes be on as the administrator.

this is very unfortunate for any IT employee, who is using jaws, and has it
installed on servers or pcs which are supposed to be password protected.  an
employer should really ask the user to change the arrangement so that jaws
is only started running after the login.

for your average home user, this probably has no practical effect (it's
seldom you rely on your password for your home pc to keep others out; you
rely usually on your physical security to do that).

Chip

Check out the TABI resource web page at
http://acorange.home.comcast.net/TABI
and please make suggestions for new material.



if you'd like to unsubscribe you can do so through the freelists.org web
interface, or by sending an email to the address tabi-request@xxxxxxxxxxxxx
with the word "unsubscribe" in the subject.
