What is the "critical flaw" in this one, the fact that you can control Windows as an administrator, or what?
---
Contact info:
Skype: parham-d
MSN: fire_lizard16 at hotmail dot com
GoogleTalk: parham90@xxxxxxxxx
Twitter: PD90
email: parham90 at GMail dot com

----- Original Message -----
From: "Tyler Spivey" <tspivey8@xxxxxxxxx>
To: <jfw@xxxxxxxxxxxxx>
Cc: <jawslite@xxxxxxxxxxxxx>; <blindtech@xxxxxxxxxxxxxxx>
Sent: Sunday, October 18, 2009 4:41 AM
Subject: Critical security flaw in JAWS
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Posted to all the lists that I knew of. Please repost to any others that apply.

- From my post at: http://tspivey.wordpress.com/2009/10/16/critical-security-flaw-in-jaws/

I have found a critical security flaw in the JAWS Screen reader that allows an attacker to gain full system-level access to the machine. I have tested this on 32-bit Windows Vista with JAWS 10.0.1154 and 32-bit Windows 7 with JAWS 11.0.611 Beta.

Instructions:
1. From the Windows logon screen with JAWS running, press insert+f2. Run JAWS Manager will appear.
2. Select Settings Packager, and press ok. Settings Packager will open.
3. From Settings Packager, go to File menu > Open, or press ctrl+o.
4. In the open dialog, type "%windir%\system32\*.exe" into the file name field (without the quotes) and press enter.
5. In the list of files, find cmd. Right click on it, or press the applications key and select Run as Administrator.

A system-level command prompt should open. To get out of it, type exit and press enter, then close the Settings Packager.

Update 2009-10-17: updated contact info with secondary email address. Please send any mail there until this note is removed.

Contact information:
Tyler Spivey
Email: tspivey8@xxxxxxxxx, PGP key: 0x048C58A4
Twitter: tspivey

- --
Tyler Spivey - PGP Key ID: 048C58A4
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkraayYACgkQTsjaYASMWKSrfwCgg4gLF6VP/S/I2htRy7Z/uEVe
kQwAn2tUvsSOWiGg5EZY9PRAFeWW5v+5
=JF7L
-----END PGP SIGNATURE-----

--
JFW related links:
JFW homepage: http://www.freedomscientific.com/
Scripting mailing list: http://lists.the-jdh.com/listinfo.cgi/scriptography-the-jdh.com
JFW List instructions:
To post a message to the list, send it to jfw@xxxxxxxxxxxxx
To unsubscribe from this mailing list, send a message to jfw-request@xxxxxxxxxxxxx with the word unsubscribe in the subject line.
Archives located at: //www.freelists.org/archives/jfw
Alternative archives located at: http://n2.nabble.com/JAWS-for-Windows-f2145279.html
If you have any concerns about the list, post received from the list, or the way the list is being run, do not post them to the list. Rather contact the list owner at jfw-admins@xxxxxxxxxxxxxx