[tabi] critical security warning for any pc running jaws

  • From: "Allison and Chip Orange" <acorange@xxxxxxxxxxx>
  • To: <tabi@xxxxxxxxxxxxx>
  • Date: Fri, 16 Oct 2009 15:35:20 -0400

hi all,

below is a link to a user's blog, wherein he describes a critical security
flaw he has discovered, for any pc running jaws.  unfortunately, he doesn't
quite spell out the implications of the issue, so I'd like to do so
(assuming he's correct in what happens).

His statement is at:


wherein he essentially says that any pc you've set up with jaws
automatically starting at bootup, has essentially no password security at
all; anyone can get on such a pc, as an administrator, from the logon
screen, without knowing a user id or a password.

furthermore, while he's only tested this with version 10, it's my guess that
the architecture of this part of jaws has remained unchanged, so that this
security hole will exist in all past versions as well.

using his steps, you can walk up to anyone's pc or server, reboot it if it's
running, and with a few keystrokes be on as the administrator.

this is very unfortunate for any IT employee, who is using jaws, and has it
installed on servers or pcs which are supposed to be password protected.  an
employer should really ask the user to change the arrangement so that jaws
is only started running after the login.

for your average home user, this probably has no practical effect (it's
seldom you rely on your password for your home pc to keep others out; you
rely usually on your physical security to do that).

