Security Feature or Bug?

[aphasia]

I have already posted some of this in a previous thread but have created a new topic so that this issue can be discussed further.

Firstly we are using a dual screen workstation running windows 2000 in a domain environment but am unsure if the issue is limited to this setup. (I plan to test this further with a single screen and different OS version probably XP)

If an administrator or any user were to lock their workstation and await the screensaver to display. Press F1 and when the browser launches it is launched under the logged on users account. Simply using the address bar you could type in any valid network share and it would open in the browser.
Under a standard users account their home drive, or any other shares they have access to, would be available. Under an administrators account the access could potentially be very dangerous or a security risk.

In the other post it states:

there was a bug in windows that did not permit launching URLs during screensaver action when F1 is pressed, so we found a workaround that allowed us to execute Internet Explorer.

Surely the fact that windows will not allow a browser to be launched is not a bug but a security feature?

The OS allowing you to work around this at all is the real bug / security hole.

Or am I really confused here? It is getting late now and perhaps I should rest!

[Karlis]

The problem is that F1 feature did not work at all until we switched from "default" browser to Internet Explorer. It did not work even in unlocked state. For some reason, when a screensaver is running Windows does not want to allow you to launch default web browser, but it trusts if you force it to use Internet Explorer.

I do believe, that developers from Microsoft have covered the possible security issues. However, out of curiosity I would like you to try accessing the network drives and let me know whether you are able to.

[MikeyB]

Hi,

I did read aphasia post on Friday and thought that if what was said is possible, it's a big security problem.

Using Windows XP Pro on our network at work.
I just downloaded The Colors of Summer sample screen saver, locked the computer (Ctrl-Alt-Delete - Lock computer) and waited for the screen saver to kick in.

Pressed F1 and IE came up with the Blmentals website.
I could from there put c:\ and see the contents of my local C: drive.
I could also put the drive letter of any mapped network drive, and also the UNC (\\server\sharename) of any network share and had my normal access to them (some I have administrator access on!)
Also could go to any website, imagine the implications of someone coming along and going to some "inappropriate" website on my work PC while my PC is locked by simply pressing F1 while the screen saver is on.

So this is certainly a big security hole with the screen savers.

Mike

[aphasia]

Karlis,

Yes we can access network drives, as MikeyB confirms in his post also, this is definately the case.

Your thoughts on this?

[Scorpius]

Surely the fact that windows will not allow a browser to be launched is not a bug but a security feature?

I'm not sure I follow your point.

1. Windows does not restrict a browser from launching, as IE launches just fine. Its other browsers that have been restricted. If this is a security feature, its working as planned. IE launches, other browsers do not. Since MS bundles IE with windows, surely they would know how to restrict their own browser from launching.

2. Why this bug/feature is being brought to the attention of Blumentals is also unclear. MS seems to be the correct party to contact. I doubt Blumentals jumped through any hoops to execute this behavior. Probably just called IE instead of the normal browser hook.

3. If an admin is relying on a screen saver to provide security of some kind, perhaps they should develop their own or test what is being installed. Lets not forget that an scr is a full fledged EXE with all the risks that go with it.

Just my 2 cents

Karlis...
I discovered a screen saver program that I registered does allow the default browser to launch from the screen saver. It features a clickable banner. I'm unclear how this is accomplished, it seems to wait until the screen saver ends before the url is launched. It also addresses the two issues above. Uses the default browser, and won't work if the workstation is locked.

If you want more information, please PM me.

[aphasia]

Scorpius

Thanks for replying with your views on this post.

1. Windows does not restrict a browser from launching, as IE launches just fine. Its other browsers that have been restricted. If this is a security feature, its working as planned. IE launches, other browsers do not. Since MS bundles IE with windows, surely they would know how to restrict their own browser from launching.

Karlis did write in another post

there was a bug in windows that did not permit launching URLs during screensaver action when F1 is pressed, so we found a workaround that allowed us to execute Internet Explorer.

If Windows did not permit lauching URL's this was probably an attempt to secure the screensavers. Surely Microsoft would not necessarily know how to restrict various security vunerabilities, how many patches etc. are realeased to overcome these type of exploits in there OS's.

2. Why this bug/feature is being brought to the attention of Blumentals is also unclear. MS seems to be the correct party to contact. I doubt Blumentals jumped through any hoops to execute this behavior. Probably just called IE instead of the normal browser hook.

I have raised this here initially, as this is an advertised feature of their software. However I can contact Microsoft and pass this information on. If they release some form of patch to overcome this action from within a screensaver then this may affect Blumentals sales of this product. I thought it only fair to give them the oppertunity to reply on this.

3. If an admin is relying on a screen saver to provide security of some kind, perhaps they should develop their own or test what is being installed. Lets not forget that an scr is a full fledged EXE with all the risks that go with it.

Developing our own screen saver would certainly cost more man hours in money than the purchase price of this software or many other off the shelf solutions. I have tested what was going to be installed before rolling this product out to our users , hence the post.

Could you supply me with details of the product you mentioned in your post? Launching the browser after the user has logged back on to the workstation seems to be a way to keep some form of security in place on the workstation.

Thanks again for adding your thoughts to this discussion.

[MikeyB]

Scorpius, this security bug should be brought to Blumentals attention as it's a feature of the screen savers produced with their software.

I don't think Karlis found a bug when he was trying to launch a web browser, but infact it is a security feature, and as he said he managed to find a way round it. A clever bit of programming, but it's opened a security hole.

3. If an admin is relying on a screen saver to provide security of some kind, perhaps they should develop their own or test what is being installed. Lets not forget that an scr is a full fledged EXE with all the risks that go with it.

As I said in my test, I locked Windows XP first.
Our security policy on all PCs is that Windows XP locks itself (same as Ctrl-Alt-Delete > Lock Computer) after a couple of minutes, then the screen saver comes on after 10 minutes, and also screen savers are set to "On resume password protect".
This security policy cannot be changed by users.

If I walk away and leave my PC it will lock iteslef which is fine as only I or an admin can login.
Then the screen saver comes on and anyone can simply press F1 and browse to any website or any file on my local drive or network that I have access to.
This is a massive security hole.

Karlis...
I discovered a screen saver program that I registered does allow the default browser to launch from the screen saver. It features a clickable banner. I'm unclear how this is accomplished, it seems to wait until the screen saver ends before the url is launched. It also addresses the two issues above. Uses the default browser, and won't work if the workstation is locked.

If you want more information, please PM me.

Karlis, personally I would say this feature of the screen savers should be completely removed. I know nothing can be done about screen savers that have already been make and installed, but future versions of the software should not allow a web browser to be launched.
A simple "about box" would do rather than launching a web browser.

[Scorpius]

This is an interesting discussion and I see both of your points...but

(Since both of you hold the same opinion, consider this a reply to both.)

I don't think its been established if this is a bug or security feature. I'm also unsure if any "clever bit of programming" was involved. I suspect Karlis may have just hard coded IE to handle url's here. If I'm wrong, I'm sure Karlis will correct me. It would be helpful to know if there is a MSDN article that covers this.

In any case, I strongly disagree this feature should be removed. Perhaps modified. Its a valuable way to direct a user to registration or promotional page. This is not something that is enabled by default. You must enter a url to have this feature active.

I'm also of the opinion that if you're concerned about security, and are using a screen saver as part of your strategy, the screen saver should be one that is included with the OS. Failing that, the program should be something the Admin implicitly trusts and is familiar with. Installing the software alone is opening a huge security risk, as installers are typically elevated to admin privileges.

Simply put, either create the saver with SSF4 with F1 support disabled, use software you strictly trust, or stick with the ones included with Windows.

aphasia

If you'd like more information about the other product I mentioned, please PM me. I think it may be disrespectful to post rival software on Karlis' forum.

[MikeyB]

Scorpius,

You have some very valid points in your post.

Some further thoughts from myself.

I wouldn't class it as a bug as the software is doing excatly what it was designed to do.

Our security policy here at work does restrict users from installing software, screen savers included (I can do it on my PC as I'm a local admin, not a "normal user") and everyone has the same screen saver (in fact one I wrote in VB6) and "On resume, password protect" is always on, so Windows always asks for the password to do anything else.
The screen saver itself does not play a big part in security from the aspect of unauthorised access as when the mouse is moved or any key is pressed the normal windows logon box is presented, this (I thought) was pretty much a standard thing for screen savers to do.

I can see the advantages of launching a browser from a screen saver as you say for promotional pages, but I can also see the security problems, not only at work but also for a home user.
Quick example for a home user:
Say you have different Windows logons setup for your kids with restricted web access & computer access, and your own logon in unrestricted.
You are using the PC and wander away, screen saver comes on and the kids only have to press F1 to get access to the whole web as they are logged on as you, who knows where they could go and see.
Not only that but they could then browse all of YOUR files on the hard drive that they wouldn't normally see when they are logged on.

I only say "A clever bit of programming" because of Karlis post http://forums.blumentals.net/viewtopic. ... workaround (4th post) where he says they found a workaround to launching the browser, it certainly think they found a way around a Windows security feature that was there to stop the problems I make above.

There are a couple of ways I can think of to modify this feature:
* Acting like the other screen saver you found where the URL is not launched till after password.

* One way it could be modified would be to rather than opening the web browser, use an emended one in a windows form without any web controls (i.e. address box etc) which would be a bit more secure, but then if there's a link to say Google from that page then there's no stopping that.

* Or how about not allowing F1 if the screen saver password option is set?

Obviously if no screen saver password is set then all of this is irrelevant!

Just my personal thoughts.

[Scorpius]

MikeyB,
Some very valid points. I didn't consider the problem this could cause for home users.

A couple of things to note. I found two other programs that allow a browser to be launched from a running screensaver, so this is not something limited to blumentals.

I also discovered an MSDN article that shows how to launch a browser from a running screen saver. It includes code that does exactly what has both of you concerned along with a solution.

The code is C#, but perhaps Karlis may look at it for ideas.

I also now agree that perhaps a "If desktop is locked, don't launch browser" check may be a good idea.

Here is a link to the MSDn article
http://msdn2.microsoft.com/en-us/library/ms686421.aspx

Again, my personal opinions also.

P.S.
I know this is off topic, but I think having RSS in a screensaver is a great way to deliver corporate intranet news to every desktop. Just a thought for future improvements.

[MikeyB]

So it seems like others have done this too, and there is code available to "fix the problem"

I do think that Karlis should consider changing the way F1 works in future versions.

P.S.
I know this is off topic, but I think having RSS in a screensaver is a great way to deliver corporate intranet news to every desktop. Just a thought for future improvements.

That is what the screensaver I wrote does, displays intranet news items.
Doesn't use an RSS feed, goes directly to an SQL server, but I wish I did think of the RSS route, would have saved me a few headaches I bet... might have to change it I think...

[Karlis]

Ok, I will check this. As for now, you should not use F1 feature if you are afraid that it could have negative effects. You can do so by not entering the F1 web link.

Also please be aware that though we may update this feature to favor the security, there are planty of other products that would not allow this. So if you allow anybody to install anything on your computers, this is still an open issue that should be addressed by Microsoft. Gee... I have never thought that we are smart enough to uncover security vunerabilities as it is more a dark-hacker thingy

So to sum up, if this is an issue for you, do not use F1 feature and do not allow anybody to install anything on your computers, because Windows ahs this (possible) vunerability.