COMMAND

    screen saver

SYSTEMS AFFECTED

    Windows 98

PROBLEM

    Ollie  Whitehouse  found  following.   This  is only a preliminary
    assessment of the problem.  It was tested on following platform:

        OS : Windows 98
        Patches : All except the virtual machine update
        Screensaver : Scrolling Marquee

    Here's the tested enviroment.  Say you got a open dos box  running
    a copy of  dos edit (focus  under Windows is  placed on this)  and
    when  you  come  back  and  type  in the password the screen saver
    password box does not pop up  after the first key press to  accept
    this password (strange  yes, but by  which time you  had typed the
    password). Now, if  you move the  mouse the box  will pop up,  you
    will nicely type in  your password and all  will be fine.   BUT!!!
    If you instead take a look  in the DOS window guess what  will you
    see?   Your screensaver  password which  you had  typed the  first
    time.   Strange but  true... seems  to be  a problem  with the way
    Windows executes the screensaver.   This was also seen  especially
    in the case of Instant Messenger.  If your screensaver is  running
    and  you  receive  an  Instant  Message,  when  you  type  in your
    password, it goes into the instant message instead.

    Shaman2001 added more valuable  info here.  Screensavers  are just
    normal win32 progs  that are named  *.scr in the  windows dir (try
    clicking  on  one).   Windows  runs  them  using  commandline's to
    perform different  things (ie.  screensaver.scr /A  to change  the
    passwd).  As it is a normal program, it is upto it to disable  the
    special  windows  keys  (ctrl-alt-del   etc)  and  stay  on   top.
    Unfortunatly,  most  screensavers  do  not  watch to see that they
    still have focus, and therefore, any program that makes a  windows
    call to gain focus will recieve any keystrokes, despite not  being
    on top/visible.   In conclusion to  this... it's the  screensavers
    fault.   All  screensavers  have  this  problem.   Few interesting
    questions:

        * the screensaver  itself is in  charge of calling  the passwd
          auth/changing dialog box (guess is that trojan is possible),
        * do virus scanners scan *.scr files normally?
        * screen savers  can bind a  socket and allow  people in while
          the screensaver  is active  and drop  connections when  it's
          not...  which means poeple can gain access, knowing your not
          watching,
        * windows screensavers are normal processes and therefore  can
          be killed by other programs (cd's still working when scr  is
          active)

SOLUTION

    Nothing yet.  Well, don't use those *.scr.