COMMAND
BioLogon
SYSTEMS AFFECTED
Identix BioLogon 2.00, 2.01, 2.02, 2.03 running on Windows 98 or Windows Me
PROBLEM
Marc DeBonis found the following. Identix's BioLogon software is
used as the software "glue" to tie together various biometric
devices to the Windows operating system. The BioLogon client can
be used to have smart cards, fingerprint readers, and other
devices interact with Windows.
The security vulnerability exists when the software is installed
onto a Windows system that has more than one video card installed
and the system is running "multi-monitor" with the built-in virtual
desktop software that comes with Windows 98 SE and Windows 2000.
The problem is that the BioLogon client software attempts to
harden the screensaver password locking mechanism so that a
biometric device is needed to unlock the system. Unfortunately,
the software only locks the first screen (screen zero). No access
is blocked from any other screen (virtual desktop). Mouse,
keyboard, and the screen can be used while screen zero is locked.
In fact, unless the mouse is on screen zero, the biometric device
will not recognize that it should prompt for input (at least
with the Cherry keyboard that was used for testing).
This was tested on a Windows 98 SE system with four video cards
installed.
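An added example, not part of the original advisory and not Identix code: a Python check that a lock window's rectangle covers every monitor of a multi-monitor desktop, including monitors placed at negative coordinates. The monitor layout and all names are constructed, and the idea that the lock window is sized to screen zero only is an assumption inferred from the behaviour described above.

```python
from typing import Dict, List, NamedTuple


class Rect(NamedTuple):
    left: int
    top: int
    right: int   # exclusive
    bottom: int  # exclusive


def covers(outer: Rect, inner: Rect) -> bool:
    """True if 'outer' fully contains 'inner'."""
    return (outer.left <= inner.left and outer.top <= inner.top
            and outer.right >= inner.right and outer.bottom >= inner.bottom)


def virtual_desktop(monitors: Dict[str, Rect]) -> Rect:
    """Bounding box of all monitors; its origin can be negative."""
    rects = list(monitors.values())
    return Rect(min(r.left for r in rects), min(r.top for r in rects),
                max(r.right for r in rects), max(r.bottom for r in rects))


def unlocked_monitors(lock_window: Rect, monitors: Dict[str, Rect]) -> List[str]:
    """Names of monitors the lock window does not fully cover."""
    return [name for name, r in monitors.items() if not covers(lock_window, r)]


# Constructed layout: four 1024x768 displays, as in a four-card test system.
# screen0 is the primary display; screen2 sits to its left (negative x).
MONITORS = {
    "screen0": Rect(0, 0, 1024, 768),
    "screen1": Rect(1024, 0, 2048, 768),
    "screen2": Rect(-1024, 0, 0, 768),
    "screen3": Rect(0, 768, 1024, 1536),
}

if __name__ == "__main__":
    # Assumed flawed behaviour: lock window sized to the primary display only.
    primary_only = MONITORS["screen0"]
    print("primary-only lock leaves open:", unlocked_monitors(primary_only, MONITORS))
    # Lock window sized to the whole virtual desktop instead.
    full = virtual_desktop(MONITORS)
    print("virtual-desktop lock leaves open:", unlocked_monitors(full, MONITORS))
```

On a real Windows system the monitor rectangles would come from the Win32 EnumDisplayMonitors call rather than a hard-coded table.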
SOLUTION
Identix has confirmed that this problem could result in some
degree of security vulnerability in BioLogon(TM) for Windows,
running on Windows 98 or Windows Me. No fix was available at the time.