MCI Telecommunications internetMCI Security Group Report Name: iMCI MIIGS Security Alert Report Number: iMCISE:IMCIBUGTRAQ:082596:01:P1R1 Report Date: 08/25/96 Report Format: Formal Report Classification: MCI Informational Report Reference: http://www.security.mci.net Report Distribution: iMCI Security, MCI Internal Internet Gateway Security (MIIGS), MCI Emergency Alert LiSt (MEALS) (names on file) ------------------------------------------------------------------------------- Problem: There is a security hole in Windows 95 that allows any user to bypass a password protected screen saver, without the use of a password. Impact: Use of the password protected screen saver for the protection of sensitive files is ineffective. Exploit: 1. Press and hold the control-alt-delete keys and then release. 2. Drag the mouse over to the name of the screen saver and click ONCE. 3. Click on the "End Task" button. (Or you can simple use Alt-E, again, press and hold "Alt" and "E" and then release.) Solution: There is no known fix for this exploit at this time. It is always recommended to employ the use of cryptographic measures to protect sensitive files and data, or make use of commercially tested BOOT-password protected systems. Acknowledgement: This exposure was reported by "SekrtyXprt@aol.com" on the BUGTRAQ mailing list. ===============================================================