Title: 360 Degree Web PlatinumKey Access Control Bypass Information Disclosure Vulnerability
Severity: MODERATE
Description:
PlatinumKey is a SmartCard security application distributed by 360 Degree Web. It is available for some laptops that use Microsoft Windows operating systems.
PlatinumKey fails to properly restrict access to the desktop when SmartCard access control is enabled. Because of this, an attacker may be able to obtain potentially sensitive information.
The problem is in the handling of certain key sequences. When the key sequence Control-Escape is pressed, the Windows task bar is displayed. An attacker could abuse this to gain information about recently run applications and recently accessed documents.
This problem has been reported to occur on the Acer Travelmate 600 and 800 series laptops. It may also affect other laptops using the same software with similar configurations.
Update: Acer Travelmate C300 and 8100 laptops running Platinum Secure are also reported to be affected by this issue. Furthermore, by using the extra 'Web' button on keyboards, attackers may also gain access to the underlying operating system even if the Control-Escape sequence does not work.
UPDATE (February 15, 2008): Reports indicate that PlatinumKey 1.1.3a is not vulnerable to this issue.
Affected Products:
- 360 Degree Web Platinum Secure
- 360 Degree Web PlatinumKey
References:
- 360 Degree Web: PlatinumKey Product Page