just continuing to test to see what comes out of these posts if they actually start properly appearing on twitter.
Archives for October 2009
continuing to test
just continuing to test to see what comes out of these posts if they actually start properly appearing on twitter.
Mirrored from shane's rants!.
playing with plugins
Just writing as I play with plugins to see if this thing actually shows up on twitter with title and link.
I’ll write more later.
playing with plugins
Just writing as I play with plugins to see if this thing actually shows up on twitter with title and link.
I’ll write more later.
Mirrored from shane's rants!.
follow up to: is freedom scientific losing their touch?
This will be a short post
I received the following e-mail from grant hardy, of freedom scientific technical support
Dear Shane:
Thank you for contacting Freedom Scientific Support.
Thanks for letting us know, product management is aware of it, and we are working on it.
Thank you for choosing Freedom Scientific!
If replying to this message, Be sure to include all previous correspondence pertaining to this issue so that we might more quickly assist you.
Regards,
Grant Downey
Technical Support Specialist
Freedom Scientific
Phone support: 727 803 8600, option #2
E-mail Support: [email protected]
Visit our website at:
http://www.freedomscientific.com
Our Mission
To develop, manufacture and market innovative technology-based products
and services that those with vision impairments and learning
disabilities use to change their world.
Is this really a response to the threat these security wholes present?
The comment boards await you.
Is freedom scientific finally losing their touch?
Hello fellow blog readers
It’s been awhile since I posted something of major substance to the blind community here.
On
this blog
We have some very interesting posts to reference.
I’m going to post each of them below, exactly as posted, and I’ll follow each one of them up with my comments.
The first one is entitled
Critical security flaw in JAWS
and was posted on october 16, 2009.
Critical security flaw in JAWS
October 16, 2009 by Tyler Spivey
I have found a critical security flaw in the JAWS Screen reader that allows an attacker to gain full system-level access to
the machine. I have tested this on 32-bit Windows Vista
with JAWS 10.0.1154 and 32-bit Windows 7 with JAWS 11.0.611 Beta.
Instructions:
1. From the Windows logon screen with JAWS running, press insert+f2. Run JAWS Manager will appear.
2. Select Settings Packager, and press ok. Settings Packager will open.
3. From Settings Packager, go to File menu > Open, or press ctrl+o.
4. In the open dialog, type “%windir%\system32\*.exe” into the file name field (without the quotes) and press enter.
5. In the list of files, find cmd. Right click on it, or press the applications key and select Run as Administrator.
A system-level command prompt should open. To get out of it, type exit and press enter, then close the Settings Packager.
my comments on this one
Note that this was during the last public beta build of jaws 11, build 611. I was able to varrify this issue with this build of jaws on all machines I have access to. After build 729 the final release to the public on DVD version of jaws came out on october 19 2009, tyler reported in his next post, see below, had been fixed. but as this next will show, this problem still exists using a different set of varrifiable instructions.
The next post entitled
JAWS security flaw, round 2
has this to say.
JAWS security flaw, round 2
October 19, 2009 by Tyler Spivey
In my First Post, I described a security vulnerability that allowed local users to gain system-level access to a machine. A quick test with JAWS 11.0.729, the release build of JAWS 11, reveals that it is fixed. Here is a slightly different set of instructions that will do the same thing.
1. From the login screen, press insert+j, and navigate to utilities/configuration manager.
2. When configuration manager opens, press control+o.
3. press the Import button. The open dialog will appear.
4. On my Windows 7 test machine, I got an error box that can safely be dismissed. Once done, type %windir%\system32\*.exe into the open dialog.
5. find cmd in the list, and press the applications key on it. Select Run as administrator if it appears. If not, keep following these steps.
6. From cmd’s context menu, pick select. answer no to the question asking you to overwrite settings files, if it comes up.
7. press import, and pick cmd from the list again. Activate the context menu, and select Run as administrator.
If done correctly, you should have an administrative command prompt
I took that set of instructions and again tested them on as many systems as possible, and low and behold, I received an administrative command prompt.
But the ensanity doesn’t end there.
On the same day, this post
Gathering passwords with the JAWS builtin keylogger
hit his blog.
The text is below.
Gathering passwords with the JAWS builtin keylogger
October 19, 2009 by Tyler Spivey
JAWS so helpfully contains a built-in script that logs all keys pressed on the keyboard. This method has a better chance of working on XP than the others. You must have a user account on the machine to make this work.
1. Open Keyboard manager, and open the default file. Add a key to the “ToggleKeyboardLogging” script.
2. Once done, log out of the machine. Your profile will still be loaded. Press that key. The only thing JAWS will say is “enabled”. Log into the machine, then open keystrokes.log in your jaws program directory. all keys pressed will be there, from the last time the script was enabled
At the time of writing, do to my keyboard manager acting up, I have not been able to test this particular vulnerability relating to the keylogger.
At the time this went to press, Freedom scientific LLC,
http://www.freedomscientific.com
was closed.
But the following e-mail was dispatched to both the support and info addresses.
subject: freedom scientific’s response to the security wholes found in jaws 11?
To whom this may concern,
I am writing this message in reference to three blog posts available at:
http://tspivey.wordpress.com/
and who’s text and my comments were placed on my own blog at
http://stickbear.me/blog
To summarize these posts, it was discovered that not only can system level access to the computer be gained using your software, but your program includes a hidden keylogger that isn’t even documented that logs all keystrokes entered and can gain sensative information from a users computer?
These keys hense are logged to keystrokes.log.
I would like to ask, what is freedom scientifics stand on these issues, and is freedom scientific willing to comment publicly for airing on ACBRadio’s main menu and in other public venues regarding these security wholes?
I Thank you for your time.
Sincerely,
Shane Davidson
We shall see what comes of this.
until then.
piece yall.
Is freedom scientific finally losing their touch?
Hello fellow blog readers
It’s been awhile since I posted something of major substance to the blind community here.
On
this blog
We have some very interesting posts to reference.
I’m going to post each of them below, exactly as posted, and I’ll follow each one of them up with my comments.
The first one is entitled
Critical security flaw in JAWS
and was posted on october 16, 2009.
Critical security flaw in JAWS
October 16, 2009 by Tyler Spivey
I have found a critical security flaw in the JAWS Screen reader that allows an attacker to gain full system-level access tothe machine. I have tested this on 32-bit Windows Vista
with JAWS 10.0.1154 and 32-bit Windows 7 with JAWS 11.0.611 Beta.Instructions:
1. From the Windows logon screen with JAWS running, press insert+f2. Run JAWS Manager will appear.
2. Select Settings Packager, and press ok. Settings Packager will open.
3. From Settings Packager, go to File menu > Open, or press ctrl+o.
4. In the open dialog, type “%windir%\system32\*.exe” into the file name field (without the quotes) and press enter.
5. In the list of files, find cmd. Right click on it, or press the applications key and select Run as Administrator.
A system-level command prompt should open. To get out of it, type exit and press enter, then close the Settings Packager.
my comments on this one
Note that this was during the last public beta build of jaws 11, build 611. I was able to varrify this issue with this build of jaws on all machines I have access to. After build 729 the final release to the public on DVD version of jaws came out on october 19 2009, tyler reported in his next post, see below, had been fixed. but as this next will show, this problem still exists using a different set of varrifiable instructions.
The next post entitled
JAWS security flaw, round 2
has this to say.
JAWS security flaw, round 2
October 19, 2009 by Tyler Spivey
In my First Post, I described a security vulnerability that allowed local users to gain system-level access to a machine. A quick test with JAWS 11.0.729, the release build of JAWS 11, reveals that it is fixed. Here is a slightly different set of instructions that will do the same thing.
1. From the login screen, press insert+j, and navigate to utilities/configuration manager.
2. When configuration manager opens, press control+o.
3. press the Import button. The open dialog will appear.
4. On my Windows 7 test machine, I got an error box that can safely be dismissed. Once done, type %windir%\system32\*.exe into the open dialog.
5. find cmd in the list, and press the applications key on it. Select Run as administrator if it appears. If not, keep following these steps.
6. From cmd’s context menu, pick select. answer no to the question asking you to overwrite settings files, if it comes up.
7. press import, and pick cmd from the list again. Activate the context menu, and select Run as administrator.
If done correctly, you should have an administrative command prompt
I took that set of instructions and again tested them on as many systems as possible, and low and behold, I received an administrative command prompt.
But the ensanity doesn’t end there.
On the same day, this post
Gathering passwords with the JAWS builtin keylogger
hit his blog.
The text is below.
Gathering passwords with the JAWS builtin keylogger
October 19, 2009 by Tyler Spivey
JAWS so helpfully contains a built-in script that logs all keys pressed on the keyboard. This method has a better chance of working on XP than the others. You must have a user account on the machine to make this work.1. Open Keyboard manager, and open the default file. Add a key to the “ToggleKeyboardLogging” script.
2. Once done, log out of the machine. Your profile will still be loaded. Press that key. The only thing JAWS will say is “enabled”. Log into the machine, then open keystrokes.log in your jaws program directory. all keys pressed will be there, from the last time the script was enabled
At the time of writing, do to my keyboard manager acting up, I have not been able to test this particular vulnerability relating to the keylogger.
At the time this went to press, Freedom scientific LLC,
http://www.freedomscientific.com
was closed.
But the following e-mail was dispatched to both the support and info addresses.
subject: freedom scientific’s response to the security wholes found in jaws 11?
To whom this may concern,
I am writing this message in reference to three blog posts available at:http://tspivey.wordpress.com/
and who’s text and my comments were placed on my own blog at
http://stickbear.me/blog
To summarize these posts, it was discovered that not only can system level access to the computer be gained using your software, but your program includes a hidden keylogger that isn’t even documented that logs all keystrokes entered and can gain sensative information from a users computer?
These keys hense are logged to keystrokes.log.
I would like to ask, what is freedom scientifics stand on these issues, and is freedom scientific willing to comment publicly for airing on ACBRadio’s main menu and in other public venues regarding these security wholes?
I Thank you for your time.
Sincerely,
Shane Davidson
We shall see what comes of this.
until then.
piece yall.
Mirrored from shane's rants!.