Security issue - Page 4

Dale · 01-23-2009, 12:07 PM

Originally posted by Jim Sachs:

Yeah, but it's broken on XP. Edgar has a fix, which I'll post as soon as he's done with a different bug.

\
8h (and 8i) properly go to the website, after password prompt, on XP Pro.

On Vista Ultimate 32-bit, 8i still works properly.

However note (Vista): When exiting the screensaver mode, a "black" window pops open for a moment. That seemingly occurs regardless of how I get out of the screensaver (move mouse, etc.), and regardless of whether the "password" option is turned on or off. [Not thoroughly explored, but it has happened enough times to be reported as an annoyance]

Jim Sachs · 01-23-2009, 12:15 PM

That's to prevent all the full-screen black flashes that everyone had been reporting a couple of months ago. By switching to windowed mode an instant before exiting, most of the drama in Vista is avoided.

Dale · 01-24-2009, 10:25 PM

Originally posted by Jim Sachs:

That's to prevent all the full-screen black flashes that everyone had been reporting a couple of months ago. By switching to windowed mode an instant before exiting, most of the drama in Vista is avoided.

...however, it also does that on XP, providing additional drama for XP.

I'm not sure it's worth fixing, but I did want to make sure it's known.

cjmaddy · 01-25-2009, 07:33 AM

https://www.feldoncentral.com/forums...18&#post108518

rps · 01-26-2009, 11:59 AM

Originally posted by Dale:

For the info of folks watching this thread - essentially all that script does is "http://www.serenescreen.com" (with the appropriate amount of fiddling to get the environment right).

This is clearly done in "user" context, after a correct password has been supplied.

Ok, I have to ask: how does a process in the null session get a .js to launch in another session? It doesn't seem like that should even be possible under Windows' security rules.

~Ralph S.

Shinsa · 02-01-2009, 01:43 PM

Remember, Microsoft says, "If someone has physical access to your computer, then it is not secure". In other words, they won't fix bugs in their OS that someone can only take advantage of by being at your machine (i.e. accessing a Win XP machines users files by booting with a Windows 2000 Professional CD).

Edgar · 02-01-2009, 02:11 PM

Their scripting engine called WScript has a method to impersonate the original user that ran the screensaver. Otherwise, I would have given up with the WebSite button for Vista.
What was weird is that in XP, it doesn't seem to matter that it came from a null session. I really did need the WScript but to make it work the same on all the Windows as possible, it calls the same script.

01-23-2009, 12:15 PM	#62
Jim Sachs Developer Join Date: Dec 2000 Location: Southern Oregon Posts: 9,791	That's to prevent all the full-screen black flashes that everyone had been reporting a couple of months ago. By switching to windowed mode an instant before exiting, most of the drama in Vista is avoided. Jim Sachs Creator of SereneScreen Aquarium

02-01-2009, 01:43 PM	#66
Shinsa Registered Join Date: Apr 2001 Location: Fayetteville, NC Posts: 407	Remember, Microsoft says, "If someone has physical access to your computer, then it is not secure". In other words, they won't fix bugs in their OS that someone can only take advantage of by being at your machine (i.e. accessing a Win XP machines users files by booting with a Windows 2000 Professional CD). Bob "When you have excluded the impossible, whatever remains, however improbable, must be the truth." _______________________________________________

02-01-2009, 02:11 PM	#67
Edgar Prolific/SereneScreen Developer Join Date: Mar 2003 Location: Norwalk, CA Posts: 513	Their scripting engine called WScript has a method to impersonate the original user that ran the screensaver. Otherwise, I would have given up with the WebSite button for Vista. What was weird is that in XP, it doesn't seem to matter that it came from a null session. I really did need the WScript but to make it work the same on all the Windows as possible, it calls the same script. *Edgar Tolentino* Prolific Developer www.prolific.com www.LifeGlobe.com

01-23-2009, 12:07 PM	#61
Dale Banned Join Date: Jun 2005 Location: Western Missouri Posts: 960	Originally posted by Jim Sachs: Yeah, but it's broken on XP. Edgar has a fix, which I'll post as soon as he's done with a different bug. \ 8h (and 8i) properly go to the website, after password prompt, on XP Pro. On Vista Ultimate 32-bit, 8i still works properly. However note (Vista): When exiting the screensaver mode, a "black" window pops open for a moment. That seemingly occurs regardless of how I get out of the screensaver (move mouse, etc.), and regardless of whether the "password" option is turned on or off. [Not thoroughly explored, but it has happened enough times to be reported as an annoyance]

01-24-2009, 10:25 PM	#63
Dale Banned Join Date: Jun 2005 Location: Western Missouri Posts: 960	Originally posted by Jim Sachs: That's to prevent all the full-screen black flashes that everyone had been reporting a couple of months ago. By switching to windowed mode an instant before exiting, most of the drama in Vista is avoided. ...however, it also does that on XP, providing additional drama for XP. I'm not sure it's worth fixing, but I did want to make sure it's known.

01-25-2009, 07:33 AM	#64
cjmaddy Registered Join Date: Nov 2001 Location: Lancashire, UK Posts: 7,854	https://www.feldoncentral.com/forums...18&#post108518

01-26-2009, 11:59 AM	#65
rps Registered Join Date: Oct 2008 Posts: 57	Originally posted by Dale: For the info of folks watching this thread - essentially all that script does is "http://www.serenescreen.com" (with the appropriate amount of fiddling to get the environment right). This is clearly done in "user" context, after a correct password has been supplied. Ok, I have to ask: how does a process in the null session get a .js to launch in another session? It doesn't seem like that should even be possible under Windows' security rules. ~Ralph S.