Microsoft Windows Vista
A security researcher said that the StickyKeys function in Vista and XP could allow a user to bypass the login system

Windows StickyKeys could pose security risk

Microsoft dismisses claims of vulnerability in software component

Shaun Nichols in California

A Windows component designed to help disabled users could serve as a backdoor for unauthorised system access, according to a security expert.

McAfee researcher Vinoo Thomas said in an article posted to the company's security research blog that the StickyKeys function in Windows Vista and XP can be exploited to allow a user to bypass the login system. 

Advertisement

StickyKeys allows users to enter key combinations without having to hold and press keys simultaneously. It is launched by pressing the 'shift' key five times in succession.

Thomas pointed out that the component responsible for launching StickyKeys is vulnerable to tampering.

A user could replace the StickyKeys executable (.exe) with a copy of the command prompt (cmd.exe) and launch the prompt by pressing the 'shift' key five times.

This would allow a user to open the command prompt in the Windows log-in screen and tell the machine to load Windows Explorer.

The user would then have complete access to the system with administrator-level privileges without needing the administrator's password.

Microsoft shrugged off the reports in a statement provided to vnunet.com and said that it did not consider the StickyKeys backdoor to be a vulnerability of any sort. 

The company pointed out that, in order to make the edits, a user must already be on an administrator account, thus mitigating the need for a backdoor in the first place.

Thomas acknowledged that administrator access is required, but pointed out that up to 27 per cent of all unauthorised access is committed by internal employees.

Users who had administration rights, or who temporarily found themselves with administrator access, could set up the backdoor and use it later for malicious purposes.

The researcher also pointed out that the StickyKeys trick worked with the remote desktop feature, allowing a user to take control of an affected system from a remote location.

Again, this is a feature that could lend itself to the wrath of disgruntled employees, according to Thomas.

The researcher urged users wishing to mitigate the risk of the StickyKeys feature to uninstall the accessibility options component in Windows.

  • Have your say
  • Send to a friend
  • Print
  • Digg
  • Reddit
  • Share

Tags:

Do you agree?

Related whitepapers

Related jobs

Most watched

V3.co.uk weekly debrief, 13 Nov 09

This week we discuss the inaugural V3.co.uk Summit

Summit: Salesforce.com on SaaS and information overload

How web services contribute to data headaches

Analysis and Reports

Remote access - Three steps to getting connected

3.4 million UK professionals now work from home – is your company equipped?

Cost benefits of a global collaboration network

This white paper is a must read for organisations looking for evidence of the bottom-line benefits of high-definition video and voice communications

Poll

Impact of Information Overload poll

Impact of Information Overload poll

What is the biggest problem your firm faces as a result of the data explosion?

View poll results

Advertisement

White paper library

Keep up to date with the latest products, services and technologies from the world's leading IT companies; IThound.com brings you over 6,000 white papers, case studies and analyst reports.

Advertisement

Newsletter signup

Sign up for our range of FREE newsletters:

Existing User

Newsletter user login:

Enter email address to edit your newsletter preferences

Job of the week

Search thousands of IT jobs :

Search thousands of IT jobs:

Advanced search

Hiring now on ComputingCareers:

Related IT jobs

Search thousands of IT jobs :

Search thousands of IT jobs:

Advanced search

Advertisement

Spotlight

V3.co.uk weekly debrief, 13 Nov 09

This week we discuss the inaugural V3.co.uk Summit

Fingers on keyboard

New Flash vulnerability discovered

Web sites could be vulnerable to Flash attacks

Chris Adams

Summit: Microsoft Office to the rescue

Chris Adams, Office Client product manager for Microsoft UK, explains...

Illegal downloader

Industry and human rights campaigners united in opposition to "three strikes" plan

Critics says government proposals to curb illegal downloading are unworkable...

Primary Navigation