Bugtraq mailing list archives

Logitech Keyboard Insecurity


From: <keyboardhacker () hotmail com>
Date: 2 May 2002 18:27:51 -0000



Risk: Rather Low

 Logitech has a piece of software available with their
iTouch line of keyboards (cordless ones included) that
allows you to press one button and run a program, control
volume, jump to a URL, or shut down the PC.

 When you lock a computer (with NT/2000/XP/etc.), however,
these buttons still function. While the programs do not
appear in the foreground, they still run on the computer
behind the "Computer Locked" window.

 Thusly, a DoS attack can be performed, just by pressing one
of the buttons numerous amounts of times, easily opening 100
copies of whatever program they have been assigned to. By
default they are mainly assigned to run IE. Other things are
possible if you use your imagination. None of them appear
that great though, unless the user has linked these buttons
to other programs, ones that are possibly insecure and left
unrunning otherwise. Or you can always stop someone's music
from playing even when they have "locked" their PC.

 Logitech was contacted about 1 month ago and they have
confirmed it is indeed a problem with their software, but a
fix is not yet out. A 'locked' computer should indeed be
locked, and not accessible via any means. While this bug is
a low risk, it shows how *obvious* flaws go undetected. It
totally bypasses GINA (Graphical Identification aNd
Authentication), which is supposed to keep the PC secure (to
the extent of requiring Ctrl-Alt-Delete to log in).

Thank you,

Phktsk
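
The following is an added example, not part of the original post and not Logitech's code: a portable C model of a hotkey dispatcher, replayed once without and once with a check of the session lock state, showing how gating on that state stops the launches described above. The event model, function names and trace are hypothetical and constructed; WTS_SESSION_LOCK and WTS_SESSION_UNLOCK are the codes Windows delivers with WM_WTSSESSION_CHANGE to a window registered through WTSRegisterSessionNotification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* wParam codes Windows sends with WM_WTSSESSION_CHANGE. */
#define WTS_SESSION_LOCK   0x7
#define WTS_SESSION_UNLOCK 0x8

enum ev_kind { EV_SESSION, EV_HOTKEY };         /* hypothetical event model */
struct event { enum ev_kind kind; int code; };  /* code: WTS_* or a key id */

/* Replays events through a hotkey dispatcher and returns how many program
 * launches it would perform. gate_on_lock=false models the reported
 * behaviour; true models a helper that tracks the lock state. */
static unsigned replay(const struct event *ev, size_t n, bool gate_on_lock)
{
    bool locked = false;
    unsigned launches = 0;

    for (size_t i = 0; i < n; i++) {
        if (ev[i].kind == EV_SESSION) {
            if (ev[i].code == WTS_SESSION_LOCK)   locked = true;
            if (ev[i].code == WTS_SESSION_UNLOCK) locked = false;
            continue;
        }
        if (gate_on_lock && locked)
            continue;           /* drop the key press: nothing runs while locked */
        launches++;             /* stands in for starting the assigned program */
    }
    return launches;
}

/* Constructed trace: one press, lock, 100 presses, unlock, one press. */
static size_t build_trace(struct event *ev, size_t cap)
{
    size_t n = 0;
    if (cap < 104) return 0;
    ev[n++] = (struct event){ EV_HOTKEY, 1 };
    ev[n++] = (struct event){ EV_SESSION, WTS_SESSION_LOCK };
    for (int i = 0; i < 100; i++)
        ev[n++] = (struct event){ EV_HOTKEY, 1 };
    ev[n++] = (struct event){ EV_SESSION, WTS_SESSION_UNLOCK };
    ev[n++] = (struct event){ EV_HOTKEY, 1 };
    return n;
}

int main(void)
{
    struct event ev[104];
    size_t n = build_trace(ev, 104);
    printf("ungated launches: %u\n", replay(ev, n, false));
    printf("gated launches:   %u\n", replay(ev, n, true));
    return 0;
}
```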

