Password protection bypassed. [M134]1[M219] [v6]

A. THE BUG/ISSUE (Varies from issue to issue)
  • What actually happened or U actually saw: Password settings ignored and bypassed.
  • If not obvious, what U expected to happen or see: I expected to see a prompt for the password.
  • Can U reproduce the problem & if so how reliably?: Yes, reliably.
  • If you can, precise steps to reproduce it. If not say what you did before it happened:
  1. Enable password protection.
  2. Go to the Program Files\COMODO\COMODO Internet Security folder and double click on the virtkiosk file (or create a shortcut to the file and click on the shortcut); the password is bypassed.
  3. Also bypassed if the widget is showing: you can click on unrecognized files (Screenshot1), and this allows access to the advanced settings, including the ability to disable the password protection.
  • If a software compatibility problem have U tried the conflict FAQ?: N/A
  • Any software except CIS/OS involved? If so - name, exact version, & download link: N/A.
  • Any other information, eg your guess at the cause, how U tried to fix it etc: My guess is a design flaw.
  • Always attach: Diagnostics file, Killswitch processes, dump (if freeze/crash). If complex: CIS logs & config, screenshots, video.

B. YOUR SETUP (Likely the same from issue to issue, users can copy forward)
  • CIS version & configuration: V6.0.260739.2674, proactive.
  • Modules enabled & level. Defense+/HIPS, Autosandbox/BBlocker, Firewall, & AV: CIS proactive defaults.
  • Have U updated (without uninstall) from a previous version of CIS: No.
    ◦ if so, have U tried a clean reinstall - if not please do?: N/A.
  • Have U imported a config from a previous version of CIS: No.
    ◦ if so, have U tried a standard config - if not please do: N/A.
  • Have U made any other major changes to the default config? (egs here.): No.
  • OS version, SP, 32/64 bit, UAC setting, account type, & virtual machine used: Win 7, No SP, 32Bit, UAC off, Admin, No VM.
  • Other security & sandbox software a) currently installed b) installed since last OS install: Previous versions of CIS.


Seems to be with all functions that run off an .exe…
I tried killswitch, same thing. I guess they need a global exe or shortcut deny with password enabled.
I'm on Windows 8 x64 with UAC off. Same thing. Glad this was found early. Could be fashioned in some form as an exploit obviously…

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again

Mouse

This bug is partially fixed.
Password is no longer bypassed from the widget as stated in A-4-3 (Fixed).

Password can be bypassed from the widget to open kill switch via the running in sandbox button; I am not sure if this happened previously or not.
Password can still be bypassed to open kiosk from a desktop shortcut or direct from the virtkiosk.exe file.

Thanks very much for telling me this.

Could you make out another bug report for bypass via sandboxed files, as it is in effect another issue?

I’ll hold this in format verified until M219 (virtkiosk) is resolved.

Best wishes

Mouse

Hi Captain, just wondering if this is fixed for you in 2801. Apols if I have missed a notification.

Specifically: “desktop shortcut or direct from the virtkiosk.exe”

Mouse

Hi Mike,
Apologies for not following up.

Password can still be bypassed to open kiosk from a desktop shortcut or direct from the virtkiosk.exe file in _2801. Not fixed.

Password bypass is no longer possible through the widget for any action in _2801. Fixed.

Ta Captain, no problem, will mark up in tracker

Not fixed in _2813.
Password can still be bypassed to open kiosk from a desktop shortcut or direct from the virtkiosk.exe file.

Can you please check and see if this is fixed with the newest version (6.2.282872.2847)? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.

This could probably be moved to resolved/outdated.

The non resolved part of this bug report is already discussed in a separate report that has been mentioned in our ■■■.

Okay, I will move this to Resolved.

However, if it turns out that it should not be flagged as fixed please notify me via PM and I will move it back.

Thank you.