A number of vulnerabilities exist in HM Software S to Infinity, a security access control, desktop lockdown and transparent encryption application. Intended features include restriction of access to folders, files, floppy and CD-ROM drives, etc. Early versions of S to Infinity allows the capability of any user to rename files and directories which opens up the possibility of a number of exploits: - Renaming the S to Infinity directories in /Program Files and /Winnt/System will cause the program to cease to function. - S to Infinity implicitly trusts any allowed program on the system. However, it can be configured to set *.exe to read-only. Therefore, a user can run any application by copying the executable program to something.txt and then renaming that copy to a trusted executable like notepad.exe. Other security flaws present in S to Infinity: - The drive invisibility mechanism can be bypassed by using Find, Internet Explorer, or Open and Save Dialogue boxes. Searching for the...
A number of vulnerabilities exist in HM Software S to Infinity, a security access control, desktop lockdown and transparent encryption application. Intended features include restriction of access to folders, files, floppy and CD-ROM drives, etc. Early versions of S to Infinity allows the capability of any user to rename files and directories which opens up the possibility of a number of exploits: - Renaming the S to Infinity directories in /Program Files and /Winnt/System will cause the program to cease to function. - S to Infinity implicitly trusts any allowed program on the system. However, it can be configured to set *.exe to read-only. Therefore, a user can run any application by copying the executable program to something.txt and then renaming that copy to a trusted executable like notepad.exe. Other security flaws present in S to Infinity: - The drive invisibility mechanism can be bypassed by using Find, Internet Explorer, or Open and Save Dialogue boxes. Searching for the hidden drive letter and a known file in Find will allow access to files on the hidden drive. A user can open a hidden drive in Internet Explorer by clicking on a link that refers to the particular drive (eg. <a href="c:\">Link</a>). - File and directory attributes can be modified using the DOS attrib command. StoI file-level protection does not rely on DOS file attributes, so this will not affect StoI settings.
