Hello, welcome to the Tuesday, January 30th, 2018 edition of the Santernut Storm Center's Stormcast.

My name is Johannes Ulrich and the name recording from Miami, Florida.

Sort of the theme of today's podcast is insecurities in security products.

We do have a number of them to report about today, starting with

Lenovo's implementation of its fingerprint scanner. Biometrics in laptops has been around for a while,

and one of the companies that actually, I think, sort of pioneered this somewhat, was Lenovo,

or actually back in the IBM ThinkPad days, fingerprint

scanners were quite common accessories.

More recently, Lenovo introduced Fingerprint Manager Pro.

The application implements a password safe and allows users to log into websites and log into Windows by scanning a fingerprint.

Sadly, the password safe is implemented quite poorly.

Not only does it use a weak algorithm to encrypt the passwords, but you don't even have

to decrypt them.

All it takes is a hard-coded backdoor password to decrypt the data that's stored within Lenovo's fingerprint manager pro.

The vulnerability was disclosed to Lenovo by Jackson Torsami of Security Compass.

Lenovo has released an update last week.

And running Clam AV as an antivirus scanner, it is time to update.

And actually, this is a system that you often see, for example, implemented on mail servers,

not so much on workstations.

Clam AV released an update fixing seven different vulnerabilities.

Some of the vulnerabilities may be used to execute arbitrary code.

Vulnerabilities affect, for example, the PDF parser within this antivirus tool as well as various compressed impact file formats like

...