Microsoft Admits XP Has Same Bug As Win2K
Arashtamere sends in a Computerworld story on a security flaw in the Windows 2000 pseudo-random number generator published by Israeli researchers earlier this month. Microsoft has now admitted that the flaw is present in XP too. Microsoft denies that the bug is a security vulnerability, since an attacker would have to have gained administrative access to a system before exploiting it. (The Israeli researchers point out that many common exploits provide admin access.) This stance apparently lets them off the hook for patching Win2K, which is in "extended support" mode, though it powers about 9% of US and EU business computers. Microsoft said that XP SP3, due in the first half of next year, will fix the bug. The company said that Vista, Windows Server 2003 SP2, and the new Windows Server 2008 are not vulnerable.
Because you own a machine _now_ doesn't give you access to the encryption keys that were generated in the past.
This PRNG vulnerability does just that. Keys derived from it can be recovered by an attacker who compromises the machine _after_ the key was used and discarded.
Meanwhile, free/libre open-source unices like Linux and *BSD have had a sound random generator that doesn't suck too much for, like, ages...
No, sorry, you can keep Vista for yourself.
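The property raised in the comments above (keys recoverable from a state captured after they were used) shown as an added example that is not from the thread or from Microsoft's code: a toy generator with an invertible state update next to one that ratchets its state through a one-way hash. Neither models the Windows generator; every name and constant here is constructed for illustration.

```python
import hashlib

MASK = (1 << 64) - 1
A = 6364136223846793005          # odd, so the update is invertible mod 2**64
C = 1442695040888963407
A_INV = pow(A, -1, 1 << 64)      # modular inverse of A (Python 3.8+)


def derive(state: bytes) -> bytes:
    """Output block (a 'key') derived from the current state."""
    return hashlib.sha256(b"out" + state).digest()[:16]


class ReversibleGen:
    """Toy generator whose state update can be run backwards."""
    def __init__(self, seed: int):
        self.state = seed & MASK

    def next_key(self) -> bytes:
        key = derive(self.state.to_bytes(8, "big"))
        self.state = (self.state * A + C) & MASK
        return key


class RatchetGen:
    """Toy generator whose state update is a one-way hash."""
    def __init__(self, seed: int):
        self.state = hashlib.sha256(seed.to_bytes(8, "big")).digest()

    def next_key(self) -> bytes:
        key = derive(self.state)
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return key


def rewind_reversible(captured_state: int, steps: int) -> list:
    """From a state captured later, recompute the previous `steps` keys."""
    keys, s = [], captured_state
    for _ in range(steps):
        s = ((s - C) * A_INV) & MASK     # undo one state update
        keys.append(derive(s.to_bytes(8, "big")))
    return keys[::-1]


def demo(seed: int = 0x1234ABCD, n: int = 3):
    rev, rat = ReversibleGen(seed), RatchetGen(seed)
    past_rev = [rev.next_key() for _ in range(n)]
    past_rat = [rat.next_key() for _ in range(n)]
    # Only the *current* states are visible from here on.
    recovered = rewind_reversible(rev.state, n)
    reachable = {derive(rat.state)}      # ratchet state yields only future keys
    return recovered == past_rev, any(k in reachable for k in past_rat)
```

`demo()` returns whether the discarded keys were recovered from the reversible generator, and whether any discarded key is reachable from the ratchet's current state.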