Microsoft Admits XP Has Same Bug As Win2K
Arashtamere sends in a Computerworld story on a security flaw in the Windows 2000 pseudo-random number generator published by Israeli researchers earlier this month. Microsoft has now admitted that the flaw is present in XP too. Microsoft denies that the bug is a security vulnerability, since an attacker would have to have gained administrative access to a system before exploiting it. (The Israeli researchers point out that many common exploits provide admin access.) This stance apparently lets them off the hook for patching Win2K, which is in "extended support" mode, though it powers about 9% of US and EU business computers. Microsoft said that XP SP3, due in the first half of next year, will fix the bug. The company said that Vista, Windows Server 2003 SP2, and the new Windows Server 2008 are not vulnerable.
And it will be "technologically impossible" to correct XP. Vista will get a "stealth update" for this.
Here is the original article on the ACM.
Very brief summary of article
Each process has its own instance of the generator, and the refresh of the internal state is done after 128 kbs of output from the generator (roughly 600-1200 SSL connections with IE). Not only that, it is run in the userspace so it is not a security violation to examine the internal state of the generator. The function used is not one-way, which provides a means of looking at past transactions of a user (within the 128 kbs of data).
Lack of planning on your part does not constitute an emergency on mine.
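Added example, not part of the original comment or the researchers' paper: a toy model of the property summarized above, showing that an invertible state update exposes every output block back to the last refresh, next to a one-way hash ratchet that has no such inverse. This is not the Windows algorithm; the constants and the names `InvertibleGen`, `RatchetGen` and `exposed_history` are constructed for illustration, and only the 128 KB refresh interval comes from the comment.

```python
import hashlib
import os

# Toy model only: NOT the Windows generator. Constants below are constructed.
REFRESH_BYTES = 128 * 1024          # refresh interval quoted in the comment above
BLOCK = 32                          # bytes emitted per step (SHA-256 digest size)
MASK = (1 << 64) - 1
A, C = 6364136223846793005, 1442695040888963407
A_INV = pow(A, -1, 1 << 64)         # exists because A is odd


class InvertibleGen:
    """State update is a bijection, so it can be run backwards."""

    def __init__(self, seed):
        self.state, self.since_refresh = seed & MASK, 0

    def next_block(self):
        out = hashlib.sha256(self.state.to_bytes(8, "big")).digest()
        self.state = (A * self.state + C) & MASK
        self.since_refresh += BLOCK
        if self.since_refresh >= REFRESH_BYTES:   # fresh entropy cuts the chain
            self.state = int.from_bytes(os.urandom(8), "big")
            self.since_refresh = 0
        return out


class RatchetGen:
    """State update is a one-way hash; old states are not derivable."""

    def __init__(self, seed):
        self.state = hashlib.sha256(seed).digest()

    def next_block(self):
        out = hashlib.sha256(b"out" + self.state).digest()
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return out


def exposed_history(state, since_refresh):
    """Past output blocks that a captured InvertibleGen state gives away."""
    blocks = []
    for _ in range(since_refresh // BLOCK):
        state = ((state - C) * A_INV) & MASK      # undo one update step
        blocks.append(hashlib.sha256(state.to_bytes(8, "big")).digest())
    return blocks[::-1]                            # oldest first
```

For incident response, the exposure window of the toy invertible design is everything emitted since the last refresh, which is why a one-way update or a much shorter refresh interval limits the damage of a state capture.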
The point is that people often use the same passwords on multiple systems. If you can crack them you can very likely gain access to other systems without having to wait for users to login at a time when you don't know how long you have control of the system.
http://rareformnewmedia.com/
Thanks for the flashback to l0pht's old page....! For those who don't remember it before it got rolled into @stake:
"'That vulnerability is entirely theoretical.' -- Microsoft; L0pht, making the theoretical practical since 1992."
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
>Microsoft said that XP SP3, due in the first half of next year, will fix the bug.
It should be an offence to know and state you know about a bug but sit on the fix for months. This is a really stupid MS position and will push people more towards alternatives like GNU/Linux.
It should be a hot fix right now.