Slashdot Mirror


Microsoft Admits XP Has Same Bug As Win2K

Arashtamere sends in a Computerworld story on a security flaw in the Windows 2000 pseudo-random number generator published by Israeli researchers earlier this month. Microsoft has now admitted that the flaw is present in XP too. Microsoft denies that the bug is a security vulnerability, since an attacker would have to have gained administrative access to a system before exploiting it. (The Israeli researchers point out that many common exploits provide admin access.) This stance apparently lets them off the hook for patching Win2K, which is in "extended support" mode, though it powers about 9% of US and EU business computers. Microsoft said that XP SP3, due in the first half of next year, will fix the bug. The company said that Vista, Windows Server 2003 SP2, and the new Windows Server 2008 are not vulnerable.

3 of 161 comments

  1. Maybe the best solution is your own RNG? by mlts · · Score: -1, Redundant

    If I were writing a crypto app for Windows, I'd use my own RNG, and use Windows's as one of the inputs, but not the definitive input. Perhaps have the user wiggle the mouse briefly in a screen to seed a random number pool in RAM, then mix that with other non-periodic sources.

    I know TrueCrypt does this, where it uses its own RNG, and uses the OS's (be it Windows or Linux) as input, but not the RNG.

    In any case, if an attacker had administrator access, having them guess the output of the RNG is the least of one's worries.
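An added illustration of the mixing approach mlts describes above (example code, not TrueCrypt's or Windows' implementation): a small hash-based entropy pool that treats the OS generator as one input among several, mixes in user pointer events as another, and ratchets its state after every read so a later copy of the pool state does not reveal earlier output. The `EntropyPool` class, its mixing and ratchet scheme, and the sample pointer events are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
import struct

class EntropyPool:
    """SHA-256 pool mixing several sources; output via HMAC, state ratcheted per read."""

    def __init__(self) -> None:
        self._state = hashlib.sha256(b"entropy-pool-init").digest()
        self._counter = 0

    def add(self, label: bytes, data: bytes) -> None:
        # Label and length prefix keep concatenated contributions unambiguous.
        blob = self._state + label + struct.pack(">I", len(data)) + data
        self._state = hashlib.sha256(blob).digest()

    def add_os_random(self, n: int = 32) -> None:
        # The OS generator is one input among several, never the definitive one.
        self.add(b"os", os.urandom(n))

    def add_pointer_events(self, events) -> None:
        # events: (timestamp_ns, x, y) tuples; the timing jitter carries most entropy.
        for t, x, y in events:
            self.add(b"ptr", struct.pack(">QHH", t, x, y))

    def get_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self._counter += 1
            out += hmac.new(self._state, struct.pack(">Q", self._counter),
                            hashlib.sha256).digest()
        # Ratchet: a later snapshot of the state cannot reproduce earlier output.
        self._state = hashlib.sha256(b"ratchet" + self._state).digest()
        return out[:n]

# Constructed sample pointer events (timestamp_ns, x, y), not from a real session.
SAMPLE_EVENTS = [(1_700_000_000_000_000_001, 412, 300),
                 (1_700_000_000_013_207_118, 415, 304),
                 (1_700_000_000_027_944_530, 421, 307)]

def derive_key(os_bytes=None, events=SAMPLE_EVENTS) -> bytes:
    """Mix OS bytes with pointer events and return a 32-byte key."""
    pool = EntropyPool()
    if os_bytes is None:
        pool.add_os_random()        # live run: pull from the OS generator
    else:
        pool.add(b"os", os_bytes)   # fixed input: lets the mixing be checked
    pool.add_pointer_events(events)
    return pool.get_bytes(32)
```

With identical inputs the pool is deterministic, so the effect of each extra source can be checked directly; changing either the OS bytes or a single pointer event changes the derived key.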

  2. Re:Some food for thought for Vista haters by B3ryllium · · Score: 1, Redundant

    This is the same company that initially said that XP was not vulnerable. How much do you trust that statement, in light of this?

  3. Re:stupid by iago-vL · · Score: 1, Redundant

    The biggest danger I can think of that this could potentially cause is the ability for an attacker to reproduce encryption keys. Having administrator access doesn't necessarily mean having access to the users' encrypted data.