Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Admits XP Has Same Bug As Win2K

Posted by kdawson on from the not-a-security-flaw-no-really dept.

Arashtamere sends in a Computerworld story on a security flaw in the Windows 2000 pseudo-random number generator published by Israeli researchers earlier this month. Microsoft has now admitted that the flaw is present in XP too. Microsoft denies that the bug is a security vulnerability, since an attacker would have to have gained administrative access to a system before exploiting it. (The Israeli researchers point out that many common exploits provide admin access.) This stance apparently lets them off the hook for patching Win2K, which is in "extended support" mode, though it powers about 9% of US and EU business computers. Microsoft said that XP SP3, due in the first half of next year, will fix the bug. The company said that Vista, Windows Server 2003 SP2, and the new Windows Server 2008 are not vulnerable.

11 of 161 comments (clear)

  1. stupid by Anonymous Coward · · Score: 4, Insightful

    if you already have admin access via another "exploit" why would you bother attacking via random number generator, seems like its a lot of fuss over nothing, Windows has alwayss been vunerable locally (luckily for admins whose users forget passwords etc) so the most worry is over a remote exploit which this flaw isnt. But iam sure some million dollar company will sell a solution for this, paranoia is a great sales tool in the murky world of snake oil, cough i mean computer security

    1. Re:stupid by Anonymous Coward · · Score: 4, Informative

      Because you own a machine _now_ doesnt give you access to the encryption keys that was generated in the past.

      This PRNG vulnurability does just that. Keys derived from it can be recovered by an attacker who compromises the machine _after_ the key was used and discarded.

  2. I have to agree with MS on this one... by Blakey+Rat · · Score: 4, Insightful

    If you have admin access, the battle's already lost. What's the point of running a complex process to obtain their password when you have full access to everything on their computer? Might as well just drop in a keylogger and get the same info much easier.

    --
    Comment of the year
    1. Re:I have to agree with MS on this one... by xaoslaad · · Score: 4, Insightful

      Granted, I agree with this for the most part. However, it always seems like there is that one person that looks at a problem like this in a way that no one else had prior and manages something completely expected. It's only at the point that a virus is running amok across half the corporate networks in the world that we find out you did not really need administrative priveleges if you did x, y, z first...

      History is full of examples, probably both within and out of the computing field where people thought that 'that' was impossible...

    2. Re:I have to agree with MS on this one... by abigsmurf · · Score: 5, Funny

      But to say that is to deny our ability to flame MS! Clearly it's an example of MS' incompetence that a random number generator that's 7+ years old has been broken by recent maths and it can be exploited to gain full access when you already have full access!

    3. Re:I have to agree with MS on this one... by mosch · · Score: 5, Insightful

      If you truly agree with MSFT, then you should quit working in computers right now, for everybody's sake.

      Many corporate computers have local admin accounts that are likely to share a user/password combo across large numbers of machines. A keylogger might not get you these credentials, but the ability to crack these credentials could get you admin access to a huge number of other computers.

      It is people like you who make sure that security consultants will never want for work.

  3. At last... by EsbenMoseHansen · · Score: 5, Funny

    A reason to upgrade to Vista! ;)

    --
    Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
  4. THe paper refered to. by leuk_he · · Score: 4, Insightful

    This article refers to this summary of this paper

    I fail to see why you would need administative privelidges however. You would only need to run in the userspace of the process that did run the random number generator before. Having administrative privs would be nice to inject code into that userspace, but is not needed i think.

    It can get even worse if from a public key part the random number that was used to generate it can be extracted, what was done in early ssl implementation attacks.

  5. Article by cbart387 · · Score: 5, Interesting

    Here is the original article on the ACM.

    Very brief summary of article
    Each process has their own instance of the generator, and the refresh of the internal state is done after 128 kbs of output from the generator (roughly 600-1200 SSL connections with IE). Not only that, it is run in the userspace so it is not a security violation to examine the internal state of the generator. The function used is not one-way which provides a means looking at past transactions of a user (within the 128 kbs of data).

    --
    Lack of planning on your part does not constitute an emergency on mine.
  6. Open crypto algorithms; no fix for Win2K by compumike · · Score: 5, Insightful

    While in general I think open-source and closed-source software can coexist, I think this is a pretty good example of why anything related to crypto should be open. All of public key cryptography relies on the secrecy of private keys, not on the secrecy of the algorithm itself. And while they might have faithfully implemented the algorithm, who knows what kinds of arguments/whatever to the crypto functions might cause undesired results -- it's just too hard to test.

    In any case, the thing that surprised me most from the article was that Windows 2000 users would be left out in the cold: "Because the company has determined that the PRNG problem is not a security vulnerability, it is unlikely to provide a patch [for Win2K]." Wow. Especially when it's something this easy to fix. This bug also solves any attacker's problem of trying to sort valuable from non-valuable information, since presumably any valuable information (credit cards used online, etc) will use encryption. And while someone suggested that a program should use its own random number generator, there is a problem because, in general, your application (not running as Admin) shouldn't have access to nearly the same amount of entropy sources (like network activity, GUI inputs, etc).

    --
    Educational microcontroller kits for the digital generation -- great gift!

  7. This is Why Open Source is Good. by Stephen+Samuel · · Score: 4, Insightful
    If this bug was in RedHat 5.2, there would be no issue about getting this critical bug fixed. If nothing else, I could just fix it myself -- and put the necessary patches to the source packages on my website.

    No worries about whether or not it's even legal to fix a machine that I'm using to run my business.

    --
    Free Software: Like love, it grows best when given away.