Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Microsoft Admits XP Has Same Bug As Win2K

kdawson posted more than 6 years ago | from the not-a-security-flaw-no-really dept.

Security 161

Arashtamere sends in a Computerworld story on a security flaw in the Windows 2000 pseudo-random number generator published by Israeli researchers earlier this month. Microsoft has now admitted that the flaw is present in XP too. Microsoft denies that the bug is a security vulnerability, since an attacker would have to have gained administrative access to a system before exploiting it. (The Israeli researchers point out that many common exploits provide admin access.) This stance apparently lets them off the hook for patching Win2K, which is in "extended support" mode, though it powers about 9% of US and EU business computers. Microsoft said that XP SP3, due in the first half of next year, will fix the bug. The company said that Vista, Windows Server 2003 SP2, and the new Windows Server 2008 are not vulnerable.

cancel ×

161 comments

Sorry! There are no comments related to the filter you selected.

nose?! (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21446435)

thats not what i think...

stupid (4, Insightful)

Anonymous Coward | more than 6 years ago | (#21446445)

if you already have admin access via another "exploit" why would you bother attacking via random number generator, seems like its a lot of fuss over nothing, Windows has alwayss been vunerable locally (luckily for admins whose users forget passwords etc) so the most worry is over a remote exploit which this flaw isnt. But iam sure some million dollar company will sell a solution for this, paranoia is a great sales tool in the murky world of snake oil, cough i mean computer security

Re:stupid (1, Redundant)

iago-vL (760581) | more than 6 years ago | (#21446839)

The biggest danger I can think of that this could potentially cause is the ability for an attacker to reproduce encryption keys. Having administrator access doesn't necessarily mean having access to the users' encrypted data./P.

Re:stupid (3, Insightful)

smallfries (601545) | more than 6 years ago | (#21446923)

It does if the data is accessed during the period that you have admin access. The process using the data has to manipulate the keys at some point, and if you can access their memory space then any security is toast. This is exactly how the drm on the new drm for blueray / hddvd was cracked.

This was the point of palladium, that the keys would be locked up inside a separate box, segregated from the processor. Each process would only manipulate opaque handles to the keys.

One nice aspect of this attack is that if you gain admin access after key generation, but before the entropy pool is refreshed then you can play back the state of the random number generator to recreate the keys after the fact. But this just extends the window slightly, you still need an exploit to get admin first.

Re:stupid (4, Informative)

Anonymous Coward | more than 6 years ago | (#21446975)

Because you own a machine _now_ doesnt give you access to the encryption keys that was generated in the past.

This PRNG vulnurability does just that. Keys derived from it can be recovered by an attacker who compromises the machine _after_ the key was used and discarded.

Re:stupid (2, Informative)

lgw (121541) | more than 6 years ago | (#21447421)

Because you own a machine _now_ doesnt give you access to the encryption keys that was generated in the past.
Except that it pretty much does for Windows NTFS encryption. Thank you "key recovery account". For that matter, on a Windows machine not in a domain with default settings, you can get the NTFS encryption keys with no accounts at all, just stick the drive in your machine and "recover" the keys with the local admin account. Checkbox feature for the win!

And if you're using real encryption instead, you're not caring about the Windows RNG I hope.

Re:stupid (1)

Henry V .009 (518000) | more than 6 years ago | (#21447385)

Windows has alwayss been vunerable locally (luckily for admins whose users forget passwords etc)
Ah...no. You can edit the administrator password directly on the hard drive, but you can do the same for Unix systems. You are confusing physical access with privilege escalation flaws.

You use the same password on other machines (2, Insightful)

goombah99 (560566) | more than 6 years ago | (#21447437)

Knowing someone's password can be handy. Most folks use the same password on multiple machines or entire networks. Moreover they seldom change them.

Re:stupid (0)

Anonymous Coward | more than 6 years ago | (#21447521)

"paranoia is a great sales tool in the murky world of snake oil, cough i mean computer security" - by Anonymous Coward on Thursday November 22, @11:05AM (#21446445)
This isn't "snake oil" though & everyone ought to know it, + apply it to their Windows rigs:

http://www.security-forums.com/viewtopic.php?p=273323&sid=5665cc148e4d788ff5a1c4b0d4e38e56#273323 [security-forums.com]

It just works... & paranoia,especially online today??

Paranoia:= 'GOOD THING'; //(Delphi) {*Pascal*}

Especially in today's online world, riddled with spyware/trojans/virus (malware in general)!

(& yes, "Pro-*NIX" people here @ /. (the majority of you imo) - especially for Windows users (the most used, & thus, the most attacked, no questions asked - greater attack vector 'surface area' & all that!))

IF you use a Windows NT-based OS variant, DO take 1-3 hours of your time, try applying the points from that URL above to your system yourself, if you use Windows 2000/XP/Server 2003, or yes, even VISTA (a good 90% of its principles (or better) still apply in VISTA even).

APK

P.S.=> VISTA's got some really GOOD ideas for security (Address Space Randomization Layer for executables) that Windows Server 2003 doesn't have, but, it's got its share of hassles (@ least until SP #1 or 2 imo, just as NT/2000/XP did before it), but I know that VISTA's built off the foundation of Windows Server 2003's core code, & that makes VISTA @ least have potential imo! apk

I have to agree with MS on this one... (4, Insightful)

Blakey Rat (99501) | more than 6 years ago | (#21446449)

If you have admin access, the battle's already lost. What's the point of running a complex process to obtain their password when you have full access to everything on their computer? Might as well just drop in a keylogger and get the same info much easier.

Re:I have to agree with MS on this one... (4, Insightful)

xaoslaad (590527) | more than 6 years ago | (#21446513)

Granted, I agree with this for the most part. However, it always seems like there is that one person that looks at a problem like this in a way that no one else had prior and manages something completely expected. It's only at the point that a virus is running amok across half the corporate networks in the world that we find out you did not really need administrative priveleges if you did x, y, z first...

History is full of examples, probably both within and out of the computing field where people thought that 'that' was impossible...

Re:I have to agree with MS on this one... (5, Funny)

abigsmurf (919188) | more than 6 years ago | (#21446519)

But to say that is to deny our ability to flame MS! Clearly it's an example of MS' incompetence that a random number generator that's 7+ years old has been broken by recent maths and it can be exploited to gain full access when you already have full access!

Re:I have to agree with MS on this one... (-1, Flamebait)

El Lobo (994537) | more than 6 years ago | (#21446635)

Well, guess waht? Until now everybody including the researcher that found the bug though that the generator was Ok. So if nowbody had found the bug, everything would be fine and dandy even today. That's why it took 7 years. No bug discovered, no problem.

Or you really think that there are no sleeping bugs somewhere in the Linuzzz kernel or in Abbles OS that are 5 or 10 years old? When somebody discovers that there is indeed a bug, it may get fixed, but you have no right to bitch about a 10 years old unfixed bug if nobody knew it existed. (not that anybody would bitch about a Linuzzz or Abble's bug here in /., but MS is different, it seems to me).

Re:I have to agree with MS on this one... (3, Insightful)

webmaster404 (1148909) | more than 6 years ago | (#21446905)

The fact though still remains that Windows is a proprietary, closed-source operating system. If it was open-source much like Linux or BSD, the bug would have been fixed sooner and you could patch your own system, if MS doesn't see it is a security threat it won't get patched. Also, who is to say that crackers haven't found the bug out earlier? If it was Linux, the potential would be very minor for widespread devastation due to differing kernel versions and different patches for different kernel versions. About the only way for a sure-fire attack on the Linux kernel is to attack a distro without any patches but even the most popular distro still has 3 versions still receving support (7.10, 7.04 and LTS) (Ubuntu) and that would make an attack very hard if only 2 of the 3 had it and a patch was released quickly. Its the danger of a propriatary operating system, you never know who knows what and even if you will receive a patch, Linux you can audit the code yourself and rely on the community if you so choose.

Re:I have to agree with MS on this one... (3, Funny)

ScrewMaster (602015) | more than 6 years ago | (#21446939)

You're wasting your breath having a dialog with someone who refers to two of the major operating systems on the market as "Linuzzz" and "Abbles OS".

Re:I have to agree with MS on this one... (2, Funny)

empaler (130732) | more than 6 years ago | (#21447163)

I believe the words you were looking for are:
YHBT. YHL. HAND.

Re:I have to agree with MS on this one... (1)

Nossie (753694) | more than 6 years ago | (#21447225)

So why werent people saying that when the mac virus came out that you needed admin rights to install?

this sounds like a bad ass case of pot, kettle, black.

Re:I have to agree with MS on this one... (1)

empaler (130732) | more than 6 years ago | (#21447265)

...
I think you hit reply at the wrong place. My point was that someone who writes 'Abble' and 'Linuzzz' is so obviously a troll, that you shouldn't reply. That's... sort of not in vein with what you replied...

Re:I have to agree with MS on this one... (1)

Nossie (753694) | more than 6 years ago | (#21447337)

ack, yeah I did :-O apologies...

ahh well

Re:I have to agree with MS on this one... (3, Insightful)

El Lobo (994537) | more than 6 years ago | (#21447819)

Hmm... so if somebody writes M$ that makes him obviously a troll? OK, so 5/6 of the posts here are trolls then if you are right.

Re:I have to agree with MS on this one... (0)

Anonymous Coward | more than 6 years ago | (#21447809)

I was wondering how far down I would have to scroll to find a reply that would invoke Linux/Open Source! "My car won't start" "You should use Ubuntu."

Re:I have to agree with MS on this one... (1)

chawly (750383) | more than 6 years ago | (#21447565)

And good for you - left me with a smile.

Naw. You just have to take a different approach. (3, Insightful)

khasim (1285) | more than 6 years ago | (#21446645)

Microsoft claims this is not a "security vulnerability" because the machine has to already have been cracked to exploit it.

That is not 100% correct.

It is still a "security vulnerability".

It just cannot be exploited to increase your access on that machine.

That we know of. Today. So the code still needs to be patched. Security is not an "either / or" situation. You have to reduce the effectiveness of threats.

Re:Naw. You just have to take a different approach (3, Interesting)

UncleTogie (1004853) | more than 6 years ago | (#21446743)

Microsoft claims this is not a "security vulnerability"...

Thanks for the flashback to l0pht's old page....! For those who don't remember it before it got rolled into @stake:

"'That vulnerability is entirely theoretical.'-- Microsoft;
L0pht, making the theoretical practical since 1992."

Re:Naw. You just have to take a different approach (2, Informative)

fatphil (181876) | more than 6 years ago | (#21446987)

One concrete weakness of this attack is that it permits you to reverse-engineer "secure" sessions _before_ you got admin privilege, as the random number generator can be 'rewound'.

So-called forward security (yes, looking at things in the past is 'forward' :-) ) is an important trait, and MS's scheme is missing it.

Re:I have to agree with MS on this one... (2, Insightful)

John Betonschaar (178617) | more than 6 years ago | (#21446551)

If you have admin access, the battle's already lost. What's the point of running a complex process to obtain their password when you have full access to everything on their computer? Might as well just drop in a keylogger and get the same info much easier.

Most of the other ways to get to the passwords would leave a detectable trace, especially keyloggers. Or they need a reboot. If you're really after the user passwords, resetting them to something else is also not an option. AFAIK there is no other *easy* way to get a user's password from a locally exploitable Windows box, especially not if you cannot reboot it without being detected.

So in some cases, where a hacker with local access to a Windows box wants to have a user password without leaving a trace, an attack like this would be interesting.

I admit It's all a bit hypothetical... Still, it's not very nice to have a possible security hole like this and not patching it.

Re:I have to agree with MS on this one... (1)

John Betonschaar (178617) | more than 6 years ago | (#21446569)

quote first paragraph of my previous comment, unquote. I should use the preview option more often.

Re:I have to agree with MS on this one... (1)

neltana (795825) | more than 6 years ago | (#21446925)

Nah, preview is for the <b>weak</b>! Real men don't even turn on the monitor when they post!

Re:I have to agree with MS on this one... (3, Funny)

Rogerborg (306625) | more than 6 years ago | (#21447081)

You have a monitor to turn on? Pwwwp, noob. I don't even have a keyboard; I'm writing this by shorting a PCB with paperclips.

Re:I have to agree with MS on this one... (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21446671)

You can possibly compromise keys which were generated before you had admin access and you can comprimise keys which are created in the future without keeping a rootkit installed which might be detected and traced back to you.

Re:I have to agree with MS on this one... (2, Interesting)

joss (1346) | more than 6 years ago | (#21446723)

The point is that people often use the same passwords
on multiple systems. If you can crack them you can
very likely gain access to other systems without having
to wait for uses to login at a time when you dont know
how long you have control of the system

Re:I have to agree with MS on this one... (2, Insightful)

Terrasque (796014) | more than 6 years ago | (#21446853)

This is how I read it :

"At the moment we know of no way to abuse this bug without already having obtained Administrative access."

I will almost bet money that there is a smart bugger out there which find a way to abuse this.
That we don't know of a fearsible attack right now is no excuse not to fix the bug IMHO.

Re:I have to agree with MS on this one... (5, Insightful)

mosch (204) | more than 6 years ago | (#21446865)

If you truly agree with MSFT, then you should quit working in computers right now, for everybody's sake.

Many corporate computers have local admin accounts that are likely to share a user/password combo across large numbers of machines. A keylogger might not get you these credentials, but the ability to crack these credentials could get you admin access to a huge number of other computers.

It is people like you who make sure that security consultants will never want for work.

Re:I have to agree with MS on this one... (2, Insightful)

RightSaidFred99 (874576) | more than 6 years ago | (#21447339)

Yeah, because Microsoft doesn't know what they're talking about. This is a PRNG flaw, it doesn't help you "get credentials" in terms of getting Windows logins/passwords. For Christ's sake. Once you have access to the machine, you can theoretically access any encrypted data on the machine because you can get the session keys for e.g. SSL sessions. But, of course, since you already have admin access you could do this any of various other ways anyway.

Re:I have to agree with MS on this one... (1)

ILuvRamen (1026668) | more than 6 years ago | (#21447635)

Then you have to wait for them to type it again and make it appear unhacked in the meantime. If you can hack in and immediately get their password, that would be awesome. But I don't think that's actually what this bug does. Doesn't it only affect anything new generated off the random number generator?

At last... (5, Funny)

EsbenMoseHansen (731150) | more than 6 years ago | (#21446471)

A reason to upgrade to Vista! ;)

Re:At last... (2, Funny)

Anonymous Coward | more than 6 years ago | (#21446581)

Yes sir, Vista it is. Then Window 7 will fix Vista security ... we should wait for Window 7 or better Window 8 ... Right?

Re:At last... (1)

VGPowerlord (621254) | more than 6 years ago | (#21447673)

Wait for Windows 2037. I hear it fixes some major flaw that sllows privilege escalation, related to the use of the time_t structure.

Re:At last... (2, Interesting)

muldy (607226) | more than 6 years ago | (#21446593)

And it will be "technologically impossible" to correct XP. Vista will get a "steath update" for this.

Re:At last... (1)

SlipperHat (1185737) | more than 6 years ago | (#21446847)

Actually, if XP SP3 comes out, it's one less reason to upgrade to Vista. Why bother paying more for bloat, when you can update a fresh install of XP, then install a service pack to make it as secure as Microsoft makes possible. Windows XP isn't the best, but even an average user who prioritizes speed over new features can tell the difference in speed (on the same hardware). Users buying a brand new computer with Vista preinstalled, might not notice, but then again they might.

Arguably, it's question of semantics or the age-old "is glass is half-empty or half-full?". However with Windows, the hot topic (among the /. crowd) is about which version is less slow than which version is more fast.

Re:At last... (1)

Your.Master (1088569) | more than 6 years ago | (#21447327)

You could make the argument that it's no more reason to upgrade to Vista, but in what Universe is the fact that Vista is not vulnerable to something XP SP2 (but not the upcoming SP3) is vulnerable to a strike against Vista? I think you're changing the subject.

Re:At last... (1)

lgw (121541) | more than 6 years ago | (#21447459)

Why bother paying more for bloat, when you can update a fresh install of XP
What was that again?

I Post Anonymously (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#21446485)

I post anonymously do avoid being dicked over by Slashdot groupthink retards.

If someone already has Administrator access to your computer, doesn't that mean you are already fucked?

Are you people reall so stupid that you give a shit about this?

Happy Thanksgiving, retards.

Re:I Post Anonymously (2, Insightful)

heffrey (229704) | more than 6 years ago | (#21446537)

Why is this flamebait? Surely the original post and the pathetic summary was flamebait?

As lots of people have commented, if you have admin rights you own the box.

Re:I Post Anonymously (3, Insightful)

cloakable (885764) | more than 6 years ago | (#21446661)

It's flamebait because the GP didn't have to call people retarded, in order to get his or her point across.

They also could have worded this a lot more diplomatically than they did. So yes, the GP is flamebait.

Re:I Post Anonymously (0)

Anonymous Coward | more than 6 years ago | (#21446751)

Ok, so if he'd called them idiots, that would have been ok? It's just plain honest.

Re:I Post Anonymously (2)

cloakable (885764) | more than 6 years ago | (#21446885)

Possibly. What would be better still is to show, provably that those he was calling morons/idiots, were indeed morons/idiots. As it is, he just insulted all slashdotters (including me, obviously), many of whom are not either.

Re:I Post Anonymously (1)

heffrey (229704) | more than 6 years ago | (#21446983)

Can you "show, provably" that "many are not either"?

Only joking!

Re:I Post Anonymously (2)

cloakable (885764) | more than 6 years ago | (#21447165)

Hell no, but the onus of proof is not on me :) I'm not the one accusing.

Maybe the best solution is your own RNG? (-1, Redundant)

mlts (1038732) | more than 6 years ago | (#21446487)

If I were writing a crypto app for Windows, I'd use my own RNG, and use Windows's as one of the inputs, but not the definitive input. Perhaps have the user wiggle the mouse briefly in a screen to seed a random number pool in RAM, then mix that with other non-periodic sources.

I know TrueCrypt does this, where it uses its own RNG, and uses the OS's (be it Windows or Linux) as input, but not the RNG.

In any case, if an attacker had administrator access, having them guess the output of the RNG is the least of one's worries.

Re:Maybe the best solution is your own RNG? (2, Informative)

ajs318 (655362) | more than 6 years ago | (#21447367)

And your "random"-number generator, unless based on a proven algorithm, might well have vulnerabilities of its own to worry about. If you keep the source code secret, no serious security person is going to touch it with a barge pole; and if you show the source code, then your extra layer is largely irrelevant since the sequence only depends on a seed supplied by Microsoft's PRNG.

The nub of the problem is that a deterministic state machine can never produce random behaviour. The long term solution would be an entropy generator on the motherboard. (Actually, many machines have one already: a sound card with an unconnected high-impedance input picking up static is a good entropy source.)

THe paper refered to. (4, Insightful)

leuk_he (194174) | more than 6 years ago | (#21446489)

This article refers to this summary [buslab.org] of this paper [iacr.org]

I fail to see why you would need administative privelidges however. You would only need to run in the userspace of the process that did run the random number generator before. Having administrative privs would be nice to inject code into that userspace, but is not needed i think.

It can get even worse if from a public key part the random number that was used to generate it can be extracted, what was done in early ssl implementation attacks.

Re:THe paper refered to. (3, Insightful)

MoogMan (442253) | more than 6 years ago | (#21447245)

As the winsock TCP/IP stack randomises it's TCP sequence numbers, I would suggest that it's very likely that it uses a PRNG output directly, and therefore is at risk of being spoofable.

Theoretically, one would need knowledge of just one TCP sequence number, and then it could generate the future sequence numbers coming out of the box. Therefore one would be able to hijack TCP/IP sessions *much* faster and easier than before.

Anyone know to the contrary?

Re:THe paper refered to. (1)

Almahtar (991773) | more than 6 years ago | (#21447861)

That's true. I don't remember if it's still this way, but in the 9x days any process could arbitrarily decide to "debug" another and be granted access to its internals.

If that's true of the NT line, you could exploit this without admin privileges easily.

And Vista? (1)

Thanshin (1188877) | more than 6 years ago | (#21446595)

Has Microsoft officially stated that the bug is not present in Vista? Or will they "recently discover" that too.

Re:And Vista? (1)

Farmer Tim (530755) | more than 6 years ago | (#21447007)

Or will they "recently discover" that too.

Only after Windows 7 is released.

Re:And Vista? (0)

Anonymous Coward | more than 6 years ago | (#21447031)

Reading the summary might help answer that for you.

What's that? Why yes, I am new here.

Article (5, Interesting)

cbart387 (1192883) | more than 6 years ago | (#21446597)

Here [acm.org] is the original article on the ACM.

Very brief summary of article
Each process has their own instance of the generator, and the refresh of the internal state is done after 128 kbs of output from the generator (roughly 600-1200 SSL connections with IE). Not only that, it is run in the userspace so it is not a security violation to examine the internal state of the generator. The function used is not one-way which provides a means looking at past transactions of a user (within the 128 kbs of data).

Re:Article (1)

sam0737 (648914) | more than 6 years ago | (#21447397)

Each process has their own instance of the generator...does it mean that if a lay Bob wants to look at Alice's past SSL key generation, it has to be admin because otherwise how could a normal user looks at the internal state of another user?

Re:Article (1)

lgw (121541) | more than 6 years ago | (#21447477)

Wow, that's surprisingly bad. Not a clever math hack then, but simple lack of concern for the RNG as part of a cryptographic process on MSs part.

Re:Article (1)

Ducho_CWB (900642) | more than 6 years ago | (#21447575)

So this means that a virus running in my userspace could decrypt my web bank sessions?

Some food for thought for Vista haters (1, Flamebait)

trifish (826353) | more than 6 years ago | (#21446613)

"The company said that Vista, Windows Server 2003 SP2, and the new Windows Server 2008 are not vulnerable."

Re:Some food for thought for Vista haters (1, Redundant)

B3ryllium (571199) | more than 6 years ago | (#21446837)

This is the same company that initially said that XP was not vulnerable. How much do you trust that statement, in light of this?

Re:Some food for thought for Vista haters (1)

Macthorpe (960048) | more than 6 years ago | (#21447669)

Where did Microsoft say XP wasn't vulnerable?

A lot of people assumed it wasn't because the testing was done on Win2k, but Microsoft never confirmed it. In fact, the article states they were very hesitant to do just that:

As recently as last Friday, Microsoft hedged in answering questions about whether XP and Vista could be attacked in the same way [...] Yesterday, however, Microsoft responded to further questions and acknowledged that Windows XP is vulnerable
So, in light of them actually admitting they're at fault, why wouldn't you trust it?

Re:Some food for thought for Vista haters (1)

B3ryllium (571199) | more than 6 years ago | (#21447719)

Fair point :)

There are other reasons not to trust MS, of course, but from what I understand ... vista's weird incompatibilities are just an annoying symptom of touching Windows in its naughty place - in other words, because MS rewrote so many of the lower-level subsystems in Vista, they probably ended up fixing many outstanding bugs from previous generations. The downside, those incompatibilities and quirks and new bugs/exploits, will hopefully get a lot brighter in SP1 :)

Re:Some food for thought for Vista haters (1)

Macthorpe (960048) | more than 6 years ago | (#21447877)

I have to be honest - I think a lot of the outstanding bugs are related to Microsoft's focus on backwards compatibility, which I feel is unnecessary and holds back Windows development. In a way, I'm glad a lot of things broke in Vista - because in the end, a lot of things are only breaking because there are some terrible coding practices at work out there.

One entry on Raymond Chen's blog (which is a goldmine for the weird quirky things that some programs expect Windows to handle) explained a situation where one program sent keystrokes to Windows to bring up a specific feature - so when Microsoft changed it's location, the whole thing broke down - and the company who did it was big enough that Microsoft implemented something that would intercept those keystrokes for that program only, and then bring up the feature anyway. Crazy.

In the end, while Linux and Apple can afford to break things a little every now and then to consistently improve, Microsoft set themselves up for a massive fall because they spent so long trying to make everything work before that now they aren't trying as hard, everyone sees it as a failure.

Meanwhile, in the *nix (3, Informative)

DrYak (748999) | more than 6 years ago | (#21446981)

Meanwhile, free/libre open-source unices like Linux and *BSD have been having a sound random generator [wikipedia.org] that doesn't suck too much [seclists.org] for, like, ages...

No, sorry, you can keep Vista for yourself.

Re:Meanwhile, in the *nix (2, Informative)

Anonymous Coward | more than 6 years ago | (#21447029)

The Linux RNG was vulnerable in the past too. What was your point?

Re:Meanwhile, in the *nix (1, Funny)

Anonymous Coward | more than 6 years ago | (#21447483)

IT NEVER WAS!
Off to re-education camp for you!

Re:Meanwhile, in the *nix (2, Informative)

trifish (826353) | more than 6 years ago | (#21447679)

Yes, the Linux random number generator was vulnerable in the past too. See e.g. http://eprint.iacr.org/2006/086.pdf [iacr.org]

Re:Some food for thought for Vista haters (0)

Anonymous Coward | more than 6 years ago | (#21447199)

Who modded that as Offtopic, someone from China? It is clearly on-topic. Ah, I forgot 'Offtopic' is used in place of 'Inconvenient' now. Sorry.

Re:Some food for thought for Vista haters (0)

Anonymous Coward | more than 6 years ago | (#21447379)

"The company said that Vista, Windows Server 2003 SP2, and the new Windows Server 2008 are not vulnerable." - by trifish (826353) on Thursday November 22, @11:26AM (#21446613)
Hopefully, it's true (OR, @ least harder to break thru)...

In any event, when I read this a day or two back (avid FIREHOSE reader here on this site)?

Well, it makes me GLAD I use Windows Server 2003 SP#2 fully hotfix patched (along with my apps) & that I practice THIS material ontop of that:

http://www.security-forums.com/viewtopic.php?p=273323&sid=5665cc148e4d788ff5a1c4b0d4e38e56#273323 [security-forums.com]

It works.

APK

P.S.=> VISTA's got some really GOOD ideas for security (Address Space Randomization Layer for executables) that Windows Server 2003 doesn't have, but, it's got its share of hassles (@ least until SP #1 or 2 imo, just as NT/2000/XP did before it), but I know that VISTA's built off the foundation of Windows Server 2003's core code, & that makes VISTA @ least have potential imo! apk

Because they can. (1)

childprey (1054198) | more than 6 years ago | (#21446621)

I for one welcome our new random number generating overlords But seriously, aside from the "we're exploiting this because we can" this is hardly a security liability. They already have administrator and there's not much left to be compromised.

Open crypto algorithms; no fix for Win2K (5, Insightful)

compumike (454538) | more than 6 years ago | (#21446649)

While in general I think open-source and closed-source software can coexist, I think this is a pretty good example of why anything related to crypto should be open. All of public key cryptography relies on the secrecy of private keys, not on the secrecy of the algorithm itself. And while they might have faithfully implemented the algorithm, who knows what kinds of arguments/whatever to the crypto functions might cause undesired results -- it's just too hard to test.

In any case, the thing that surprised me most from the article was that Windows 2000 users would be left out in the cold: "Because the company has determined that the PRNG problem is not a security vulnerability, it is unlikely to provide a patch [for Win2K]." Wow. Especially when it's something this easy to fix. This bug also solves any attacker's problem of trying to sort valuable from non-valuable information, since presumably any valuable information (credit cards used online, etc) will use encryption. And while someone suggested that a program should use its own random number generator, there is a problem because, in general, your application (not running as Admin) shouldn't have access to nearly the same amount of entropy sources (like network activity, GUI inputs, etc).

--
Educational microcontroller kits for the digital generation -- great gift! [nerdkits.com]

Re:Open crypto algorithms; no fix for Win2K (2, Informative)

guy-in-corner (614138) | more than 6 years ago | (#21446705)

Especially when it's something this easy to fix.

It might be easy to code the fix, but it's (at least) an order of magnitude more work to actually test it. Windows supports thousands of different hardware configurations, in hundreds of different languages.

Yeah, Microsoft could release this as a hotfix. For any customer that screams loud enough (and pays enough), they may well do.

To be honest, I'd rather see Microsoft focus their efforts on XP SP3, Vista SP1 and 2008 RTM (2003 SP2 only just came out, so I'll let that slide). I can't say that I'm fussed about seeing Windows 2000 SP5, and I'm sure that the vast majority of Microsoft's customers aren't either.

On a personal note, I'm fed up with supporting Windows 2000 (it's 7 years old, for FSM's sake!), so I've gotta come down on Microsoft's side on this one.

Re:Open crypto algorithms; no fix for Win2K (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21446825)

Windows supports thousands of different hardware configurations, in hundreds of different languages.

OTOH, Linux, OpenSSH and OpenSSL only run in Intel 80386 IBM branded hardware in Medieval English, so providing a more secure implementation is waaaaay simpler.

Re:Open crypto algorithms; no fix for Win2K (2, Insightful)

lgw (121541) | more than 6 years ago | (#21447507)

Does 7 years sound like a long time for a computer product to be in service to you? What platform do you work with again?

Re:Open crypto algorithms; no fix for Win2K (2, Insightful)

TheAwfulTruth (325623) | more than 6 years ago | (#21447653)

Exactly how many Linux distributers support 7 year old versions of their OS?!?!?

(Well MAYBE Debian...)

Most of them crap out after 12 months!

W2K has been given the shaft for awhile from MS. (1)

SacredNaCl (545593) | more than 6 years ago | (#21446683)

Not that I consider this flaw terribly serious unless it has the ability to compromise other encryption algos run on the machine aside from user passwords. I've never considered windows encryption secure, so never bothered with it. A person with admin rights could do what they wanted anyway as far as the system goes.

The real downside of W2K is that MS has given it the shaft for awhile, even when it wasn't in extended support they were still not supporting it very well for the last couple years as far as the add ons and other things that came out during that period. Its a shame too, W2K properly tuned is a very fast & light OS.

Maybe I'll buy up someones old XP or Server 2003 license to run on the desktop to tide me over until they finally yank out enough of Vista to make it tolerable, its replacement comes out, or Linux finally learns to handle triple and quad displays properly.

Re:W2K has been given the shaft for awhile from MS (1)

ScrewMaster (602015) | more than 6 years ago | (#21446953)

or Linux finally learns to handle triple and quad displays properly.

I'd settle for two.

Re:W2K has been given the shaft for awhile from MS (0)

Anonymous Coward | more than 6 years ago | (#21447373)

I'd settle for one working properly with all the features of my graphics card that I paid for. Granted, that's more ATI's fault than Linux's, but the end result is still a gimped laptop and an unhappy user. With all the progress that's been made in recent years there are still hardware configurations that Linux can't handle. And when "Sorry, this hardware isn't fully supported.", is the best advice the community can come up with, it's no wonder why Linux hasn't seen much wide spread uptake as a desktop OS.

Re:W2K has been given the shaft for awhile from MS (1)

DaleGlass (1068434) | more than 6 years ago | (#21447611)

I have two monitors under Linux, works fine.

Some applications don't handle it as well as they should, but that's an application issue.

Re:W2K has been given the shaft for awhile from MS (0)

Anonymous Coward | more than 6 years ago | (#21447735)

Do you know how much money Microsoft would pay to have its customers blame applications rather than the OS when problems arise?

Who wants to bet... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21446787)

Who wants to bet that they'll "upgrade" to the elliptic curve algo with the NSA backdoor?

One of many ... (2, Funny)

ScrewMaster (602015) | more than 6 years ago | (#21446903)

Microsoft Admits XP Has Same Bug As Win2K

More correctly, "Microsoft Admits XP has same bugs as Win2K."

No hotfix ? (3, Interesting)

Anonymous Coward | more than 6 years ago | (#21446945)

>Microsoft said that XP SP3, due in the first half of next year, will fix the bug.

It should be an offence to know and state you know about a bug but sit on the fix for months. This is a really stupid MS position and will push people more towards alternatives like GNU/Linux.
It should be a hot fix right now.

Re:No hotfix ? (0)

Anonymous Coward | more than 6 years ago | (#21447369)

they would have a hotfix IF it was actually a problem. The exploit grants you admin access when you already have admin access. WOOOOOOOOOOOOOO call security, we have a problem!!!!!!!!

No Surprise here ....... (-1, Troll)

HW_Hack (1031622) | more than 6 years ago | (#21446959)

This is what happens when you keep polishing the same turd, and then passing it off as a new product every few years .... Following this trend - Vista is about as popular as turd floating in a punch bowl at a wedding

Re:No Surprise here ....... (1)

matazar (1104563) | more than 6 years ago | (#21447717)

Troll much?
You need admin access to exploit the system with this. If you don't like windows then don't use it.

Re:No Surprise here ....... (1)

HW_Hack (1031622) | more than 6 years ago | (#21447813)

"Troll Much"

No I usually go fly fishing - but I do use barb-less hooks.

Whether an exploit is thru the network stack - browser - user account or admin ......... doesn't matter. Once exposed it should be patched. Foa any tech professional avoiding "windows" is not really possible. I just expect more from a company claiming to be a leader in modern computing.

Service Pack 3 (1)

compulsiveguile (1173669) | more than 6 years ago | (#21446985)

Alright... so what all will this Service Pack entail besides the number generator fix? Will Mac Boot Camp users run into any problems with this update? I'm just curious if it affects anything seeing as Mac claims only Service Pack 2 can be installed on the Boot Camp partition.

Re:Service Pack 3 (1)

Almahtar (991773) | more than 6 years ago | (#21447909)

Alright... so what all will this Service Pack entail besides the number generator fix?
Hey, something has to bloat XP enough that Vista starts to look good.

Who wants to bet? (0)

Anonymous Coward | more than 6 years ago | (#21447101)

Who wants to bet that they'll "upgrade" to the elliptic curve algo with the NSA backdoor?

This is Why Open Source is Good. (4, Insightful)

Stephen Samuel (106962) | more than 6 years ago | (#21447157)

If this bug was in RedHat 5.2, there would be no issue about getting this critical bug fixed. If nothing else, I could just fix it myself -- and put the necessary patches to the source packages on my website.

No worries about whether or not it's even legal to fix a machine that I'm using to run my business.

I'm not generally fond of defending Microsoft... (1)

foxtrot (14140) | more than 6 years ago | (#21447173)

...but I can't complain that XP has the same bug as Windows 2000 in this case-- if the researchers didn't find the problem and publish it before last month, it seems to be asking a little much to expect Microsoft to fix a bug nobody knew they had.

As to patching Windows 2000: They're going to patch XP, and if the bug is in both, chances are it's the same code. I believe they should at least look at it and see if a patch is going to be simple. That said, it'd have to be darned simple to be worth it: if you're running Windows 2000 still, I'm gonna go out on a limb and guess you're probably not all that interested in updating it, or you'd probably be running XP by now... Not releasing a patch won't affect many people at all, and for those people, they still had to get Admin rights cracked to begin with...

Re:I'm not generally fond of defending Microsoft.. (1)

Almahtar (991773) | more than 6 years ago | (#21447917)

it seems to be asking a little much to expect Microsoft to fix a bug nobody knew reported until now
There, fixed it for you. Just because this is the first time the bug was reported doesn't mean it's the first time it's been discovered. It may have been privately exploited for years at this point.

How can you reverse engineer a random # generator? (1)

Viol8 (599362) | more than 6 years ago | (#21447389)

I just don't see how its possible just from looking at the numbers themselves unless you're selecting from a pre-known selection of algorithms and comparing expected results with actual output from the generator given a specific seed. If you don't know the algo then you could be making educated guesses for literally years and still not work out the algorithm.

Blah Blah Blah (0)

Muggz (800774) | more than 6 years ago | (#21447585)

News about a legacy OS.

MS Admits... (1)

azrider (918631) | more than 6 years ago | (#21447821)

Microsoft denies that the bug is a security vulnerability, since an attacker would have to have gained administrative access to a system before exploiting it.
Let's see here. When I bought my new laptop (with MCE on it), I logged in as myself (with admin rights). I tried to downgrade myself to a "Power User"
I was told by MCE that "there must be at least one administrator".
I logged out and logged in as "Administrator" and tried to downgrade my normal userid.
I was told once again by MCE that "there must be at least one administrator". This while I was logged in as Administrator and the user I was trying to change was the one set up on first boot of an OEM version (NOT "Administrator""
With this in mind, what is wrong with the assertion that "an attacker would have to have gained administrative access to a system before exploiting it"?

Re:MS Admits... (1)

myz24 (256948) | more than 6 years ago | (#21447971)

It should read, at least one other administrator other than the user administrator. Typically the administrator user is not exposed in XP Home or MCE.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?