Microsoft Admits XP Has Same Bug As Win2K
Arashtamere sends in a Computerworld story on a security flaw in the Windows 2000 pseudo-random number generator published by Israeli researchers earlier this month. Microsoft has now admitted that the flaw is present in XP too. Microsoft denies that the bug is a security vulnerability, since an attacker would have to have gained administrative access to a system before exploiting it. (The Israeli researchers point out that many common exploits provide admin access.) This stance apparently lets them off the hook for patching Win2K, which is in "extended support" mode, though it powers about 9% of US and EU business computers. Microsoft said that XP SP3, due in the first half of next year, will fix the bug. The company said that Vista, Windows Server 2003 SP2, and the new Windows Server 2008 are not vulnerable.
Re:Open crypto algorithms; no fix for Win2K (Score:2, Informative)
It might be easy to code the fix, but it's (at least) an order of magnitude more work to actually test it. Windows supports thousands of different hardware configurations, in hundreds of different languages.
Yeah, Microsoft could release this as a hotfix. For any customer that screams loud enough (and pays enough), they may well do.
To be honest, I'd rather see Microsoft focus their efforts on XP SP3, Vista SP1 and 2008 RTM (2003 SP2 only just came out, so I'll let that slide). I can't say that I'm fussed about seeing Windows 2000 SP5, and I'm sure that the vast majority of Microsoft's customers aren't either.
On a personal note, I'm fed up with supporting Windows 2000 (it's 7 years old, for FSM's sake!), so I've gotta come down on Microsoft's side on this one.
Re:stupid (Score:4, Informative)
This PRNG vulnerability does just that. Keys derived from it can be recovered by an attacker who compromises the machine _after_ the key was used and discarded.
Meanwhile, in the *nix (Score:4, Informative)
No, sorry, you can keep Vista for yourself.
Re:Naw. You just have to take a different approach (Score:2, Informative)
So-called forward security (yes, looking at things in the past is 'forward'
Re:Meanwhile, in the *nix (Score:2, Informative)
Re:Maybe the best solution is your own RNG? (Score:3, Informative)
The nub of the problem is that a deterministic state machine can never produce random behaviour. The long term solution would be an entropy generator on the motherboard. (Actually, many machines have one already: a sound card with an unconnected high-impedance input picking up static is a good entropy source.)
Re:stupid (Score:3, Informative)
And if you're using real encryption instead, you're not caring about the Windows RNG I hope.
Re:Meanwhile, in the *nix (Score:3, Informative)
It's not about hard disk encryption (Score:3, Informative)
CryptGenRandom is supposed to be the Windows-equivalent of /dev/urandom. Except it's not, because of this design flaw. The implications of this extend far beyond encrypted NTFS volumes.
For example, an attacker can passively monitor a network of Windows machines, wait for one of them to do something interesting (like connecting via SSL to www.paypal.com), then actively compromise those selected machines later, and gain enough information to decrypt the captured SSL sessions.
Basically, if you encrypt something sensitive, before some spyware gets installed on your Windows machine---or after it's removed---the random data used for the encryption (including stuff like SSH session keys) is likely to be compromised (except perhaps in cases where you've rebooted or restarted the requisite processes in the meantime).
Do not underestimate the severity of this bug.
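The property the two posts above are describing (keys recoverable by someone who only gets the generator's state *after* the key was handed out, and the "unless you rebooted or restarted the process" caveat) is what the literature calls forward security, or backtracking resistance, of a PRNG. The following toy model is an added illustration and is not CryptGenRandom's algorithm or the researchers' analysis: `InvertiblePRNG`, `RatchetPRNG`, the step constant and the simulation functions are all constructed here. It contrasts a generator whose state update can be run backwards with one whose update is a one-way hash ratchet, and separately shows that neither protects *future* outputs after a state capture until fresh entropy is mixed in.

```python
"""Toy model of PRNG forward security (added example, not Windows code).

Two generators with the same interface:
  * InvertiblePRNG - state update is an invertible permutation (add a
    constant mod 2**256). Anyone who later learns the state can step it
    backwards and regenerate every earlier output, e.g. an old session key.
  * RatchetPRNG    - state update is a one-way hash, so a captured state
    reveals nothing about earlier states or outputs.
The step constant and all seeds below are constructed for the demo.
"""
import hashlib
import os

MOD = 1 << 256


def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the parts."""
    return hashlib.sha256(b"".join(parts)).digest()


class InvertiblePRNG:
    """Generator without forward security: the state transition has an inverse."""
    STEP = int.from_bytes(h(b"constructed step constant"), "big")

    def __init__(self, seed: bytes):
        self.state = int.from_bytes(h(b"seed", seed), "big")

    def next_bytes(self) -> bytes:
        out = h(b"out", self.state.to_bytes(32, "big"))
        self.state = (self.state + self.STEP) % MOD  # invertible: subtract STEP
        return out

    @classmethod
    def rewind(cls, state: int, steps: int) -> list:
        """From a captured state, regenerate the previous `steps` outputs
        (most recent first). This is exactly what the lack of forward
        security permits."""
        outs, s = [], state
        for _ in range(steps):
            s = (s - cls.STEP) % MOD
            outs.append(h(b"out", s.to_bytes(32, "big")))
        return outs


class RatchetPRNG:
    """Generator with forward security: a one-way hash ratchet on the state."""

    def __init__(self, seed: bytes):
        self.state = h(b"seed", seed)

    def next_bytes(self) -> bytes:
        out = h(b"out", self.state)
        self.state = h(b"next", self.state)  # one-way: no rewind possible
        return out

    def reseed(self, fresh_entropy: bytes) -> None:
        """Mix in fresh entropy (what a reboot or process restart effectively does)."""
        self.state = h(b"reseed", self.state, fresh_entropy)

    @classmethod
    def rewind(cls, state: bytes, steps: int) -> list:
        # There is no inverse of the ratchet; recovering an earlier state would
        # mean finding a SHA-256 preimage, so the honest answer is "nothing".
        return []


def session_key_recoverable(prng_cls, draws_after: int = 5) -> bool:
    """Victim derives a session key, keeps using the generator for a while,
    then its PRNG state is captured. True if rewinding the captured state
    yields the old session key."""
    victim = prng_cls(os.urandom(32))
    session_key = victim.next_bytes()          # e.g. an SSL/SSH session key
    for _ in range(draws_after):                # unrelated later draws
        victim.next_bytes()
    captured_state = victim.state               # what a post-hoc compromise reveals
    return session_key in prng_cls.rewind(captured_state, draws_after + 1)


def future_predictable_after_capture(reseed: bool) -> bool:
    """Forward security protects the past only. A captured RatchetPRNG state
    still predicts the next output unless fresh entropy is mixed in first."""
    victim = RatchetPRNG(os.urandom(32))
    victim.next_bytes()
    attacker = RatchetPRNG(b"")
    attacker.state = victim.state               # snapshot taken at compromise time
    if reseed:
        victim.reseed(os.urandom(32))           # restart / fresh entropy
    return attacker.next_bytes() == victim.next_bytes()


if __name__ == "__main__":
    print("invertible PRNG, old key recoverable:", session_key_recoverable(InvertiblePRNG))
    print("ratchet PRNG,    old key recoverable:", session_key_recoverable(RatchetPRNG))
    print("ratchet PRNG, next output predictable without reseed:",
          future_predictable_after_capture(reseed=False))
    print("ratchet PRNG, next output predictable after reseed:  ",
          future_predictable_after_capture(reseed=True))
```

The takeaway for a defender is the split the thread hints at: a one-way state update is what stops a later compromise from exposing keys that were already used and discarded, while periodic reseeding from a real entropy source (or a process restart) is what stops a captured state from predicting everything that comes next. A generator needs both, and the toy `InvertiblePRNG` shows what goes wrong when the first is missing.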