
Microsoft Admits XP Has Same Bug As Win2K

Arashtamere sends in a Computerworld story on a security flaw in the Windows 2000 pseudo-random number generator published by Israeli researchers earlier this month. Microsoft has now admitted that the flaw is present in XP too. Microsoft denies that the bug is a security vulnerability, since an attacker would have to have gained administrative access to a system before exploiting it. (The Israeli researchers point out that many common exploits provide admin access.) This stance apparently lets them off the hook for patching Win2K, which is in "extended support" mode, though it powers about 9% of US and EU business computers. Microsoft said that XP SP3, due in the first half of next year, will fix the bug. The company said that Vista, Windows Server 2003 SP2, and the new Windows Server 2008 are not vulnerable.
  • Re:At last... (Score:1, Interesting)

    by muldy ( 607226 ) on Thursday November 22, 2007 @12:24PM (#21446593)
    And it will be "technologically impossible" to correct XP. Vista will get a "stealth update" for this.
  • Article (Score:5, Interesting)

    by cbart387 ( 1192883 ) on Thursday November 22, 2007 @12:24PM (#21446597)
    Here [acm.org] is the original article on the ACM.

    Very brief summary of article
    Each process has its own instance of the generator, and the refresh of the internal state is done after 128 kbs of output from the generator (roughly 600-1200 SSL connections with IE). Not only that, it is run in the userspace so it is not a security violation to examine the internal state of the generator. The function used is not one-way, which provides a means of looking at past transactions of a user (within the 128 kbs of data).
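
Added example, not part of the comment above or of the cited paper: a toy generator illustrating the property the summary describes, where a state snapshot reveals earlier outputs back to the last refresh, next to a hash ratchet that offers no way back. The constants, names and the 4-block refresh interval are assumptions, and this is not the Windows algorithm.

```python
import hashlib
import os

MASK = (1 << 64) - 1
A, C = 6364136223846793005, 1442695040888963407  # toy LCG constants (assumed)
A_INV = pow(A, -1, 1 << 64)   # inverse exists because A is odd
REFRESH_BLOCKS = 4            # small stand-in for the refresh interval in the comment

def _out(state):
    return hashlib.sha256(state.to_bytes(8, "big")).digest()

class InvertibleGen:
    """Toy generator: reversible state update, fresh entropy only at each refresh."""
    def __init__(self):
        self.state = int.from_bytes(os.urandom(8), "big")
        self.since_refresh = 0

    def next_block(self):
        if self.since_refresh == REFRESH_BLOCKS:
            self.state = int.from_bytes(os.urandom(8), "big")
            self.since_refresh = 0
        out = _out(self.state)
        self.state = (self.state * A + C) & MASK
        self.since_refresh += 1
        return out

def rewind(state, steps):
    """Recompute the `steps` outputs that preceded a captured state."""
    outs = []
    for _ in range(steps):
        state = ((state - C) * A_INV) & MASK  # run the update backwards
        outs.append(_out(state))
    return outs[::-1]

class RatchetGen:
    """Same interface, but the next state is a one-way hash of the current one."""
    def __init__(self):
        self.state = os.urandom(32)

    def next_block(self):
        out = hashlib.sha256(b"out" + self.state).digest()
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return out

def exposure_after(blocks):
    """How many of the last `blocks` outputs does a state snapshot reveal?"""
    gen = InvertibleGen()
    produced = [gen.next_block() for _ in range(blocks)]
    recovered = rewind(gen.state, blocks)
    return sum(1 for p, r in zip(produced, recovered) if p == r)
```

With the one-way update in `RatchetGen`, there is no counterpart to `rewind`: recovering an earlier state would require inverting SHA-256.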
  • by joss ( 1346 ) on Thursday November 22, 2007 @12:43PM (#21446723) Homepage
    The point is that people often use the same passwords
    on multiple systems. If you can crack them you can
    very likely gain access to other systems without having
    to wait for users to log in at a time when you don't know
    how long you have control of the system.
  • by UncleTogie ( 1004853 ) * on Thursday November 22, 2007 @12:44PM (#21446743) Homepage Journal

    Microsoft claims this is not a "security vulnerability"...

    Thanks for the flashback to l0pht's old page....! For those who don't remember it before it got rolled into @stake:

    "'That vulnerability is entirely theoretical.'-- Microsoft;
    L0pht, making the theoretical practical since 1992."
  • No hotfix ? (Score:3, Interesting)

    by Anonymous Coward on Thursday November 22, 2007 @01:10PM (#21446945)
    >Microsoft said that XP SP3, due in the first half of next year, will fix the bug.

    It should be an offence to know and state you know about a bug but sit on the fix for months. This is a really stupid MS position and will push people more towards alternatives like GNU/Linux.
    It should be a hot fix right now.
