We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
79,812 News Articles

XP & Vista users wary of Windows 2000 exploit

Microsoft defends random number generator flaw

Microsoft claimed last week that the flaw in Windows 2000's random number generator uncovered by Israeli researchers is a vulnerability - but not a security vulnerability - leaving some users wondering if Windows XP and Vista shared the same problem.

In a paper published earlier this month, Benny Pinkas of the University of Haifa and two Hebrew University graduate students, Zvi Gutterman and Leo Dorrendorf, described how attackers could exploit a weakness in Windows' pseudo-random number generator (PRNG) to predict encryption keys generated by the operating system and its applications.

After reverse-engineering the algorithm used to power the PRNG, Pinkas and his colleagues found that they could easily predict its future results and reveal what it had produced in the past. They could then compute both future and previously-used encryption keys.

The past was most important to Pinkas. "For you as a user, it means that if you are managing sensitive information today it is not enough for you to verify that your computer hasn't been compromised in the past," said Pinkas in a follow-up interview this week. "You should also worry about future attacks, since a compromise in the future might reveal the sensitive information used today.

"In the security world, this is called an attack on 'forward secrecy', and is taken very seriously," he added.

Last week, Microsoft responded to Pinkas' paper with several statements sent to PC Advisor's sister title Computerworld US in which it first acknowledged that the PRNG had a "local information disclosure vulnerability" but then denied that it had a "security vulnerability".

"There is no security vulnerability," Bill Sisk, the company's security response communications manager said. "Information is not disclosed inappropriately to unauthorised users on any supported Windows systems. In all cases discussed in the claim, information is visible only to the users themselves or to another user logged on to the local system with administrator credentials."

Microsoft's justification that the PRNG issue was not a security vulnerability didn't sit well with Pinkas, who argued the other side. "Applied alone [our attack] does not enable unauthorised parties to access the system, but it does disclose to authorised users information which they are not supposed to learn," he said on Monday.

Symantec, which posted its own analysis last week, issued a low-level alert for it yesterday to customers of its DeepSight threat network. Like Microsoft, Symantec didn't classify the threat as a security vulnerability, but instead called it a design error. "Microsoft's recognised this as a local information disclosure issue, and Symantec agrees," Wayne Periman, the director of development for Symantec's security response, said on Monday. "The reason for the low rating is that in order to exploit this there has to be a complex attack organised."

Symantec scored the problem as 3.1 on a scale of 1-10. Periman also defended Microsoft's classification of the issue, saying it is in line with general practices and meets the current definition of 'vulnerability'.


IDG UK Sites

45 Best Android games: top Android games for your smartphone or tablet in 2014 (24 are free!)

IDG UK Sites

How Apple, Adobe, Microsoft and others have let us down over UltraHD and hiDPI screens

IDG UK Sites

Do you have the X-Factor too? Mix Off app puts fans in the frame

IDG UK Sites

iPad Pro release date, rumours and leaked images - 12.9 screen 'coming in 2015'