Biting the hand that feeds IT
Biting the hand that feeds IT
|
|
Original URL: http://www.theregister.co.uk/2007/11/23/win_xp_random_bug/
Microsoft has conceded that the pseudo-random number generator used by Windows XP suffers the same security shortcomings as Windows 2000.
Israeli researchers researchers recently discovered it was possible to predict the output of random-number generator built into Windows 2000, after first determining the internal state of the generator. Random numbers are a critical sub-component of cryptography functions, such as the generation of keys used for SSL exchanges.
Win XP - but not Windows Vista - are subject to the same problem, Microsoft admits. However the software giant has no plans to release a fix until Windows XP Service Pack 3 in the first half of 2008.
Microsoft said that to pull off the attack an attacker would need to have gained ownership of a machine, after which worries about random number would be the least of a user's worries. "Because administrator rights are required for the attack to be successful, and by design, administrators can access all files and resources on a system, this is not inappropriate disclosure of information," a company spokesperson told (http://www.computerworld.com.au/index.php/id;837190152) Computerworld. "If an attacker has already compromised a victim machine, a theoretical attack could occur on Windows XP." ®
SANS sounds alarm on Debian OpenSSL flaw (16 May 2008)
http://www.theregister.co.uk/2008/05/16/debian_openssl_flaw/
Debian fixes serious crypto bug (13 May 2008)
http://www.theregister.co.uk/2008/05/13/debian_openssl_bug/
MS to bundle 'broken' random number tool in Vista SP1 (18 December 2007)
http://www.theregister.co.uk/2007/12/18/vista_sp1_rng_backdoor_fears/
Vista vs XP performance: Some informal tests (4 December 2007)
http://www.theregister.co.uk/2007/12/04/vista_vs_xp_tests/
Random number bug blights FreeBSD (30 November 2007)
http://www.theregister.co.uk/2007/11/30/freebsd_bug/
Microsoft on the hunt for 'serious' Windows flaw (26 November 2007)
http://www.theregister.co.uk/2007/11/26/wpad_vuln_investigated/
Crypto guru warns over random number backdoor (16 November 2007)
http://www.theregister.co.uk/2007/11/16/random_number_backdoor_fears/
Windows random number generator is so not random (13 November 2007)
http://www.theregister.co.uk/2007/11/13/windows_random_number_gen_flawed/
Crypto boffins break car cypher (24 August 2007)
http://www.theregister.co.uk/2007/08/24/car_cypher_crack/
Gone in 120 seconds: cracking Wi-Fi security (15 May 2007)
http://www.theregister.co.uk/2007/05/15/wep_crack_interview/
The box that broke Enigma code is rebuilt (8 September 2006)
http://www.theregister.co.uk/2006/09/08/turing_bombe_rebuild/
How ATM fraud nearly brought down British banking (21 October 2005)
http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/
SHA-1 compromised further (19 August 2005)
http://www.theregister.co.uk/2005/08/19/sha-1_attack/
© Copyright 2008
