Microsoft denies Windows 2000 security risk

Microsoft has hit back at claims that Windows 2000 users are exposed to a loophole in the operating system's random number generator, a flaw researchers claim allows hackers to retrieve users' personal information. Dr Benny Pinkas from the Department of Computer Science at the University of Haifa, said CryptGenRandom can be exploited by hackers to access information such as email, password and credit card details.

"This is not a theoretical discovery. Anyone who exploits this security loophole can definitely access this information on other computers," he said. However, Mark Miller, Microsoft's director for security response communications, said after further investigation into the claims by Dr Pinkas, the company found that there is no security vulnerability.

View: Full Article @ PC Advisor

Report a problem with article
Previous Story

Microsoft to hike spending on Embedded

Next Story

SolveigMM Video Splitter 2.0.711.09 Beta

9 Comments

If you read a little more of TFA than that piece you quoted, you would see "this loophole enables hackers to access information that was sent from the computer prior to the security breach and even information that is no longer stored on the computer" meaning encrypted emails could be broken (per the report, I have no personal knowledge if this is true, just what it says).

The claim is that the random number generator isn't random enough. Oh, and XP/Vista haven't been analyzed, so they are 'unknown', per the report.

markjensen said,
If you read a little more of TFA than that piece you quoted, you would see "this loophole enables hackers to access information that was sent from the computer prior to the security breach and even information that is no longer stored on the computer" meaning encrypted emails could be broken (per the report, I have no personal knowledge if this is true, just what it says).

The claim is that the random number generator isn't random enough. Oh, and XP/Vista haven't been analyzed, so they are 'unknown', per the report.


Oh, I read it. I still have trouble comprehending accessing info that's no longer there. That's all. BTW, I was being snarky with the Vista bit. Recalibrate your sarcasm detector.

RAID 0 said,
Oh, I read it. I still have trouble comprehending accessing info that's no longer there. That's all. BTW, I was being snarky with the Vista bit. Recalibrate your sarcasm detector.
Ahhh.. I wasn't quite sure about the Vista thing. Humor is sometimes hard to pass through a text post (even with limited smileys to assist). I must have missed that.

As far as the info that is no longer on the PC, I surmise that they are talking about encrypted emails that were sent. If I were to capture these, and crack the specific machine's number generator, I can decode the email, even though it is no longer on the computer I cracked.

Sort of a sensational-sounding claim when worded like it is.

markjensen said,
Ahhh.. I wasn't quite sure about the Vista thing. Humor is sometimes hard to pass through a text post (even with limited smileys to assist). I must have missed that.

As far as the info that is no longer on the PC, I surmise that they are talking about encrypted emails that were sent. If I were to capture these, and crack the specific machine's number generator, I can decode the email, even though it is no longer on the computer I cracked.

Sort of a sensational-sounding claim when worded like it is.


Ahhh.. OK. I get it. You're right, it is sensational-sounding. Thanks for helping me understand that.
/no sarcasm

I'd love to see Dr Benny Pinkas get someone’s "personal information" by exploiting a flaw in W2K's "random number generator", I really would, as it sound like bulls**t to me.

daPhoenix said,
According to Microsoft, there was no URI vulnerability either. Right.

well, that depends on how you look at it. I for one still follow their first stance, namely that it is the responsability of the receiving application to check the incoming URI parameters for strange characters or possible buffer overflows.

Commenting is disabled on this article.