Vulnerability Alerts
SANS
 
Microsoft
 
CERT/CC
 
 
Latest Comments
"I feel it with you guys. These irritating interruptions on privacy MUST be stopped. It is a ..."
on Yahoo and Microsoft take aim at lottery scams
by Jan Wilmans | Dec 2, 2008 7:11 PM
 
"My AVG WILL NOT UPDATE"
on AVG update deletes critical Windows file
by James Downs | Dec 2, 2008 5:58 AM
 
"Concerned man's comments seem to intimate that if I'm using agents all will be well but the ..."
on Shavlik Technologies to broaden its patch management offerings
by Werner K | Nov 26, 2008 8:36 PM
 
"That will enhance Microsoft Office system, including SharePoint - good platform for enterprise ..."
on Companies have security to consider with in-the-cloud Office
by SGE | Nov 25, 2008 3:29 PM
 
"how many users allow per session? because the digital persona password manager allows only 10 ..."
on DigitalPersona Pro Workstation/Pro Server
by Daniel | Nov 25, 2008 12:14 AM
Application Flaws

Researchers warn of serious Windows flaw

  • Email a Friend
  • Print Page
Researchers warn of serious Windows flaw
Related Articles
By Robert Jaques
Nov 14, 2007 10:21 AM
Tags: Researchers | warn | of | serious | Windows | flaw
The flaw allows for the tracking of all text typed into a Windows 2000 computer, including emails, passwords and credit card numbers, according to a team led by Dr Benny Pinkas from the Department of Computer Science at the University of Haifa.

"This is not a theoretical discovery. Anyone who exploits this security loophole can definitely access this information on other computers," warned Dr Pinkas.

The flaw could enable hackers to access information sent from the computer prior to the security breach, and even information that is no longer stored on the computer.

The researchers found the flaw in the random number generator in Windows. This program plays a critical role in file and email encryption, and the SSL encryption protocol which is used by all internet browsers.

For example, any correspondence with a bank or any other website that requires typing in a password or a credit card number, will invoke the random number generator to create a random encryption key.

This key is used to encrypt the communication so that only the relevant website can read the correspondence.

The research team found a way to decipher how the random number generator works and thereby compute previous and future encryption keys used by the computer, and eavesdrop on private communication.

"There is no doubt that hacking into a computer using our method requires advanced planning. On the other hand, simpler security breaches also require planning," said Dr Pinkas.

"I believe that there is room for concern at large companies, or for people who manage sensitive information using their computers, who should understand that the privacy of their data is at risk."

The researchers said that they have already notified Microsoft's security response team about their discovery.

Although the researchers only checked Windows 2000, which is currently the third most popular operating system in use, they assume that newer versions of Windows, such as XP and Vista, use similar random number generators and may also be vulnerable.

Their conclusion is that Microsoft needs to improve the way it encodes information.

Copyright © 2008 vnunet.com

 
Ads by Google
Thoughts on this article? Add a comment below.
Be the first to comment on this article.

Report this comment as offensive:

   * Indicates information we require to process your submission.

Name: *
Email: *
Reason for offense: *
Your report will not be displayed.  
Name:
*
 
Email:
(will not be displayed)
*
 
Comment:
(HTML not permitted)
*
 
Validation
*

Enter the code you see below:

 

 
 
 
 
 
Tripwire - Click here to win an iTouch
 
 
Vulnerabilities & Exploits Whitepapers
 
Popular Tags
62 dns exploit file fix flaw kaminsky microsoft opera outofcycle patch poisoning proofsofconcept released reports researchers security virus vista windows