Microsoft finds holes in Windows 2000 flaw claim
- — 14 November, 2007 16:27
Microsoft has rejected claims by a team of Israeli researchers that a loophole exists in the Windows 2000 random number generator, allowing hackers to retrieve users' personal information.
Dr. Benny Pinkas from the Department of Computer Science at the University of Haifa, said CryptGenRandom can be exploited by hackers to access information such as email, password and credit card details.
"This is not a theoretical discovery. Anyone who exploits this security loophole can definitely access this information on other computers," he said.
However, Mark Miller, Microsoft's director for security response communications, said after further investigation into the claims by Dr Pinkas, the company found that there is no security vulnerability.
"Information is not disclosed inappropriately to unauthorised users on any supported Windows systems. In all cases discussed in the claim, information is visible only to the users themselves or to another user logged on to the local system with administrator credentials," he said. " "Because administrators by design can access all files and resources on a system, this does not represent inappropriate disclosure of information."
He said Microsoft encourages customers who are concerned about this issue to follow best practices and have users run in accounts with limited privileges and to limit the number of users with administrative privileges.
"As a defence-in-depth measure, we are evaluating changes to further strengthen our random number generation capabilities," he added. again