Windows XP random number generator flawed
According to reports in the US media, Microsoft has conceded that the pseudo-random number generator (PRNG) used by Windows XP suffers from the same problems that affect Windows 2000. However, the software giant does not consider the flaw to be a security vulnerability and has no plans to fix the problem prior to the release of Windows XP Service Pack 3 (SP3) in the first half of 2008. Whether there will ever be a fix for Windows 2000 remains uncertain, but Vista is said to be unaffected.
University researchers in Israel recently published a paper showing that random numbers in Windows 2000 were easy to compute and that the number generator itself was vulnerable to attack. This could have serious consequences for the security of some crypto applications such as encryption programs, banking software, DRM systems and SSL. The problem did not in itself represent a direct threat, since any attacker would first have to penetrate the system.
- Weaknesses in the Windows 2000 random number generator on heise Security.
(mba)