Possible password flaw discovered in Windows XP
- 19 February, 2003 09:22
A security flaw recently revealed in Microsoft's Windows XP could enable unauthorized users to access password-protected PCs.
Using the Windows 2000 CD, anonymous users can apparently boot up a computer with the Windows XP OS and call up the troubleshooting program Windows 2000 Recovery Console.
Using the program's system recovery routine, the unauthorized user can then work under the guise of a Windows XP Administrator, effectively rendering any passwords useless. The flaw affects all XP user accounts, password-protected or not -- visitors can then access files from the hard drive and copy to any removable media.
Representatives from Microsoft were not immediately available for comment.
Thomas Slodichak, chief security officer for WhiteHat Inc. in Burlington, Ontario, said the possible flaw was brought to his attention on Monday.
"It seems as though XP has a bit of programming missing that was included in its predecessor Windows 2000," the security expert said.
Although Microsoft hasn't officially confirmed the XP flaw, it highlights the notion, Slodichak said, that proper security practices within the enterprise are paramount. Even if this access flaw is confirmed "there are tons of other routines available that enable you to break into a workstation," Slodichak said.
Enterprises face an endless see-saw battle between security and convenience, Slodichak said. "You can prevent this kind of thing from happening by changing settings in the BIOS and making sure you can't boot from the CD or floppy disk."
On the flipside, organizations may argue this usually ends up making networks less manageable, software upgrades harder to implement and ultimately results in more calls to the help desk, he added.
But the overall consensus within the security community, Slodichak continued, is that as long as there is any physical access to a box, data can be improperly accessed. "If a Windows box can be broken, let's make sure that there isn't data on it that can be leveraged or (is at least) encrypted let's put the data on the servers, behind locked doors where it belongs," Slodichak said.
"It's a question of corporate policy -- if the data is on servers it can't breached or touched in this manner. It's safe, it's secure from the standpoint that it will be backed up on corporate data back-up systems."