Possible password flaw discovered in Windows XP

By Ryan B. Patrick, ITWorldCanada.com |  Operating Systems Add a new comment

February 18, 2003, 8:26 AM A security flaw recently revealed in Microsoft Corp.'s Windows XP could enable unauthorized users to access password-protected PCs.

Using the Windows 2000 CD, anonymous users can apparently boot up a computer with the Windows XP OS and call up the troubleshooting program Windows 2000 Recovery Console.

Using the program's system recovery routine, the unauthorized user can then work under the guise of a Windows XP Administrator, effectively rendering any passwords useless. The flaw affects all XP user accounts, password-protected or not -- visitors can then access files from the hard drive and copy to any removable media.

Representatives from Microsoft were not immediately available for comment. Thomas Slodichak, chief security officer for WhiteHat Inc. in Burlington, Ontario, said the possible flaw was brought to his attention on Monday. "It seems as though XP has a bit of programming missing that was included in its predecessor Windows 2000," the security expert said.

Although Microsoft hasn't officially confirmed the XP flaw, it highlights the notion, Slodichak said, that proper security practices within the enterprise are paramount. Even if this access flaw is confirmed "there are tons of other routines available that enable you to break into a workstation," Slodichak said.

Enterprises face an endless see-saw battle between security and convenience, Slodichak said. "You can prevent this kind of thing from happening by changing settings in the BIOS and making sure you can't boot from the CD or floppy disk."

On the flipside, organizations may argue this usually ends up making networks less manageable, software upgrades harder to implement and ultimately results in more calls to the help desk, he added.

But the overall consensus within the security community, Slodichak continued, is that as long as there is any physical access to a box, data can be improperly accessed. "If a Windows box can be broken, let's make sure that there isn't data on it that can be leveraged or (is at least) encrypted

    Add a comment

    Post a comment using one of these accounts
    Or join now
    At least 6 characters

    Note: Comment will appear soon after you have activated your account.
    Obscene/spam comments will be removed and accounts suspended.
    The information you submit is subject to our Privacy Policy and Terms of Service.

    ITworld LIVE

    Operating SystemsWhite Papers & Webcasts

    White Paper

    Microsoft Enterprise Agreement Program Overview

    Discover how flexible the Microsoft Enterprise Agreement Program is to help you build the right software solution agreement for your business. This paper highlights all the available options-from on-premise software and cloud service solutions, to payment options and enrollment programs, and more.

    White Paper

    Watson - A System Designed for Answers. The future of workload optimized systems design

    Watson is a workload optimized system designed for complex analytics, made possible by integrating massively parallel POWER7 processors and DeepQA technology. Read the white paper about Watson's workload optimized system design.

    See more White Papers | Webcasts

    Answers - Powered by ITworld

    ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

    Join Now

    New questions

    What type of enterprise user is going to use Ubuntu Business Desktop Remix?
    0 answers
    What mobile apps are the worst offenders to user privacy?
    1 answer
    Where can I find tech services providers that focus on really small businesses?
    1 answer
    Why do VoIP calls over WiFi still get counted as "minutes used" by mobile providers?
    1 answer
    What can be done to control noise levels in data centers?
    0 answers
    View more questions

    Ask a question

    Join Now or Sign In to ask a question.
    Ask a Question