Possible password flaw discovered in Windows XP
A security flaw recently revealed in Microsoft Corp.'s Windows XP could enable unauthorized users to access password-protected PCs.
Using the Windows 2000 CD, anonymous users can apparently boot up a computer with the Windows XP OS and call up the troubleshooting program Windows 2000 Recovery Console.
Using the program's system recovery routine, the unauthorized user can then work under the guise of a Windows XP Administrator, effectively rendering any passwords useless. The flaw affects all XP user accounts, password-protected or not -- visitors can then access files from the hard drive and copy to any removable media.
Representatives from Microsoft were not immediately available for comment. Thomas Slodichak, chief security officer for WhiteHat Inc. in Burlington, Ontario, said the possible flaw was brought to his attention on Monday. "It seems as though XP has a bit of programming missing that was included in its predecessor Windows 2000," the security expert said.
Although Microsoft hasn't officially confirmed the XP flaw, it highlights the notion, Slodichak said, that proper security practices within the enterprise are paramount. Even if this access flaw is confirmed "there are tons of other routines available that enable you to break into a workstation," Slodichak said.
Enterprises face an endless see-saw battle between security and convenience, Slodichak said. "You can prevent this kind of thing from happening by changing settings in the BIOS and making sure you can't boot from the CD or floppy disk."
On the flipside, organizations may argue this usually ends up making networks less manageable, software upgrades harder to implement and ultimately results in more calls to the help desk, he added.
But the overall consensus within the security community, Slodichak continued, is that as long as there is any physical access to a box, data can be improperly accessed. "If a Windows box can be broken, let's make sure that there isn't data on it that can be leveraged or (is at least) encrypted
» posted by ITworld staff
ITWorldCanada.com
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
