Microsoft Acknowledges PRNG Bug in Windows XP

Microsoft has finally acknowledged that the vulnerabilities found by Israeli researchers in Windows 2000 also extend to Windows XP. The vulnerabilities involve Windows' pseudo-random number generator (PRNG), a piece of code that generates seemingly random numbers for various uses in the system. I say "seemingly" because you have to trick a deterministic computer to produce numbers that behave like they're random (a trick I studied while an MS student in math many years ago).

In an academic paper published recently (read the PDF here), the researchers described how they recreated the algorithm used by Windows 2000's PRNG, and used that to investigate how it's used in the system. Windows and its applications use the PRNG to create random encryption keys, which are in turn used to encrypt files and e-mail messages, and by the Secure Socket Layer protocol.

The researchers also noted vulnerabilities in the Windows CryptGenRandom function, which calls on the algorithm. This may cause any application using the Windows cryptologic functions to exhibit the vulnerability.

Do you need to use random numbers in your application? And with the Windows PRNG? Let me know if you trust it at pvarhol@redmondmag.com.

Posted by Peter Varhol on 11/27/2007 at 1:23 PM


Featured

  • Microsoft Ups Its Carbon Reduction Goals

    Microsoft on Thursday announced a corporatewide carbon reduction effort that aims to make the company "carbon negative" by 2030.

  • How To Dynamically Lock Down an Unattended Windows 10 PC

    One of the biggest security risks in any organization happens when a user walks away from their PC without logging out. Microsoft has the solution (and it's not a password-protected screensaver).

  • First Stable Chromium-Based Microsoft Edge Browser Released

    Microsoft on Wednesday announced the first release of its Chromium-based Microsoft Edge browser at the "stable" commercial-release stage.

  • Microsoft's January Security Updates Come with NSA Help

    Microsoft released its January security updates with a partial assist from the U.S. National Security Agency (NSA).

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.