Microsoft has conceded that the pseudo-random number generator used by Windows XP suffers the same security shortcomings as Windows 2000.

Israeli researchers researchers recently discovered it was possible to predict the output of random-number generator built into Windows 2000, after first determining the internal state of the generator. Random numbers are a critical sub-component of cryptography functions, such as the generation of keys used for SSL exchanges.

Microsoft said that to pull off the attack an attacker would need to have gained ownership of a machine, after which worries about random number would be the least of a user's worries. "Because administrator rights are required for the attack to be successful, and by design, administrators can access all files and resources on a system, this is not inappropriate disclosure of information," a company spokesperson told Computerworld. "If an attacker has already compromised a victim machine, a theoretical attack could occur on Windows XP." ®

Related stories

• SANS sounds alarm on Debian OpenSSL flaw (16 May 2008)
• Debian fixes serious crypto bug (13 May 2008)
• MS to bundle 'broken' random number tool in Vista SP1 (18 December 2007)
• Vista vs XP performance: Some informal tests (4 December 2007)
• Random number bug blights FreeBSD (30 November 2007)
• Microsoft on the hunt for 'serious' Windows flaw (26 November 2007)
• Crypto guru warns over random number backdoor (16 November 2007)
• Windows random number generator is so not random (13 November 2007)
• Crypto boffins break car cypher (24 August 2007)
• Interview Gone in 120 seconds: cracking Wi-Fi security (15 May 2007)
• The box that broke Enigma code is rebuilt (8 September 2006)
• How ATM fraud nearly brought down British banking (21 October 2005)
• SHA-1 compromised further (19 August 2005)