When a corporation (MS) have a policy "Bug fixes won't pay", they won't fix anything which isn't in public or renders everything unusable.

I'd bet this same generator is used in every version since Windows got networking, about 3.1.

The bug is not in Vista - hence clearly not in "every version since Windows got networking".

XP and 2000 have the same kernel to a first approximation, Vista is a major rewrite.

And since you need to be admin on the system to exploit the bug, why does it matter? If you have got that far you already can do anything anyway!

"Microsoft said that to pull off the attack an attacker would need to have gained ownership of a machine"

Nothing to worry about then.

They're not talking about the rand() function, they're talking about the relatively new CryptGenRandom function.

Their attack requires knowing secret state in the generator, and Microsoft is making the point that obtaining this secret implies an administrator-access take-over of a machine. In general, knowing the state of a pseudo-random number generator, no matter what the algorithm, implies that you can predict the output.

I believe the real issue here is not about the quality of the generator, it is how often operating system randomize the secret state with actual physically random data. Their complaint is that Windows is only doing this every 128,000 bytes of output, while other system I guess are doing it more frequently.

"Microsoft said that to pull off the attack an attacker would need to have gained ownership of a machine, after which worries about random number would be the least of a user's worries."

Erm, BS, it's not as cut and dried as that. Most Win lusers run as Administrator anyway, so guess what happens when this bug is exploited by a trojan/worm etc.

a deliberate attempt by Microsoft to try and steer people towards buying Vista. I note that it is said that ,quote, "...... Win XP - but not Windows Vista - are subject to the same problem, Microsoft admits.....". So let us all give up XP and buy crappy old Vista. Sorry Bill, no way am I buying Vista until it has been around for several years at least.

"after first determining the internal state of the generator"

IIRC from my crypto classes, you can always determine the output of a pseudo-random number generator if you know the internal state - that's one of the main attacks on them, since they are intentionally deterministic. Several stream ciphers rely on having one generator at the sender and one at the receiver with the same seed, so they can produce the same stream of random numbers to XOR with the data stream. I'm not saying they're particularly secure algorithms :)

The trick is to find the state of the generator from just the encrypted data stream (which is easier if you know what some of the data was before it got encrypted).

http://www.securityfocus.com/bid/25348/info

"Linux Kernel Random Number Generator Local Denial of Service and Privilege Escalation Vulnerability"

Alright in the latest kernel. So, the same as it works fine on the latest Windows Kernel too.

Don't know the details, but it appears that it's very, very similar to the Windows issue. Wondering when El Reg will report this one? :-)

Microsoft is entirely correct here. Don't try to put MS in a bad light just to put them in a bad light. Every sane developer would think the exact same way regarding this feature. It isn't even a 'bug'.

If you really want to bash Microsoft, try harder next time.

Sorry, a stripped down Windows XP x64 Edition is still the best desktop OS out there, by far.

And what about Server 2000/2003 - Are these operating systems subjected to the same bug?

"...to pull off the attack an attacker would need to have gained ownership of a machine, after which worries about random number[s] would be the least of a user's worries..."

As much as it pains me to say it, I actually agree with Microsoft on this one. The critical hole is not the one which allows an administator to see how their random number generator works, but the one which allows administrative access to the system, and that one is opened up as much by users as by developers these days. The days where you can just use a computer without some understanding of security never really existed.

...this strikes me as a non-issue. As is quite rightly pointed out, administrator access is required. If an attacker has administrator access, they can read the memory and therefore the key as it is generated. Or they can completely circumvent the security of the process generating the key and replace it with their own doctored version that stores a copy and sends it back to the attacker.

To call this a security hole is as ludicrous as saying "The Administrator account can delete system files. If hackers gain control of this account, they too can delete system files" is a security hole.

I suppose I can always pick numbers out of a hat.

Brown Fedora. Oh and my coat.

It sounds a bit random to me.

"I'd bet this same generator is used in every version since Windows got networking, about 3.1."

Since Win3.1 (and WFW3.11) didn't include an MS written Winsock stack it won't have had this bug. After all no need for crypto functions for SSL if you can't connect to the internet. (Yes, DOS and Win3.1 could connect to the net but you needed a 3rd party Winsock implementation, they couldn't out of the box.)

The first version of Windows to include Winsock was Win95. Fairly good chance this bug has been around since then but my guess is it's part of Winsock 2 which makes it a little later (circa 1998).

Computers are unable to generate random numbers unless you use variables including temperature differentials, something organic or, my favorite, a coin-toss.

Just ask Deep thought. The answer was pretty predictable if you ask me! (might take a while to get an answer though)

"If an attacker has already compromised a victim machine, a theoretical attack could occur on Windows XP."

So...what is the compromise considered? Not an attack? Because, y'know, to compromise a machine you typically have to /attack/ it with something...

I'm not sure why people may piss themselves over this. If you already have to breach the machine to gain access to a crypto generator, why not, oh, install a keylogger or screen-grabber?

Exactly. And I don't think they are claiming that they can find the key from the stream, they are just saying that someone might break into a system and snoop memory to find the key.

The only difference between what MS is doing and what some others (apparently) are doing is that MS doesn't randomize the key state as often. Google for Zvi Gutterman, and you can find some more technical coverage of this issue.

Gutterman has written articles about Linux and BSD crypto, where he also makes a lot of recomendations for better practice. Naturally, only his findings about Windows become big news.

A lot of comments above are misguided.

"The critical hole is not the one which allows an administator to see how their random number generator works" assumes that only administrators can determine the values on the top of the stack (the data used to initialise the PRNG!). That's obviously not so.

"IIRC from my crypto classes, you can always determine the output of a pseudo-random number generator if you know the internal state" is true but pointless. System functions that return pseudo-random data are presumed to perturb the internal state periodically to make it difficult to determine the likelyhood of a result given preceeding values of the PRNG (see where the paper discusses forward- and backward-security).

Note that the system PRNG's lack of predictability is important, since it is used to determine nonces for data communications. If those values are predictable to any extent then hijaaking network connections becomes simple.

I'd really encourage people to read the paper before commenting. What becomes very clear is that the requirements for a system PRNG were not well understood by Microsoft staff, despite system pseudo-random number generation being a widely-studied field in cryptology and a widely-discussed design issue in publicly-developed operating systems such as Linux and FreeBSD.

"it is how often operating system randomize the secret state with actual physically random data."

Don Mitchell.

Thanks. That was a very succinct post presenting the Opportunity. However I feel that it is much more a Driver Facility Running InterNetworking Channels across Operating Systems than anything that the Operating System is doing. They are merely ITs Latent Hosts and Virtual Feed Chains ...... Is that a Phantom Quantum System moving Computer Controls into AI Virtualised Space?

CyberIntelAIgents would of course Posit Yes. They would also Boldly dDeeper and suggest that IT is IntelAigently Designed to Provide Vistas, HyperVision Drive. Big Picture Generation with AI NEUKlearer HyperRadioProActivity.

A Sparkling Private Sector Gem of an Advanced and Advancing Artificial Intelligence Programming ...... 42Edutain Entertainment

"And I don't think they are claiming that they can find the key from the stream, they are just saying that someone might break into a system and snoop memory to find the key." .......I think their worries will have moved on if the key is found and the doors and windows of the Keep are all wide ajar/rent asunder. Someone, in such a broken system would be more interested in placing future memory for Use rather than snooping for something already delivered.

Have their worries moved on? Are they waiting on Holywood does Hollywood to set the Scenes?

I say, what a Spiffing Good IDer, Olde Bean.

because, except for a couple of aging gamers, everyone and their granny has moved to linux and nobody is using Windows anymore. http://www.theregister.co.uk/2007/11/23/linux_desktop_survey/

@ Ole Juul....

everyone and their granny has not moved to linux.... and a quote from a report about what versions of OPEN SOURCE OS people are using does not count as reference....

It really gets up my nose the way people like to jump onto the microsoft bashing, just because you like to use a difrent OS... thats your choice....

Personaly i stick to microsoft because i do not want to wait 2 years for the latest bit of kit i have to work on my pc... plus i use Adobe Photoshop quite a lot... and i really cant be bothered with a dual boot....

.. the big deal that all the anti-MS people would make of it. It's a total non-issue.

The big trick with randomising is to not use just variables etc to hold state otherwise the sequence can be predicted once that state is known. Shake it up a bit by adding other randomisers: time, time between user input/network access etc. A little imagination goes a long way...

You're right, of course. I was being sarcastic, with reference to the "microsoft bashing" in the other article's comments. Perhaps I should have been more direct.

... use quantum spookiness. Otherwise use a hardware random number generator. Was it A. C. Clarke (or Pohl) who suggested using a bit of radioactive material to generate random numbers by counting gamma particles?

M$'s problem is that all they know is software, and all problems look like software problems to them.

Indeed - and while time passes, and all you "Administrators" get your virii, we'll carry on using a real OS and not have to worry about being controlled by a corporate monster who's been an arse since the mid seventies. If something doesn't work, it's up to us to fix it, not a profit oriented bunch of fsckwits - whom would be more at home working for HMRC.

Am I alone in finding it amusing that an "Administrator" is a glorified secretary - and the most powerful person on your "computer" is hence, a glorified secretary - doesn't a secretary work for someone? Shouldn't we ask ourselves who that person is? Oh yeah, it's Bill. All your computers are belong to us!

You wouldn't give someone explosives if they hadn't been trained - a computer is a far more effective weapon (whoa, are these the WMD's they were talking about in Iraq???)

It's not about Microsoft bashing, its about having a clue, and the ability to use said clue.

Not gonna get my coat unless the Administrator passes it to me in my Ivory tower.

Couldn't agree more, AC,

And the longer they are in self denial of the Complete Crack of their Codes, the dDeeper Rooted and Stronger Routed becomes the Binary Incursion/Infection/Swarm/Storm/VXXXXine ...... call IT what you will for IT is Flexible to the Perception IT Purveys/Invades/Supports ....... AI Stealthy Karma Chameleon, in Deed for Real.

A Mexican Standoff or Virtual Danegeld Trade....... Future Perfect Provision 4HyperVision2.

cc billgates@chairman.microsoft.com

I have found that I can predict better than 50/50 at the result of tossing a coin. I did this over a fairly lengthy period (waiting for Windows to boot up).

So although it's not scientifically/statistically accurate, it's useful for a better chance of winning "heads you buy the round or tails I do" scenarios.

What I do is place the coin (say) heads up all the time on my thumbnail, do the flip/tossing, catch and put it on the back of my hand - as you do.

Generally, I find that if it is a "clean" catch - slap in the palm of your hand, it mostly comes up heads - or whatever side you chose upwards to start with.

(Do I hear the sound of 1000's of coins being flipped at the moment? That'll cause a butterfly in Asia to flap it's wings or something I reckon)

Okay, okay, Linux is better.

Real world is, make product for intellectually disadvantaged end users.

Challenge, if your windows version is buggy then you must hack the sucker until you own it.

Hey, I'm still using a stable ME on one of my machines (and you can well believe it was not stable out of the box.)

That being said; I have pretty well given up on Vista; I mean, get real.

Not even my boss (who sometimes expects applications to be able to make cheese sandwiches in the cd drives) asks for that one.

In any case, everyone uses the same damn pseudo random algorithm and has for years; it's what is taught in school and if you don't use it you were flipping fries (chips for you Brits.)

Admittedly, if someone has admin access to your box, you're in all sorts of trouble. But one possible security hole due to this exploit does spring to mind: if the random number generator has been used to generate, say, information used in a cryptographic application, manipulation and/or knowledge of internal state might possibly permit a replay attack against data secured before the attacker elevated himself to admin level. It's a reach, I admit.

As John von Neumann said, "Anyone who considers arithmetic methods of producing random digits is, of course, in a state of sin." One nice way of getting real random bits is back-biasing a CMOS junction into avalanche and then feeding TTL-level edges to pin 10 (NACK) on the parallel port. Count the time between edges and you get a damn good source of truly random data.