Researchers warn of serious Windows flaw

Researchers warn of serious Windows flaw

Vulnerability confirmed in Windows 2000, but could also be present in XP

A group of Israeli researchers claims to have discovered a serious vulnerability in Microsoft's Windows 2000 operating system.

The flaw allows for the tracking of all text typed into a Windows 2000 computer, including emails, passwords and credit card numbers, according to a team led by Dr Benny Pinkas from the Department of Computer Science at the University of Haifa.

"This is not a theoretical discovery. Anyone who exploits this security loophole can definitely access this information on other computers," warned Dr Pinkas.

The flaw could enable hackers to access information sent from the computer prior to the security breach, and even information that is no longer stored on the computer.

The researchers found the flaw in the random number generator in Windows. This program plays a critical role in file and email encryption, and the SSL encryption protocol which is used by all internet browsers.

For example, any correspondence with a bank or any other website that requires typing in a password or a credit card number, will invoke the random number generator to create a random encryption key.

This key is used to encrypt the communication so that only the relevant website can read the correspondence.

The research team found a way to decipher how the random number generator works and thereby compute previous and future encryption keys used by the computer, and eavesdrop on private communication.

"There is no doubt that hacking into a computer using our method requires advanced planning. On the other hand, simpler security breaches also require planning," said Dr Pinkas.

"I believe that there is room for concern at large companies, or for people who manage sensitive information using their computers, who should understand that the privacy of their data is at risk."

The researchers said that they have already notified Microsoft's security response team about their discovery.

Although the researchers only checked Windows 2000, which is currently the third most popular operating system in use, they assume that newer versions of Windows, such as XP and Vista, use similar random number generators and may also be vulnerable.

Their conclusion is that Microsoft needs to improve the way it encodes information.