Date: Thu, 28 May 2009 13:41:53 -0700
From: Susan Bradley <sbradcpa@...bell.net>
To: MustLive <mustlive@...security.com.ua>
Cc: bugtraq@...urityfocus.com
Subject: Re: Insufficient Authentication vulnerability in Acer notebooks

Windows 7 is soon to be released. Translation: that means no one is investing any resources into an operating system that is just hanging around long enough for the RTM of Windows 7 to be installed on netbooks.

Every version of XP Professional that I've touched in the last three years on HP machines did prompt you for a password. Again, this is not a vulnerability of the operating system but an implementation issue that has been around since 2004.

Configuring Windows 7 for a Limited User Account:
http://unixwiz.net/techtips/win7-limited-user.html

MustLive wrote:
> Hello Susan!
>
> If Microsoft did it, then it's good. But better in my opinion to do it as in Windows XP Professional: not to disable the admin account by default, but to make the password of the default admin account similar to the password of the first admin (during the installation process). Because if the default admin account is enabled later (with an empty password) and one forgets to set a new password, then it'll be much worse.
>
> I'm not using Vista, so I can't check this issue on any of my computers. And I want to check it by myself: is there such an issue on Vista or not. For this I'm planning to check one notebook of my friend (with Vista). But for more than two weeks I couldn't meet with him and take his notebook. I quickly checked two Asus notebooks of my friends (as I wrote already to bugtraq), but there is some delay with this Acer notebook with Vista. If in the near future I'm not able to meet with my friend to take his notebook (because he is busy), then I'll try to check this situation on one Samsung notebook of another friend of mine (and better to check both these notebooks).
>
> There are many versions of Vista, so there can be such a situation with different versions of Vista as with XP, where XP Home and XP Professional have different situations with default admin accounts, which leads to a vulnerability in XP Home. So I'm planning to investigate different versions of Windows Vista to be sure.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message -----
> From: "Susan Bradley" <sbradcpa@...bell.net>
> To: "MustLive" <mustlive@...security.com.ua>
> Cc: <bugtraq@...urityfocus.com>
> Sent: Wednesday, May 20, 2009 3:42 AM
> Subject: Re: Insufficient Authentication vulnerability in Acer notebooks
>
>> Microsoft agrees with you, which is why they disable the admin account by default in Vista.
>>
>> MustLive wrote:
>>> Hello!
>>>
>>> Just came to securityfocus.com and found that there are some answers on my post about the Insufficient Authentication vulnerability in Acer notebooks.
>>>
>>>> Is not that a simple design decision? (truly brain-dead, but a conscious decision).
>>>
>>> David, it's a very bad design decision. As for Microsoft (if we will be claiming that it's a hole in Windows XP), as for Acer (because they use their own program for the first OS initialization process, so it's definitely a vulnerability in Acer).
>>>
>>> And also for Asus: recently I wrote to bugtraq about a similar vulnerability in an Asus notebook.
>>>
>>>> That is a standard issue with Windows XP.
>>>
>>> Dave, this is not a standard issue for all versions of Windows XP. It can be only an issue of XP Home Edition (because I found such cases only in XP HE), but I'm investigating it now to be completely sure of it.
>>>
>>> In all Windows XP (in all versions with which I worked from 2001), after installation the default Administrator account's password was always set equal to the first admin's password.
>>>
>>> I used a lot of different Windows XP (XP Professional and also XP Home on my two notebooks). And in all versions from the original (Gold) to SP1 and SP2 (I didn't work with XP installations with SP3) it was the same behavior (except these two notebooks with XP Home). So the normal behavior for Windows XP is to set the default admin's password equal to the first admin's password.
>>>
>>>> With any installation of it you have to boot in safe mode and manually set a password on the hidden admin account.
>>>
>>> In XP Professional the default admin account is not hidden, only in XP Home Edition. And the default admin password can be changed not only in safe mode, but in normal mode from any admin account (in both XP Professional and XP HE). Particularly it can be done in the command prompt with the "net" command.
>>>
>>>> Try the "net user password ..." command (from the CMD prompt). That'll save you from having to do it in safe mode.
>>>
>>> Garrett, you mean the next command:
>>>
>>> net user Administrator password
>>>
>>> ;-)
>>>
>>> If in XP Professional you can use the GUI or command prompt to change the default admin's password, then in XP HE you can only use the command prompt (due to Windows XP HE limitations).
>>>
>>> P.S.
>>>
>>> People, I'm not subscribed to bugtraq, so if you want to answer me, then write directly to my email.
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Administrator of Websecurity web site
>>> http://websecurity.com.ua
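The thread turns on whether the built-in Administrator account is enabled and whether it is allowed to sit with no password. The following PowerShell audit script is an added example, not part of the thread and not written by any of its participants. It locates the built-in account by RID 500 (so a renamed account, or the account XP Home hides from the welcome screen, is still found), reads its account flags through the ADSI WinNT provider, and reports whether local policy would currently accept a blank password. It assumes PowerShell 2.0 or later and an English-locale `net accounts` output for the policy parse; the function names and the `BlankPasswordAllowed` field are this example's own.

```powershell
# Added example, not from the thread: audit the local built-in Administrator
# account (RID 500). Assumes PowerShell 2.0+ and English `net accounts` output.

# Bit values of the IADsUser UserFlags property (ADS_USER_FLAG_ENUM).
$ADS_UF_ACCOUNTDISABLE = 0x0002
$ADS_UF_PASSWD_NOTREQD = 0x0020

function Get-BuiltinAdministrator {
    # Walk the local SAM via the WinNT provider and return the user whose SID ends in -500.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    foreach ($child in $computer.Children) {
        if ($child.SchemaClassName -ne 'user') { continue }
        $sidBytes = $child.Properties['objectSid'].Value
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        if ($sid.Value -match '-500$') { return $child }
    }
    return $null
}

function Get-MinimumPasswordLength {
    # Effective local policy; `net accounts` prints e.g. "Minimum password length: 0".
    # The label is locale-dependent (English assumed here).
    $line = (net accounts) | Where-Object { $_ -match 'Minimum password length' }
    if ($line -match '(\d+)\s*$') { return [int]$Matches[1] }
    return $null
}

function Test-BuiltinAdministrator {
    $admin = Get-BuiltinAdministrator
    if ($null -eq $admin) { throw 'No local account with RID 500 was found.' }

    $flags   = [int]$admin.Properties['UserFlags'].Value
    $enabled = (($flags -band $ADS_UF_ACCOUNTDISABLE) -eq 0)
    # PASSWD_NOTREQD exempts the account from the minimum-length policy. The
    # password itself cannot be read back; what we can say is whether policy
    # would let a blank one stand: either the exemption flag is set, or the
    # minimum length is 0 (the XP default).
    $notRequired = (($flags -band $ADS_UF_PASSWD_NOTREQD) -ne 0)
    $minLength   = Get-MinimumPasswordLength
    $blankOk     = $notRequired -or ($minLength -eq 0)
    # PasswordAge is seconds since the password was last set.
    $ageDays = [math]::Floor([int]$admin.Properties['PasswordAge'].Value / 86400)

    return New-Object PSObject -Property @{
        Name                 = $admin.Name
        Enabled              = $enabled
        PasswordNotRequired  = $notRequired
        MinimumPasswordLength = $minLength
        BlankPasswordAllowed = $blankOk
        PasswordAgeDays      = $ageDays
        # The situation discussed in the thread: a usable admin account that
        # policy allows to have no password at all.
        AtRisk               = ($enabled -and $blankOk)
    }
}

$audit = Test-BuiltinAdministrator
$audit | Format-List Name, Enabled, PasswordNotRequired, MinimumPasswordLength,
                     BlankPasswordAllowed, PasswordAgeDays, AtRisk
if ($audit.AtRisk) {
    Write-Warning "Built-in account '$($audit.Name)' is enabled and policy permits a blank password."
}
```

Run it from an elevated prompt. An `AtRisk` result means the machine is in the state the thread describes, and the remediation is the one the thread already names: set a real password with `net user Administrator <password>` (the only route on XP Home, since its GUI hides the account), or disable the account as Vista does by default. Note that raising the minimum password length afterwards does not retroactively clear an existing blank password, which is why `PasswordAgeDays` is reported alongside the policy values.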