Date: Thu, 28 May 2009 13:41:53 -0700
From: Susan Bradley <sbradcpa@...bell.net>
To: MustLive <mustlive@...security.com.ua>
Cc: bugtraq@...urityfocus.com
Subject: Re: Insufficient Authentication vulnerability in Acer notebooks

Windows 7 is soon to be released. Translation: that means no one is
investing any resources into an operating system that is just hanging
around long enough for the RTM of Windows 7 to be installed on
netbooks. Every version of XP Professional that I've touched in the
last three years on HP machines did prompt you for a password. Again,
this is not a vulnerability of the operating system but an
implementation issue that has been around since 2004.

Configuring Windows 7 for a Limited User Account:
http://unixwiz.net/techtips/win7-limited-user.html


MustLive wrote:
> Hello Susan!
>
> If Microsoft did it, then it's good. But in my opinion it is better to do
> it as in Windows XP Professional - not to disable the admin account by
> default, but to make the password of the default admin account the same as
> the password of the first admin (during the installation process). Because
> if the default admin account is enabled later (with an empty password) and
> the user forgets to set a new password, then it'll be much worse.
>
> I'm not using Vista, so I can't check this issue on any of my computers.
> And I want to check it by myself - is there such an issue on Vista or not.
> For this I'm planning to check one notebook of my friend (with Vista). But
> for more than two weeks I couldn't meet with him and take his notebook. I
> quickly checked two Asus notebooks of my friends (as I wrote already to
> bugtraq), but there is some delay with this Acer notebook with Vista. If in
> the near future I'm not able to meet with my friend to take his notebook
> (because he is busy), then I'll try to check this situation on one Samsung
> notebook of another friend of mine (and better to check both these
> notebooks).
>
> There are many versions of Vista, so there can be such a situation with
> different versions of Vista as with XP, where XP Home and XP Professional
> have different situations with default admin accounts, which leads to a
> vulnerability in XP Home. So I'm planning to investigate different versions
> of Windows Vista to be sure.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message ----- From: "Susan Bradley" <sbradcpa@...bell.net>
> To: "MustLive" <mustlive@...security.com.ua>
> Cc: <bugtraq@...urityfocus.com>
> Sent: Wednesday, May 20, 2009 3:42 AM
> Subject: Re: Insufficient Authentication vulnerability in Acer notebooks
>
>
>> Microsoft agrees with you which is why they disable the admin account by
>> default in Vista.
>>
>> MustLive wrote:
>>> Hello!
>>>
>>> Just came to securityfocus.com and found that there are some answers to
>>> my post about the Insufficient Authentication vulnerability in Acer
>>> notebooks.
>>>
>>>> Is not that a simple design decision? (truly brain-dead, but a
>>>> conscious decision).
>>>
>>> David, it's a very bad design decision. Both for Microsoft (if we will be
>>> claiming that it's a hole in Windows XP) and for Acer (because they use
>>> their own program for the first OS initialization process, so it's
>>> definitely a vulnerability in Acer).
>>>
>>> And also for Asus - recently I wrote to bugtraq about a similar
>>> vulnerability in an Asus notebook.
>>>
>>>> That is a standard issue with Windows XP.
>>>
>>> Dave, this is not a standard issue for all versions of Windows XP. It can
>>> be an issue only with XP Home Edition (because I found such cases only in
>>> XP HE), but I'm investigating it now to be completely sure of it.
>>>
>>> In all Windows XP (in all versions with which I worked from 2001), after
>>> installation the default Administrator account's password was always set
>>> equal to the first admin's password.
>>>
>>> I used a lot of different Windows XP (XP Professional and also XP Home on
>>> my two notebooks). And in all versions from the original (Gold) to SP1 and
>>> SP2 (didn't work with XP installations with SP3) it was the same behavior
>>> (except these two notebooks with XP Home). So the normal behavior for
>>> Windows XP is to set the default admin's password equal to the first
>>> admin's password.
>>>
>>>> With any installation of it you have to boot in safe mode and manually
>>>> set a password on the hidden admin account.
>>>
>>> In XP Professional the default admin account is not hidden, only in XP
>>> Home Edition. And the default admin password can be changed not only in
>>> safe mode, but in normal mode from any admin account (in both XP
>>> Professional and XP HE). In particular, it can be done from the command
>>> prompt with the "net" command.
>>>
>>>> Try the "net user password ..." command (from the CMD prompt). That'll
>>>> save you from having to do it in safe mode.
>>>
>>> Garrett, you mean the following command:
>>>
>>> net user Administrator password
>>>
>>> ;-)
>>>
>>> While in XP Professional you can use the GUI or the command prompt to
>>> change the default admin's password, in XP HE you can only use the command
>>> prompt (due to Windows XP HE limitations).
>>>
>>> P.S.
>>>
>>> People, I'm not subscribed to bugtraq, so if you want to answer me, then
>>> write directly to my email.
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Administrator of Websecurity web site
>>> http://websecurity.com.ua 
>
>
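The condition this thread argues about (the built-in Administrator account left enabled on an OEM install, possibly with a blank password, and the `net user` fix for it) can be audited locally with the script below. It is an added example, not code from anyone in the thread, and it assumes the `Get-LocalUser` / `Set-LocalUser` cmdlets of Windows 10 and Server 2016 or later; XP and Vista lack them, and there `net user Administrator` shows the same "Account active" and "Password required" fields.

```powershell
# Added example (not from the thread): flag local accounts that match the
# misconfiguration discussed above - the built-in Administrator (RID 500)
# enabled, and/or an enabled account that is allowed to have no password.
# Assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10+).

function Get-BuiltinAdminExposure {
    [CmdletBinding()]
    param()

    $findings = foreach ($u in Get-LocalUser) {
        # RID 500 is always the built-in Administrator, whatever it was renamed to.
        $isBuiltin = $u.SID.Value -match '-500$'

        $reasons = @()
        if ($isBuiltin -and $u.Enabled) {
            $reasons += 'built-in Administrator is enabled'
        }
        # PasswordRequired = $false means the account is exempt from the
        # password policy, so an empty password is permitted for it.
        if ($u.Enabled -and -not $u.PasswordRequired) {
            $reasons += 'password not required (blank password allowed)'
        }
        # No PasswordLastSet at all means nobody has ever set one.
        if ($u.Enabled -and $null -eq $u.PasswordLastSet) {
            $reasons += 'password never set'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $u.Name
                Builtin = $isBuiltin
                Enabled = $u.Enabled
                Reasons = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

# Remediation the thread itself points at, from an elevated prompt: set a
# password on the account, or disable it as Vista does by default.
#   Set-LocalUser -Name Administrator -Password (Read-Host -AsSecureString 'New password')
#   Disable-LocalUser -Name Administrator

Get-BuiltinAdminExposure | Format-Table -AutoSize
```

An empty result means no enabled account is exempt from the password policy and the RID-500 account is disabled; any row listing the built-in account should be resolved with one of the two commented remediation commands.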
