Open Source and information security mailing list archives
Date: Thu, 28 May 2009 13:41:53 -0700
From: Susan Bradley <>
To: MustLive <>
Subject: Re: Insufficient Authentication vulnerability in Acer notebooks

Windows 7 is soon to be released. Translation: that means no one is
investing any resources into an operating system that is just hanging
around long enough for the RTM of Windows 7 to be installed on
netbooks. Every version of XP Professional that I've touched in the
last three years on HP machines did prompt you for a password. Again,
this is not a vulnerability of the operating system but an
implementation issue that has been around since 2004.

Configuring Windows 7 for a Limited User Account:

MustLive wrote:
> Hello Susan!
>
> If Microsoft did it, then it's good. But in my opinion it is better to do
> as in Windows XP Professional: not to disable the admin account by default,
> but to make the password of the default admin account the same as the
> password of the first admin (during the installation process). Because if
> the default admin account is enabled later (with an empty password) and one
> forgets to set a new password, then it'll be much worse.
>
> I'm not using Vista, so I can't check this issue on any of my computers.
> And I want to check it by myself: is there such an issue on Vista or not.
> For this I'm planning to check one notebook of my friend (with Vista). But
> for more than two weeks I couldn't meet with him and take his notebook. I
> quickly checked two Asus notebooks of my friends (as I wrote already to
> bugtraq), but there is some delay with this Acer notebook with Vista. If in
> the near time I'll not be able to meet with my friend to take his notebook
> (because he is busy), then I'll try to check this situation on one Samsung
> notebook of another friend of mine (and better to check both these
> notebooks).
>
> There are many versions of Vista, so there can be such a situation with
> different versions of Vista as with XP, where XP Home and XP Professional
> have different situations with default admin accounts, which leads to a
> vulnerability in XP Home. So I'm planning to investigate different versions
> of Windows Vista to be sure.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> ----- Original Message ----- From: "Susan Bradley" <>
> To: "MustLive" <>
> Cc: <>
> Sent: Wednesday, May 20, 2009 3:42 AM
> Subject: Re: Insufficient Authentication vulnerability in Acer notebooks
>> Microsoft agrees with you which is why they disable the admin account by
>> default in Vista.
>> MustLive wrote:
>>> Hello!
>>>
>>> Just came to and found that there are some answers on my post about
>>> Insufficient Authentication vulnerability in Acer notebooks.
>>>
>>>> Is not that a simple design decision? (truly brain-dead, but a
>>>> conscious decision).
>>>
>>> David, it's a very bad design decision. As for Microsoft (if we claim
>>> that it's a hole in Windows XP), so for Acer (because they use their own
>>> program for the first OS initialization process, so it's definitely a
>>> vulnerability in Acer). And also for Asus: recently I wrote to bugtraq
>>> about a similar vulnerability in an Asus notebook.
>>>
>>>> That is a standard issue with Windows XP.
>>>
>>> Dave, this is not a standard issue for all versions of Windows XP. It can
>>> be only an issue of XP Home Edition (because I found such cases only in
>>> XP HE), but I'm investigating it now to be completely sure of it.
>>>
>>> In all Windows XP (in all versions with which I worked from 2001), after
>>> installation the default Administrator account's password was always set
>>> equal to the first admin's password. I used a lot of different Windows XP
>>> (XP Professional and also XP Home on my two notebooks). And in all
>>> versions from original (Gold) to SP1 and SP2 (didn't work with XP
>>> installations with SP3) it was the same behavior (except these two
>>> notebooks with XP Home). So normal behavior for Windows XP is to set the
>>> default admin's password equal to the first admin's password.
>>>
>>>> With any installation of it you have to boot in safe mode and manually
>>>> set a password on the hidden admin account.
>>>
>>> In XP Professional the default admin account is not hidden, only in XP
>>> Home Edition. And the default admin password can be changed not only in
>>> safe mode, but in normal mode from any admin account (in both XP
>>> Professional and XP HE). Particularly it can be done in the command
>>> prompt with the "net" command.
>>>
>>>> Try the "net user password ..." command (from the CMD prompt). That'll
>>>> save you from having to do it in safe mode.
>>>
>>> Garrett, you mean the next command:
>>> net user Administrator password
>>> ;-)
>>>
>>> If in XP Professional you can use GUI or command prompt to change the
>>> default admin's password, then in XP HE you can only use the command
>>> prompt (due to Windows XP HE limitations).
>>>
>>> P.S. People, I'm not subscribed to bugtraq, so if you want to answer me,
>>> then write directly to my email.
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Administrator of Websecurity web site
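The condition the thread argues about is a built-in Administrator account that is left enabled with no password after first boot. The following audit script is an added example written for this archive page; it is not part of the thread, of Microsoft, or of any OEM tool. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later), an elevated prompt, and the standard LSA policy value LimitBlankPasswordUse; the function name Get-BuiltinAdminFinding and the verdict strings are this example's own. The account is selected by its well-known RID 500 so a renamed Administrator is still found.

```powershell
# Added audit example, not code from the thread or from any vendor tool.
# Assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server
# 2016 and later). It does not run on XP or Vista; there "net user Administrator"
# shows the same "Account active" / "Password last set" / "Password required"
# lines, and "net user Administrator *" (prompts for the new password) or
# "net user Administrator /active:no" is the fix. Run from an elevated prompt.

function Get-BuiltinAdminFinding {
    # The built-in Administrator account always has RID 500, even if renamed,
    # so select it by SID rather than by the name "Administrator".
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    if (-not $admin) { return $null }

    # Blank-password policy: 1 (the default) restricts local accounts with
    # blank passwords to console logon only, so a blank password cannot be
    # used over the network; 0 removes that restriction. Treat a missing
    # value as the default of 1.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'LimitBlankPasswordUse' -ErrorAction SilentlyContinue
    $limitBlank = if ($null -ne $lsa) { [int]$lsa.LimitBlankPasswordUse } else { 1 }

    # Indicators, not proof: PasswordRequired $false means the account is
    # flagged as allowed to have no password; a null PasswordLastSet means no
    # password has ever been set on it.
    $noPasswordIndicator = (-not $admin.PasswordRequired) -or ($null -eq $admin.PasswordLastSet)

    $verdict = if (-not $admin.Enabled) {
        'OK: built-in Administrator is disabled'
    } elseif ($noPasswordIndicator) {
        'RISK: enabled and appears to have no password; set one (net user <name> *) or disable it (net user <name> /active:no)'
    } else {
        'CHECK: enabled; confirm the password is unique and non-trivial, or disable the account'
    }

    [pscustomobject]@{
        Name                  = $admin.Name
        Enabled               = $admin.Enabled
        PasswordRequired      = $admin.PasswordRequired
        PasswordLastSet       = $admin.PasswordLastSet
        LimitBlankPasswordUse = $limitBlank
        Verdict               = $verdict
    }
}

Get-BuiltinAdminFinding | Format-List
```

The two password fields are reported as indicators because neither proves the password is blank; the decisive remediation is the one already named in the thread, setting a password with "net user" (the "*" form prompts instead of putting the password on the command line and into shell history) or disabling the account as Vista does by default. LimitBlankPasswordUse is shown alongside because a value of 1 is what keeps a blank local password from being usable over the network even where the account is enabled.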
