Microsoft Acknowledges PRNG Bug in Windows XP

Microsoft has finally acknowledged that the vulnerabilities found by Israeli researchers in Windows 2000 also extend to Windows XP. The vulnerabilities involve Windows' pseudo-random number generator (PRNG), a piece of code that generates seemingly random numbers for various uses in the system. I say "seemingly" because you have to trick a deterministic computer to produce numbers that behave like they're random (a trick I studied while an MS student in math many years ago).

In an academic paper published recently (read the PDF here), the researchers described how they recreated the algorithm used by Windows 2000's PRNG, and used that to investigate how it's used in the system. Windows and its applications use the PRNG to create random encryption keys, which are in turn used to encrypt files and e-mail messages, and by the Secure Socket Layer protocol.

The researchers also noted vulnerabilities in the Windows CryptGenRandom function, which calls on the algorithm. This may cause any application using the Windows cryptologic functions to exhibit the vulnerability.

Do you need to use random numbers in your application? And with the Windows PRNG? Let me know if you trust it at [email protected].

Posted by Peter Varhol on November 27, 2007 at 11:57 AM


Featured

  • The 2020 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generations of .NET and PowerShell, here's what's on tap from Microsoft this year.

  • Microsoft Releases Migration Manager for SharePoint Server

    Microsoft this week announced updates to the SharePoint Migration Tool, plus commercial release of Migration Manager.

  • Version 2004 of Windows 10, Windows Server Released

    Microsoft announced the latest update milestones for Windows 10 and Windows Server this week.

  • Microsoft Projects Q4 Release for Universal Print Solution

    Microsoft's plan to alleviate organizations of the pain of managing print servers continues to take shape.

RCP Update

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.