Bugtraq mailing list archives
Re: Insufficient Authentication vulnerability in Acer notebooks
From: Susan Bradley <sbradcpa () pacbell net>
Date: Thu, 28 May 2009 13:41:53 -0700
Windows 7 is soon to be released. Translation: that means no one is investing any resources into an operating system that is just hanging around long enough for the RTM of Windows 7 to be installed on netbooks. Every version of XP Professional that I've touched in the last three years on HP machines did prompt you for a password. Again, this is not a vulnerability of the operating system but an implementation issue that has been around since 2004.

Configuring Windows 7 for a Limited User Account: http://unixwiz.net/techtips/win7-limited-user.html

MustLive wrote:

> Hello Susan!
>
> If Microsoft did it, then it's good. But in my opinion it is better to do it as in Windows XP Professional: not to disable the admin account by default, but to make the password of the default admin account the same as the password of the first admin (during the installation process). Because if the default admin account is enabled later (with an empty password) and someone forgets to set a new password, then it'll be much worse.
>
> I'm not using Vista, so I can't check this issue on any of my computers. And I want to check it myself, whether there is such an issue on Vista or not. For this I'm planning to check a notebook of my friend (with Vista). But for more than two weeks I couldn't meet with him and take his notebook. I quickly checked two Asus notebooks of my friends (as I already wrote to bugtraq), but there is some delay with this Acer notebook with Vista. If in the near future I'm not able to meet with my friend to take his notebook (because he is busy), then I'll try to check this situation on a Samsung notebook of another friend of mine (and better to check both these notebooks).
>
> There are many versions of Vista, so there can be the same situation with different versions of Vista as with XP, where XP Home and XP Professional have different situations with default admin accounts, which leads to the vulnerability in XP Home. So I'm planning to investigate different versions of Windows Vista to be sure.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message -----
> From: "Susan Bradley" <sbradcpa () pacbell net>
> To: "MustLive" <mustlive () websecurity com ua>
> Cc: <bugtraq () securityfocus com>
> Sent: Wednesday, May 20, 2009 3:42 AM
> Subject: Re: Insufficient Authentication vulnerability in Acer notebooks
>
>> Microsoft agrees with you, which is why they disable the admin account by default in Vista.
>>
>> MustLive wrote:
>>
>>> Hello!
>>>
>>> Just came to securityfocus.com and found that there are some answers on my post about the Insufficient Authentication vulnerability in Acer notebooks.
>>>
>>>> Is not that a simple design decision? (truly brain-dead, but a conscious decision).
>>>
>>> David, it's a very bad design decision. For Microsoft (if we claim that it's a hole in Windows XP) as well as for Acer (because they use their own program for the first OS initialization process, so it's definitely a vulnerability in Acer). And also for Asus: recently I wrote to bugtraq about a similar vulnerability in an Asus notebook.
>>>
>>>> That is a standard issue with Windows XP.
>>>
>>> Dave, this is not a standard issue for all versions of Windows XP. It can only be an issue of XP Home Edition (because I found such cases only in XP HE), but I'm investigating it now to be completely sure of it.
>>>
>>> In all Windows XP (in all versions with which I worked from 2001), after installation the default Administrator account's password was always set equal to the first admin's password. I used a lot of different Windows XP (XP Professional and also XP Home on my two notebooks). And in all versions from the original (Gold) to SP1 and SP2 (I didn't work with XP installations with SP3) it was the same behavior (except these two notebooks with XP Home). So the normal behavior for Windows XP is to set the default admin's password equal to the first admin's password.
>>>
>>>> With any installation of it you have to boot in safe mode and manually set a password on the hidden admin account.
>>>
>>> In XP Professional the default admin account is not hidden, only in XP Home Edition. And the default admin password can be changed not only in safe mode, but in normal mode from any admin account (in both XP Professional and XP HE). In particular it can be done in the command prompt with the "net" command.
>>>
>>>> Try the "net user password ..." command (from the CMD prompt). That'll save you from having to do it in safe mode.
>>>
>>> Garrett, you mean the following command: net user Administrator password ;-)
>>>
>>> If in XP Professional you can use the GUI or the command prompt to change the default admin's password, then in XP HE you can only use the command prompt (due to Windows XP HE limitations).
>>>
>>> P.S. People, I'm not subscribed to bugtraq, so if you want to answer me, then write directly to my email.
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Administrator of Websecurity web site
>>> http://websecurity.com.ua
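The "net user" mitigation discussed in the thread, as an added example that is not part of the original messages: a Windows batch script (assumes the built-in account is still named "Administrator" and that it runs from an administrator command prompt) which checks whether that account is active and, if it is, prompts for a password to set on it rather than leaving it blank.

```batch
@echo off
REM Added example, not from the thread: audit the built-in Administrator
REM account on Windows XP and force a password onto it if it is enabled.
REM Assumptions: account name "Administrator", run as an administrator.
setlocal
set ACCT=Administrator

REM Does the account exist at all?
net user %ACCT% >nul 2>&1
if errorlevel 1 (
    echo Account %ACCT% not found on this machine.
    exit /b 1
)

REM "net user <name>" prints an "Account active  Yes/No" line.
net user %ACCT% | findstr /C:"Account active" | findstr /I /C:"Yes" >nul
if errorlevel 1 (
    echo %ACCT% is disabled; no blank-password exposure from this account.
    exit /b 0
)

echo %ACCT% is enabled. Setting a password now (you will be prompted twice).
REM "*" makes "net user" prompt so the password never lands in history/logs.
net user %ACCT% *
if errorlevel 1 (
    echo Failed to set a password on %ACCT%.
    exit /b 1
)
echo Password set on %ACCT%.

REM On XP Professional the account can instead be disabled entirely:
REM     net user %ACCT% /active:no
endlocal
```

Running it on an XP Home machine from a normal admin account covers the case the thread describes, where the GUI offers no way to touch the built-in account.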
Current thread:
- Insufficient Authentication vulnerability in Acer notebooks MustLive (May 11)
- RE: Insufficient Authentication vulnerability in Acer notebooks David Sánchez Martín (May 11)
- Re: Insufficient Authentication vulnerability in Acer notebooks dpo5003 (May 12)
- Re: Insufficient Authentication vulnerability in Acer notebooks Garrett M. Groff (May 12)
- Re: Insufficient Authentication vulnerability in Acer notebooks Øystein Larsen (May 12)
- Re: Insufficient Authentication vulnerability in Acer notebooks dpo5003 (May 12)
- <Possible follow-ups>
- Re: Insufficient Authentication vulnerability in Acer notebooks MustLive (May 19)
- Re: Insufficient Authentication vulnerability in Acer notebooks Susan Bradley (May 20)
- Re: Insufficient Authentication vulnerability in Acer notebooks MustLive (May 28)
- Re: Insufficient Authentication vulnerability in Acer notebooks Susan Bradley (May 28)
- Re: Insufficient Authentication vulnerability in Acer notebooks Susan Bradley (May 20)
- RE: Insufficient Authentication vulnerability in Acer notebooks David Sánchez Martín (May 11)