Microsoft has conceded that the pseudo-random number generator used by Windows XP suffers the same security shortcomings as Windows 2000.

Israeli researchers researchers recently discovered it was possible to predict the output of random-number generator built into Windows 2000, after first determining the internal state of the generator. Random numbers are a critical sub-component of cryptography functions, such as the generation of keys used for SSL exchanges.

Win XP - but not Windows Vista - are subject to the same problem, Microsoft admits. However the software giant has no plans to release a fix until Windows XP Service Pack 3 in the first half of 2008.

Microsoft said that to pull off the attack an attacker would need to have gained ownership of a machine, after which worries about random number would be the least of a user's worries. "Because administrator rights are required for the attack to be successful, and by design, administrators can access all files and resources on a system, this is not inappropriate disclosure of information," a company spokesperson told Computerworld. "If an attacker has already compromised a victim machine, a theoretical attack could occur on Windows XP." ®

Related stories

• SANS sounds alarm on Debian OpenSSL flaw (16 May 2008)
• Debian fixes serious crypto bug (13 May 2008)
• MS to bundle 'broken' random number tool in Vista SP1 (18 December 2007)
• Vista vs XP performance: Some informal tests (4 December 2007)
• Random number bug blights FreeBSD (30 November 2007)
• Microsoft on the hunt for 'serious' Windows flaw (26 November 2007)
• Crypto guru warns over random number backdoor (16 November 2007)
• Windows random number generator is so not random (13 November 2007)
• Crypto boffins break car cypher (24 August 2007)
• Interview Gone in 120 seconds: cracking Wi-Fi security (15 May 2007)
• The box that broke Enigma code is rebuilt (8 September 2006)
• How ATM fraud nearly brought down British banking (21 October 2005)
• SHA-1 compromised further (19 August 2005)