
Bugs plague not-so-secure Windows beta

Unlike last week's NSA key controversy, Microsoft admits that there is a problem with Windows 2000 Beta 3, but claims it's been fixed. Some security experts, however, aren't so sure.

Microsoft can't get a break with Windows security issues--or can it?

Another apparent security problem is dogging Microsoft, this time affecting Windows 2000 Beta 3.

Unlike last week's NSA key controversy, Microsoft willingly admits to the new problem and says that it has been corrected. Some security experts, however, aren't so sure.

The Windows 2000 weakness came to light when David Litchfield, a security expert with Arca Systems, gave instructions in an Internet posting for exploiting the operating system's automatic login feature.

The feature, introduced with Windows 2000 Beta 3, was designed to let a system load without the need for a password.

Microsoft claims the feature is activated on stand-alone machines, or PCs not connected to a network server. The installation would create a default account based on registration information and would assign it a blank password. The system would thereafter log in automatically at startup.

The feature can be disabled or the password changed, said Scott Culp, Microsoft's product manager for Windows security. Windows 2000 is also designed to delete the auto login account whenever a system is attached to a network server.

Microsoft changed the feature in one of the beta versions released soon after Beta 3 went out in April. It no longer activates by default and requires the user to set a password.

"This is not something we are recommending be used in a network setting, a corporate setting, or situations in offices where people come and go," said Culp. "Clearly this is something that has a very restrictive utility."

Microsoft may have corrected the problem, but Culp couldn't say how many of the estimated 650,000 beta testers are using the original Beta 3. Several PC manufacturers, among them Compaq, Dell, and IBM, also sell Windows 2000 Beta systems. It is unclear how they will deal with the security issue.

Litchfield, who could not be reached directly for comment, outlined in an Internet posting how the feature in the soon-to-be-replaced beta version could be compromised using a Telnet server. Telnet, a service for logging onto a system remotely across a corporate network or the Internet, can be activated without a user's knowledge, Litchfield warned.

He described how a simple command embedded in a Web page could be used to activate Telnet remotely and how a common network command would reveal the name of the person logged onto the computer. A malicious hacker could then silently log in as the default user and, without ever being prompted for a password, access the machine with full rights.
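The two conditions the article describes, automatic logon with a blank password and a Telnet server that can be switched on behind the user's back, are both things an administrator can audit and undo. The script below is an added example, not code from the article, from Litchfield, or from Microsoft. It assumes two things the article does not state: that the auto-logon switch is the standard set of Winlogon registry values (AutoAdminLogon, DefaultUserName, DefaultPassword), which is how Windows has implemented the feature since Windows 2000, and that the Telnet server runs as the "TlntSvr" service. It is written for a current Windows host with PowerShell, where the same Winlogon values still govern auto-logon, and must be run elevated.

```powershell
# Added example (not from the article or from Microsoft).
# Audits a host for the weak state described in the article:
#   1. automatic logon turned on, especially with no password, and
#   2. a Telnet server installed or running.
# Assumptions not stated on the page: auto-logon is controlled by the
# Winlogon registry values AutoAdminLogon / DefaultUserName / DefaultPassword,
# and the Telnet server is the "TlntSvr" service. Run elevated.

$WinlogonKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$TelnetService = 'TlntSvr'   # assumed service name

function Get-AutoLogonFinding {
    $p = Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue
    $enabled  = ($null -ne $p) -and ([string]$p.AutoAdminLogon -eq '1')
    $user     = if ($null -ne $p) { [string]$p.DefaultUserName } else { '' }
    $password = if ($null -ne $p) { [string]$p.DefaultPassword } else { '' }

    # Auto-logon with an empty DefaultPassword is exactly the beta's default;
    # a non-empty one is a clear-text password on disk, which is not much better.
    $severity = if (-not $enabled) { 'OK' }
                elseif ($password -eq '') { 'HIGH: auto-logon with blank password' }
                else { 'MEDIUM: auto-logon with clear-text DefaultPassword' }

    [pscustomobject]@{
        Check    = 'AutoLogon'
        Enabled  = $enabled
        User     = $user
        Severity = $severity
    }
}

function Get-TelnetFinding {
    $svc = Get-Service -Name $TelnetService -ErrorAction SilentlyContinue

    $severity = if ($null -eq $svc) { 'OK: Telnet server not installed' }
                elseif ($svc.Status -eq 'Running') { 'HIGH: Telnet server running' }
                elseif ($svc.StartType -ne 'Disabled') { 'MEDIUM: Telnet installed and can be started' }
                else { 'LOW: Telnet installed but disabled' }

    [pscustomobject]@{
        Check     = 'Telnet'
        Installed = ($null -ne $svc)
        Status    = if ($svc) { [string]$svc.Status } else { 'absent' }
        StartType = if ($svc) { [string]$svc.StartType } else { 'n/a' }
        Severity  = $severity
    }
}

function Disable-AutoLogon {
    # Turns auto-logon off and removes the stored password, which is the
    # remediation Culp describes (disable the feature or set a password).
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($WinlogonKey, 'Set AutoAdminLogon=0 and remove DefaultPassword')) {
        Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon -Value '0' -Type String
        Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword -ErrorAction SilentlyContinue
    }
}

function Disable-TelnetServer {
    # Stops the Telnet service and prevents it from being started again,
    # closing the path Litchfield described.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $svc = Get-Service -Name $TelnetService -ErrorAction SilentlyContinue
    if ($null -ne $svc -and $PSCmdlet.ShouldProcess($TelnetService, 'Stop and disable service')) {
        Stop-Service -Name $TelnetService -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $TelnetService -StartupType Disabled
    }
}

# Report first; the remediation calls are previewed with -WhatIf.
# Remove -WhatIf to apply the changes.
@(Get-AutoLogonFinding; Get-TelnetFinding) | Format-Table -AutoSize
Disable-AutoLogon   -WhatIf
Disable-TelnetServer -WhatIf
```

Two caveats a practitioner would want: the Winlogon values are the documented, plain-text form of auto-logon, so a host that reports `Enabled = False` here may still auto-logon through other means (for example a password stored as an LSA secret by a configuration tool), and the fixes above only cover the two conditions the article names. Treat the script as a quick check for the specific weak state described, not as a full hardening baseline.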

Microsoft argues that by changing the auto login feature the problem is fixed.

"One of the things you have to keep in mind here is we are talking about a feature in a beta version of an as yet unreleased product," said Culp. "One of the reasons we're doing a beta is to get feedback on things just like this."

Some potentially unwanted feedback is apparently coming in the form of a move away from Windows at one high-profile Web site.

According to a recent report from the U.S. Army News Service, the homepage of the U.S. Army is now being hosted on a Macintosh server because of security issues with Windows NT.

The switch was made after the arrest of a Wisconsin teen for breaking into the Windows NT server and altering the Army's Web page, the service reported.