Re: Insufficient Authentication vulnerability in Acer notebooks

[Susan Bradley <sbradcpa@xxxxxxxxxxx>]

Microsoft agrees with you which is why they disable the admin account by 
default in Vista.

MustLive wrote:
> Hello!
>
> Just came to securityfocus.com and found that there are some answers 
> on my post about Insufficient Authentication vulnerability in Acer 
> notebooks.
>
> > Is not that a simple design decission? (truly brain-dead, but a 
> > conscious decission).
>
> David, it's very bad design decision. As for Microsoft (if we will be 
> claiming that it's hole in Windows XP), as for Acer (because they use 
> their own program for first OS initialization process, so it's 
> definitely vulnerability in Acer).
>
> And also for Asus - recently I wrote to bugtraq about similar 
> vulnerability in Asus notebook.
>
> > That is I standard issue with Windows XP.
>
> Dave, this is not standard issue for all versions Windows XP. It can 
> be only issue of XP Home Edition (because I found such cases only in 
> XP HE), but I'm investigating it now to be completely sure in it.
>
> In all Windows XP (in all versions with which I worked from 2001), 
> after installation the default Administrator account's password was 
> always set equal to first admin's password.
>
> I used a lot of different Windows XP (XP Professional and also XP Home 
> on my
> two notebooks). And in all versions from original (Gold) to SP1 and SP2
> (didn't work with XP's installations with SP3) it was the same behavior
> (except these two notebooks with XP Home). So normal behavior for 
> Windows XP
> is to set default admin's password equal to first admin's password.
>
> > With any installation of it you have to boot in safe mode and 
> > manually set a password on the hidden admin account.
>
> In XP Professional default admin account is not hidden, only in XP 
> Home Edition. And default admin password can be changed not only in 
> safe mode, but in normal mode from any admin account (in both XP 
> Professional and XP HE). Particularly it can be done in command prompt 
> with "net" command.
>
> > Try the "net user password ..." command (from the CMD prompt). 
> > That'll save you from having to do it in safe mode.
>
> Garrett, you mean the next command:
>
> net user Administrator password
>
> ;-)
>
> If in XP Professional you can use GUI or command prompt to change 
> default admin's password, then in XP HE you can only use command 
> prompt (due to Windows XP HE limitations).
>
> P.S.
>
> People, I'm not subscribed to bugtraq, so if you want to answer me, 
> than write directly to my email.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua