Re: Insufficient Authentication vulnerability in Acer notebooks

[Susan Bradley <sbradcpa@xxxxxxxxxxx>]

Windows 7 is soon to be released.  Translation that means no one is 
investing any resources into an operating system that is just hanging 
around long enough for the RTM of Windows 7 to be installed on 
netbooks.  Every version of XP professional that I've touched in the 
last three years on HP machines did prompt you for a password.  Again, 
this is not a vulnerability of the operating system but an 
implementation issue that has been around since 2004.

Configuring Windows 7 for a Limited User Account:
http://unixwiz.net/techtips/win7-limited-user.html


MustLive wrote:
> Hello Susan!
>
> If Microsoft did it, than it's good. But better for my opinion to do 
> such as
> in Windows XP Professional - not to disable admin account by default, 
> but to
> make password of default admin account similar to password of first admin
> (during installation process). Because if default admin account will be
> enabled later (with empty password) and will forget to set new password,
> than it'll be much worse.
>
> I'm not using Vista, so I can't check this issue on any of my 
> computers. And
> I want to check it by myself - is there such issue on Vista or not. 
> For this
> I'm planning to check one notebook of my friend (with Vista). But for 
> more
> than two weeks I couldn't meet with him and take his notebook. I quickly
> checked two Asus notebook of my friends (as I wrote already to 
> bugtraq), but
> there is some delay with this Acer notebook with Vista. If in near 
> time I'll
> not be able to meet with my friend to take his notebook (because he is
> busy), then I'll try to check this situation on one Samsung notebook of
> another friend of mine (and better to check both these notebooks).
>
> There are many versions of Vista, so there can be such situation with
> different versions of Vista as with XP, where XP Home and XP Professional
> have different situations with default admin accounts. Which leads to
> vulnerability in XP Home. So I'm planning to investigate different 
> versions
> of Windows Vista to be sure.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message ----- From: "Susan Bradley" <sbradcpa@xxxxxxxxxxx>
> To: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
> Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
> Sent: Wednesday, May 20, 2009 3:42 AM
> Subject: Re: Insufficient Authentication vulnerability in Acer notebooks
>
>
> > Microsoft agrees with you which is why they disable the admin account by
> > default in Vista.
> >
> > MustLive wrote:
> > > Hello!
> > >
> > > Just came to securityfocus.com and found that there are some answers on
> > > my post about Insufficient Authentication vulnerability in Acer
> > > notebooks.
> > >
> > > > Is not that a simple design decission? (truly brain-dead, but a
> > > > conscious decission).
> > >
> > > David, it's very bad design decision. As for Microsoft (if we will be
> > > claiming that it's hole in Windows XP), as for Acer (because they use
> > > their own program for first OS initialization process, so it's 
> > > definitely
> > > vulnerability in Acer).
> > >
> > > And also for Asus - recently I wrote to bugtraq about similar
> > > vulnerability in Asus notebook.
> > >
> > > > That is I standard issue with Windows XP.
> > >
> > > Dave, this is not standard issue for all versions Windows XP. It can be
> > > only issue of XP Home Edition (because I found such cases only in XP 
> > > HE),
> > > but I'm investigating it now to be completely sure in it.
> > >
> > > In all Windows XP (in all versions with which I worked from 2001), 
> > > after
> > > installation the default Administrator account's password was always 
> > > set
> > > equal to first admin's password.
> > >
> > > I used a lot of different Windows XP (XP Professional and also XP 
> > > Home on
> > > my
> > > two notebooks). And in all versions from original (Gold) to SP1 and SP2
> > > (didn't work with XP's installations with SP3) it was the same behavior
> > > (except these two notebooks with XP Home). So normal behavior for 
> > > Windows
> > > XP
> > > is to set default admin's password equal to first admin's password.
> > >
> > > > With any installation of it you have to boot in safe mode and manually
> > > > set a password on the hidden admin account.
> > >
> > > In XP Professional default admin account is not hidden, only in XP Home
> > > Edition. And default admin password can be changed not only in safe 
> > > mode,
> > > but in normal mode from any admin account (in both XP Professional 
> > > and XP
> > > HE). Particularly it can be done in command prompt with "net" command.
> > >
> > > > Try the "net user password ..." command (from the CMD prompt). That'll
> > > > save you from having to do it in safe mode.
> > >
> > > Garrett, you mean the next command:
> > >
> > > net user Administrator password
> > >
> > > ;-)
> > >
> > > If in XP Professional you can use GUI or command prompt to change 
> > > default
> > > admin's password, then in XP HE you can only use command prompt (due to
> > > Windows XP HE limitations).
> > >
> > > P.S.
> > >
> > > People, I'm not subscribed to bugtraq, so if you want to answer me, 
> > > than
> > > write directly to my email.
> > >
> > > Best wishes & regards,
> > > MustLive
> > > Administrator of Websecurity web site
> > > http://websecurity.com.ua