Full Disclosure mailing list archives

Windows XP Home LSA secrets stores XP loginpassphrase in plain text


From: Markus Jansson <seemyhomepage () katsokotisivuilta ni>
Date: Fri, 05 May 2006 23:59:01 +0300

Johd Doe said:
>Markus, if a villain has physical access to
>your computer you have bigger issues than this.

You obviously didn't bother to read these parts of my message:
- "You can, for example, decrypt all EFS encrypted files"
- "You can, for example, try that same password in all kinds of places where that user is logging in (since chances are he's using the same password or variations of it elsewhere)."
You can NOT do these if you just get physical access to the computer (without this bug), since EFS remains secure and your password unknown to the attacker.

Especially focus on the following that I said:
- "..The next time users sign in to the computer, their passwords etc. can be recorded and abused by the villain. However, notice the words "next time users sign in"! If someone steals the computer, that doesn't happen. If someone leaves hints that the system is tampered with, that doesn't happen."

--
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

