Categories: News

first critical bug in the Windows 8

The first critical bug in the Windows 8 operating system has been discovered. Expected on Oct. 26th, Windows 8 – Microsoft’s most secure OS to date – already faces issues with the way it stores passwords for local accounts.

The flaw was discovered by the team at Passcape Software, a company that specializes in recovery of forgotten account passwords, while analyzing ways to recover login credentials without brute-forcing the accounts.

Windows 8 is the first operating system from Microsoft to support alternative non-biometric authentication mechanisms such as Picture Password and PIN. To enable either of these authentication mechanisms, the user has to create a regular account with a passphrase, then change the authentication mechanism to the desired one. Before changing it, though, Windows stores a backup copy of the password, encrypted with the AES algorithm, in a Vault storage at %SYSTEM_DIR%/config/systemprofile/AppData/Local/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28.

Windows 8 is the first operating system from Microsoft to support alternative non-biometric authentication mechanisms such as Picture Password and PIN. To enable either of these authentication mechanisms, the user has to create a regular account with a passphrase, then change the authentication mechanism to the desired one. Before changing it, though, Windows stores a backup copy of the password, encrypted with the AES algorithm, in a Vault storage at %SYSTEM_DIR%/config/systemprofile/AppData/Local/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28.

“Once the user has switched to a new authentication method, his text password is encrypted using the AES algorithm and saved to protected Vault storage in the folder %SYSTEM_DIR%/config/systemprofile/AppData/Local/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28,”  “The text password is not bound to the PIN or picture password; therefore, any user of the PC with the Administrator privileges can easily recover it (the encryption key is protected with system DPAPI).”

The good news is that this type of vulnerability can’t be exploited remotely. The bad news is that this Vault is available to all local users, allowing any user in a shared environment to iterate through the stored passwords, decrypt them and, why not, check to see if the victim hasn’t reused the password for social networking accounts, for instance.

techfeatured

Recent Posts

The Benefits of Partnering with an IT-Managed Service Provider for Your Business

Table of Contents Introduction to IT Managed Service Providers Why Outsource IT Management? Cost-Effective Solutions…

3 months ago

Choosing the Right Thresholds for Your Home: A Comprehensive Guide

Key Takeaways: The importance of selecting the correct thresholds for different areas in your home…

4 months ago

Innovative Railing Gate Solutions for Modern Homes

Key Takeaways: The variety of railing gate designs can significantly enhance the aesthetic appeal of…

4 months ago

How To Choose the Perfect Vehicle for Extended Commutes

For many, commuting is an unavoidable part of daily life. But when that commute extends…

5 months ago

The Future of Mobility: Innovations in Automotive Technology

When you're on the road, you want to feel safe, comfortable, and like you have…

6 months ago

Clean Air Starts at Home: Tips for Maintaining Indoor Air Quality

Key Takeaways: Understanding the significance of indoor air quality. Identifying common pollutants in your home.…

6 months ago