|
|
|
|
| |
| DELL OEM XP Processional has a default hidden administrator account, with no password set. Use of this account will allow anyone with physical access to the computer to fully control the computer, add spyware, keystroke loggers, password stealing software and read all files, including temp files, local files, documents, and any email that has been stored locally. |
| |
Credit:
The information has been provided by Michael Scheidell.
|
| |
Vulnerable Systems:
* DELL Laptops with pre installed Microsoft Windows XP Professional SP2
Immune Systems:
* DELL Laptops with Retail Microsoft Windows XP professional, RTM, SP1 and SP2
A retail setup implementation of Microsoft Windows XP Professional Edition, "Out-of-Box Experience" (OOBE), requires that the installer be given the option to add an Administrator account. During the installation, the XP Installer states : "You must provide a name and an Administrator password for your computer. Setup creates a user account called Administrator. You use this account when you need full access to your computer." While setup will not require that a password actually be entered, it does stress that one SHOULD be entered. Additionally, the user is prompted to create a regular user account for general use.
In contrast, the DELL setup implementation of Microsoft Windows XP Professional Edition does not include such steps. The existence of an administrator account is never mentioned. Instead, the setup asks: "Who will use this computer? Type the name of each person who will use this computer. Windows will create a separate user account for each person so you can personalize the way you want Windows to organize and display information, protect your files and computer settings, and customize the desktop. These names will appear on the Welcome screen in alphabetical order. When you start Windows, simply click your name on the Welcome screen to begin. If you want to set passwords and limit permissions for each user, or add more user accounts after you finish setting up Windows, just click CONTROL PANEL in the START menu, and then click USER ACCOUNTS." By default, none of the accounts added in this step have passwords. Nor is their an option to set passwords during the install. While this is not unique to the IBM install, it is a known weakness in the Windows XP OOBE, including retail and OEM versions. Because the Administrator account was never requested, this leaves the system in a very vulnerable state.
CVE Information:
CAN-1999-0504
|
|
|
|
|
