September 2nd, 2008

Microsoft downplays BitLocker password leakage

Posted by Ryan Naraine @ 8:04 am

Categories: Botnets, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Locally Running Web Servers, Microsoft, Passwords, Patch Watch, Pen testing, Research, Vulnerability research, Windows Vista

Tags: Password, Microsoft Corp., BitLocker, BIOS, Hardware, Components, Ryan Naraine

Microsoft is downplaying the severity of a password leakage issue in BitLocker, the full disk encryption feature built into Windows Vista, insisting that a real-world attack scenario is “very unlikely.”

According to an advisory from iViZ, the password-checking routine of Microsoft BitLocker fails to sanitize the BIOS keyboard buffer after reading passwords, resulting in plain text password leakage to unprivileged local users.

Technical details:

  • BitLocker’s pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copies the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0x40:0x1e.
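
An added example, not code from the iViZ advisory or from Microsoft: a C simulation of the keyboard ring buffer described above, showing that consuming a keystroke only advances the head pointer and leaves the bytes in place, and that zeroing the 32-byte buffer after the prompt removes them. The head and tail offsets 0x1A and 0x1C are the standard BIOS Data Area layout rather than something the advisory states; the `prompt` function, the zeroed scan codes and the sample password are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated BIOS Data Area (segment 0x40); nothing here touches real memory. */
#define KB_HEAD  0x1A  /* 0x40:0x1A: offset of the next entry to read */
#define KB_TAIL  0x1C  /* 0x40:0x1C: offset of the next free slot */
#define KB_START 0x1E  /* 0x40:0x1E: 16 slots of ASCII byte + scan-code byte */
#define KB_END   0x3E
static uint8_t bda[0x100];
static uint16_t rd16(int o) { return (uint16_t)(bda[o] | (bda[o + 1] << 8)); }
static void wr16(int o, uint16_t v) { bda[o] = (uint8_t)v; bda[o + 1] = (uint8_t)(v >> 8); }
static uint16_t kb_next(uint16_t o) { o += 2; return o >= KB_END ? KB_START : o; }
static void kb_reset(void) { wr16(KB_HEAD, KB_START); wr16(KB_TAIL, KB_START); }
/* Keyboard interrupt side: queue one keystroke at the tail. */
static void kb_push(char ascii, uint8_t scan) {
    uint16_t t = rd16(KB_TAIL);
    bda[t] = (uint8_t)ascii; bda[t + 1] = scan;
    wr16(KB_TAIL, kb_next(t));
}
/* Reader side: return the entry at head and advance head. The slot keeps its bytes. */
static int kb_read(void) {
    uint16_t h = rd16(KB_HEAD);
    if (h == rd16(KB_TAIL)) return -1;  /* queue is logically empty */
    wr16(KB_HEAD, kb_next(h));
    return bda[h];
}
/* Number of slots that still hold a non-zero ASCII byte. */
static int kb_residue(void) {
    int n = 0;
    for (int o = KB_START; o < KB_END; o += 2) n += bda[o] != 0;
    return n;
}
/* Mitigation: zero all 32 bytes and reset both pointers once input is consumed. */
static void kb_sanitize(void) { memset(bda + KB_START, 0, KB_END - KB_START); kb_reset(); }
/* Hypothetical pre-boot prompt: consumes each key as typed, returns the residue count. */
static int prompt(const char *typed, char *out, int sanitize) {
    int n = 0;
    memset(bda, 0, sizeof bda); kb_reset();
    for (; *typed; typed++) { kb_push(*typed, 0); out[n++] = (char)kb_read(); }  /* scan code omitted */
    out[n] = '\0';
    if (sanitize) kb_sanitize();
    return kb_residue();
}
int main(void) {
    char pw[32];
    printf("residue: %d unwiped, %d wiped\n", prompt("example-pw", pw, 0), prompt("example-pw", pw, 1));
    return 0;
}
```

Because the buffer is a 16-slot ring, an unwiped prompt leaves at most the last 16 typed characters behind, in slot order rather than typing order once the input wraps.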

Here’s the response from Microsoft’s Bill Sisk:

“We recognize that the claim detailed in the presentation by the researcher about BitLocker is correct…This theoretical attack is only possible in targeted situations, and while probable, [it's] very unlikely.”

“Like all full volume encryption products BitLocker has a key-in memory when the system is running in order to encrypt/decrypt data, on the fly, for the drive/s in use. If a system is in ‘Sleep mode’ it is, in effect, still running.”

The security issue is reportedly fixed in Windows Vista Service Pack 1.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

