should be useful at least to French users of W2k-Xp-2k3...
You may enjoy (or regret) the explanation by Microsoft here:
In short, if you install W2k, XP or 2k3 in any language with the regional option "French-France", then you get a fixed "secret" key for your PStore (the "Protected Storage System"). Yes, that's it: you have the very same key as the French interior minister has.
PStore is where, for instance, Outlook Express stores the secret it uses to access your mail. Many other programs rely on the same kind of "secure" storage; it lives under:
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
NTFS file encryption (which should be avoided anyway, for other reasons) also stores its encryption key in PStore.
I find the explanation by Microsoft interesting to read, because:
- Other countries had restrictive laws on cryptography in 1999. Did those laws allow a working PStore then? Or do they not allow a patch now?
- French law allowed cryptography with short keys (about 40 bits) at the time, if memory serves. To my mind it would have been easy to truncate the key to 40 bits instead of zero bits.
- And with 40-bit keys, Microsoft could have disclosed the restriction. With zero-bit keys, the whole user interface gives the impression of a properly working PStore.
- French law changed in 1999 to allow 128 bits, and shortly afterwards any key length, without governmental approval.
W2k had SP1, SP2, SP3, SP4, R1 and about 70 patches before KB955417 was issued in 2008.
XP appeared 2 years after the 1999 law and had SP1, SP2 and SP3.
2k3 appeared 4 years after 1999 and had SP1 and SP2.
(As for NT4, Microsoft no longer issues any patches, so it is anyone's guess whether the unique secret key affected it or not.)
- KB955417 is not published as a security bulletin, but rather as a kind of "function improvement" covered by WGA... Still, my feeling is that the unique key does impact security.
So may I express the shadow of a doubt as to whether Microsoft had all the freedom it needed to fix this weakness quickly?
What KB955417 does, according to Microsoft, is recreate the account's PStore with a new, this time random, secret key and transfer the contents of the old PStore into it. This sounds good, and gives us every reason to apply KB955417 with confidence.
Another parry (which can probably be combined with KB955417) to consider would be, at least for new installations of W2k, XP or 2k3, to choose the "French-Switzerland" or "French-Canada" option (or any free country) when creating the administrator account and, later, any user account, and then to switch to "French-France" for normal use if that is of any advantage.
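As an added triage script (not from the original post, and not Microsoft's code), the following PowerShell combines the three facts above into one check per account: the user locale (French-France is LCID 0x040C), whether a PStore hive exists under the registry path named earlier, and whether KB955417 is recorded as installed. It assumes PowerShell 2.0 or later (so XP SP3 or 2003 SP2, not W2k), that the locale is read from HKCU\Control Panel\International\Locale, and that Get-HotFix reports the update with HotFixID "KB955417". The verdict is only a heuristic: the post says the key is chosen from the locale picked when the account was created, which may differ from the locale set now.

```powershell
# Added example, not code from the original post or from Microsoft.
# Flags an account that probably carries the fixed French-France PStore key:
# user locale is French-France (LCID 0x040C), a PStore hive exists for the
# account, and KB955417 is not listed as installed.
# Assumptions: PowerShell 2.0+; locale read from HKCU\Control Panel\International;
# Get-HotFix lists the update as "KB955417". Heuristic only, see lead-in.

$frFrLcid  = '040c'
$pstoreKey = 'HKCU:\Software\Microsoft\Protected Storage System Provider'

# 1. Locale currently configured for this user, stored as e.g. "0000040c".
$intl        = Get-ItemProperty -Path 'HKCU:\Control Panel\International' -ErrorAction Stop
$currentLcid = [string]$intl.Locale
$isFrFr      = $currentLcid.ToLower().EndsWith($frFrLcid)

# 2. Does this user have a PStore hive at all?
$hasPStore = Test-Path -Path $pstoreKey

# 3. Is KB955417 recorded as installed on this machine?
$fix    = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq 'KB955417' }
$hasFix = (@($fix).Count -gt 0)

# 4. Report the three facts and a verdict.
"User locale        : $currentLcid (French-France: $isFrFr)"
"PStore hive present: $hasPStore"
"KB955417 installed : $hasFix"

if ($isFrFr -and $hasPStore -and -not $hasFix) {
    Write-Warning 'This account probably uses the fixed PStore key: apply KB955417, or recreate the account under another locale.'
} elseif (-not $isFrFr -and $hasPStore -and -not $hasFix) {
    Write-Warning 'Locale is not French-France now, but check which locale the account was created with; KB955417 is still advisable.'
} else {
    'No indication of the fixed PStore key on this account.'
}
```

Run it once per user account (the PStore hive and the locale are both per-user, under HKEY_CURRENT_USER), not once per machine; only the KB955417 check is machine-wide.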
May I point out that, since any foreign governmental agency knows as much as the French do, such a weakness on nearly all computers in France may suit some French governmental agencies, but is not in the country's best interest?