Noted Windows analyst Brian Livingston reports that inserting a Windows 2000 CD into an XP system gives complete admin access to that system, even without a password.
Windows guru Brian Livingston reports
that inserting a
Windows 2000 CD into an XP system allows one to bypass all password
protection and manipulate any part of the machine at will. "Anyone with a
Windows 2000 CD can boot up a Windows XP box and start the Windows 2000
Recovery Console," says Livingston. The intruder has Administrator
privileges even if he or she does not provide a password, and can also
assume the identity of any other user of the machine.
"I notified four Microsoft executives of the XP flaw weeks ago, but
havent yet received an official response," writes Livingston. "Theres
no Knowledge Base article about it, and there may not even be a good
solution to the problem."
While one does need physical access to the machine to exploit the flaw,
this will be little comfort to the administrators of academic computer
laboratories and other facilities where users can easily pop a CD-ROM
into a computer.