Windows guru Brian Livingston reports that inserting a Windows 2000 CD into an XP system allows one to bypass all password protection and manipulate any part of the machine at will. “Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows 2000 Recovery Console,” says Livingston. The intruder has Administrator privileges even if he or she does not provide a password, and can also assume the identity of any other user of the machine.
“I notified four Microsoft executives of the XP flaw weeks ago, but haven’t yet received an official response,” writes Livingston. “There’s no Knowledge Base article about it, and there may not even be a good solution to the problem.”
While one does need physical access to the machine to exploit the flaw, this will be little comfort to the administrators of academic computer laboratories and other facilities where users can easily pop a CD-ROM into a computer.