Dr. Benny Pinkas from the Department of Computer Science at the University of Haifa has expressed his concern on a possible vulnerability in relation to the Windows 2000 random number generator. He said that hackers may exploit CryptGenRandom to reach sensitive personal information including banking details, email passwords and others.
Mark Miller, Microsoft's director for security response communications, however, has dismissed the claims. “Information is not disclosed inappropriately to unauthorised users on any supported Windows systems. In all cases discussed in the claim, information is visible only to the users themselves or to another user logged on to the local system with administrator credentials. Because administrators by design can access all files and resources on a system, this does not represent inappropriate disclosure of information,” Miller said.
Microsoft encourages users to run accounts with limited privileges and also to limit the number of accounts with administrative rights. Even though, according to the company, the flaw does not exist, they are still working on CryptGenRandom to improve capabilities.