Microsoft downplays BitLocker password leakage

Microsoft is downplaying the severity of a password leakage issue in BitLocker, the full disk encryption feature built into Windows Vista, insisting that a real world attack scenario is “very unlikely.”

According to an advisory from iViZ, the password checking routine of Microsoft Bitlocker fails to sanitize the BIOS keyboard buffer after reading passwords, resulting in plain text password leakage to unprivileged local users.

Technical details:

  • Bitlocker’s pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copies the keystrokes into a RAM structure called the BIOS keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0x40:0x1e.
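The buffer behaviour described above, as an added Python model that is not part of the original article or of BitLocker's own code: a simplified BIOS Data Area keyboard ring buffer with INT 09h (key press) and INT 16h (key read) semantics, a hypothetical pre-boot password prompt, and the fix the advisory implies (overwriting the buffer after use). The offsets are the standard BDA layout; the password value is constructed.

```python
# Model of the BIOS Data Area (BDA) keyboard ring buffer, segment 0x40:
# 0x1A = head pointer, 0x1C = tail pointer, 0x1E..0x3D = 16 two-byte slots
# (ASCII in the low byte, scan code in the high byte). The password prompt
# below is a hypothetical stand-in for a pre-boot authentication routine.
BDA_SIZE = 0x100
KB_HEAD, KB_TAIL = 0x1A, 0x1C
KB_START, KB_END = 0x1E, 0x3E      # slot range; pointers wrap from 0x3E to 0x1E

def new_bda() -> bytearray:
    """Fresh BDA with an empty keyboard buffer (head == tail)."""
    bda = bytearray(BDA_SIZE)
    bda[KB_HEAD:KB_HEAD + 2] = KB_START.to_bytes(2, "little")
    bda[KB_TAIL:KB_TAIL + 2] = KB_START.to_bytes(2, "little")
    return bda

def _ptr(bda, off): return int.from_bytes(bda[off:off + 2], "little")
def _set_ptr(bda, off, val): bda[off:off + 2] = val.to_bytes(2, "little")
def _advance(p): return KB_START if p + 2 >= KB_END else p + 2

def int09_keypress(bda, ascii_code, scan_code) -> bool:
    """INT 09h handler model: store a keystroke at the tail slot."""
    tail = _ptr(bda, KB_TAIL)
    nxt = _advance(tail)
    if nxt == _ptr(bda, KB_HEAD):      # ring full: 15 usable slots
        return False
    bda[tail], bda[tail + 1] = ascii_code, scan_code
    _set_ptr(bda, KB_TAIL, nxt)
    return True

def int16_read_key(bda):
    """INT 16h AH=00h model: consume the head slot. Only the pointer moves;
    the keystroke bytes stay in RAM, which is the leak the advisory describes."""
    head = _ptr(bda, KB_HEAD)
    if head == _ptr(bda, KB_TAIL):
        return None
    _set_ptr(bda, KB_HEAD, _advance(head))
    return bda[head]

def read_password(bda, flush: bool) -> str:
    """Read keys until Enter (0x0D); with flush=True, scrub the buffer after use."""
    chars = []
    while (c := int16_read_key(bda)) not in (None, 0x0D):
        chars.append(chr(c))
    if flush:                          # mitigation: zero every slot, not just pointers
        for off in range(KB_START, KB_END):
            bda[off] = 0
    return "".join(chars)

def residue(bda) -> str:
    """ASCII column of 0x40:0x1E..0x3D as seen by a later read of physical memory."""
    return bytes(bda[KB_START:KB_END:2]).decode("ascii").rstrip("\x00")
```

Running `read_password` twice on fresh buffers, once with `flush=False` and once with `flush=True`, shows the typed password surviving in `residue()` in the first case and an all-zero buffer in the second.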

Here’s the response from Microsoft’s Bill Sisk:

“We recognize that the claim detailed in the presentation by the researcher about BitLocker is correct… This theoretical attack is only possible in targeted situations, and while probable, [it’s] very unlikely.”

“Like all full volume encryption products BitLocker has a key-in memory when the system is running in order to encrypt/decrypt data, on the fly, for the drive/s in use. If a system is in ‘Sleep mode’ it is, in effect, still running.”

The security issue is reportedly fixed in Windows Vista Service Pack 1.

[Source: zdnet]