Windows 2000 EFS Temporary File Retrieval Vulnerability

EFS is the encrypted file system package designed to secure sensitive information. It is included with the Windows 2000 Operating System, distributed and maintained by Microsoft Corporation.

A problem in the package could allow the recovery of sensitive data encrypted by the EFS. When the file is selected for encryption, and backup copy of the file is moved into the temporary directory using the file name efs0.tmp. The data from this file is taken and encrypted using EFS, with the backup file being deleted after the encryption process is performed. However, after the file is encrypted and the file is deleted, the blocks in the file system are never cleared, thus making it possible for a any user on the local host to access the data of the encrypted file, which falls outside of the constrains of access control imposed by the Operating System. This makes it possible for a malicious user to recover sensitive data encrypted by EFS.


Privacy Statement
Copyright 2010, SecurityFocus