CVE-2001-0261

• BID:2243
• URL:http://www.securityfocus.com/bid/2243
• BUGTRAQ:20010119 BugTraq: EFS Win 2000 flaw
• URL:http://marc.info/?l=bugtraq&m=97992179925715&w=2
• BUGTRAQ:20010123 Reply to EFS note on Bugtraq
• URL:http://marc.info/?l=bugtraq&m=98027311214976&w=2
• XF:win2k-efs-recover-data(5973)
• URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/5973

 Bishop> Sounds like Microsoft just confirmed it!
 Christey> The description should make the point that the original files
   are in plaintext.
 LeBlanc> The preconditions needed to obtain the clear-text backup file
   are that the user must be able to read the raw disk. Only administrators
   or those with physical access can read the raw disk. An admin could
   alter the operating system such that anything a user did would be
   available, even EFS information (since the admin can cause processes to
   run as any user who is logged on currently). Thus even if this issue
   were not present, the same set of preconditions would lead to access to
   the same information. In the case of physical access, scrubbing the disk
   should be viewed only as raising the bar - information can be recovered
   even from overwritten sectors. Additionally, coverage of a file might
   not be complete - in the case where a file is truncated, then encrypted,
   there could be sectors with file information that the operating system
   would have no knowledge of at the time the encryption occurred, and
   there is no practical way to wipe these. Considering all the realities
   of the situation, the only real-world solution is to create files you'd
   like encrypted in a directory marked for encryption.
 CHANGE> [Baker changed vote from REVIEWING to ACCEPT]