Windows 2000 EFS Temporary File Retrieval Vulnerability
by Phiber on January 22nd, 2001 A problem in the package could allow the recovery of sensitive data encrypted by the EFS. When the file is selected for encryption, and backup copy of the file is moved into the temporary directory using the file name efs0.tmp.....
The data from this file is taken and encrypted using EFS, with the backup file being deleted after the encryption process is performed. However, after the file is encrypted and the file is deleted, the blocks in the file system are never cleared, thus making it possible for a any user on the local host to access the data of the encrypted file, which falls outside of the constrains of access control imposed by the Operating System. This makes it possible for a malicious user to recover sensitive data encrypted by EFS.