[ISN] Microsoft plugs Hotmail security hole

From: InfoSec News (isnat_private)
Date: Wed Aug 22 2001 - 02:59:09 PDT

  • Next message: InfoSec News: "[ISN] U.S., Aussie security centers sign pact"

    http://news.cnet.com/news/0-1003-200-6941020.html
    
    By Robert Lemos
    Special to CNET News.com 
    August 21, 2001, 12:50 p.m. PT 
    
    The day after Microsoft acknowledged a security hole in Hotmail, its
    popular free e-mail service, a representative for the software giant
    said it had fixed the problem.
    
    Details of the hole, which could have allowed any user the ability to
    read another user's e-mail, were originally publicized by hacker and
    security site Root-Core four days ago.
    
    Mark Wain, product manager for the Microsoft Network, acknowledged the
    problem Monday, but he downplayed the threat, calling it a
    "computational infeasibility." To exploit the flaw, a user would have
    had to know the target's username, the time the e-mail was received
    and a random two-digit number, he said.
    
    Most would-be attackers would know only the target's username and
    might be able to guess the time a particular message was received,
    making the technique hard to implement.
    
    "A malicious attacker would have to conduct thousands, if not tens of
    thousands, of attempts before they could hit on a valid message," Wain
    said.
    
    If would-be spies knew the minute in which the message was received,
    they would still have to try 6,000 numerical combinations. To scan all
    the messages received in an hour, it would take 360,000 combinations.
    
    An automated scanning tool, such as the one Root-Core posted on its
    site, could have made an attack easier, but it's uncertain whether
    Hotmail would allow the thousands of access attempts such a method
    would require. Now that Microsoft has closed the hole, the issue is
    essentially moot.
    
    However, the problem comes at a bad time for the company.
    
    Last week, Microsoft faced criticism in Washington, D.C., for its plan
    to use its Passport authentication system as a keystone of security
    for its next-generation consumer operating system, Windows XP.
    
    Passport collects and stores personal information as a way of
    identifying individual computer and Web users who want to log in to
    specific Web sites or use certain services. Some critics have charged
    that the system invades people's privacy, demanding an unreasonable
    amount of information. The information, they say, could pose security
    risks for people if it were shared or got out.
    
    At present, Passport is the method by which Microsoft authenticates
    Hotmail and MSN users when they log in. Obviously, a security flaw in
    Hotmail doesn't look good.
    
    On top of that, the flaw had an interesting side effect: It
    highlighted the fact that Microsoft's premier mail service still uses
    a non-Microsoft operating system.
    
    The security hole made use of the fact that each message is identified
    by a time stamp and a two-digit number. The time stamp uses the
    typical Unix format. Microsoft confirmed that Unix systems still make
    up a significant part of the Hotmail network.
    
    "Hotmail does utilize some Unix servers on the back end, and through
    time, we are looking to migrate the environment to Windows 2000," Wain
    said.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 05:07:04 PDT