[ISN] Microsoft patches another Passport hole

From: InfoSec News (isnat_private)
Date: Wed Jul 02 2003 - 02:51:49 PDT


    http://www.globeandmail.com/servlet/story/RTGAM.20030701.wmike71/BNStory/Technology/
    
    Associated Press 
    July 1, 2003  
    
    Washington - Microsoft Corp. said Tuesday it has fixed another
    security flaw in its popular Internet Passport service, which could
    have allowed hackers to hijack some older accounts.
    
    Microsoft senior manager Jeff Jones said he believes no Passport
    accounts were stolen. Mr. Jones declined to say how many people were
    at risk but said the flaw affected only a small number of users who
    had created their accounts more than four years ago. As part of its
    repair efforts late Monday, Microsoft briefly prevented some Passport
    users from manually changing their passwords.
    
    Passport, which offers consumers a convenient method for identifying
    themselves across different Web sites, also controls access for
    Windows users to the Hotmail e-mail service and instant-messaging
    accounts.
    
    "To the best of our knowledge, no one exploited this," Mr. Jones said.
    
    Microsoft said it learned about the vulnerability after a
    self-described security consultant published details to an Internet
    discussion list, a practice that has increasingly frustrated
    executives who prefer researchers to quietly work with software
    vendors to resolve such problems before announcing them publicly.
    
    The consultant, who identified himself as Victor Manuel Alvarez Castro
    of Mexico, wrote that he tried unsuccessfully to contact Microsoft
    "several times" by e-mail.
    
    It was the second admission by Microsoft of a serious vulnerability in
    Passport since last summer's settlement with the U.S. Federal Trade
    Commission, which had accused Microsoft of deceptive claims about
    Passport's security. In response, the company pledged to take
    reasonable safeguards to protect those accounts and submit to audits
    every two years for the next 20 years or risk fines up to $11,000
    (U.S.) for each violation.
    
    In May, a Pakistani computer researcher determined that, by typing a
    specific Web address that included the phrase "emailpwdreset," he
    could seize any Passport account. The FTC still has not determined
    what sanctions and fines, if any, to assess against Microsoft in that
    incident.
    