Information Security News mailing list archives

Microsoft patches another Passport hole


From: InfoSec News <isn () c4i org>
Date: Wed, 2 Jul 2003 04:51:49 -0500 (CDT)

http://www.globeandmail.com/servlet/story/RTGAM.20030701.wmike71/BNStory/Technology/

Associated Press
July 1, 2003

Washington - Microsoft Corp. said Tuesday it has fixed another
security flaw in its popular Internet Passport service, which could
have allowed hackers to hijack some older accounts.

Microsoft senior manager Jeff Jones said he believes no Passport
accounts were stolen. Mr. Jones declined to say how many people were
at risk but said the flaw affected only a small number of users who
had created their accounts more than four years ago. As part of its
repair efforts late Monday, Microsoft briefly prevented some Passport
users from manually changing their passwords.

Passport, which offers consumers a convenient method for identifying
themselves across different Web sites, also controls access for
Windows users to the Hotmail e-mail service and instant-messaging
accounts.

"To the best of our knowledge, no one exploited this," Mr. Jones said.

Microsoft said it learned about the vulnerability after a
self-described security consultant published details to an Internet
discussion list, a practice that has increasingly frustrated
executives who prefer researchers to quietly work with software
vendors to resolve such problems before announcing them publicly.

The consultant, who identified himself as Victor Manuel Alvarez Castro
of Mexico, wrote that he tried unsuccessfully to contact Microsoft
"several times" by e-mail.

It was the second admission by Microsoft of a serious vulnerability in
Passport since last summer's settlement with the U.S. Federal Trade
Commission, which had accused Microsoft of deceptive claims about
Passport's security. In response, the company pledged to take
reasonable safeguards to protect those accounts and submit to audits
every two years for the next 20 years or risk fines up to $11,000
(U.S.) for each violation.

In May, a Pakistani computer researcher determined that, by typing a
specific Web address that included the phrase "emailpwdreset," he
could seize any Passport account. The FTC still has not determined
what sanctions and fines, if any, to assess against Microsoft in that
incident.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

