Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
[ISN] Microsoft patches another Passport hole
From: InfoSec News (isnc4i.org)
Date: Wed Jul 02 2003 - 04:51:49 CDT
July 1, 2003
Washington - Microsoft Corp. said Tuesday it has fixed another
security flaw in its popular Internet Passport service, which could
have allowed hackers to hijack some older accounts.
Microsoft senior manager Jeff Jones said he believes no Passport
accounts were stolen. Mr. Jones declined to say how many people were
at risk but said the flaw affected only a small number of users who
had created their accounts more than four years ago. As part of its
repair efforts late Monday, Microsoft briefly prevented some Passport
users from manually changing their passwords.
Passport, which offers consumers a convenient method for identifying
themselves across different Web sites, also controls access for
Windows users to the Hotmail e-mail service and instant-messaging
"To the best of our knowledge, no one exploited this," Mr. Jones said.
Microsoft said it learned about the vulnerability after a
self-described security consultant published details to an Internet
discussion list, a practice that has increasingly frustrated
executives who prefer researchers to quietly work with software
vendors to resolve such problems before announcing them publicly.
The consultant, who identified himself as Victor Manuel Alvarez Castro
of Mexico, wrote that he tried unsuccessfully to contact Microsoft
"several times" by e-mail.
It was the second admission by Microsoft of a serious vulnerability in
Passport since last summer's settlement with the U.S. Federal Trade
Commission, which had accused Microsoft of deceptive claims about
Passport's security. In response, the company pledged to take
reasonable safeguards to protect those accounts and submit to audits
every two years for the next 20 years or risk fines up to $11,000
(U.S.) for each violation.
In May, a Pakistani computer researcher determined by typing a
specific Web address that included the phrase "emailpwdreset," he
could seize any Passport account. The FTC still has not determined
what sanctions and fines, if any, to assess against Microsoft in that
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoattrition.org with 'unsubscribe isn'
in the BODY of the mail.