| About InfoWorld : Advertise : Subscribe : Contact Us : Awards : Events : Store |
 |
||||
|
||||
 |
||||
 |
|
|||
 |
||||
|
|
|
||
|
|||||||||||||||||||||||||||||||||||||||||
 COLUMN
Microsoft times out MICROSOFT WAS forced to temporarily suspend an important financial service of its Passport Wallet program for several days after a programmer showed that he could obtain users' credit card numbers and other personal information merely by sending them a single e-mail message.
After notifying Microsoft, and being assured that the company was temporarily taking its Express Purchase system offline on Nov. 1, Slemko published a white paper on this and other severe security problems with Passport. That paper is available at http://alive.znep.com/~marcs/passport. I'm glad to see that a little guy can still wield some influence over the behavior of a software giant. The weakness in Passport that Slemko forced Microsoft to address was similar to, but different from, the major problem that I warned readers about a couple of months ago (see "Passport is cracked.") That problem, which still exists, is that Windows 95, 98, and Windows Me leave a user's ID and password visible in memory, where any rogue e-mail or Trojan horse can retrieve it during a user's dial-up connection to an ISP and for 10 minutes afterward. In Slemko's case, the 15-minute vulnerability was due to a cache on Microsoft's Passport Web server. Microsoft reduced the Passport server timeout and placed Express Purchase back online on Nov. 3. The company said in a statement that the vulnerability would not have affected users running the new Windows XP operating system. But Microsoft didn't wait until customers had XP before requiring millions of Hotmail subscribers to use Passport to log on. There are hundreds of millions of vulnerable PCs out there and Microsoft now requires that Passport be the only way to access an increasing number of services. In an e-mail interview, Slemko stressed that the specific hole he demonstrated isn't the point. "The issues I raised apply to the use of Passport in general, and become more and more important with every new site that uses Passport," he said. "Passport is lacking in features that are necessary to protect the security and privacy of users with the sites deployed using it today, let alone the even higher level required if Passport is to be deployed in the pervasive way that Microsoft envisions," Slemko added. "Some of the flaws I came across are such trivial implementation flaws that you have to question Microsoft's commitment." In other words, reducing a server timeout in no way solves the larger problem. There's more going on. I'd be interested to hear your findings, too. Brian Livingston's latest book is Windows Me Secrets. Send tips to tips@brianlivingston.com. Go to www.iwsubscribe.com/newsletters to get Window Manager and E-Business Secrets free each week via e-mail.  RELATED SUBJECTS  Business NewsMORE > SPONSORED WHITE PAPERS 
SPONSORED LINKS
|
|||||||||||||||||||||||||||||||||||||||||
|
||||||||||
|
||||||||||
