Microsoft on Tuesday fixed a bug in its Windows Live ID registration that let users deceptively register a false e-mail address.
The false e-mail address could then be used as an ID for Microsoft's Live Messenger program, which could trick a user into thinking they are chatting with someone who is not whom they appear to be, such as steveballmer@microsoft.nl.
Erik Duindam, a Web developer in Leiderdorp, the Netherlands, reported the problem to Microsoft on Monday. Microsoft acknowledged it had fixed the bug but did not have further information on the flaw's impact.
It's unclear how long the flaw may have existed or how many accounts with deceptive instant messenger IDs could have been created. Duindam said a fake ID he created was still active on Tuesday morning.
If a user attempts to create a Windows Live ID, Microsoft sends a confirmation e-mail to the e-mail address entered by the user. Without confirmation, Microsoft includes a warning with future messages sent by instant message, which appear as: fake@emailaddress (E-mail Address Not Verified).
However, accounts created over the weekend with fake e-mail addresses were still active as of Tuesday and carried no such warning.
"It's heaven for scammers," Duindam said via instant message on Tuesday.
An attacker could use the flaw as part of a social-engineering ploy, where users are tricked into doing something that puts their machine at risk. For example, victims could receive an instant message from someone who appears to have their boss's e-mail address.
At that point, victims could be tricked into thinking they are communicating with their boss. The hacker could then send a link to a malicious Word document, for example, that could install a keystroke logging program on a machine.
"In one swoop, you can become the boss, or human resources or accounts," wrote Chris Boyd, senior research manager with FaceTime Communications, via instant message.
Boyd said if the original spoofed accounts are still active, Microsoft should try to shut them down as soon as possible. But it could be difficult, especially if Microsoft was not aware of the flaw and can't track the spoofed accounts.
Get the independent advice and expertise you need to support a virtual workforce.
The increase in Linux popularity has increased the frequency and sophistication of malware attacks. Read this 2 page white paper now to learn how you can protect your Linux environment with real-time protection that is certified by all major Linux vendors.
Download now »
Ensuring acceptable application delivery will become even more difficult over the next few years. As a result, IT organizations need to ensure that the approach that they take to resolving the current application delivery challenges can scale to support the emerging challenges. This handbook elaborates on the key tasks associated with planning, optimization, management and control and provides decision criteria to help IT organizations choose appropriate solutions.
Download now »
A common misconception is that mid-range storage requirements are dramatically different than that of a larger enterprise. Mid-range storage users may require less capacity, but they have similar functionality and management requirements. This ESG paper examines mid-range storage needs and reviews a new solution that adjusts size while retaining value, performance and functionality.
Download now »
Sign up to receive Security Resource Alerts
This white paper provides guidance on how to develop a strategic approach to managing and monitoring logs, a key function required for compliance with many regulatory mandates and a critical defense against security threats.
Download now! »
Learn about the processes and technologies that support security information management (SIM) operations, as well as the business case for SIM. The series examines different options for implementing SIM and gives you evaluation criteria for selecting the best option for your organization.
Download now! »
Learn the strategies, actions, and capabilities that Best-in-Class organizations employ and technologies they choose to obtain superior performance against various security performance metrics. This report provides guidelines for identifying which security solutions to consume as a MSS and defines best practices for choosing and managing MSSPs.
Download now! »
3 Recommendations
