Re: MSN messenger service

[root () RGFSPARC CR USGS GOV (Robert G. Ferrell)]

> I have noticed that when I check email from the MSN Messenger.
> MSN Messenger writes a temp file in C:\windows\temp\sfd4080.htm.
> The contents of that file are below. What I have found is that if that
> file is saved, you can use it as a redirect to hotmail without using a
> password. I wonder what a "while true" loop looking in c:\windows\temp\
> would be able to capture? Session seems to time out around 5 minutes.
> When that happens, the "creds" value changes but not the auth.

I haven't done any serious investigation of the mechanism of this, but I've
noticed that my MS Outlook 97 (8.02,4212) exhibits similar behavior (albeit in a
much smaller time frame).  If I log off and log right back on (< 3 or 4 secs), I
don't need to reenter my authentication information at all.

This doesn't seem like a particularly exploitable vulnerability, but it's worthy
of mention, anyway...

RGF

Robert G. Ferrell, CISSP
Information Systems Security Officer
National Business Center, US DoI
Robert_G_Ferrell () nbc gov
------------------------------------------------------------
Nothing I have ever said should be construed as even vaguely
representing an official statement by the NBC or DoI.
------------------------------------------------------------