Microsoft plugs Hotmail security hole

[InfoSec News <isn () c4i org>]

http://news.cnet.com/news/0-1003-200-6941020.html

By Robert Lemos
Special to CNET News.com 
August 21, 2001, 12:50 p.m. PT 

The day after Microsoft acknowledged a security hole in Hotmail, its
popular free e-mail service, a representative for the software giant
said it had fixed the problem.

Details of the hole, which could have allowed any user the ability to
read another user's e-mail, were originally publicized by hacker and
security site Root-Core four days ago.

Mark Wain, product manager for the Microsoft Network, acknowledged the
problem Monday, but he downplayed the threat, calling it a
"computational infeasibility." To exploit the flaw, a user would have
had to know the target's username, the time the e-mail was received
and a random two-digit number, he said.

Most would-be attackers would know only the target's username and
might be able to guess the time a particular message was received,
making the technique hard to implement.

"A malicious attacker would have to conduct thousands, if not tens of
thousands, of attempts before they could hit on a valid message," Wain
said.

If would-be spies knew the minute in which the message was received,
they would still have to try 6,000 numerical combinations. To scan all
the messages received in an hour, it would take 360,000 combinations.

An automated scanning tool, such as the one Root-Core posted on its
site, could have made an attack easier, but it's uncertain whether
Hotmail would allow the thousands of access attempts such a method
would require. Now that Microsoft has closed the hole, the issue is
essentially moot.

However, the problem comes at a bad time for the company.

Last week, Microsoft faced criticism in Washington, D.C., for its plan
to use its Passport authentication system as a keystone of security
for its next-generation consumer operating system, Windows XP.

Passport collects and stores personal information as a way of
identifying individual computer and Web users who want to log in to
specific Web sites or use certain services. Some critics have charged
that the system invades people's privacy, demanding an unreasonable
amount of information. The information, they say, could pose security
risks for people if it were shared or got out.

At present, Passport is the method by which Microsoft authenticates
Hotmail and MSN users when they log in. Obviously, a security flaw in
Hotmail doesn't look good.

On top of that, the flaw had an interesting side effect: It
highlighted the fact that Microsoft's premier mail service still uses
a non-Microsoft operating system.

The security hole made use of the fact that each message is identified
by a time stamp and a two-digit number. The time stamp uses the
typical Unix format. Microsoft confirmed that Unix systems still make
up a significant part of the Hotmail network.

"Hotmail does utilize some Unix servers on the back end, and through
time, we are looking to migrate the environment to Windows 2000," Wain
said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.