VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

Subject:
From: Chris McMillan <[log in to unmask]>
Reply To: Chris McMillan <[log in to unmask]>
Date: Wed, 22 Aug 2001 11:20:10 -0500
Hotmail Flaw Raises Questions Over XP Security

August 21st, 2001, 2:53 AM ET

By: David Worthington, BetaNews

Story URL: http://www.betanews.com/article.php3?sid=998376822

UPDATED As Microsoft CEO Steve Ballmer touted Windows XP's rapid
progression toward manufacturing, news reports began to surface
indicating that a proof of concept "hack" had compromised the integrity
of the company's Hotmail e-mail services. Throughout its lifespan,
Hotmail has been plagued by outages and occasionally some highly
embarrassing security oversights. Now that integral components of
Windows are tightly integrated with Microsoft's Passport authentication
system and Web based services, even seemingly minor incidents are
examined under the lens of a microscope.

Late Sunday night, Root Core, a group of computer security experts,
published information exposing vulnerabilities in Microsoft's popular
service. While it is not known how many e-mail accounts were accessed,
the methods employed in order to successfully follow the exploit
prohibit widespread abuse. The hack requires specific knowledge of a
target's username as well as a Message ID -- comprised of a string of
10-11 unique digits.

In order to be successful, a hacker would need to know the exact time a
particular message was sent down to the second. UK based technology news
site, The Register, reported that a "brute force" application authored
by Root Core was itself cumbersome and time consuming. It also requires
a high bandwidth Internet connection.

In an e-mail statement sent to BetaNews written by MSN Product Manager
Mark Wain, the company downplayed the potential for mischief. Wain
wrote, "These conditions make it extremely difficult for anyone but the
user themselves to exploit this 'proof of concept' code which the poster
has given us. A malicious attacker would have to conduct thousands if
not tens of thousands of attempts before they could hit on a valid
message ID, and even that would only give them a portion of the
information they would need to fully exploit this issue."

He went on to criticize Root Core for failing to notify the company of
its findings prior to releasing information that could be detrimental to
users. Despite the difficult nature of the hack, Wain conceded that even
insignificant security flaws were matters of some importance, saying,
"we recognize the concerns raised in the computational infeasibility of
this mechanism and are investigating ways that we can raise this bar
even higher." On its Web site, Root Core claims to have alerted
Microsoft.

Whitehat security expert Jeremiah Grossman, formerly a member of Yahoo's
security auditing team, told BetaNews that the scope of the Root Core
exploit is greater than most reports have indicated. In cases where user
accounts are configured to email lost or forgotten passwords back to
Hotmail, this attack can be used to retrieve that information. The
security hole has since been fixed.

A Troubled Past

Hotmail has suffered from outages that have interrupted the service for
periods as long as several days. Several highly publicized security
breaches have also led experts to recommend that users should not assume
that e-mail services based on public Web servers are secure. To counter
those claims, Microsoft has continually attempted to improve its
security having requested independent experts to audit Hotmail on one
occasion.

Passport, the service's sign-in system, will be protected by VeriSign
technology in cases where additional security measures are required.
However, security experts still have their sights aimed at Passport,
placing it under heavy fire. eWEEK reports that a flaw in the technology
can place personal information in the hands of malicious individuals who
simply have to obtain a cookie from a target system, thereby easily
gaining access.

As first reported by BetaNews, AOL is also in the process of phasing in
its own authentication system dubbed Magic Carpet. The use of Web-based
services is set to become more commonplace as companies roll out their
answers to .NET enabled applications. Redmond competitor Sun
Microsystems has spent several years perfecting Jini, its answer to
Microsoft's .NET solution.

Russian Roulette or The Next Logical Step

Microsoft has deployed .NET-based technology into Windows XP, merging
its desktop software with its own online services. This has proven to be
a point of contention with competitors and US Government antitrust
officials alike. New York Senator Charles Schumer has recently asked that
Windows XP be reviewed, and has threatened to block its release.

Microsoft maintains that .NET is the future of software development, and
insists that Windows must evolve alongside cutting-edge Internet
technologies such as XML. It also maintains that it must build features
into Windows that appeal to the demands of its customers.

According to Microsoft Chief Software Architect Bill Gates, "The
transition to .NET is as dramatic a transition as the move from MS-DOS
to Windows."

Despite concerns over the inherent risks involved with trusting
sensitive information to shared servers, the incorporation of the .NET
framework into Microsoft products continues to move ahead as planned.


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html