Security Vulnerability in Microsoft .NET Passport
Stuart Moore writes "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. The simple flaw allows an attacker to change any person's password to an arbitrary value. The attacker can then gain access to the victim's accounts, as well as to the victim's personal information (if any is stored with Passport). Muhammad Faisal Rauf Danka posted a note to the Full-Disclosure security e-mail list after multiple unsuccessful attempts to contact Microsoft." There's a news report as well.
Nice going, MS. (Score:5, Interesting)
Jokes aside... (Score:5, Interesting)
What do people expect? (Score:4, Interesting)
The problem with Microsoft (and the majority of other IT firms) is that there is no PROACTIVE auditing. I think that every company should conduct OpenBSD-style code audits before they release software. This would cut down dramatically on the number of incidents like this.
How do you contact Microsoft? (Score:5, Interesting)
Microsoft make an interesting interpretation of RFCs by accepting all mail to postmaster@ but only insofar as to send an automatic response saying your message will not be read.
This guy also says he tried to email them ten times and never got further than automagic autoreplies. Do they actually have a procedure to inform them when things are broken?
Re:FUD (Score:1, Interesting)
Re:404 error (Score:1, Interesting)
--Begin Page Source--
404 not found
--End Page Source--
That's right, not even a "real" 404, just a text file claiming to be a 404.
Re:FUD (Score:0, Interesting)
1) a security vulnerability is found.
2) a change is made.
3) the security vulnerability is no longer present.
So what if it's a temporary fix put in place while a better one is produced? It's still a fix, and the headline stating that there IS a vulnerability in Passport is still wrong: there WAS a vulnerability, but it has been fixed. Pure michael FUD.
If this chain of events is followed, we say "the security vulnerability has been fixed".
Re: Procedure to inform them it's broken. (Score:5, Interesting)
In the event a user discovers an exploit, inform user to reboot machine and it will go away.
But seriously, there seems to be no OFFICIAL way for end users to actually contact Microsoft, nor any sort of automated system to rank e-mails based on importance, nor any human within the phone network who actually knows who to talk to. People I've known who worked there also have no clue as to who to talk to, and admit this if you're lucky. If you are unlucky, they just say it's a vendor issue without thinking that the vendor is Microsoft.
thoughts (Score:2, Interesting)
So couldn't Microsoft simply fix this by having the email sent to the person's email address they provided when they registered with
Re:FUD (Score:2, Interesting)
Think about it, with a company like Microsoft, there is no doubt vulnerabilities will exist. If this was a distributed product we would still have script kiddies years from now drilling on this exploit. Now that it is a centralized service, it has been fixed in one place before any substantial damage has been done. -- Which evil do you want today?
Re: Procedure to inform them it's broken. (Score:5, Interesting)
Tell me about it. When IE5 first came out (with the modular installer) the installer had a nasty bug: If the FTP site it tried to connect to to download a CAB was full, it would create the CAB file which would contain no data, only the error message!
As one might expect, this would cause the installation to bomb, and no explanation would be given to the user. Attempting to resume the installation would also fail. The solution was, of course, to go into the installer's temp directory and delete the bad CAB files and re-download them, but most users wouldn't know where to find them, and would be forced to start from scratch.
When I attempted to contact Microsoft about the problem, they asked me for a credit card number. When I explained I didn't want support and was trying to report a bug, I was transferred to someone else who... asked me for a credit card number. Wash, rinse, repeat.
Re:Flawed concept (Score:4, Interesting)
While we will undoubtedly see exploits on any system large enough to attract interest, I don't think Sun would code something this brain-dead stupid.
The industry standard is to ask for a passphrase when you forget your password. MS didn't even do this. I'm still wondering what junior level coder came up with this one though... I can't even express how stupid this is.
The whole single sign on concept is flawed at present. Far too many potential holes, no matter what the tool, or who the builder.
So we work to make it better... abandoning the concept entirely isn't going to happen. It's a worthwhile concept IMO, and while there's a lot of issues to be worked out that's not to say that they can't be. Most people would be willing to use a "strong" password if they only had to remember one. When you have to remember a dozen then forget it - the vast majority of people are going to use something like "password" or an easily guessable word from their personal life. Remembering "df783N:pa04uYG" and another dozen variants just isn't going to happen.
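The two comments above make the same point from different angles: a reset flow has to prove something to the account's real owner (a passphrase, or a message to the address on file) instead of acting on whatever the requester supplies. The following Python is an added illustration of that contrast, not code from the thread and not Microsoft's Passport implementation; the in-memory account store, the outbox list standing in for the mail system, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account store; a real service reads this from its user DB.
ACCOUNTS = {
    "alice": {"email": "alice@example.net", "password_hash": None},
}

# Hypothetical outbox standing in for the mail system: (recipient, token).
OUTBOX = []

# Pending resets keyed by sha256(token) -> (username, expiry). Storing only
# the hash means a leaked table does not hand out usable tokens.
PENDING_RESETS = {}

TOKEN_TTL = 15 * 60  # seconds


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str) -> str:
    # Stand-in only; a real service uses a slow salted KDF (argon2, bcrypt, scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def _issue_token(username: str, now: float) -> str:
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    PENDING_RESETS[_hash_token(token)] = (username, now + TOKEN_TTL)
    return token


def request_reset_insecure(username: str, deliver_to: str) -> str:
    """Vulnerable pattern: the requester names the mailbox that receives the
    reset. Knowing a username is then enough to take over the account."""
    token = _issue_token(username, time.time())
    OUTBOX.append((deliver_to, token))
    return deliver_to


def request_reset_secure(username: str) -> str:
    """Hardened pattern: the recipient is the address on file, never request
    data. Unknown usernames get the same reply so the endpoint does not
    reveal which accounts exist."""
    account = ACCOUNTS.get(username)
    if account is not None:
        token = _issue_token(username, time.time())
        OUTBOX.append((account["email"], token))
    return "If that account exists, a reset message has been sent."


def complete_reset(token: str, new_password: str, now: float = None) -> bool:
    """Consume a token exactly once; unknown, expired and replayed tokens fail."""
    now = time.time() if now is None else now
    entry = PENDING_RESETS.pop(_hash_token(token), None)
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[username]["password_hash"] = _hash_password(new_password)
    return True


def check_password(username: str, password: str) -> bool:
    stored = ACCOUNTS[username]["password_hash"]
    return stored is not None and hmac.compare_digest(stored, _hash_password(password))


def attacker_via_insecure_flow(victim: str, attacker_mailbox: str) -> bool:
    """Attack against the vulnerable endpoint: ask for the victim's reset,
    point it at the attacker's mailbox, and use the token that arrives."""
    request_reset_insecure(victim, attacker_mailbox)
    recipient, token = OUTBOX[-1]
    return recipient == attacker_mailbox and complete_reset(token, "owned")


def attacker_via_secure_flow(victim: str, attacker_mailbox: str) -> bool:
    """Same attacker against the hardened endpoint: the token never reaches them."""
    request_reset_secure(victim)
    recipient, _token = OUTBOX[-1]
    return recipient == attacker_mailbox
```

The hardened version also fixes two things the comments do not mention but a practitioner would want: the token is stored hashed and consumed on first use, and it expires, so a token that leaks later (mail logs, browser history) is worthless.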
Re:FUD (Score:2, Interesting)
He sent them to, amongst others, abuse@hotmail.com. This is the place that they will get mails from everyone complaining about a spammer etc - it's like receiving the wrong order from Amazon and sending an email to hostmaster@amazon.com, then flaming them for taking so long to respond.
My company used incrementing session keys. (Score:3, Interesting)
'Twas a highly expensive piece of software as well...
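What the poster describes, incrementing session keys, fails because any key an attacker legitimately holds tells them where every other live key sits. The Python below is an added demonstration of that failure beside the fix, not code from the thread or from any product named in it; the two session stores, the probing strategy and the user names are all constructed for the example.

```python
import secrets


class SequentialSessions:
    """Vulnerable: keys come from a counter, so every live key is within
    a small distance of any key the attacker legitimately holds."""

    def __init__(self, start: int = 1000):
        self._next = start
        self._live = {}

    def login(self, user: str) -> str:
        sid = f"{self._next:032x}"
        self._next += 1
        self._live[sid] = user
        return sid

    def whoami(self, sid: str):
        return self._live.get(sid)


class RandomSessions:
    """Hardened: 128 bits from the OS CSPRNG per key; a key the attacker
    holds says nothing about anyone else's."""

    def __init__(self):
        self._live = {}

    def login(self, user: str) -> str:
        sid = secrets.token_hex(16)
        self._live[sid] = user
        return sid

    def whoami(self, sid: str):
        return self._live.get(sid)


def hijack_neighbours(store, own_sid: str, window: int = 50) -> list:
    """Attacker strategy: treat the key as a number and present each nearby
    value as if it were a cookie. Returns the users whose sessions answered."""
    base = int(own_sid, 16)
    hits = []
    for delta in range(-window, window + 1):
        if delta == 0:
            continue
        guess = f"{(base + delta) % (1 << 128):032x}"
        user = store.whoami(guess)
        if user is not None:
            hits.append(user)
    return hits


def run_scenario(store_cls) -> list:
    """Victim logs in first, then the attacker; the attacker probes around
    their own key. Sequential keys give up the victim in a handful of tries."""
    store = store_cls()
    store.login("victim")
    own = store.login("attacker")
    return hijack_neighbours(store, own)
```

Note that the sequential store's keys are padded to the same 32 hex digits as the random ones; looking random is not the property that matters, being unpredictable is.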
Re:The Damage Has Been Done (Score:3, Interesting)
Having your website defaced is one thing, and having a day-long network headache because of the most recent worm is one thing, but losing sensitive personal data is quite another. Based on their track record, Microsoft is simply not qualified to step into the role of holding and protecting important personal information, and this exploit makes that abundantly clear.
To be fair, maybe nobody is qualified to step into that role right now, but Microsoft's release-now fix-later approach to software development has no place in an environment where there's so much at stake.
Re:Flawed concept (Score:1, Interesting)
Or carrying your thumb or retina around..
I have to go with the crowd here.... (Score:5, Interesting)
Some coders (again using the term loosely) at my organization used to do this absolutely all the time and I would bitch about how piss poor it was from a security angle (and regularly demonstrate how easy it was to circumvent the intended "security" mechanisms). Everybody laughed at me when I did... that is until one of our largest customers hired an outside firm to audit the "security" of the apps they were getting. It took the firm very little time to discover these nuggets, of course. It is interesting to note that they reported that the application security was among the poorest they had seen, but that the server configurations (my department) were among the tightest. The sad thing is the stupid customer basically thought the two canceled each other out, threw some extra money at redesigning the application to meet the standards it should have to begin with, rewarded our systems team which had done it right the first time with absolutely squat, and renewed the contract for another five years. Shows you how much the corporate world understands what's really going on.
Probably Microsoft code is difficult to maintain. (Score:5, Interesting)
After months of trying to understand Microsoft's situation (Windows XP Shows the Direction Microsoft is Going [hevanet.com]), I came to the conclusion that the Microsoft management style leads to mountains of sloppy code that is difficult to maintain. That's the only theory that seems to fit. For example, in Internet Explorer browser alone, there have been for years more serious security bugs than Microsoft fixed. There are, at present 14 security vulnerabilities [pivx.com].
Here is the recent record. The list of defects has been similar for years. Also, this is a record only of security defects, not all defects:
Obviously, Microsoft could fix the bugs if the company wanted to fix them. But the company apparently lacks the will to devote the resources necessary (IE still does not have tabbed browsing), and apparently also, it is not easy.
Re:I agree completely. (Score:1, Interesting)
One has to understand that M$ is a big company, and everyone in that company just does what they have to do to cover *their* ass! Nobody gives a F**k about the products!! The company I worked for was paid (poorly) to deliver. If that meant cutting corners...guess what...
There is NO WAY there can be good/secure products coming out of that system!! That's why OSS will succeed.
Re:Remember... (Score:5, Interesting)
We on
Hackers are only an endangered species because it hardly takes a hacker to break MS code these days.
Re:Oh my God (Mad scramble) (Score:2, Interesting)
How do I close a .Net Passport account? (Score:2, Interesting)
There seems to be no way to do this online. A call to MS customer service resulted in an "I dunno, I can't do that." answer.
btw, I'm not dumb enough to actively participate in Passport. I bought something online last summer from a small company, and after completing the purchase, I was shocked to see that Microsoft was handling the transaction with Passport. Damn it! Now they have my credit card info, shipping address, etc. Guess I should have read the fine print before I clicked Submit...
Anyone successfully done this?
Re:Oh my God (Mad scramble) (Score:2, Interesting)
Dear Xxxx,
It's terribly important for me to hack into an account of Yyyy !
Please understand, she's my girlfriend, and I think she might be cheating on me.
Please tell me how to do this
Now every time I read about another hotmail hack, I can't help but think how many ticklish revelations will happen today.
Re:I have to go with the crowd here.... (Score:2, Interesting)
But I answer because your security idea of web apps is also very terrifying. Security through obscurity does not work! (Passing variables in headers is no security, and choosing weird names is bad coding practice and not more secure.) The proper way is to put in the URL what you need (?page_nr=3) and keep at the server the stuff that is only used after proper authentication. Perhaps at a very unknown website obscurity would delay the script kiddies a bit, but I think hackers are really too motivated to hack Passport not to try something other than IE (telnet passport.microsoft.com 80?).
But I'm glad you are a system administrator who knows how to secure his/her machines, those people are also too rare
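The reply above draws the line correctly: the URL carries what the client is entitled to choose (a page number), and who the client is comes from server-side state tied to an authenticated session, never from a header or hidden field the client can type by hand. The Python below is an added example of that split, not code from the thread or from Passport; the page data, the fixed session table, the odd header name and the request object are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed private data: each user's pages, in order.
PAGES = {
    "alice": ["alice: page 1", "alice: page 2", "alice: page 3"],
    "bob": ["bob: page 1"],
}

# Server-side session table, opaque cookie value -> authenticated user.
# Fixed values so the example is deterministic; a real service mints
# them from a CSPRNG at login and expires them.
SESSIONS = {"c0ffee-alice": "alice", "c0ffee-bob": "bob"}


@dataclass
class Request:
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def _render(user: str, raw_page: str):
    """Shared page lookup with the input validation the URL parameter needs."""
    try:
        page_nr = int(raw_page)
    except (TypeError, ValueError):
        return (400, "page_nr must be an integer")
    pages = PAGES.get(user, [])
    if not 1 <= page_nr <= len(pages):
        return (404, "no such page")
    return (200, pages[page_nr - 1])


def view_page_insecure(req: Request):
    """Vulnerable: whose pages to show is read from a request header. The
    odd header name is not a control; a hand-built request sets it freely."""
    user = req.headers.get("X-Pp-Member")
    if user is None:
        return (401, "login required")
    return _render(user, req.query.get("page_nr", "1"))


def view_page_secure(req: Request):
    """Hardened: the URL carries only what the client legitimately chooses
    (page_nr); identity comes from server-side state bound to the session
    cookie, so nothing else the client sends can change whose data is read."""
    user = SESSIONS.get(req.cookies.get("session", ""))
    if user is None:
        return (401, "login required")
    return _render(user, req.query.get("page_nr", "1"))


def forged_request(page_nr: str = "2") -> Request:
    """Bob, logged in with his own cookie, claims to be Alice in the header,
    the kind of request anyone can type once they skip the browser."""
    return Request(
        query={"page_nr": page_nr},
        headers={"X-Pp-Member": "alice"},
        cookies={"session": "c0ffee-bob"},
    )
```

Against the vulnerable handler the forged request reads Alice's second page; against the hardened one the same request is served as Bob, and asking for a page Bob does not have is a 404, not a leak.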
MS problem is their own culture and codebase (Score:5, Interesting)
If you've made any study of it at all you know that effective security results from a process that starts before the software is even written. There is no protocol that will save you from logic errors (like the latest Passport hole). To do this requires a good understanding by the devs of security and their adherence to design principles and coding practices. To do that you need a software development methodology that enforces the consistent application of those principles and practices. Therein lies the problem.
In my little corner of MS (though by all accounts it was typical of the company as a whole) what was prized above all was meeting requirements and deadlines. Virtually no energy was put into the development environment (hence the hour I spent every morning just downloading the nightly build, the insane .bat scripts, constantly fixing my own NT install as a $55/hr contractor). Nobody got "c-hours" for making life easier. More importantly, there was little value placed on design, good technique. Lip service was paid in meetings and reviews, of course, and superficial style details received obsessive scrutiny. Code reviews often bogged down on correct Hungarian notation but a unit test consisting of "return true" was perfectly ok. The "heroes" were people with big brain muscles who spent nights and weekends hammering out code to meet the latest deadline.
The result of all this was a coding culture that I called the kingdom of cut-and-paste. I was actually encouraged to write routines by starting with someone else's routine to do something unrelated and edit it to do my task. A colleague would stand over my shoulder browsing the codebase looking for something convenient to steal. It was a shock to realize how little code people actually wrote. This is one of the things that I hated about working there, that I spent so much of my time fscking with the various APIs, incomprehensible include file hierarchies and so little time writing C++.
Well, in my Intro to Fortran class in '77 the prof explained why massive code duplication is a bad idea, and the results are visible in every MS product. You can't fix a bug in one place, you have to fix it every place it got copied to, and you don't know where those are. The codebase is now on the order of hundreds of millions of lines or more? Probably not even MS has a good handle on this, because they can't know for sure how much duplication (with tiny variations) there is (clue: lots).
Once a company grows to a considerable size it's really hard to change the culture. I've seen this at several startups. MS is like a battleship or an aircraft carrier. High-tech and deadly but turning that boat around is really hard and simply may not happen in a short distance. Expecting them to change their performance WRT security in a few months (or a year) is kind of like expecting the old Soviet apparatchiks to start respecting civil liberties and human dignity because the Central Committee sends out a memo. Good luck. It's a city unto itself in Redmond, its own little world. And even if you did, what the hell are you going to do about the millions of lines of (largely incomprehensible) code in the installed base? The millions of systems in the wild that are unpatched and unmaintained?
I see many of the same disasters being recapitulated in .NET. They may talk security and I'm sure they're trying hard but I expect that their long term strategies are going to rely more on legislation than the (probably impossible)
task of bringing their products t
culture of security (Score:3, Interesting)
A: You're way off about changing peoples' approach. The sad fact is people like that are in pain-avoidance mode. Give them pain. Give them a productive way to avoid the pain. There must be code review. One guy does a little coding, another guy has to sign off on it. A third has to sign off that it has been tested (whether or not any testing actually happens is not important). All three get burned if anything bad happens: after-hours or weekend work to fix it NOW? The rate of code churn goes down, and the quality goes up. Grumbling goes up, but it sounds like a personal problem to me... :)
B: You're dead-on-target about doing other people's work. You can't have individual effort and collective accountability. You have to have collective work and collective accountability. Oh, and if you're smarter than others: the sharpest knife always gets used the most. Adjust to it. One day you will be enlightened.
C: You are dead-on-target about the financial sector :). That does not mean it won't work in hospitals or law offices though. It just means *somebody* has to fulfill the role of irate customer when the slackers need it.
Culture is not something you create at the water cooler or in seminars. It is dictated by the unique combination of supply and demand wherever you are. You can change the supply (of people or other resources), or the demand. The boss/team-leader mediates customer demand and needs to have some real power over the programmers in the same way that customers have real power to affect the company's bottom line. If you lack accountability, that isn't a software development problem. You're just going to get shoddy results, software security, housekeeping, everything included.
The moral of the story: accountability is security. So, if you want a culture of security, improve your accountability! It has positive potential for Maslow's "self-actualizer" types too.