Microsoft: Passport To Trouble
by Arie Slob
Hello Windows users,
Last Friday (11/02), Microsoft disabled the virtual wallet function of the Passport service to correct security vulnerabilities discovered by software developer Marc Slemko, who is a founding member of the Apache Software Foundation.
By combining a number of known browser-based bugs with weaknesses in Passport's authentication system, Slemko was able to develop a technique capable of stealing a person's Microsoft Passport and credit card numbers, all simply by getting the victim to read a Hotmail (e-mail) message.
This security breach doesn't come at a good time for Microsoft: the company is trying to position its Passport single sign-in authentication service as the one and only identity users should need for all their online activities. Passport is also central to Microsoft's .NET initiative.
As Slemko points out in his analysis, the current Passport implementation just isn't safe enough.
At this point, Passport isn't very widely deployed outside of Microsoft sites such as its Hotmail e-mail service and MoneyCentral personal finance site. However, there are a few other merchants who use Passport technology, with another 150 sites reported to be in the process of deploying Passport.
According to an article on Paul Thurrott's WinInfo site, Microsoft last Monday admitted the vulnerability in Passport, and said it has fixed the problem.
Well, I don't know about you, but I do not trust anybody (let alone Microsoft) with my credit card information and their ability to keep it safe! I will just type in my information if I want to purchase goods or services on-line, a small inconvenience for a little more security!
Microsoft Offers Additional Windows XP Licenses
After a delay, Microsoft is finally getting ready to offer additional Windows XP Licenses from their shop.microsoft.com Web site. But the savings are minimal, and amount to no more than an insult: $10 USD on Windows XP Home Edition and the Windows XP Professional Upgrade, with only the full version of Professional offering a somewhat reasonable saving of $29.90 USD.
The pricing is as follows:
The additional licenses are available on Microsoft's Web site. Windows XP Home Edition is available here, while Professional can be found at this URL, although right now all options seem to be "on backorder". According to Microsoft, additional licenses should also be available through the retail channel.
Cookie Data in IE Can Be Exposed or Altered Through Script Injection
Microsoft has posted a warning, and is working on a patch, for a vulnerability in Internet Explorer 5.5 and 6. The vulnerability opens the possibility that data stored in a cookie could be exposed.
Affected Software Versions
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 6.0
Note: Microsoft tested Internet Explorer 5.5 SP2 and 6.0 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
Invalid Universal Plug and Play Patch Could Cause Problems on Windows Me
Microsoft has received reports of problems with the Windows Me patch for the "Invalid Universal Plug and Play Request can Disrupt System Operation" vulnerability reported in last week's Newsletter. They immediately removed the Windows Me version while investigating the issue further. For more information check the updated Security Bulletin.
Recommended Web sites
Each month we will feature a few Web sites here, ones which sent us the most visitors to our Web site in the previous month. We would encourage you to visit these popular Web sites yourself!
Here are some sites in the Top 15 for October:
- PC Pitstop - Helps you get your PC in top form.
- InfoWorld - Lead with knowledge.
- VirtualDR - Support forums for Windows, Macintosh, BeOS, Unix and more.
The Top 15 sites are listed on our Web site.
Web Site Updates
These pages were added/updated in the past week. Information on previously updated/added pages is available on the What's New? page for 1 month.
Added: Anthrax Online
Added: Lindows® Hoping To Replace Windows®?
Added: Peek@Mail 1.0 mail utility released
Added: ATTS 2.0 Text to Speech utility released
Added: Microsoft Security: Cookie Data in IE Can Be Exposed or Altered Through Script Injection
Added: Microsoft Passport: Trouble
Updated: Microsoft Security: Invalid Universal Plug and Play Request can Disrupt System Operation
Added: Microsoft Start Offering Additional Windows XP Licenses
Added: Adjust CD-ROM AutoPlay
Added: Check and Set DMA Mode
Added: Passwords Not Saved in Outlook/Outlook Express
Added: Delay When Viewing Shares on a Windows 9x-Based Computer
Added: Adjust Internet Time Synchronization
Added: Remove Shared Documents Folder from My Computer
Added: Switching Num Lock On
Added: Turn Off ZIP Folders
Updated: Frequently Asked Questions (FAQ)
Added: Change Picture on the Welcome Screen & Start Menu
Added: Using & Tuning ClearType Font Smoothing
Added: Lock Windows XP
Added: Repair Internet Explorer
Added: Set Environment Variables