A vulnerability has been reported in Microsoft Passport. A remote user can obtain the Passport Wallet contents (cookies, other contents) when the Passport user views a malicious e-mail message.
A remote user can reportedly send a malicious e-mail or malicious HTML code to a Passport Wallet user. If the Passport Wallet user views this e-mail message or HTML code within a certain period of time after having manually signed in to the Passport server, the Passport Wallet contents can be obtained by the remote user. The period of time had been set to 15 minutes, but the vendor has since reduced this time to one or two minutes.
Solution: While the vendor has acknowledged the vulnerability and is working on a patch, there is no official solution at this time. A detailed description of the weaknesses in the Passport architecture and some demonstration exploit methods are available at:
http://alive.znep.com/~marcs/passport/