Hotmail Flaw Raises Questions Over XP Security

UPDATED As Microsoft CEO Steve Ballmer touted Windows XP's rapid progression toward manufacturing, news reports began to surface indicating that a proof of concept "hack" had compromised the integrity of the company’s Hotmail e-mail services. Throughout its lifespan, Hotmail has been plagued by outages and occasionally some highly embarrassing security oversights. Now that integral components of Windows are tightly integrated with Microsoft's Passport authentication system and Web based services, even seemingly minor incidents are examined under the lens of a microscope.

Late Sunday night, Root Core, a group of computer security experts, published information exposing vulnerabilities in Microsoft's popular service. While it is not known how many e-mail accounts were accessed, the methods employed in order to successfully follow the exploit prohibit widespread abuse. The hack requires specific knowledge of a target's username as well as a Message ID –- comprised of a string of 10-11 unique digits.

In order to be successful, a hacker would need to know the exact time a particular message was sent down to the second. UK based technology news site, The Register, reported that a "brute force" application authored by Root Core was itself cumbersome and time consuming. It also requires a high bandwidth Internet connection.

In an e-mail statement sent to BetaNews written by MSN Product Manager Mark Wain, the company downplayed the potential for mischief. Wain wrote, "These conditions make it extremely difficult for anyone but the user themselves to exploit this 'proof of concept' code which the poster has given us. A malicious attacker would have to conduct thousands if not tens of thousands of attempts before they could hit on a valid message ID, and even that would only give them a portion of the information they would need to fully exploit this issue."

He went on to criticize Root Core for failing to notify the company of its findings prior to releasing information that could be detrimental to users. Despite the difficult nature of the hack, Wain conceded that even insignificant security flaws were matters of some importance. Saying, "we recognize the concerns raised in the computational infeasibility of this mechanism and are investigating ways that we can raise this bar even higher."
On its Web site, Root Core claims to have alerted Microsoft.

Whitehat security expert Jeremiah Grossman, formerly a member of Yahoo's security auditing team, told BetaNews that the scope of the Root Core exploit is greater than most reports have indicated. In cases were user accounts are configured to email lost or forgotten passwords back to Hotmail, this attack can be used to retrieve that information. The security hole has since been fixed.

A Troubled Past

Hotmail has suffered from outages that have interrupted the service for periods as long as several days. Several highly publicized security breaches have also led experts to recommend that users should not assume that e-mail services based on public Web servers are secure. To counter those claims, Microsoft has continually attempted to improve its security having requested independent experts to audit Hotmail on one occasion.

Passport, the service's sign in system, will be protected by VeriSign technology in cases were additional security measures are required.
However, security experts still have their sights aimed at Passport, placing it under heavy fire. eWEEK reports that a flaw in the technology can place personal information in the hands of malicious individuals who simply have to obtain a cookie from a target system, thereby easily gaining access.

As first reported by BetaNews, AOL is also in the process of phasing in its own authentication system dubbed Magic Carpet. The use of Web-based services is set to become more commonplace as companies roll out their answers to .NET enabled applications. Redmond competitor Sun Microsystems has spent several years perfecting Jini, its answer to Microsoft's .NET solution.

Russian Roulette or The Next Logical Step

Microsoft was deployed .NET-based technology into Windows XP, merging its desktop software with its own online services. This has proven to be a point of contention with competitors and US Government antitrust officials alike. New York Senator Charles Shumer has recently asked that Windows XP be reviewed, and has threatened to block its release.

Microsoft maintains that .NET is the future software development, and insists that Windows must evolve along side with cutting edge Internet technologies such as XML. It also maintains that it must build features into Windows that appeal to the demands of its custumers.

According to Microsoft Chief Software Architect Bill Gates, "The transition to .NET is as dramatic a transition as the move from MS-DOS to Windows."

Despite concerns over the inherent risks involved with trusting sensitive information to shared servers, the incorporation of the .NET framework into Microsoft products continues to move ahead as planned.