Microsoft sews up Hotmail hole

Slow to acknowledge a flaw in its free email service, Microsoft has now responded with a fix. But it downplays the danger to Hotmail users
Written by Robert Lemos, Contributor

The day after Microsoft acknowledged a security hole in Hotmail, its popular free email service, a representative for the software giant said it had fixed the problem.

Details of the hole, which could have allowed any user the ability to read another user's email, were originally publicised by hacker and security site Root-Core four days ago.

Mark Wain, product manager for the Microsoft Network, acknowledged the problem Monday, but he downplayed the threat, calling it a "computational infeasibility." To exploit the flaw, a user would have had to know the target's username, the time the email was received and a random two-digit number, he said.

Most would-be attackers would know only the target's username and might be able to guess the time a particular message was received, making the technique hard to implement.

"A malicious attacker would have to conduct thousands, if not tens of thousands, of attempts before they could hit on a valid message," Wain said.

If would-be spies knew the minute in which the message was received, they would still have to try 6,000 numerical combinations. To scan all the messages received in an hour, it would take 360,000 combinations.

An automated scanning tool, such as the one Root-Core posted on its site, could have made an attack easier, but it's uncertain whether Hotmail would allow the thousands of access attempts such a method would require. Now that Microsoft has closed the hole, the issue is essentially moot.

However, the problem comes at a bad time for the company.

Last week, Microsoft faced criticism in Washington, D.C., for its plan to use its Passport authentication system as a keystone of security for its next-generation consumer operating system, Windows XP.

Passport collects and stores personal information as a way of identifying individual computer and Web users who want to log in to specific Web sites or use certain services. Some critics have charged that the system invades people's privacy, demanding an unreasonable amount of information. The information, they say, could pose security risks for people if it were shared or got out.

At present, Passport is the method by which Microsoft authenticates Hotmail and MSN users when they log in. Obviously, a security flaw in Hotmail doesn't look good.

On top of that, the flaw had an interesting side effect: It highlighted the fact that Microsoft's premier mail service still uses a non-Microsoft operating system.

The security hole made use of the fact that each message is identified by a time stamp and a two-digit number. The time stamp uses the typical Unix format. Microsoft confirmed that Unix systems still make up a significant part of the Hotmail network.

"Hotmail does utilise some Unix servers on the back end, and through time, we are looking to migrate the environment to Windows 2000," Wain said.

See the Internet News Section for full coverage.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Telecoms forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards