Cyber Eye: Breach of security and breach of trust
- By William Jackson
- May 28, 2003
Last month Microsoft Corp. again had to acknowledge and correct a security problem in its software, this time in the Passport service that manages account access on multiple Web sites.
The breach was twofold. First, the Passport system that controlled account passwords could accept outside connections. Whoever knew an exact Web address could hijack the accounts and personal data of more than 200 million users.
But in the long run the bigger breach could be trust. Microsoft didn't fix the problem until after word of the vulnerability was posted on the Internet May 7.
'Overnight Microsoft developed a fix, which is now in production,' a company spokesman said.
But according to media reports, Microsoft did not respond to 10 earlier e-mail messages from the user who found the flaw. Muhammad Faisal Rauf Danka told the Associated Press he discovered the problem after his Passport account had been repeatedly violated. When Microsoft apparently ignored his warnings, Danka felt he had no option but to force action through publicity.
The company had no record of complaints about the weakness before the published reports, a spokesman said.
Disclosure of vulnerabilities has been a hot topic among IT security experts for years. Some argue that public disclosure is irresponsible and exposes users to unnecessary risk. Others say that threat of exposure is the only way to force vendors to fix errors and take more care in developing software, and that a fully informed public is a safer public.
Among hackers, vendors and security organizations a consensus has developed that the proper protocol should be first to notify the vendor privately and not to publicize the flaw until a fix is available, or until the vendor fails to respond.
Whether Microsoft deserves censure for such lapses is a matter of opinion. But it is unnerving that the privacy of 200 million Passport users was at risk before the problem was fixed.
Microsoft will keep getting brickbats for security failures. In the last year it also has drawn praise for a serious effort to improve software development under its Trustworthy Computing Initiative.
But any progress and goodwill is jeopardized by failure to deal effectively with problems when they are pointed out.
William Jackson is a freelance writer and the author of the CyberEye blog.