Neowin.net

Biggest users of Terminal Server will be worst affected by licensing change

Some of Microsoft's biggest customers face extra costs because of licensing changes introduced with Windows Server 2003.
Organisations using Microsoft Terminal Server software to access central applications will be affected by the changes.

Windows 2000 users were able to connect to Terminal Server for free. But with the newly launched Windows Server 2003, customers will have to buy a Terminal Server Client Access Licence for every user device whether it is a PC or a thin client.

Westminster buying arm the Office of Government Commerce is concerned that the changes will mean a "significant cost increase".

"Some departments run centralised applications and there appears to be an increase in this trend. For these departments, there is potentially a significant cost increase," said a spokesman.

"While we understand that holders of Enterprise Agreement licences will be provided with Terminal Server Client Access Licences at no extra charge, we are concerned at the potential cost to the government. As such, we are reviewing the overall impact of the introduction."

The move will create more bad feeling among users, according to David Rippon, chairman of the BCS IT directors group Elite.

News source: vnunet.com

Microsoft has touted Passport as a technological centerpiece in the company's Web services future. Passport accounts are central repositories for a user's online data and can include personal information such as birthdays and credit card numbers as well as acting as the single key for the user's online accounts.

Microsoft moved quickly to prevent online vandals from exploiting the issue. The advisory was posted just before 8 p.m. PDT, and by 11:30 p.m., the software giant had essentially turned off the vulnerable feature. "We have shut down all ability to reset passwords," said Sean Sundwall, spokesman for the company.

The flaw allowed a single Web address--or URL--to be used to request a password reset from the Passport servers. The URL contains the e-mail address of the account to be changed and the address where the attacker would like to have the reset message sent. By entering the single line into a Web browser an attacker can cause the Passport servers to return a link that allows an account's password to be reset. By following the link returned in the message, the attacker can change the password for the victim's account.

Danka claims to have found the issue after a friend's account had been hacked.

"Later, my friend gave the 'attacker' my passport address as a challenge, and mine was compromised as well," he wrote in the e-mail. Not long after, he figured out how the attacker had compromised the accounts.

The security consultant also said that he had repeatedly sent e-mail warnings to Microsoft's abuse and security addresses at Hotmail.com to no avail. However, he didn't send an e-mail to Microsoft's standard security contact point, secure@microsoft.com.

It wasn't clear Wednesday night whether the flaw affected all Passport accounts, or a smaller subset of accounts. Several security experts confirmed that the flaw could be exploited in the manner described by Danka.

"I tried it on my own account and I tried it on my friends' accounts, with full permission; it worked on all occasions," said Wayne Chang, a student at the University of Massachusetts at Amherst. "This is definitely a big security flaw."

The issue couldn't be confirmed by everyone. In some cases, security experts didn't get an e-mail back from the server.

"I just tried again, and have not yet received an e-mail with the change password link in it," Marc Slemko, a Seattle-area software engineer, wrote to CNET News.com in an e-mail. "That either means it is much slower now or has been disabled."

The engineer believed Microsoft would rally the security teams to handle the vulnerability, as the issue had enormous implications for customers.