'Secret question' flaw could have let attackers reset passwords.
Microsoft patched a hole in its .Net Passport identity management service last night after a security researcher disclosed a potentially serious flaw that could enable attackers to hijack Passport accounts. The vulnerability was in the code for a "Secret Question" feature that helped users who had forgotten their Passport password, according to a message posted by Victor Manuel Alvarez Castro, who identified himself as a security consultant.
Some Passport accounts that were created before the Secret Question feature was implemented in August 1999 contained "bad data" in the Secret Question field, according to Jeff Jones, senior director of Trustworthy Computing Security at Microsoft. That data enabled knowledgeable attackers to circumvent the Secret Question feature and reset the password for another Passport user's account, he said.
Digital Envoy, a provider of rights management technology, and SyncCast, which specializes in media streaming, worked together to create the digital rights management (DRM) system.
The system works with the DRM technology integrated into Microsoft Windows Media 9 Series and has been included in the DVD-ROM bundled with the Terminator 2: Judgment Day (Extreme Edition) disc set, shipped in North America in early June for US$29.98.
The set contains a standard DVD, but the DVD-ROM has a high-definition version that provides three times more video detail, SyncCast spokesman David Nichols told CNETAsia. The movie file is encoded in WM9 format, required for the DRM operation of Windows Media Player 9.
The PC playing the DVD-ROM must be connected to the Internet to obtain a license. Content owners can decide which type of license to issue: one-time play, unlimited play, expires after 30 days, and so on, said Nichols.
"In the case of T2, Artisan (the studio releasing the DVD) decided to issue licenses that have to be renewed every 5 days. You can get as many 5 day licenses as you want but each license is only good for 5 days," he said.
This allows, say, a notebook user to view the movie for 5 days while on the road and disconnected from the Web.
While Nichols did not fully reveal how the DRM works, it is understood that it requires the online verification of details such as the user's IP address and the unique IDs of the disc, movie file and computer playing the file.
"If the user's IP and address is in the region designated by the content owner and they have a valid disc they are issued a license. Users who we determine are outside of the designated region are provided an email address to contact the licensor to request a license directly from them," said Nichols.
"Once they prove they have a valid disc, we issue a license to the user's computer. The user can play the file on any drive connected to his computer that has the license. If the user tries to play the content on a different computer, it won't work. If the user attempts to pass the content off to a friend, it won't work," he said.
The same DRM system can also be used to protect movie streams or downloaded movie files. Despite the checks, no user information is sent to SyncCast or Microsoft without the user's permission, he added.
SyncCast and Digital Envoy's system is one example of the various DRM technologies being tested. In Japan, Sony has been offering movie downloads that are timed to "self-destruct" after a given time.