Posted on 05/17/2003 11:10:55 PM PDT by Timesink
A serious security flaw shows that Microsoft Passport identities could be easily compromised. Financial institutions and other enterprises should replace or augment Passport until at least November 2003.
Whether any attackers exploited this flaw before Microsoft patched the problem is important to enterprises that depend on Passport identities, but it doesn't affect the actions they must take to limit the damage. As with any piece of software with serious security flaws, more vulnerabilities will likely surface in Passport. For this reason, Gartner recommends that financial institutions, credit card issuers, retailers and other enterprises that use Passport for any meaningful business purpose immediately:
Enterprises considering Passport services should delay adoption until at least November 2003 or until Microsoft has completed a thorough security review of Passport, including outside reviewers.
This discovery deals a major blow to Microsoft and the Liberty Alliance, which have not yet succeeded in getting the consumer e-commerce market to accept identity services of this type. Gartner surveys have shown that consumers and enterprises have already seen more risk than value in Passport and Liberty. The serious vulnerability in Passport will likely further delay any meaningful demand for such services until at least 4Q04. Microsoft can reduce this impact and regain market confidence by submitting Passport's code to a full open-source review.
Analytical Sources: John Pescatore and Avivah Litan, Gartner Research
Written by Terry Allan Hicks, Gartner News
Anyone who trusts microsoft's security gets what they deserve, and deserves what they get.
A "bears repeating" bump.
"I know, I know. Just skip the rigorous QC for now. Give it a quick once-over. We gotta get this thing out the door or there's gonna be hell to pay. Don't worry, we'll do the QC later and stick it in version x.1."
I'd bet a dollar statements like this are made around M$FT on a regular basis.
They do not, much to their detriment, realize that QC is not a "separate" process; rather it must parallel the development process from the beginning.
</end rant>
Microsoft will have a solution for all these security flaws soon. All we'll have to do is go out and buy brand new computers with their new OS Palladium installed on it. It will phone home regularly to the fatherland in Redmond to make sure everything's okie dokie.
Big brother to the rescue.
Yeah, like that's gonna happen.
Microsoft can reduce this impact and regain market confidence by submitting Passport's code to a full open-source review.
What have these folks been smoking? Microsoft will make the reviewers sign NDAs so they can't even talk amongst themselves and do a proper review. MS doesn't want to know about their flaws; they just want to continue to dominate the market.
If MS had been paying attention, they would have picked up on the Passport thing soon after April 12th, when the researcher first tried to contact them. But nooooobody at MS knew a thing about it until he finally posted it to the Full-Disclosure list out of desperation.
Remember back in February (the shortest month of the year, BTW) 2002, when MS took a whole month off to train their folks and review all of their code? Does anyone really think that it could all be done in a single month? Does anyone else have a strange suspicion that it was all for PR?