The flaw, in Passport's password recovery mechanism, could have allowed an attacker toto which the username is known. The simplicity of the attack method and the high value of the data frequently stored in Passport accounts--names, addresses, birthdates and credit card numbers--combined to make the vulnerability critical.
Microsoft immediately turned off the feature, and security and product teams worked overnight to fix the flaw. By the next morning, the company had, one that should have been there in the first place. The feature had been around since September 2002, and Microsoft is investigating to what degree the flaw may have been exploited by online vandals to grab user accounts.
For a company that has publicly made security a priority, the Passport problem was a serious setback. But the damage to the company could run to more than just bad public relations. The software giant may alsofor the security lapse.
The potential investigation could lead to hefty fines at a rate of $11,000 per violation. If the FTC tries to levy fines on Microsoft, the total penalty could be as high as $2.2 trillion if all accounts are tallied as violations. However, the number of people that have been locked out of their accounts may be a better basis for determining fines.
Windows of the future
Security is obviously on Microsoft's mind lately, and the software giant is letting the public know. Microsoft used its Windows Hardware Engineering Conference (WinHEC) to offer a from its Windows operating system.
One of the changes it plans to make is tothat contain private information that's secured through Microsoft's Next-Generation Secure Computing Base (NGSCB), formerly known as Palladium.
Secure windows will appear differently than regular, unsecured windows in order to remind people that they are looking at confidential material. People will likely customize the secure pages, which will help prevent "spoof attacks," where hackers plant a fraudulent Web page on a PC screen that looks like, but isn't, a file from a person's doctor or accountant, for example.
The controversial NGSCB, which Microsoft hopes will help secure its future in the corporate market, is based on real and emulated hardware. Critics fear that the technology will result in consumers losing control of their PCs and data and that Microsoft could use the technology to lock up market share. Others argue that the software and hardware could help lock down corporate data.
Four major: A technology called process isolation will seal off trusted applications so they can't be attacked; sealed storage will allow applications to store data securely; secure path will encrypt data from USB (universal serial bus) hardware devices to the computer and secure video output; and so-called attestation will basically take a snapshot of key characteristics that will define the integrity of the PC.
The big news of the conference, however, was the announcement that Longhorn, the, will debut in 2005. With Longhorn, Microsoft hopes to improve the visual quality of the computing experience. The goal is to be able to run the OS on screens with a resolution of 120 dots per inch or higher.
Longhorn is intended to continue Microsoft's plans to make the PC the nerve center of the home entertainment network. A set-top box codeveloped by Microsoft and ATI Technologies, for instance, allows people to view on a TV monitor pictures or video stored on a PC.
Microsoft was also busy on the spam front, for its MSN and Hotmail services, noting that it now blocks the 2.4 billion e-mail messages that target subscriber in-boxes daily. Microsoft said MSN 8 and Hotmail subscribers this week can elect to turn off images within e-mails, a feature that the company said would help cut down on spam.
Images may conceal so-called Web beacons that confirm a particular e-mail address is in use. That's important to spammers, who frequently use dictionary attacks that blanket domains with thousands of random variations in the hopes of hitting a handful of targets. Beacons can be triggered when images appear in a preview window, meaning that recipients do not need to open the file to be painted as a target.
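As an added example that is not part of the article, the check below shows what the "turn off images" mitigation amounts to in practice: a mail client or gateway scans an HTML message for remote images, flags those that look like beacons (tiny dimensions or a per-recipient token in the URL) and strips them so that rendering the message, even in a preview pane, makes no network request. The sample message and host names are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real e-mail): one inline cid: image,
# one 1x1 remote image carrying a per-recipient token, one ordinary banner.
SAMPLE_HTML = (
    '<html><body><p>Hello!</p>'
    '<img src="cid:logo@example" alt="logo">'
    '<img src="http://tracker.example/pixel.gif?uid=abc123" width="1" height="1">'
    '<img src="https://img.example/banner.png" width="400" height="80">'
    '</body></html>'
)

class RemoteImageFinder(HTMLParser):
    """Collects <img> tags whose src would be fetched over the network."""
    def __init__(self):
        super().__init__()
        self.remote = []  # one dict per remote image

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if urlparse(src).scheme.lower() not in ("http", "https"):
            return  # cid: and data: images load nothing from the network
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        tokenised = "?" in src  # query string often carries a recipient id
        self.remote.append({"src": src, "beacon_like": tiny or tokenised})

def find_remote_images(html):
    """Return the remote images in an HTML body, each marked beacon_like or not."""
    p = RemoteImageFinder()
    p.feed(html)
    p.close()
    return p.remote

# Matches any <img ...> whose src starts with http: or https:.
_REMOTE_IMG_RE = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']?https?:[^>]*>', re.IGNORECASE)

def block_remote_images(html):
    """Mitigation: drop every remote <img>, so no beacon fires on display."""
    return _REMOTE_IMG_RE.sub("", html)

if __name__ == "__main__":
    for img in find_remote_images(SAMPLE_HTML):
        print(("BEACON? " if img["beacon_like"] else "remote  ") + img["src"])
    print(block_remote_images(SAMPLE_HTML))
```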
EarthLink got its licks in on spam, too,and injunction against the "Buffalo Spammer." EarthLink alleged that Howard Carmack had used stolen credit cards, identity theft and other illegal means to purchase hundreds of Internet accounts in order to send out 825 million unsolicited commercial e-mails.
The Carmack case ranks among the three largest spamming judgments that EarthLink has received to date. Last year, EarthLink won a $25 million judgment against K.C. Smith, who allegedly sent out more than 1 billion unsolicited commercial e-mails over the company's networks. And in 1998, the courts awarded EarthLink a $2 million judgment in its case against Sanford Wallace, the former "king of spam."
EarthLink didn't have long to celebrate, though. In a case of antispammers against antispammers,, saying that the Internet service provider's new junk-removal system violates its own patented technology.
Mailblocks sells technology that helps Web surfers ward off spam by challenging messages from unknown or automated senders, a system known as "challenge/response." Mailblocks alleges that EarthLink initiated discussions related to its service, but nothing came of the talks. However, EarthLink's newly proposed service "as advertised" will infringe on its patent, the company says.
Also of note
Dell Computer's board of directors revealed that it wants to
Networking company from the Silicon Valley to its East Coast offices
Lower DSL prices could pose a on the U.S. market for high-speed Internet access
of AOL Time Warner, slashing his stake by about half as he prepares to retire from his role as vice chairman at the beleaguered media giant
IBM is shedding light on a , illuminating a dual-pronged strategy, an unusual new processor design and a leaning toward the Linux operating system.