In Depth

Beyond Passport Vulnerabilities

Security flaws in high-profile products like Microsoft's Passport led experts and vendors to find new ways to disclose bugs

By Simson Garfinkel

January 01, 2005 — CSO — Little more than a year ago, a company that I'm involved with found a serious flaw with Microsoft Passport.

Microsoft Passport, for anyone not in the know, is Microsoft's highly promoted identity management and single sign-on system. Instead of having one password for the Microsoft Developer Network, another password for Hotmail and another password for Microsoft Messenger, all of these services are tied together with a single common database. Log in to one system, and you've logged in to them all. In theory, this makes the overall process easier for users, since there is only one ID and password to remember, and more secure, since it is easier to debug and audit one system as opposed to many.

Microsoft has adopted Passport internally for most of its products that need to identify usersthings such as Windows Media Player. Microsoft has also encouraged other companies to adopt Passport as their back-end authentication system. The biggest company that has jumped onboard so far is eBay, which allows you to sign in using either an eBay ID or a Passport ID.

The problem that the company discovered had to do with the way the Windows XP Registration Wizard used Microsoft Passport to register new copies of Windows when they were first loaded. Instead of communicating with the Passport servers over an encrypted SSL channel, as Microsoft claimed, much of the information was being sent without encryption.

Because Passport is so widely used, the bug was significant. By sniffing the packets on a local area network or an ISP, an attacker could learn the ID and password of any person registering a new copy of Windows XP. What's more, because the registration was done in a Wizard programrather than in a traditional Web browserthere was no telltale "https," meaning there was no easy way for people to know the information was being sent without encryption.

Passport vulnerabilities have been big news in the past: People who have found them have made the front page of The New York Times. Microsoft then scrambled to fix the problem, while individuals and organizations using the system were left in the lurch. The problem, of course, is that it's hard to stop using Passport. But once the vulnerability is known, the black hats are free to start exploiting it. And once they know where to look, more vulnerabilities might be found.

Bug hunters weren't always so fast to disclose vulnerabilities. When I started writing about computer security 15 years ago, such disclosures were widely seen as irresponsible and dangerous. Back then, newly discovered vulnerabilities were shared with a few trusted security professionals and communicated to the vendor or software developer. The idea was to give those most affected the opportunity to immediately protect themselves and give the company time to develop a fix before the problem was widely known. Frequently there was no "patch" issued at all; the fix for the security problem was simply folded into the next software release.The Problem with Selective DisclosureThere was just one problem with this careful approach to vulnerability disclosure: Many security vulnerabilities never got fixed at all. Uninformed that the new releases actually contained security fixes, many users didn't bother upgradingespecially users running mission-critical systems that couldn't afford any downtime. Even worse, many software vendors simply didn't fix the security problems that were brought to their attention. After all, why should they? The typical application or operating system has many security vulnerabilitiessome of which are known publicly, some of which are known internally and most of which are undiscovered. Why fix a vulnerability that's being kept secret?