Technology Stocks : MSFT Internet Explorer vs. NSCP Navigator

To: Harvey Allen who wrote (23946)
5/15/2000 10:26:00 PM
From: Pink Minion
 
Microsoft said Monday that it
was developing a software patch "as quickly as possible"
after a 21-year-old former employee publicized a potential
security flaw in the company's popular Web browser.

In a conference call with privacy advocates and reporters,
Bennet Haselton, the former employee and an active
opponent of Internet censorship who lives in Seattle, said
he could use the flaw to read the in boxes of HotMail
accounts and order products on Amazon.com without
the account holders' permission or knowledge.

All known versions of Microsoft's
Internet Explorer are vulnerable,
according to Haselton's Web site,
peacefire.org.

The flaw involves cookies, which electronic commerce
sites routinely deposit on the computers of Web users in
order to keep track of their purchases and for other
monitoring purposes. Using a specially constructed
uniform resource locator, or URL, a Web site can read
the cookies from any domain.

A spokeswoman for Microsoft said that the flaw could be
exploited only if a user is coerced or enticed to visit a
Web site operated by someone who intends to exploit the
flaw. The company is developing a software patch that will
be available shortly, said the spokeswoman, who works
for the company's outside public relations firm and asked
that she not be identified because of Microsoft's press
policies.

The spokeswoman also said cookies should not contain
sensitive data like credit card information or passwords in
the first place. Most cookies do not. For example, the
way Amazon uses cookies could allow a hacker to order
books sent to a person's address using the person's
credit card, but the hacker could not obtain the credit
card number or have the purchases sent elsewhere.

Jason Catlett, a privacy advocate who operates the Web
site Junkbusters.com, said the flaw would not allow
hackers to gain access to passwords but that it still
raised concerns because victims could be impersonated
or have the privacy of their email violated.

Haselton, whose discovery was detailed in an article in
The Wall Street Journal on Monday, said in a telephone
interview that he was looking for flaws in Microsoft
software in hopes that he could expose them to gain
publicity for his anti-censorship Web site.

Haselton said he took a pad of paper along on his Easter
break to visit family members a few weeks ago. The
purpose of the pad, he said, was to write down potential
hacks to try when he returned home to Seattle.

"I did this for the publicity," Haselton said. "I hope the
people on my old working group saw it in The Wall Street
Journal."

Haselton said he worked at Microsoft from May 1999 until
January and had hoped to become a software engineer
tasked to ferret out bugs for the company. He said that
he was not allowed to take training courses and was
instead dismissed from the company.

"They said I was too dumb for it," Haselton said.

The spokeswoman for Microsoft confirmed that Haselton
had worked for the company.