Security holes still unpatched...
Message
General information
Forum: Politics
Category: Other
Title: Security holes still unpatched...
Miscellaneous
Thread ID: 00584255
Message ID: 00584255
Views: 32
http://www.idg.net/go.cgi?id=601914



"I'm glad to see that a little guy can still wield some influence over the behavior of a software giant. The weakness in Passport that Slemko forced Microsoft to address was similar to, but different from, the major problem that I warned readers about a couple of months ago (see "Passport is cracked," www.infoworld.com/printlinks).

That problem, which still exists, is that Windows 95, 98, and Windows Me leave a user's ID and password visible in memory, where any rogue e-mail or Trojan horse can retrieve it during a user's dial-up connection to an ISP and for 10 minutes afterward. In Slemko's case, the 15-minute vulnerability was due to a cache on Microsoft's Passport Web server.

Microsoft reduced the Passport server timeout and placed Express Purchase back online on Nov. 3. The company said in a statement that the vulnerability would not have affected users running the new Windows XP operating system.

But Microsoft didn't wait until customers had XP before requiring millions of Hotmail subscribers to use Passport to log on. There are hundreds of millions of vulnerable PCs out there and Microsoft now requires that Passport be the only way to access an increasing number of services."
Nebraska Dept of Revenue