Microsoft Money Plaintext Password Vulnerability
BID:1615
Info
Microsoft Money Plaintext Password Vulnerability
| Bugtraq ID: | 1615 |
| Class: | Design Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Aug 25 2000 12:00AM |
| Updated: | Aug 25 2000 12:00AM |
| Credit: | Discovered by Ken and publicized in a Microsoft Security Bulletin (MS00-061) on August 25, 2000. |
| Vulnerable: |
Microsoft Money 2001 Microsoft Money 2000 |
| Not Vulnerable: | |
Discussion
Microsoft Money Plaintext Password Vulnerability
Under certain circumstances, the password used to protect Microsoft Money from unauthorized access is stored as plaintext. A user who has physical access to the system where the Money file resides is able to obtain the password and use it to view and modify the Money file which includes account information.
This vulnerability could only be exploited remotely if the Money file exists on a share that has been made available to external users.
Under certain circumstances, the password used to protect Microsoft Money from unauthorized access is stored as plaintext. A user who has physical access to the system where the Money file resides is able to obtain the password and use it to view and modify the Money file which includes account information.
This vulnerability could only be exploited remotely if the Money file exists on a share that has been made available to external users.
Exploit / POC
Microsoft Money Plaintext Password Vulnerability
See discussion.
See discussion.
Solution / Fix
Microsoft Money Plaintext Password Vulnerability
Solution:
Microsoft has provided the following instructions for installing the patch:
This patch is available for automatic download using the â??Update Internet Informationâ? feature in Money.
1. On the Tools menu, click Update Internet Information.
2. Follow the instructions on the screen to install the patch.
3. Microsoft recommends users change their password after applying this fix as a best practice.
Solution:
Microsoft has provided the following instructions for installing the patch:
This patch is available for automatic download using the â??Update Internet Informationâ? feature in Money.
1. On the Tools menu, click Update Internet Information.
2. Follow the instructions on the screen to install the patch.
3. Microsoft recommends users change their password after applying this fix as a best practice.
References
Microsoft Money Plaintext Password Vulnerability
References:
References: