By Joey Gardiner, 31 May 2001 17:31
Security experts have branded Microsoft's response to the discovery of a possible security flaw in its authentication software as 'inadequate'. Experts say Microsoft's declaration that the problem was down to human error ignores the fact that any robust security engine should have easily picked up this type of inconsistency.

On Tuesday, silicon.com revealed (http://www.silicon.com/a44732) that a user of its e-open web-licensing programme was able to see the account details of another Microsoft licensee. This online licence management facility is authenticated by Passport, Microsoft's proprietary authentication engine which underpins its .NET vision of fully integrated web services.

In a written statement, Microsoft told silicon.com the user's "ability to view the licensing details of another Microsoft customer via the Microsoft e-open licensing programme was caused by a human error with data input... We are reviewing our backend processes to prevent this type of error from happening in the future. There was no breach of security or data corruption with Passport."

But despite the software giant's assurances, security experts said the fault undoubtedly highlights weaknesses in its software.

Bruce Schneier, founder and CTO of security consultants Counterpane, said Microsoft needs to create a secure system that could work in spite of human failure: "It is vital here because the idea of Passport is for a single sign-on, which is also potentially a single point of failure. Most security problems have a human element, but this highlights the inability of Microsoft's systems to handle the day-to-day things that people do."

Neil Barrett, technical director at security consultancy IRM, concurred: "You would expect the system to have been more robust than it seems to have been." He added: "Microsoft typically seems to be clumsily quick to market with products that purport to have high levels of security, but don't live up to the billing. Their testing just doesn't seem to be security orientated."

Microsoft was unable to provide any further comment at the time of writing.