Despite Microsoft's claims that it took "advanced" skills to create a hack in its free Web-based Hotmail service that exposed millions of users' accounts, security experts yesterday said it was actually very "user friendly" and easily shared.
In a separate development, a fix for security holes in Microsoft Office is flawed, according to one software expert.
The Office security problem hit the headlines last week. But the Hotmail hack, first publicised in Sweden yesterday, has become Microsoft's latest public relations fiasco. The Hotmail hack became widely known after a Swedish Web site administrator included on his page a URL that linked to a Hotmail log-in page. That log-in page allowed anyone to type in a user name and either a fake password or no password and access that user's account. The owner of the Web site with the link said he did not create the code but only cut and pasted the URL to the log-in page from another Web site.
Microsoft fixed the hack later in the day and Deanna Sanford, a product marketing manager for the Microsoft Network, attributed it to "a malicious hacker with very specific knowledge of advanced Web-development languages."
However, several security experts chuckled at that explanation.
"Maybe the first person who discovered it was pretty smart," said Richard M. Smith, president of Phar Lap Software in Cambridge, Massachusetts. "But once the cat's out of the bag it doesn't make any difference.
"Once somebody figured out what it took it was pretty simple, just a form on a Web page," he said. "Anybody could get to it. It was very user-friendly."
Smith said the cause of the hack was a bug in the application software that runs the Hotmail service, and not in the Unix operating system the application was running on. The bug apparently was in older Hotmail servers and not newer ones running Microsoft's new Passport service, which offers MSN users single log-in access to a variety of MSN Web sites, he said.
"It's interesting that the problem showed up the same weekend that the Passport service got started and only happened on some of the older servers," Smith said. "But, the bugs could have been around for six months and it was just a coincidence (too)."
Tweety Fish, a hacker with the hacker group Cult of the Dead Cow, said the Hotmail hack is "about the easiest I've ever seen."
"It's not often that you see a hack of this severity that can be perpetrated with no tool other than Microsoft FrontPage, or GoLive CyberStudio. The only HTML knowledge (required), the ability to create a form, is one of the very first skills anybody who learns to make Web pages is taught," the hacker wrote in an e-mail response to questions. "For Microsoft to call this knowledge anything 'advanced' is a truly laughable PR play."
Tweety Fish speculated that the hack was an intentional "backdoor," either part of a work in progress or a function implemented for testing purposes. "It's also possible that it was an accident that the cgi that was exploited got left on production servers," he said. "Either way it's a gross oversight, the most foolish type of security misstep."
CGI stands for common gateway interface, which is the standard way for Web servers to pass a user's request to an application program and receive data back to send on to the user.
The hacker said he suspects that a current or former Microsoft employee told somebody about the "start.cgi" code that had been left on the production servers and that person then passed the information along.
"I can't overstate what a horrifying example this is of Microsoft's total inability to take security issues seriously. '50 million' people's private information was left completely wide open to anybody with the ability to make a Web page for OVER 24 hours, and Microsoft chose to minimize the problem and delay their own response," he wrote. "It is completely irresponsible on their part, and, I think, should serve as an indication to the public at large that nothing Microsoft says about security should ever be taken seriously without independent verification."
Neither Smith nor Tweety Fish had heard of Hackers Unite, the group that reportedly has claimed responsibility for the hack.
A Microsoft spokeswoman said officials were inundated with calls on the situation and could not immediately make someone available to comment.
In another development today, Smith said the individual who discovered last week's security hole in Office 97 and Office 2000 now says the fix for those vulnerabilities has a problem. "This Office problem seems to be taking weeks and weeks and weeks and more than one try to get right," he said.
The security flaw, related to Microsoft's Jet data access software, allows code in an Excel 97 worksheet that is hidden in a Web page or sent via e-mail to delete data, read files or spread viruses, according to Juan Carlos Garcia Cuartango, the Spanish engineer who discovered the exploit.
In a posting yesterday to the NTBugtraq e-mail list (www.ntbugtraq.com), Garcia Cuartango said that after three weeks of development, the JetcoPkg.exe fix Microsoft released to combat the Office 97/2000 vulnerability last week still contains "a lot of vulnerabilities."
"Jet driver can be used from an Excel Worksheet or Word document to silently create, delete or modify some kind of files," he wrote. "A lot of exploits can be implemented, a malicious document opened by hand or automatically inside a hidden HTML frame could do everything on your computer even destroy it or inoculate a virus."
Garcia Cuartango said he has suggested that Microsoft modify Office so that it handles any document containing ODBC (open database connectivity) calls as if it contains macros.
More information about the Office fix is at http://www.microsoft.com/security and http://officeupdate.microsoft.com/. The Redmond, Washington-based company can be reached at +1-425-882-8080 or http://www.microsoft.com/.