[ SOURCE: http://www.secureroot.com/security/advisories/9672544727.html ] The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox. ******************************** -----BEGIN PGP SIGNED MESSAGE----- Microsoft Security Bulletin (MS00-061) - -------------------------------------- Patch Available for "Money Password" Vulnerability Originally posted: August 25, 2000 Summary ======= Microsoft has released a patch that eliminates a security vulnerability in Microsoft(r) Money. The vulnerability could allow a malicious user to obtain the password of a Money data file. Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-061.asp. Issue ===== Microsoft Money provides a password protection feature that prevents unauthorized access to your Money file. However, due to the way the password is currently handled, the password may be written in plaintext under certain conditions. The vulnerability only affects Money data stored on the user's local computer - it does not affect the security of Money's online services in any way. Moreover, a malicious user would need to gain physical access to an affected file in order to exploit the vulnerability - it could not be exploited remotely. It's important to note that password protection in Money is not intended to be a substitute for file-level access control, and even in the absence of this vulnerability, customers need to protect such files. Microsoft recommends that computer users follow best practices when securing their systems, including ensuring that machines with important data are physically secure, and not sharing important data files with untrusted or unknown sources. Affected Software Versions ========================== - Microsoft Money 2001 - Microsoft Money 2000 Patch Availability ================== This patch is available for automatic download using the "Update Internet Information" feature in Money. 1. On the Tools menu, click Update Internet Information. 2. Follow the instructions on the screen to install the patch. 3. Microsoft recommends users change their password after applying this fix as a best practice. Note: Additional security patches are available at the Microsoft Download Center More Information ================ Please see the following references for more information related to this issue. - Frequently Asked Questions: Microsoft Security Bulletin MS00-061, http://www.microsoft.com/technet/security/bulletin/fq00-061.asp - Microsoft Knowledge Base article Q272232 discusses this issue and will be available soon. - Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp Obtaining Support on this Issue =============================== This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp. Acknowledgments =============== Microsoft thanks ken for reporting this issue to us and working with us to protect customers. Revisions ========= - August 25, 2000: Bulletin Created. THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Last Updated August 25, 2000 (c) 2000 Microsoft Corporation. All rights reserved. Terms of use. -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBOabCWY0ZSRQxA/UrAQG3IAf/XXhoOE+mzVf6T4gyE33E+MwVm0PD9PQO HlBF/4VTtJjzGbUsO3RT9gpavYmvZOxBH2BceNdK0SFpDAS0pkHqJWTF5pZNyCMh 5xIY5N/ss0Ou/TB2so2v9uPoQQyughb9ioZ9tGuxsuh931NO6oRyhGpujzQ9K8Tm LsK7tpUTigeqsvaYemWdfGT4UJw6ThZx/ITUW9yoxf4EwlbPB15zcTL33oZJC4gY KjzjXG/9L55f1IAMBDBzBg1epqQ43vo/RPhCkHblw5UG4uL3ESfLR+UxnJNSOm2E Z5jchx355sZvHkCSssoM0NIHN+pjnr5bWUdBWJooWoGeYYl25FEYzQ== =FVEw -----END PGP SIGNATURE----- ******************************************************************* You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM The subject line and message body are not used in processing the request, and can be anything you like. To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/technet/security/notify.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.