What's this bulletin about?
Microsoft Security Bulletin MS00-061 announces the availability of a patch that eliminates a vulnerability in Microsoft® Money. Under certain conditions, the vulnerability could allow a malicious user to obtain the password of a Money data file. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a privacy compromise vulnerability that could potentially expose the password of a Money data file. If a malicious user could obtain the password to a Money file, he could open the Money file, view the user's accounts and make any change that the user himself could make.
There are several significant restrictions to this vulnerability. In order for a malicious user to compromise the password of a Money file, he would need to have already obtained physical access to the Money data file. There is no way for a malicious user to access your Money data file over the internet via this vulnerability and the security of Money's online services are not affected.
What causes the vulnerability?
This vulnerability is caused by the way the password associated with a Money file is handled. By design, the password is encrypted in the file; however, the vulnerability causes it to be written in plaintext under certain conditions.
What would this vulnerability allow a malicious user to do?
If a malicious user could access an encrypted Money file that's affected by the vulnerability, he could exploit the vulnerability as a way of learning the password to the file. If he could do that, he would have full access to the contents of the Money file.
What protection does a password provide?
A password is like a lock on your door. It provides protection against unauthorized entry while still allowing you access. However the password protection in Money is not intended to serve as a substitute for an access control mechanism. That is, even in the absence of this vulnerability, customers should regulate access to the Money files. Customers using Windows 95, 98 or 98 Second Edition should ensure that the files are physically protected; Windows NT and Windows 2000 users should use the built-in access control mechanisms to prevent other users from accessing the files.
How would a malicious user obtain physical access to my Money data file?
This vulnerability does not provide a way for a malicious user to gain physical access to the file - instead, this would be a problem of social engineering. He might try to entice you into giving him access to your computer, or, if the file were stored on a floppy disk, he might simply steal it.
Could a malicious user exploit this vulnerability via the Internet?
The vulnerability cannot be remotely exploited. However, if a user had created a share, made it available to external users, and placed an affected Money file on the share, it could be possible for a malicious user to retrieve the file and then exploit the vulnerability.
Does this vulnerability affect the security measures for online activity such as statement download, bill payment, and synchronization with MSN Money Central?
No. This vulnerability does not impact the security of the user's data while connected to the Internet. Personal finance software is extremely secure. With the release of this patch, Money customers may be assured that their passwords are encrypted with full 128-bit encryption - the highest-level available. Money also uses 128-bit encryption to protect sensitive file data and in communicating with banks, bill pay services, etc.
I have never password protected my Money data file in the past, should I do so now?
Yes. Password protection insures that your Money data is not accessible to anyone else but you.
I am using NT 4.0 or Windows 2000, is there anything else I can to do to prevent physical access to my money file?
Yes. Windows NT and Windows 2000 are designed to provide file level access. Customers who wish to protect their Money file in the most secure manner should use Windows NT or Windows 2000 on an NTFS partition and use the native access control features to prevent unauthorized access to the file.
Do I have to register Money in order to receive this fix?
No. Although Microsoft recommends registering Money, it is not required in order to receive this patch.
Who should use the patch?
Microsoft recommends that all Money 2000 and Money 2001 users consider installing the patch.
What does the patch do?
The patch eliminates the vulnerability by fixing the way your password is written to the Money data file.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
