Microsoft Security Bulletin MS00-061 - Critical
Patch Available for 'Money Password' Vulnerability
Published: August 25, 2000 | Updated: October 14, 2002
Originally posted: August 25, 2000
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Money. The vulnerability could allow a malicious user to obtain the password of a Money data file.
Affected Software:
- Microsoft Money 2001
- Microsoft Money 2000
Vulnerability Identifier: CVE-2000-0777
Microsoft Money provides a password protection feature that prevents unauthorized access to your Money file. However, due to the way the password is currently handled, the password may be written in plaintext under certain conditions.
The vulnerability only affects Money data stored on the user's local computer - it does not affect the security of Money's online services in any way. Moreover, a malicious user would need to gain physical access to an affected file in order to exploit the vulnerability - it could not be exploited remotely. It's important to note that password protection in Money is not intended to be a substitute for file-level access control, and even in the absence of this vulnerability, customers need to protect such files. Microsoft recommends that computer users follow best practices when securing their systems, including ensuring that machines with important data are physically secure, and not sharing important data files with untrusted or unknown sources.
What's this bulletin about?
Microsoft Security Bulletin MS00-061 announces the availability of a patch that eliminates a vulnerability in Microsoft® Money. Under certain conditions, the vulnerability could allow a malicious user to obtain the password of a Money data file. Microsoft is committed to protecting customers' information, and is providing this bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a privacy compromise vulnerability that could potentially expose the password of a Money data file. If a malicious user could obtain the password to a Money file, he could open the Money file, view the user's accounts and make any change that the user himself could make.
There are several significant restrictions to this vulnerability. In order for a malicious user to compromise the password of a Money file, he would need to have already obtained physical access to the Money data file. There is no way for a malicious user to access your Money data file over the internet via this vulnerability, and the security of Money's online services is not affected.
What causes the vulnerability?
This vulnerability is caused by the way the password associated with a Money file is handled. By design, the password is encrypted in the file; however, the vulnerability causes it to be written in plaintext under certain conditions.
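The defect class the bulletin describes, a save routine that is meant to keep the password protected but on one code path writes it out verbatim, is illustrated below with a constructed example. This is added code, not Microsoft's or Money's; the record layout, field names and the `verbose_header` condition are invented, and the fixed form uses PBKDF2 plus an HMAC-based stream cipher from the Python standard library only so that it runs offline (a production file format would use a vetted authenticated cipher such as AES-GCM). The `contains_plaintext_password` check is the test a defender would run against a saved file: with the vulnerable path the password is recoverable by a plain substring search; with the fixed form it is not, and a wrong password fails verification instead of decrypting.

```python
import hashlib
import hmac
import json
import secrets

# Constructed illustration of the bulletin's defect class. Nothing here is the
# Microsoft Money file format; layout and field names are invented.


def save_vulnerable(password: str, accounts: dict, verbose_header: bool = False) -> bytes:
    """Deliberately flawed: one code path copies the password into the file in cleartext."""
    header = {"version": 1, "pwd_digest": hashlib.sha1(password.encode()).hexdigest()}
    if verbose_header:             # the "certain conditions" of the bulletin
        header["pwd"] = password   # BUG: password is serialised in plaintext
    return json.dumps({"header": header, "accounts": accounts}).encode()


def _derive_keys(password: str, salt: bytes):
    # 64 bytes from PBKDF2: first half encrypts, second half authenticates.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return dk[:32], dk[32:]


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; illustrative only, not a vetted cipher.
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def save_fixed(password: str, accounts: dict) -> bytes:
    """Fixed form: the file holds only a salt, nonce, ciphertext and MAC tag, never the password."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(password, salt)
    plaintext = json.dumps(accounts).encode()
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).hexdigest()
    header = {"version": 2, "salt": salt.hex(), "nonce": nonce.hex(), "tag": tag}
    return json.dumps({"header": header, "body": body.hex()}).encode()


def load_fixed(blob: bytes, password: str) -> dict:
    """Open a file written by save_fixed; raises ValueError on a wrong password."""
    doc = json.loads(blob)
    h = doc["header"]
    salt, nonce, body = bytes.fromhex(h["salt"]), bytes.fromhex(h["nonce"]), bytes.fromhex(doc["body"])
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, h["tag"]):   # verify before decrypting
        raise ValueError("wrong password or corrupted file")
    plaintext = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))
    return json.loads(plaintext)


def password_opens(blob: bytes, password: str) -> bool:
    """True if the password verifies against the fixed-format file."""
    try:
        load_fixed(blob, password)
        return True
    except ValueError:
        return False


def contains_plaintext_password(blob: bytes, password: str) -> bool:
    """Defender's check: is the password present verbatim in the saved file?
    A substring test is a heuristic; a password made only of hex digits could
    collide with hex-encoded fields, so treat a hit as a prompt to inspect."""
    return password.encode() in blob


if __name__ == "__main__":
    accounts = {"checking": 1234.56}
    bad = save_vulnerable("hunter2", accounts, verbose_header=True)
    good = save_fixed("hunter2", accounts)
    print("vulnerable file leaks password:", contains_plaintext_password(bad, "hunter2"))
    print("fixed file leaks password:", contains_plaintext_password(good, "hunter2"))
    print("fixed file opens with right password:", password_opens(good, "hunter2"))
    print("fixed file opens with wrong password:", password_opens(good, "wrong"))
```

The point of the split between `save_fixed` and `load_fixed` is that the password never needs to be written anywhere: the file carries enough (salt, nonce, tag) to verify a password offered later and to decrypt, and nothing that yields the password itself.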
What would this vulnerability allow a malicious user to do?
If a malicious user could access an encrypted Money file that's affected by the vulnerability, he could exploit the vulnerability as a way of learning the password to the file. If he could do that, he would have full access to the contents of the Money file.
What protection does a password provide?
A password is like a lock on your door. It provides protection against unauthorized entry while still allowing you access. However, the password protection in Money is not intended to serve as a substitute for an access control mechanism. That is, even in the absence of this vulnerability, customers should regulate access to the Money files. Customers using Windows 95, 98 or 98 Second Edition should ensure that the files are physically protected; Windows NT and Windows 2000 users should use the built-in access control mechanisms to prevent other users from accessing the files.
How would a malicious user obtain physical access to my Money data file?
This vulnerability does not provide a way for a malicious user to gain physical access to the file - instead, this would be a problem of social engineering. He might try to entice you into giving him access to your computer, or, if the file were stored on a floppy disk, he might simply steal it.
Could a malicious user exploit this vulnerability via the Internet?
The vulnerability cannot be remotely exploited. However, if a user had created a share, made it available to external users, and placed an affected Money file on the share, it could be possible for a malicious user to retrieve the file and then exploit the vulnerability.
Does this vulnerability affect the security measures for online activity such as statement download, bill payment, and synchronization with MSN Money Central?
No. This vulnerability does not impact the security of the user's data while connected to the Internet. Personal finance software is extremely secure. With the release of this patch, Money customers may be assured that their passwords are encrypted with full 128-bit encryption - the highest level available. Money also uses 128-bit encryption to protect sensitive file data and in communicating with banks, bill pay services, etc.
I have never password protected my Money data file in the past, should I do so now?
Yes. Password protection ensures that your Money data is not accessible to anyone else but you.
I am using NT 4.0 or Windows 2000, is there anything else I can do to prevent physical access to my Money file?
Yes. Windows NT and Windows 2000 are designed to provide file level access. Customers who wish to protect their Money file in the most secure manner should use Windows NT or Windows 2000 on an NTFS partition and use the native access control features to prevent unauthorized access to the file.
Do I have to register Money in order to receive this fix?
No. Although Microsoft recommends registering Money, it is not required in order to receive this patch.
Who should use the patch?
Microsoft recommends that all Money 2000 and Money 2001 users consider installing the patch.
What does the patch do?
The patch eliminates the vulnerability by fixing the way your password is written to the Money data file.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
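The manifest check the answer describes, done as a script rather than by hand, is shown below as an added example that is not part of the bulletin or the KB article. The manifest entries are placeholders: the real file names, sizes and dates of the patch package are in KB article Q272232 and are not reproduced on this page. It also assumes that the KB's "creation date" can be compared against the file's timestamp; since `st_ctime` means creation time on Windows but metadata-change time elsewhere, the example compares `st_mtime`, which behaves the same on every platform.

```python
import os
import tempfile
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# CONSTRUCTED placeholder manifest: (relative path, size in bytes, date YYYY-MM-DD).
# Replace with the real entries from the KB article's file manifest.
MANIFEST: List[Tuple[str, int, str]] = [
    ("PLACEHOLDER_patched_module.dll", 1234, "2000-08-25"),
    ("PLACEHOLDER_readme.txt", 56, "2000-08-25"),
]


def file_date(path: str) -> str:
    """Date of the file's timestamp in UTC. Assumption: st_mtime stands in for
    the KB's 'creation date' so the check behaves the same on every platform."""
    ts = os.stat(path).st_mtime
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def verify_manifest(root: str, manifest=MANIFEST) -> List[str]:
    """Compare installed files against the manifest; empty list means all match."""
    problems = []
    for rel, size, date in manifest:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            problems.append(f"{rel}: missing")
            continue
        actual = os.path.getsize(path)
        if actual != size:
            problems.append(f"{rel}: size {actual}, expected {size}")
        actual_date = file_date(path)
        if actual_date != date:
            problems.append(f"{rel}: date {actual_date}, expected {date}")
    return problems


def stage_files(root: str, manifest=MANIFEST, corrupt: Optional[str] = None) -> None:
    """Create files matching the manifest, truncating the one named in `corrupt`,
    to simulate a clean or a damaged install for the demo."""
    for rel, size, date in manifest:
        path = os.path.join(root, rel)
        n = size - 1 if rel == corrupt else size
        with open(path, "wb") as f:
            f.write(b"\0" * n)
        ts = datetime.strptime(date, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp()
        os.utime(path, (ts, ts))


def demo(corrupt: Optional[str] = None) -> List[str]:
    """Stage the placeholder files in a temp directory and return the verification result."""
    with tempfile.TemporaryDirectory() as d:
        stage_files(d, corrupt=corrupt)
        return verify_manifest(d)


if __name__ == "__main__":
    print("clean install:", demo() or "all files match")
    print("damaged install:", demo(corrupt="PLACEHOLDER_readme.txt"))
```

On a real installation, point `verify_manifest` at the Money program directory and load `MANIFEST` from the KB article's table; any non-empty result means the patch did not land as documented and should be reapplied before relying on it.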
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
Download locations for this patch
This patch is available for automatic download using the "Update Internet Information" feature in Money.
- On the Tools menu, click Update Internet Information.
- Follow the instructions on the screen to install the patch.
- Microsoft recommends users change their password after applying this fix as a best practice.
Additional information about this patch
Installation platforms: Please see the following references for more information related to this issue.
- Microsoft Knowledge Base (KB) article Q272232, http://support.microsoft.com/default.aspx?scid=kb;en-us;272232&sd=tech
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 August 25, 2000: Bulletin Created.
- V1.1 October 14, 2002: Bulletin updated with new URL in acknowledgements.