HOTMAIL HOTSEAT

trust action and major security breaches affecting Internet Explorer 5 and, earlier, Office. Now, however, a security breach that left millions of private Hotmail accounts open to non-subscribers means more debate over both online security in general and Microsoft security in particular.

The Hotmail breach gave surfers at two or more Web sites access to accounts merely by typing in a Hotmail user's name. Reports indicate a Web site in the U.K. and another in Sweden allowed such access. In many cases, once a surfer was in, messages could be read and even forwarded, according to ZDNet News and other sources.

Microsoft says it took Hotmail servers down for a few hours Monday morning to fix the breach, but some users are reportedly saying the fix wasn't complete and the breach still exists. CNET says the breach still existed as of 12 noon PDT. ZDNet says that was largely because Microsoft was going server to server to close the breach.

ZDNet reporter Lisa Bowman says one of the first sites to exploit the breach was Sweden's Moving Pictures. Their URL was actually directing people to a number of sites, including Microsoft's security page and "a rant about Internet standards and date-related software problems," Bowman says.

With between 40 and 50 million users, Hotmail - which Microsoft took over more than a year and a half ago - is the world's largest free e-mail service. But reports indicate that no other such services were affected by the breach.

And the breach may have been due to sloppy front-end programming, according to some reports. ZDNet News says Hotmail was configured to accept anyone's ID forwarded within a specific URL framework as a valid user ID - but if someone knew what that framework was, they could insert someone else's ID and raid that account.
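The flaw class described above, sketched as an added example that is not Hotmail's code and not part of the original article: one handler treats the ID carried in the URL as proof of identity, the other takes identity only from a server-side session created at password login. The parameter name `login`, the host `mail.example`, the function names and the mailbox data are all constructed assumptions.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed sample data (hypothetical users and messages).
MAILBOXES = {"alice": ["Lunch on Friday?"], "bob": ["Your invoice"]}
SESSIONS = {}  # session token -> user ID established at password login


def login(user, password_ok):
    """Issue a random session token only after the password check succeeded."""
    if not password_ok or user not in MAILBOXES:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def _param(url, name):
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def read_mail_flawed(url):
    """Flawed: whoever names an ID in the URL is served that ID's mailbox."""
    return MAILBOXES.get(_param(url, "login"))


def read_mail_checked(url, session_token):
    """Identity comes from the session; the URL ID is only a request to verify."""
    user = SESSIONS.get(session_token or "")
    if user is None:
        return None  # no authenticated session: refuse
    requested = _param(url, "login")
    if requested and requested != user:
        return None  # authenticated as someone else: refuse
    return MAILBOXES[user]


if __name__ == "__main__":
    bob_url = "https://mail.example/inbox?login=bob"  # constructed URL
    alice_token = login("alice", password_ok=True)
    print("flawed, no session :", read_mail_flawed(bob_url))
    print("checked, as alice  :", read_mail_checked(bob_url, alice_token))
    print("checked, no session:", read_mail_checked(bob_url, None))
```
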

Bowman and other observers say that even if Microsoft did repair the breach quickly, it will have a bigger problem to repair, one which may take longer - the public relations damage, especially in the wake of the IE5 and Office security problems. Computer consultants also think that until or unless consumers demand more secure software, Microsoft - and others - aren't that likely to make security a higher priority than it is now.