IDG.net: Experts: Hotmail hack easy, office fix flawed

“Tweety Fish, a hacker with the hacker group Cult of the Dead
Cow, said the Hotmail hack is ‘about the easiest I’ve ever seen.
… ‘For Microsoft to call this knowledge anything ‘advanced’ is a
truly laughable PR play.’”

“‘I can’t overstate what a horrifying example this is of
Microsoft’s total inability to take security issues seriously.

‘50 million’ people’s private information was left completely wide
open to anybody with the ability to make a Web page for OVER 24
hours, and Microsoft chose to minimize the problem and delay their
own response,’ he wrote. ‘It is completely irresponsible on their
part, and, I think, should serve as an indication to the public
at large that nothing Microsoft says about security should ever be
taken seriously without independent verification.’”

“In another development today, Smith said the individual who
discovered last week’s security hole in Office 97 and Office 2000
now says the fix for those vulnerabilities has a problem. ‘This
Office problem seems to be taking weeks and weeks and weeks and
more than one try to get right,’ he said.

The security flaw, related to Microsoft’s Jet data access
software, allows code in an Excel 97 worksheet that is hidden in a
Web page or sent via e-mail to delete data, read files or spread
viruses, according to Juan Carlos Garcia Cuartango, the Spanish
engineer who discovered the exploit.”

