A Mistaken Hacking Call on CardSpace

A software developer discovered a flaw in 'Windows CardSpace', claiming that it could give a user illegal access to the desktop. Was it a vulnerability that Microsoft overlooked? The company denies that it is one at all.

Microsoft created 'Windows CardSpace' to store digital identities. It is meant to be a central place to authenticate users for transactions such as logging into a desktop or posting a comment or suggestion on a site. The technology also stores other information about a user, such as name, address and phone number. The key function of 'CardSpace' is to keep data secure. In its brief existence so far, there have been no breaches. However, someone claims to have broken through the system.

Developer Sergey Shishkin says he has hacked 'CardSpace' and even has a 'proof of concept' ready.

The vulnerability that was exploited involves the 'Open File Dialog', which is used in operations such as choosing a picture for a card or a file for data backup. While the 'Open File Dialog' is opening, the desktop becomes visible for just a moment. But once it has opened, the 'start menu' can be opened with the 'Win button', and from there anything is possible.

This is something that could hardly be missed. In fact, Microsoft didn't miss it, and the company said it wasn't a vulnerability. Responding to Shishkin's claim, Richard Turner, program manager for 'Windows CardSpace', explained that when the 'Open File Dialog' opens within CardSpace, the user is actually taken back to the desktop, where the 'Open File Dialog' displays itself.

Microsoft took great care that the 'dialog' did not open from within CardSpace's desktop, to guard against code being invoked there, whether inadvertently or deliberately. Code executing within that desktop could weaken the security of 'CardSpace's Private Desktop'.

Since the 'dialog' appears to open from within CardSpace, Microsoft made several attempts to keep the user experience consistent.

Although CardSpace has not been in the headlines recently, a vulnerability report like this could certainly put it there. When handling a technology that maintains people's information, it is important that rumors are not allowed to spread.

» SPAMfighter News - 10/27/2006
