[19946] in bugtraq
Microsoft Security Bulletin MS01-019
daemon@ATHENA.MIT.EDU (Bob Rogers)
Fri Mar 30 06:09:07 2001
Message-ID: <15043.15377.341326.112340@h0050da615e79.ne.mediaone.net>
Date: Thu, 29 Mar 2001 08:43:45 -0500
Reply-To: Bob Rogers <rogers-bugtraq@RGRJR.DYNDNS.ORG>
From: Bob Rogers <rogers-bugtraq@RGRJR.DYNDNS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <C10F7F33B880B248BCC47DB446738847445E94@red-msg-07.redmond.corp.microsoft.com>

   From: Microsoft Product Security <secnotif@MICROSOFT.COM>
   Date: Wed, 28 Mar 2001 07:08:28 -0800

   - ----------------------------------------------------------------------
   Title:      Passwords for Compressed Folders are Recoverable
   Date:       28 March 2001
   Software:   Plus! 98 and Windows Me
   Impact:     Data compression passwords can be recovered.
   Bulletin:   MS01-019

   Microsoft encourages customers to review the Security Bulletin at:
   http://www.microsoft.com/technet/security/bulletin/MS01-019.asp.
   - ----------------------------------------------------------------------

   . . .

   Mitigating Factors:
   ====================
    - The password at issue here is not related in any way to the
      user's network logon password. It is used solely for
      password-protecting compressed folders.

Considering how frequently most people tend to reuse passwords, this is
a pretty strong statement. Since Microsoft states that the folder
password is "not related in any way to the user's network logon
password" with such confidence, that would seem to imply a mechanism
that prohibits password reuse when establishing the folder compression
password. Is that the case, or does this statement merely promote a
false sense of security?
-- Bob Rogers