Wide-spread exploitation of security hole in Windows Live Mail

Yesterday, April 5th 2009 at approximately 4:30pm (BST), several messages were sent from my HoTMaiL account to every single one of my MSN contacts. Luckily, this account is long-dormant – but unfortunately, Windows Live operates a shared list of contacts between Mail and Messenger (which I do still use, for my sins).

The message test was:

Great shopping for you!
i would like to introduce a good company who trades mainly in electornic products.
Now the company is under sales promotion,all the products are sold nearly at its cost.
They provide the best service to customers,they provide you with original products of
good quality,and what is more,the price is a surprising happiness to you!
It is realy a good chance for shopping.just grasp the opportunity,Now or never!

The URL that followed was from the following domain:

Domain Name: DTPLAZA.COM
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Name Server: NS1.DNS.COM.CN
Name Server: NS2.DNS.COM.CN
Status: clientTransferProhibited
Updated Date: 28-mar-2009
Creation Date: 28-mar-2009
Expiration Date: 28-mar-2010

… which was only registered 8 days prior to this email being sent. It appears that many other people have been having similar issues for days, though:

5 people having been hit since 9th March;
3 people having been hit since 26th March;
24th February (same message with a different URL);
26th March (same message with a different URL).

Other occurences in mailing-lists are here and here.

Worryingly, here is a spam blog post… did this user have the ability to create posts via email turned on, or is even more of the Live infrastructure compromised?

I believe that this must be a vulnerability within the Windows Live infrastructure: My mail account was unused, me having not logged in to it for months. I do use MSN Messenger and did start Windows 7 over the weekend which caused Live Mesh to update – both of which use the same login data. The password on the account was strong and not dictionary-based, and I haven’t used any public terminals or unsecure Wifi connections recently – and probably not for Microsoft services for several years.

I can therefore only see three possibilities for the cause of this:

Some organisation has the capability to crack Windows Live passwords en-mass
This is the most unlikely scenario, as the time needed to crack even a small number of weak dictionary-based passwords is enormous. Additionally, you’d hope that there would be rate-limiting mechanisms on login infrastructure to prevent an attacker spamming possible passwords at the maximum rate the network allows. Hopefully this rate-limiting isn’t source IP address based, as in today’s world of pervasive botnets, each individual machine need only send a small number of requests to cover large chunks of password dictionaries. I have checked such dictionaries for my password, though, and it isn’t listed.
MSN Messenger has a login vulnerability
If Messenger were vulnerable to a man-in-the-middle or replay attack, then an attacker would already have the login name (the user ID) and could potentially gain the account password. This would be a major hole in such a widely-used service, and would explain how my particular low-usage account could have been compromised. This option is troubling as it would give full access to all account data to an attacker. They could also change secret questions and follow linked accounts, probably trying the same password against these accounts. If this is the case, then the only solution until such a vulnerability is confirmed by Microsoft and fixed is to stop using the MSN Messenger protocol (as my work usage of MSN, the only significant use of this login information, is through the open-source Pidgin application).
The Windows Live infrastructure has a vulnerability
This is probably the most disturbing option, given the number of different ways in which Microsoft have tried to push what were originally HoTMaiL email account names as a form of universal ID. The silver lining is that the security model may not be blown-open, and it may only be facets which can be accessed by an attacker. For example, an attacker may be able to view the contacts list and send email, but may be unable to view other details or change passwords. This view would be supported by the fact that none of the people reporting having had spam send from their accounts has been locked-out of Live Mail… surely, if you’d expended a lot of time or effort to crack a service that you then had full control over (as any of the above options would imply) then the first thing you’d do is change the password to lock-out the owner whilst they work out how to get these details reset. Given that anyone inadvertently sending spam will likely find out this situation from contacts fairly quickly, this doesn’t seem to disclose any additional information. At the same time, many users may be unsure as to what they are able to do to resolve the situation, and so the attack may simply rely on affected people doing nothing, whereas an account lock-out prompts action.

My hunch is that the situation is described by the third option above: Other than Messenger, I make no use of other Windows Live services and haven’t for months – this suggests an attack against the Live infrastructure directly. The only question is then of what level of access an attacker gains: can they read the existing password? If not, then there will be a lot of spam going around until Microsoft fix the problem. If so, then all Microsoft IDs and all data associated with them are compromised, and these accounts should be closed immediately.

What needs to happen is for Microsoft to go public about this problem, how wide-spread it is, what information is compromised, and what they are doing about it. Until then, all Microsoft services should be approached with utmost caution.