Microsoft KB Archive/272232

= Money: Description of the Money Password Security Update =

Article ID: 272232

Article Last Modified on 1/29/2007

-

APPLIES TO


 * Microsoft Money 2000 Standard Edition
 * Microsoft Money 2000 Business & Personal Edition
 * Microsoft Money 2000 Deluxe Edition
 * Microsoft Money 2001 Standard Edition

-



This article was previously published under Q272232



SUMMARY
This article describes the Money Password Security Update for Microsoft Money 2000 and Microsoft Money 2001.

Microsoft Money provides a password protection feature that prevents unauthorized access to a Money file. However, because of the method that Money currently uses to store the password in the Money data file, the password may be written in plain text under certain conditions.

This vulnerability only affects Money data that is stored on the local computer. It does not affect the security for the Online Services feature of Money.

In addition, to exploit the vulnerability, a malicious user would need to gain physical access to an affected Money data file. As a result, this vulnerability cannot be exploited remotely.

NOTE: Password protection in Money is not intended to be a substitute for file-level access control, and even in the absence of this vulnerability, you must protect your sensitive files. Microsoft recommends that you follow best practices when you secure your computer, including ensuring that any computer that contains important data is physically secure, and that important data files are not shared with untrusted or unknown users.

Microsoft has released the Money Password Security Update to fix this vulnerability. Microsoft recommends users change their password after applying this fix as a best practice.

The Money Password Security Update is available for automatic download using the Update Internet Information feature of Money. To receive the latest updates for Money, update your Money Internet information:
 * 1) On the Tools menu, click Update Internet Information.
 * 2) In Money 2000, follow the instructions on the screen to install the Money Password Security update.

In Money 2001, the update is silent and automatically takes effect the next time that you start Money.



MORE INFORMATION
For related information about this problem, please visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS00-061.mspx

To determine if the Money Password Security Update is installed on your computer:  Click Start, point to Find, and then click Files or Folders. In the Named box, type mscofd.dll mcorehlp.dll . In the Look in box, click My Computer. Make sure that the Include subfolders check box is selected, and then click Find Now. In the list of found files, right-click each file, and then click Properties. On the General tab, note the date on the Modified line.

On the Version tab, note the file version.

If the date on the Modified line matches one of the following dates, then the Money Password Security Update is not installed.

 Wednesday, August 04, 1999</li> Wednesday, July 19, 2000</li></ul>

If the date on the Modified line on the General tab and the file version on the Version tab both match the entries that are listed in the following table, then the Money Password Security Update is installed properly.

</li> Click OK.</li> Close the Find: Files Named Mscofd.dll Mcorehlp.dll window.</li></ol>

Additional query words: w_money money2k 9.0 m2001 dlc patch pass word

Keywords: kbinfo KB272232

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.