Money: Description of the Money Password Security Update (272232)


The information in this article applies to:

  • Microsoft Money 2000
  • Microsoft Money 2000 Business and Personal
  • Microsoft Money 2000 Deluxe
  • Microsoft Money 2001
This article was previously published under Q272232

SUMMARY

This article describes the Money Password Security Update for Microsoft Money 2000 and Microsoft Money 2001.

Microsoft Money provides a password protection feature that prevents unauthorized access to a Money file. However, because of the method that Money currently uses to store the password in the Money data file, the password may be written in plain text under certain conditions.

This vulnerability only affects Money data that is stored on the local computer. It does not affect the security for the Online Services feature of Money.

In addition, to exploit the vulnerability, a malicious user would need to gain physical access to an affected Money data file. As a result, this vulnerability cannot be exploited remotely.

NOTE: Password protection in Money is not intended to be a substitute for file-level access control, and even in the absence of this vulnerability, you must protect your sensitive files. Microsoft recommends that you follow best practices when you secure your computer, including ensuring that any computer that contains important data is physically secure, and that important data files are not shared with untrusted or unknown users.

Microsoft has released the Money Password Security Update to fix this vulnerability. Microsoft recommends users change their password after applying this fix as a best practice.

The Money Password Security Update is available for automatic download using the Update Internet Information feature of Money. To receive the latest updates for Money, update your Money Internet information:
  1. On the Tools menu, click Update Internet Information.
  2. In Money 2000, follow the instructions on the screen to install the Money Password Security update.

    In Money 2001, the update is silent and automatically takes effect the next time that you start Money.

MORE INFORMATION

For related information about this problem, please visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS00-061.mspx

To determine if the Money Password Security Update is installed on your computer:
  1. Click Start, point to Find, and then click Files or Folders.
  2. In the Named box, type mscofd.dll mcorehlp.dll.
  3. In the Look in box, click My Computer.
  4. Make sure that the Include subfolders check box is selected, and then click Find Now.
  5. In the list of found files, right-click each file, and then click Properties.
  6. On the General tab, note the date on the Modified line.

    On the Version tab, note the file version.

    If the date on the Modified line matches one of the following dates, then the Money Password Security Update is not installed.

    • Wednesday, August 04, 1999
    • Wednesday, July 19, 2000


    If the date on the Modified line on the General tab and the file version on the Version tab both match the entries that are listed in the following table, then the Money Password Security Update is installed properly.

    Product versionFile nameFile versionFile date
    Money 2000Mscofd.dll8.0.0.801 or laterWednesday, August 16, 2000 or later
    Money 2000Mcorehlp.dll8.0.0.816 or laterWednesday, August 16, 2000 or later
    Money 2001Mscofd.dll9.0.0.816 or laterDate of download
    Money 2001Mcorehlp.dll8.0.0.816 or laterDate of download
  7. Click OK.
  8. Close the Find: Files Named Mscofd.dll Mcorehlp.dll window.
Modification Type:MajorLast Reviewed:6/16/2004
Keywords:kbinfo KB272232
©2004 Microsoft Corporation. All rights reserved.