COMMAND

    MS Money

SYSTEMS AFFECTED

    Microsoft Money 2000, 2001

PROBLEM

    Following is  based on  a Microsoft  Security Bulletin (MS00-061).
    Microsoft  Money  provides  a  password  protection  feature  that
    prevents unauthorized access to your Money file.  However, due  to
    the way  the password  is currently  handled, the  password may be
    written in plaintext under certain conditions.

    The vulnerability  only affects  Money data  stored on  the user's
    local computer - it does not affect the security of Money's online
    services in any way. Moreover, a malicious user would need to gain
    physical  access  to  an  affected  file  in  order to exploit the
    vulnerability  -  it  could  not  be  exploited  remotely.    It's
    important  to  note  that  password  protection  in  Money  is not
    intended to  be a  substitute for  file-level access  control, and
    even  in  the  absence  of  this  vulnerability, customers need to
    protect  such  files.   Microsoft  recommends  that computer users
    follow  best  practices  when  securing  their  systems, including
    ensuring that machines with important data are physically  secure,
    and not  sharing important  data files  with untrusted  or unknown
    sources.

    Microsoft thanks Ken  for reporting this  issue to MS  and working
    with them to protect customers.

SOLUTION

    This patch is available  for automatic download using  the "Update
    Internet Information" feature in Money:

        1. On the Tools menu, click Update Internet Information.
        2. Follow the instructions on the screen to install the patch.
        3. Microsoft  recommends  users  change  their password  after
           applying this fix as a best practice.