PeopleSoft 5.0 contains includes several security weaknesses,
according to an article by Barb Cole in the 6 November issue of Network World.
The problems include storing unencrypted passwords on users' desktops
in Windows memory, passing unencrypted passwords over the network, and
storing a master identification providing access to advanced network privileges
on Windows clients where it could be found by hackers. PeopleSoft, described
as the No. 3 vendor of client/server applications, provides a suite of
pre-built financial, distribution, and human resources applications.
The flaws were reported earlier by First Albany Corp.-META Technology Research,
according to Network World. Patches to reduce the vulnerability of passwords
stored on the client side are included in PeopleSoft 5.0.1, now available.
Changes planned for early 1996 will encrypt passwords sent over networks.
A subsequent article by Ilan Greenberg in the 13 November issue of
INFOWORLD reported that the 5.0.1 release indeed solves this particular
problem. The article reports that PeopleSoft plans to incorporate
Open Horizon, Inc.'s desktop security technology (including Connection
Security Module, for better encryption and authentication of passwords),
directly into PeopleSoft's applications by next March. Representatives of
competing products from Oracle and Hyperion Software Corp. said their
products were not subject to the kinds of security holes that had troubled
the PeopleSoft product, according to INFOWORLD.