Date: 16 January 2001
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2001.020 -- Microsoft Security Bulletin (MS01-001)
Patch Available for "Web Client NTLM Authentication" Vulnerability
16 January 2001
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Web Extender Client (WEC)
Vendor: Microsoft
Impact: Access Privileged Data
Access Required: Remote
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - ----------------------------------------------------------------------
Title: Web Client NTLM Authentication Vulnerability
Date: January 11, 2001
Software: Office 2000, Windows 2000, and Windows Me
Impact: NTLM Credentials sent regardless of prompt setting
Bulletin: MS01-001
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-001.asp.
- - ----------------------------------------------------------------------
Issue:
======
The Web Extender Client (WEC) is a component that ships as part of
Office 2000, Windows 2000, and Windows Me. WEC allows IE to view and
publish files via web folders, similar to viewing and adding files in
a directory through Windows Explorer. Due to an implementation flaw,
WEC does not respect the IE Security settings regarding when NTLM
authentication will be performed - instead, WEC will perform NTLM
authentication with any server that requests it. If a user
established a session with a malicious user's web site - either by
browsing to the site or by opening an HTML mail that initiated a
session with it - an application on the site could capture the user's
NTLM credentials. The malicious user could then use an offline brute
force attack to derive the password or, with specialized tools, could
submit a variant of these credentials in an attempt to access
protected resources.
The vulnerability would only provide the malicious user with the
cryptographically protected NTLM authentication credentials of
another user. It would not, by itself, allow a malicious user to gain
control of another user's computer or to gain access to resources to
which that user was authorized access. In order to leverage the NTLM
credentials (or a subsequently cracked password), the malicious user
would have to be able to remotely logon to the target system.
However, best practices dictate that remote logon services be blocked
at border devices, and if these practices were followed, they would
prevent an attacker from using the credentials to logon to the target
system.
Mitigating Factors:
====================
- The client would need to be coerced into visiting a malicious web
site or read malicious e-mail.
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms01-001.asp
for information on obtaining this patch.
Acknowledgment:
===============
- David Litchfield (http://www.atstake.com)
- - ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.
- -----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
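Added example, not part of the Microsoft bulletin or of the AusCERT redistribution: a defender-side check for the behaviour described under "Issue". It decodes NTLM Authorization header values recorded at a web proxy and lists those sent to hosts outside the Intranet zone. The suffix ".corp.example", the (host, header) input shape, the host names used with it and the tokens produced by sample_type3 are constructed assumptions.

```python
import base64
import struct

# Assumption: host suffixes your policy treats as Intranet zone (hypothetical).
INTRANET_SUFFIXES = (".corp.example",)
NTLM_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE


def parse_ntlm_header(value):
    """Decode 'NTLM <base64>' to (msg_type, domain, user), or None.

    Names are filled only for Type 3 (AUTHENTICATE) messages.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    if msg_type != 3 or len(raw) < 64:
        return msg_type, None, None
    (flags,) = struct.unpack_from("<I", raw, 60)
    enc = "utf-16-le" if flags & NTLM_UNICODE else "cp437"  # OEM page assumed

    def field(off):  # security buffer: length, max length, payload offset
        length, _, start = struct.unpack_from("<HHI", raw, off)
        return raw[start:start + length].decode(enc, "replace")

    return msg_type, field(28), field(36)  # DomainName, UserName


def flag_external_ntlm(requests):
    """Return (host, type, domain, user) for NTLM sent outside the intranet."""
    return [(host,) + parsed
            for host, auth in requests
            for parsed in [parse_ntlm_header(auth)]
            if parsed and not host.lower().endswith(INTRANET_SUFFIXES)]


def sample_type3(domain, user):
    """Constructed sample token: names only, all response buffers empty."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    sizes = [(0, 64), (0, 64), (len(d), 64), (len(u), 64 + len(d)), (0, 64), (0, 64)]
    bufs = b"".join(struct.pack("<HHI", n, n, off) for n, off in sizes)
    raw = b"NTLMSSP\x00" + struct.pack("<I", 3) + bufs + struct.pack("<I", NTLM_UNICODE)
    return "NTLM " + base64.b64encode(raw + d + u).decode()
```

A Type 3 hit for an external host means challenge responses for that account left the network and the password should be treated as exposed to offline guessing.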
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
-----END PGP SIGNATURE-----