|
Home : Advisories : Web Client NTLM Authentication Vulnerability
Title: |
Web Client NTLM Authentication Vulnerability |
Released by: |
MS |
Date: |
11th January 2001 |
Printable version: |
Click here |
-----BEGIN PGP SIGNED MESSAGE-----
- ----------------------------------------------------------------------
Title: Web Client NTLM Authentication Vulnerability
Date: January 11, 2001
Software: Office 2000, Windows 2000, and Windows Me
Impact: NTLM Credentials sent regardless of prompt setting
Bulletin: MS01-001
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-001.asp.
- ----------------------------------------------------------------------
Issue:
======
The Web Extender Client (WEC) is a component that ships as part of
Office 2000, Windows 2000, and Windows Me. WEC allows IE to view and
publish files via web folders, similar to viewing and adding files in
a directory through Windows Explorer. Due to an implementation flaw,
WEC does not respect the IE Security settings regarding when NTLM
authentication will be performed - instead, WEC will perform NTLM
authentication with any server that requests it. If a user
established a session with a malicious user's web site - either by
browsing to the site or by opening an HTML mail that initiated a
session with it - an application on the site could capture the user's
NTLM credentials. The malicious user could then use an offline brute
force attack to derive the password or, with specialized tools, could
submit a variant of these credentials in an attempt to access
protected resources.
The vulnerability would only provide the malicious user with the
cryptographically protected NTLM authentication credentials of
another user. It would not, by itself, allow a malicious user to gain
control of another user's computer or to gain access to resources to
which that user was authorized access. In order to leverage the NTLM
credentials (or a subsequently cracked password), the malicious user
would have to be able to remotely logon to the target system.
However, best practices dictate that remote logon services be blocked
at border devices, and if these practices were followed, they would
prevent an attacker from using the credentials to logon to the target
system.
Mitigating Factors:
====================
- The client would need to be coerced into visiting a malicious web
site
or read malicious e-mail.
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms01-001.asp
for information on obtaining this patch.
Acknowledgment:
===============
- David Litchfield (http://www.atstake.com)
- ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQEVAwUBOl5RpY0ZSRQxA/UrAQF4oggAhATiZyE/xnueJyvfT1PVGMkjAG8ovrqM
uVR0qDLmWMzlAdlSnNynyu6vJyZEHLCklFyM008J8pX6Sk3K+f9DJNLvR/GY8CHX
pwjgHpnQuZxxpqBXQXY4bCgDccvqT6+toojYcdpUZT73zXB3TwihALYJccA+Mxxm
yrX/3b/WnR8i3V19bpOpL4pCJDEhGHtokHo2W6DNuAQTOS7MNPX8rDvWYu4wHeZx
afv++9pMht9mVGDnSeBDVIkAg61KYVRgY8oOKqLp7hjRvAkaDOWj+BdcQxZHttx+
TQ2gSqok2xyRCaKfC3GYugARNf5aJ8QTqLrIl3U319XgzBrIY2yxWg==
=/JDx
-----END PGP SIGNATURE-----
*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.
To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/technet/security/notify.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
|