
Title: Web Client NTLM Authentication Vulnerability
Released by: MS
Date: 11th January 2001
----------------------------------------------------------------------
Title:      Web Client NTLM Authentication Vulnerability
Date:       January 11, 2001
Software:   Office 2000, Windows 2000, and Windows Me
Impact:     NTLM Credentials sent regardless of prompt setting
Bulletin:   MS01-001

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-001.asp.
----------------------------------------------------------------------



Issue:
======

The Web Extender Client (WEC) is a component that ships as part of
Office 2000, Windows 2000, and Windows Me. WEC allows IE to view and
publish files via web folders, similar to viewing and adding files in
a directory through Windows Explorer. Due to an implementation flaw,
WEC does not respect the IE Security settings regarding when NTLM
authentication will be performed - instead, WEC will perform NTLM
authentication with any server that requests it. If a user
established a session with a malicious user's web site - either by
browsing to the site or by opening an HTML mail that initiated a
session with it - an application on the site could capture the user's
NTLM credentials. The malicious user could then use an offline brute
force attack to derive the password or, with specialized tools, could
submit a variant of these credentials in an attempt to access
protected resources.

The vulnerability would only provide the malicious user with the
cryptographically protected NTLM authentication credentials of
another user. It would not, by itself, allow a malicious user to gain
control of another user's computer or to gain access to resources to
which that user was authorized access. In order to leverage the NTLM
credentials (or a subsequently cracked password), the malicious user
would have to be able to remotely log on to the target system.
However, best practices dictate that remote logon services be blocked
at border devices, and if these practices were followed, they would
prevent an attacker from using the credentials to log on to the target
system.
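
A defender-side check for the behaviour described in the Issue section, as an added example that is not part of the Microsoft bulletin: it scans proxy-log records for NTLM messages sent in the HTTP Authorization header to hosts outside the intranet. The intranet suffix list, the record layout, the helper names and the sample records are assumptions constructed for illustration.

```python
import base64
import struct

# Assumption: DNS suffixes this organisation treats as intranet.
INTRANET_SUFFIXES = (".corp.example",)
NTLMSSP_SIG = b"NTLMSSP\x00"
MSG_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def ntlm_message_type(header_value):
    """Return the NTLMSSP message type in an HTTP auth header, else None."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].upper() != "NTLM":
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # malformed base64 token
        return None
    if len(blob) < 12 or not blob.startswith(NTLMSSP_SIG):
        return None
    (msg_type,) = struct.unpack_from("<I", blob, 8)  # little-endian uint32
    return msg_type if msg_type in MSG_NAMES else None

def is_intranet(host):
    # Assumption: dotless names and listed suffixes count as intranet.
    host = host.lower().rstrip(".")
    return "." not in host or host.endswith(INTRANET_SUFFIXES)

def flag_external_ntlm(records):
    """records: (client, host, Authorization value) tuples from a proxy log."""
    findings = []
    for client, host, auth in records:
        msg_type = ntlm_message_type(auth)
        # Type 1 shows the client agreed to NTLM; type 3 carries the response.
        if msg_type in (1, 3) and not is_intranet(host):
            findings.append((client, host, MSG_NAMES[msg_type]))
    return findings

def make_stub(msg_type):
    # Constructed stand-in: signature + type only, no real credential fields.
    blob = NTLMSSP_SIG + struct.pack("<I", msg_type) + b"\x00" * 20
    return "NTLM " + base64.b64encode(blob).decode()

SAMPLE = [  # constructed records, not captured traffic
    ("10.0.0.5", "fileserver", make_stub(3)),
    ("10.0.0.5", "wiki.corp.example", make_stub(1)),
    ("10.0.0.7", "www.untrusted.example", make_stub(1)),
    ("10.0.0.7", "www.untrusted.example", make_stub(3)),
    ("10.0.0.9", "www.untrusted.example", "NTLM not-base64!"),
]
```

Calling `flag_external_ntlm(SAMPLE)` returns the two records for `www.untrusted.example`; the intranet hosts and the malformed token are not flagged.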



Mitigating Factors:
====================
 - The client would need to be coerced into visiting a malicious web
   site or reading malicious e-mail.



Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-001.asp
   for information on obtaining this patch.



Acknowledgment:
===============
 - David Litchfield (http://www.atstake.com)

---------------------------------------------------------------------



THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.


