Bugtraq mailing list archives

Re: NT4.0 SP3 Still vulnerable


From: rkuhljr () PUERIDOMUS BR (Rubens Kuhl Jr.)
Date: Thu, 15 May 1997 22:15:43 -0300


| I reported an Internet Explorer security hole more than 2 months ago to
| Microsoft.  The bug allows Websites to capture usernames and encrypted
| passwords from unsuspecting Windows NT users who have Internet Explorer.
|
| At first Microsoft told me they would patch Internet Explorer.  Then came
| Internet Explorer 3.02, which was supposed to fix ALL of the security
| holes from that month (according to MS's Web page).
|
| But IE 3.02 did not fix the security hole!
|
| Then Microsoft told me that NT 4.0 Service Pack 3 will definitely fix the
| hole.
|
| I just downloaded it.  It does NOT fix the security hole!

As far as I know, IE 3.02 only corrected the sending of NTLM logins through
HTTP connections, and I suppose you are talking about capturing
username/password hashes sent via SMB/CIFS (file://aaa.bbb.ccc.ddd).

I'm still downloading SP3, but after a look at the readme it looked to me
that SP3 could empower an administrator to fix such a bug by enabling the SMB
signing feature; it would not fix it at installation.

And with or without SP3, filtering routers blocking 135/137/138/139 ports
make this exploit and similar ones limited to Intranets.

| To date, Microsoft has not fixed this and similar security holes!  Maybe an
| exploit code release to BUGTRAQ is in order to help speed things up.

Hasn't exploit code been released to SAMBA-DIGEST? It captures the
password hashes, which someone could pass to l0phtcrack and similar
crackers.

Other exploits such as real-time password cracking haven't been released,
but I'm not sure if such a release would make Microsoft go faster.

| By the way, I have been conversing with CERT the last 2 months, and they
| still believe that Microsoft will fix the problem and CERT does not want
| to issue an Advisory until the bug is fixed.  However CERT should at least
| be notifying administrators to warn users not to use Internet Explorer
| until this bug is fixed.

I think that's why BugTraq exists.


Rubens Kuhl Jr.
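The mechanism Rubens describes (a page pointing an NT client at an SMB host, contained only when the host stays inside an intranet behind a 135-139 filter) can be checked from the defender's side. This is an added example, not code from the thread: it flags file:// and UNC references in page content whose host lies outside an assumed RFC 1918 intranet; the address ranges and the sample HTML are constructed for the example.

```python
import ipaddress
import re
from typing import List, Tuple

# Added example (not from the thread): scan page content for references that
# make an NT/IE client open an SMB/CIFS session to a host outside the intranet,
# which is the step that leaks the NTLM username and password hash.
# Covers file://host/... URLs and \\host\share UNC paths.
FILE_URL_RE = re.compile(r'file://([^/\s"\'<>]+)', re.IGNORECASE)
UNC_RE = re.compile(r'\\\\([^\\\s"\'<>]+)\\')

# "Intranet" here is assumed to mean RFC 1918 space plus loopback and
# link-local; adjust to the site's own address plan.
INTRANET_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_external_host(host: str) -> bool:
    """True if an SMB connection to `host` would leave the intranet: literal
    IPs are checked against INTRANET_NETS; a bare NetBIOS name (no dot) is
    local, and a dotted DNS name is treated as external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." in host
    return not any(ip in net for net in INTRANET_NETS)


def find_smb_leaks(html: str) -> List[Tuple[str, str]]:
    """Return (reference, host) pairs, in document order, whose host would
    trigger an outbound SMB logon from a browsing NT client."""
    matches = sorted(
        list(FILE_URL_RE.finditer(html)) + list(UNC_RE.finditer(html)),
        key=lambda m: m.start())
    return [(m.group(0), m.group(1)) for m in matches
            if is_external_host(m.group(1))]


# Constructed sample page: two references leave the intranet, two do not.
SAMPLE_HTML = '''
<img src="file://203.0.113.9/pub/logo.bmp">
<a href="file://fileserver/docs/readme.txt">internal share</a>
<img src="\\\\192.168.1.20\\share\\x.gif">
<img src="\\\\files.example.net\\share\\y.gif">
'''

if __name__ == "__main__":
    for ref, host in find_smb_leaks(SAMPLE_HTML):
        print(f"external SMB reference: {ref} -> {host}")
```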
