Bugtraq mailing list archives
Re: Win2k Telnet.exe malicious server vulnerability
From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Thu, 14 Sep 2000 08:04:54 -0700
As Eric mentioned in his note below, we will be delivering a patch and security bulletin shortly that will eliminate this vulnerability. Specifically, the patch will enable the user to specify whether Telnet should participate in NTLM authentication, based on the IE security zone that the Telnet server resides in.

However, customers who are concerned about this vulnerability already have the means to globally disable NTLM authentication for all Telnet sessions. Here's how:

- Open a command prompt, type "telnet" and hit enter.
- At the Telnet prompt, type "unset ntlm" and hit enter.
- Type "quit" to save your changes and exit Telnet.

To verify that NTLM authentication is disabled, do the following:

- Open a command prompt, type "telnet" and hit enter.
- At the Telnet prompt, type "display" and hit enter.
- Read the response to the "display" command. If you see "Will auth (NTLM authentication)", it means that Telnet *will* participate in NTLM authentication. If you see "Won't auth (NTLM authentication)", it means that Telnet will *not* participate in NTLM authentication.

Please note that this vulnerability only affects the Windows 2000 Telnet client. No other Microsoft Telnet client participates in NTLM authentication under any conditions.

Regards,

Scott Culp
Security Program Manager
Microsoft Security Response Center

-----Original Message-----
From: Microsoft Security Response Center
Sent: Thursday, September 14, 2000 2:34 AM
To: BUGTRAQ () SECURITYFOCUS COM
Cc: Microsoft Security Response Center
Subject: RE: Win2k Telnet.exe malicious server vulnerability

Weld Pond and Dildog of @Stake Inc. reported this vulnerability to Microsoft August 1st and have been working with Microsoft since that time to develop a patch and an advisory.
Their commitment to vendor notification, responsible reporting and the protection of customers' assets with respect to this and other investigations has been beyond reproach.

Microsoft has developed and @Stake has tested a patch for this vulnerability. The patch is undergoing final packaging and should be ready for release as a security bulletin by end of the day Thursday, September 14. The security bulletin will be posted to the Microsoft.com/security web site, will be sent to members of the Microsoft Security Notification Mailing list, and will be submitted to various security-related mailing lists. The patch will be hosted on the Microsoft download center - the URL will be included as part of the security bulletin.

With regard to "Monti's" post on this topic:

Monti contacted Microsoft on August 7th with details of this vulnerability. Monti informed us that he was planning to release the vulnerability to Bugtraq (with exploit code) and would proceed with his plan should he fail to hear back from Microsoft within one week's time. He also stated that he would postpone his release if Microsoft provided reasonable explanation for needing additional time to provide a patch. Nowhere in his email did he mention a three-week timeframe as he claims in his advisory.

Microsoft responded to Monti on August 7th, thanked him for his email, and informed him that we had received this issue from another party and had already opened an investigation. We stated we would keep him in the loop with regards to patch availability, provided him with a tracking number, and encouraged him to contact us should he have any questions on the investigation.

Monti replied on August 8th, asking for an ETA on a patch.

We responded to Monti on August 8th, stating:

"I don't have an ETA at the moment -- we only learned of the issue last week, and we do need to make sure we've done our due diligence and understand the solution thoroughly.
It's a slower process than we'd like, but when you consider the millions of customers' machines that are affected by any change we make, it's pretty clear that we need to be very careful about our engineering and testing. I'll definitely keep you in the loop as we go forward, though, and please feel free to ping me as needed for status information. Sound OK?"

We never heard back from Monti.

Microsoft remains committed to protecting its customers. We answer every inquiry sent to Secure () Microsoft com. Each person submitting a vulnerability report to Microsoft is given a tracking number and is encouraged to contact us anytime they'd like to discuss the investigation. Most individuals are willing to work with us within this framework. Others, as Monti has demonstrated, are more concerned about building their own reputation (and unnecessarily putting users at risk) than they are about checking with us on the status of an investigation.

In closing, we applaud the relationship we've had with @Stake on this and prior Microsoft security investigations. Their respect for protecting our mutual customers is something that should be emulated by all individuals involved in the vulnerability reporting and disclosure process.

Regards,

Eric Schultze
Security Program Manager
Microsoft Security Response Center