Microsoft said it will release a software patch later today to fix a
hole in its Windows 2000 operating system that could leak usernames and
passwords to unauthorized individuals.
The problem involves the Windows 2000 Telnet client, a program that lets
someone connect a PC to a network server and execute commands on a second
The security hole stems from Microsoft's convenient single sign-on feature
that saves people the hassle of logging in for each Telnet session by
automatically providing the required user ID and encrypted password.
Security experts warned that once an individual obtains an encrypted
password, or "password hash," a password cracker can be used to determine
the actual pass code.
Although Telnet is not a frequently used program, a password thief could
steal passwords by embedding links in a Web page or an email that could
launch a victim's Telnet program.
"The risk is that the malicious user can create or craft a document and
send it to another user, and that action would initiate a connection to the
remote Telnet user," said Eric Schultze, security program manager for
Microsoft Security Response Centers. "The patch we are issuing later today
will prompt the user and say, 'We're about to send your password to that
remote server, do you want to continue?'"
Microsoft was first notified about the problem Aug. 1 by Boston-based
Internet security company @Stake. The companies have worked together to
produce the software patch.
The security bulletin will be posted to the Microsoft.com security Web site and will be
sent to members of the Microsoft security-notification mailing list later
According to security expert Elias Levy, the vulnerability mirrors a
similar problem Microsoft faced more than two years ago, when the company's
Web browser, Internet Explorer, provided people with the same single
When opening a Web site that was connected to a remote computer, IE would
provide that computer with the person's user identification and password
To address this problem, Microsoft released a patch that let people
configure their control panel settings to either opt in or out of this
"You could say, on my intranet, my company, I want Internet Explorer to
automatically log me into servers, but on the Internet zone, I don't want
it going out," said Levy, chief technology officer at the information
security portal SecurityFocus.com. "Then it prompts you and asks you to
input your username and password."
Levy said he knows of no instances where passwords have been stolen by the
security vulnerability in Windows 2000 Telnet but says he can think of
possible instances when they might be.
"If you're a criminal and you want to break into Company A and you have
people's email addresses, you could send them email that would launch
Telnet and try to get their passwords that way," he said.
Microsoft said that people concerned about their security can disable the
feature, even before the patch is released, by disabling a default function
that is set to authenticate a person's Telnet connection to a remote computer.
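
The delivery route described above is a link in a Web page or email that launches the Telnet client, and mail or proxy content can be screened for it. The following is an added example, not code from the article, Microsoft or @Stake: it flags telnet: links whose target falls outside an assumed intranet allowlist, following the intranet/Internet zone split Levy describes. The allowlist values, function names and sample message are constructed for illustration.

```python
import ipaddress
import re
from html import unescape
from urllib.parse import urlsplit

# Assumption: what this organisation treats as its intranet zone (constructed values).
INTRANET_SUFFIXES = (".corp.example",)
INTRANET_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Matches telnet: URIs with or without the "//" authority marker.
TELNET_URI = re.compile(r"telnet:(?://)?[^\s\"'<>]+", re.IGNORECASE)

def is_intranet(host):
    """True if host is a single-label name, an allowlisted suffix or an internal IP."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: dotless names are assumed to resolve internally.
        return "." not in host or host.endswith(INTRANET_SUFFIXES)
    return any(addr in net for net in INTRANET_NETS)

def find_external_telnet_links(body):
    """Return telnet: link targets in body that point outside the intranet zone."""
    flagged = []
    # Attribute values are entity-decoded by the renderer, so decode before matching.
    for match in TELNET_URI.finditer(unescape(body)):
        rest = match.group(0)[len("telnet:"):]
        uri = "telnet:" + rest if rest.startswith("//") else "telnet://" + rest
        try:
            host = urlsplit(uri).hostname
        except ValueError:
            host = None
        # Unparseable targets are flagged rather than silently trusted.
        if host is None or not is_intranet(host):
            flagged.append(match.group(0))
    return flagged

# Constructed sample message body (documentation-range addresses and names).
SAMPLE_HTML = """<p>Quarterly report: <a href="telnet://198.51.100.7:23">open</a></p>
<a href="TELNET://build01/">build box</a>
<a href="telnet://files.corp.example">share</a> <a href="telnet://10.1.2.3">lab</a>"""

if __name__ == "__main__":
    for link in find_external_telnet_links(SAMPLE_HTML):
        print("external telnet link:", link)
```

A mail gateway or proxy hook could call `find_external_telnet_links` on each message body and quarantine or rewrite anything it returns.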