On last.fm: Ciara radio - Listen now!
CNET Networks Business:
BNET
TechRepublic
ZDNet

FREE Registration is required

Overview:

This patch eliminates a security vulnerability in a component that ships with Microsoft Office 2000, Windows 2000, and Windows Me. The vulnerability could, under certain circumstances, allow a malicious user to obtain cryptographically protected logon credentials from another user when requesting an Office document from a Web server.The Web Extender Client (WEC) is a component that ships as part of Office 2000, Windows 2000, and Windows Me. WEC allows Internet Explorer to view and publish files via Web folders, similar to viewing and adding files in a directory through Windows Explorer. Due to an implementation flaw, WEC does not respect the IE Security settings regarding when NTLM authentication will be performed. Instead, WEC will perform NTLM authentication with any server that requests it. If a user established a session with a malicious user's Web site, either by browsing to the site or by opening an HTML mail that initiated a session with it, an application on the site could capture the user's NTLM credentials. The malicious user could then use an offline brute-force attack to derive the password or, with specialized tools, could submit a variant of these credentials in an attempt to access protected resources.The vulnerability would only provide the malicious user with the cryptographically protected NTLM authentication credentials of another user. It would not, by itself, allow a malicious user to gain control of another user's computer or to gain access to resources to which that user was authorized access. In order to leverage the NTLM credentials (or a subsequently cracked password), the malicious user would have to be able to remotely logon to the target system. However, best practices dictate that remote logon services be blocked at border devices, and if these practices were followed, they would prevent an attacker from using the credentials to logon to the target system.Frequently asked questions regarding this vulnerability can be found here.

(Is this item miscategorized? Does it need more tags? Let us know.)

Format:SoftwareSize:1,606 KB
Date:Jan 2001Version:MS01-001
License:Free
Platform:Windows
System Req:Windows 2000, Office 2000 NOT installed

Top results from Encryption Software

Download Brightfilter Parental Control 2009 2.1.0.1 (Windows)
Download RoboForm 6.9.97 (Windows)
Download Parent Cyber Alert 4.30 (Windows)
Download USB Secure 1.2.5 (Windows)
Download AutoKrypt 8.12 (Windows)

» View all Encryption Software listings

advertisement

White Papers, Webcasts, and Resources

advertisement

SmartPlanet

  • Thought-provoking progressive ideas on diverse topics that intersect with technology, business, and life, and matter to the world at large. Visit SmartPlanet
  • More from IBM
  • Innovate your business' process model, play against the market, compete against others on our scoreboards and WIN! Try INNOV8 2.0: A BPM Simulator
  • Enabling Real-World Business Transformation through IBM Service Management Read the EMA Analyst Report
Click Here

Returning users: Log In Here!

Already registered on BNET, TechRepublic, or ZDNet? Simply log in.

Free Membership: Sign Up Now!

Sign up for a free membership today and get instant and unlimited access to one of the largest databases of white papers, webcasts, and casestudies anywhere. Your FREE membership allows you to:

  • Download an unlimited amount of content, including classic and current white papers, case studies, webcasts and more
  • Track content on your chosen topics of interest
  • Receive targeted email alerts when your favorite content is added
  • Save content for future reading
  • Receive our member newsletter

When you register to access this library, you allow us to share your information with companies that produce products or services featured in the library--so that such companies may contact you with information and offers regarding their products and services. This enables us to keep the library a free service. As a library registrant, you will receive a complimentary subscription to the ZDNet white paper newsletter and e-mail Must-Read News Alerts. You can unsubscribe from these at any time. By clicking the Sign up button, you indicate that you agree to our Terms and Conditions and have read and understand our Privacy Policy (updated).