EmperorNero
Golden Member
Attached to the email is a file named "26705-i386-update.exe". The email (below) looks professional, and the newest virus updates showed no positive. I have never seen MS attach a little program, so either someone who's very creative sent me some kind of malicious app that the newest virus updates can't catch yet, or it's a legitimate email and the security flaw is so major that MS had to send everyone a patch.
the complete header is (edited out personal info):
-----------------
From support@microsoft.com Sun Feb 11 17:43:47 2001
Received: from [123.456.789.130] by hotmail.com (3.2) with ESMTP id MHotMailBC508A5F008ED82197A0D5F7848213700; Sun Feb 11 17:41:53 2001
Received: from orion3 (orion3.ieway.com [209.211.199.62])
by srv.lantech.ru (8.9.3/8.9.3) with SMTP id EAA25948
for <asdfasdfasdf@hotmail.com>; Mon, 12 Feb 2001 04:43:50 +0300
From: support@microsoft.com
To: <asdfasdfsda@hotmail.com>
Subject: New critical update
Date: Sun, 11 Feb 2001 18:13:10 -0000
Message-Id: <36933.759151377315000.1521660@localhost>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=lcghidsjcetocnfs
-------------
the email:
Microsoft Security Bulletin (MS01-001)
Patch Available for "Web Client NTLM Authentication" Vulnerability
Originally posted: January 11, 2001
Summary
Microsoft has released a patch that eliminates a security vulnerability in a
component that ships with Microsoft® Office 2000, Windows 2000, and Windows
Me. The vulnerability could, under certain circumstances, allow a malicious user
to obtain cryptographically protected logon credentials from another user when
requesting an Office document from a web server.
Frequently asked questions regarding this vulnerability and the patch can be
found at http://www.microsoft.com/technet/security/bulletin/fq01-001.asp
Issue
The Web Extender Client (WEC) is a component that ships as part of Office 2000,
Windows 2000, and Windows Me. WEC allows IE to view and publish files via
web folders, similar to viewing and adding files in a directory through Windows
Explorer. Due to an implementation flaw, WEC does not respect the IE Security
settings regarding when NTLM authentication will be performed - instead, WEC
will perform NTLM authentication with any server that requests it. If a user
established a session with a malicious user's web site - either by browsing to
the site or by opening an HTML mail that initiated a session with it - an
application on the site could capture the user's NTLM credentials. The malicious
user could then use an offline brute force attack to derive the password or, with
specialized tools, could submit a variant of these credentials in an attempt to
access protected resources.
The vulnerability would only provide the malicious user with the
cryptographically protected NTLM authentication credentials of another user. It
would not, by itself, allow a malicious user to gain control of another user's
computer or to gain access to resources to which that user was authorized
access. In order to leverage the NTLM credentials (or a subsequently cracked
password), the malicious user would have to be able to remotely logon to the
target system. However, best practices dictate that remote logon services be
blocked at border devices, and if these practices were followed, they would
prevent an attacker from using the credentials to logon to the target system.
Affected Software Versions
Microsoft Office 2000
Microsoft Windows 2000
Microsoft Windows Me
Patch Availability
Microsoft Office 2000 (All Platforms):
http://officeupdate.microsoft.com/2000/downloaddetails/wecsec.htm
Microsoft Windows 2000 (Without Office 2000):
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26889
Microsoft Windows Me (Without Office 2000):
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26705
Note: Since the affected component ships with the above products independent of
Office 2000, we have provided patches for affected systems that may not be
running Office 2000. As discussed in the FAQ, the patch and vulnerability only
affect machines running Internet Explorer 5.0 or later with Web Folders enabled.
Note: This patch will be included in Windows 2000 Service Pack 2.
Note Additional security patches are available at the Microsoft Download Center
More Information
Please see the following references for more information related to this issue.
Frequently Asked Questions: Microsoft Security Bulletin MS01-001,
http://www.microsoft.com/technet/security/bulletin/fq01-001.asp
Microsoft Knowledge Base article Q282132,
http://www.microsoft.com/technet/support/kb.asp?ID=282132
Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft Product
Support Services is available at
http://support.microsoft.com/support/contact/default.asp.
Acknowledgments
Microsoft thanks the following people for working with us to protect customers:
David Litchfield of @stake.
Matt Scarborough (matt.scarborough@gte.net)
Revisions
January 11, 2001: Bulletin Created.
January 15, 2001: Correction to Acknowledgement section.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
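Added example, not part of the original post: a short Python check of the headers quoted above, comparing the domain in From: with the hosts in the Received chain and flagging the Message-Id host and the attachment type. The function names and the extension list are assumptions made for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers as posted above (already redacted by the poster); the folding
# whitespace on the continuation lines is restored so the parser accepts them.
SAMPLE = """\
Received: from [123.456.789.130] by hotmail.com (3.2) with ESMTP id MHotMailBC508A5F008ED82197A0D5F7848213700; Sun Feb 11 17:41:53 2001
Received: from orion3 (orion3.ieway.com [209.211.199.62])
 by srv.lantech.ru (8.9.3/8.9.3) with SMTP id EAA25948
 for <asdfasdfasdf@hotmail.com>; Mon, 12 Feb 2001 04:43:50 +0300
From: support@microsoft.com
To: <asdfasdfsda@hotmail.com>
Subject: New critical update
Date: Sun, 11 Feb 2001 18:13:10 -0000
Message-Id: <36933.759151377315000.1521660@localhost>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=lcghidsjcetocnfs

"""
HOST = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")  # assumed list

def relay_hosts(raw):
    """Hostnames named in the Received chain, newest hop first."""
    hosts = []
    for hop in message_from_string(raw).get_all("Received", []):
        hop = re.sub(r"<[^>]*>", "", hop.split(";")[0])  # drop date, recipient
        hosts += [h.lower() for h in HOST.findall(hop)]
    return hosts

def review_headers(raw, attachment=None):
    """Return heuristic findings; each is a reason for suspicion, not proof."""
    msg, findings = message_from_string(raw), []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hosts = relay_hosts(raw)
    # Only the hop stamped by your own provider is trustworthy; older hops
    # can be forged, and the From: line is whatever the sender typed.
    if domain and not any(h == domain or h.endswith("." + domain) for h in hosts):
        findings.append(f"From claims {domain} but no relay belongs to it: {hosts}")
    mid_host = msg.get("Message-Id", "").strip("<> ").rpartition("@")[2].lower()
    if mid_host.startswith("localhost"):
        findings.append("Message-Id was generated by a host calling itself localhost")
    if attachment and attachment.lower().endswith(RISKY_EXT):
        findings.append(f"executable attachment: {attachment}")
    return findings

if __name__ == "__main__":
    for line in review_headers(SAMPLE, "26705-i386-update.exe"):
        print("-", line)
```

Legitimate mail is sometimes relayed by third parties, so the first finding alone is a prompt to look closer; here it coincides with the other two.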