Microsoft Corp. yesterday issued a new software patch updating one released two weeks ago in an attempt to fix a security vulnerability in the telnet client code that ships with Windows 2000.
In an advisory that was posted on the company’s Web site, Microsoft urged Windows 2000 users – including those who applied the original patch released on Sept. 14 – to install the updated version. According to the advisory, the old patch eliminated the security hole, but also prevented legitimate telnet connections from working in some cases.
Telnet is a communications protocol that lets end-user PCs establish remote terminal sessions with servers. Under certain conditions, Microsoft said, the telnet vulnerability in Windows 2000 could enable malicious hackers to steal user authentication information from an unsuspecting victim’s computer, even if the log-on credentials have been encrypted.
The vulnerability results from a default user authentication setting in Windows 2000 that uses a challenge/response process to prove a user’s identity before a remote terminal session can be established.
An attacker can exploit the hole to automatically request a telnet session from a victim’s machine and then grab a version of the user’s password during the authentication process that ensues, said Ryan Russell, an information systems manager at SecurityFocus.com, an online bulletin board and security portal in San Mateo, Calif.
“A malicious user can basically trick your computer into telnetting with their server and automatically handing over [information that can be used to crack passwords],” Russell said.
Apart from applying Microsoft’s updated patch, one workaround for the problem is to completely disable the default authentication process for a Windows 2000 telnet session, Russell said. That should ensure that authentication credentials aren’t automatically exchanged with a malicious telnet server, he added.