Microsoft issues new patch for Windows 2K telnet hole

Microsoft Corp. yesterday issued a new software patch, updating one it released two weeks ago in an attempt to fix a security vulnerability in the telnet client code that ships with Windows 2000.

In an advisory that was posted on the company’s Web site, Microsoft urged Windows 2000 users – including those who applied the original patch released on Sept. 14 – to install the updated version. According to the advisory, the old patch eliminated the security hole, but also prevented legitimate telnet connections from working in some cases.

Telnet is a communications protocol that lets end-user PCs establish remote terminal sessions with servers. Under certain conditions, Microsoft said, the telnet vulnerability in Windows 2000 could enable malicious hackers to steal user authentication information from an unsuspecting victim’s computer, even if the log-on credentials have been encrypted.

The vulnerability results from a default user authentication setting in Windows 2000 that uses a challenge/response process to prove a user’s identity before a remote terminal session can be established.

An attacker can exploit the hole to automatically request a telnet session from a victim’s machine and then grab a version of the user’s password during the authentication process that ensues, said Ryan Russell, an information systems manager at SecurityFocus.com, an online bulletin board and security portal in San Mateo, Calif.

“A malicious user can basically trick your computer into telnetting with their server and automatically handing over [information that can be used to crack passwords],” Russell said.

Apart from applying Microsoft’s updated patch, one workaround for the problem is to completely disable the default authentication process for a Windows 2000 telnet session, Russell said. That should ensure that authentication credentials aren’t automatically exchanged with a malicious telnet server, he added.
