What's the scope of the vulnerability?
This vulnerability could enable a malicious web site operator to obtain a copy of the cryptographically protected authentication credentials belonging to a user who visited the site. The malicious user could then subject the credentials to an offline brute force attack in the hopes of discovering the user's password.
This vulnerability would only provide the malicious user with the NTLM encrypted password credentials of another user. It would not, by itself, allow the malicious user to take any actions on the user's system.
What causes the vulnerability?
This vulnerability occurs because the authentication settings of Web Extender Client (WEC) do not adhere to the settings specified by the IE security zones. As a result, WEC will participate in NTLM challenge/response authentication with any server, regardless of whether that server is trusted.
What is WEC?
The Web Extender Client (WEC) is a protocol (introduced with IE 5.0) that provides an extension to the Hypertext Transfer Protocol (HTTP) and defines how basic file functions, such as copy, move, delete, and create folder, are performed across HTTP.
WEC is a subset of the Web Folder Behaviors feature that was introduced with IE 5.0. Web Folder Behaviors enable authors to view sites in a Web folder view, which is similar to the Microsoft Windows Explorer folder view. The WEC protocol adds additional capabilities to the Web Folder Behaviors feature. For example, using WEC with Web folder view enabled makes it possible to perform the equivalent of a DIR command on an HTTP resource and retrieve all the information necessary to fill a Windows Explorer view.
For more details on WEC and Web Folders, please see the Web Folder Behaviors workshop article on MSDN.
Are other platforms with IE 5.0 also affected?
Yes and no. The WEC protocol is only available by default with Office 2000, Windows 2000, and Windows Me. Other platforms may be affected, but Web Folders is not enabled on them by default, and that feature would need to be installed for the platform to be affected.
For more details on how to enable this feature please see Q195851.
What's NTLM?
NTLM (NT LanMan) is an authentication process that's used by all members of the Windows NT family of products. Like its predecessor LanMan, NTLM uses a challenge/response process to prove the client's identity without requiring that either a password or a hashed password be sent across the network.
How does challenge/response work?
When the authentication process begins, the user's system (client) sends a login request to the IIS server. The server replies with a randomly generated "token" (or challenge) to the client. The client hashes the currently logged-on user's cryptographically protected password with the challenge and sends the resulting "response" to the IIS server.
The server receives the challenge-hashed response and compares it to what it knows to be the appropriate response. (The server takes a copy of the original token - which it generated - and hashes it against what it knows to be the user's password hash from its own user account database.) If the received response matches the expected response, the user is successfully authenticated to the server.
Is my password being sent across the network during NTLM authentication?
No. NTLM authentication does not send the user's password (or the hashed representation of the password) across the network. Instead, NTLM authentication uses a challenge/response mechanism to ensure that the actual password never traverses the network.
What's wrong with WEC?
The default authentication mechanism for WEC is NTLM. When a web-client session is initiated with a remote NTLM-enabled IIS server, the web client will automatically initiate a challenge/response logon process and send NTLM authentication credentials to the remote server, even when the IE security settings specify that the user should be prompted before those credentials are sent.
How could a malicious user exploit this vulnerability?
A malicious user could create an HTML-formatted document or e-mail message that, when viewed by the recipient, would automatically request a session with the malicious user's server. Because NTLM credentials would be sent to the malicious user's server by default, the malicious user could capture the unsuspecting user's authentication credentials.
Once the malicious user obtained the NTLM response, what could he or she do with it?
NTLM challenge/response pairs could be fed into a program that performs brute force password guessing. The "cracking" program would iteratively try all possible passwords, hashing each, processing the challenge with the hash, and comparing the result to the response that the malicious user obtained. When it located a match, the malicious user would know that the password that produced the hash is the user's password.
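The challenge/response exchange from the two answers above, and the reason a captured pair is dangerous, as an added Python example that is not Microsoft's code and not the real NTLM algorithm: it substitutes HMAC-SHA256 for NTLM's MD4/DES construction so it runs on a stock interpreter, and all function names and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Toy model of the exchange the FAQ describes. Real NTLM derives the response
# from an MD4 password hash and DES; HMAC-SHA256 stands in here (assumption,
# not the real scheme). The protocol shape is what matters: a random server
# challenge, a client response computed from the stored password hash, and a
# server check against its own copy of the same hash.


def password_hash(password):
    """Stand-in for the stored password hash (NTLM uses MD4 of the UTF-16LE password)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def make_response(pw_hash, challenge):
    """Client side: combine the password hash with the server's challenge."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


def server_verify(stored_hash, challenge, response):
    """Server side: recompute the expected response from the hash it holds."""
    expected = make_response(stored_hash, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(client_password, server_stored_hash, challenge=None):
    """Simulate one logon. Returns (authenticated, wire_messages) so the caller
    can inspect exactly what crossed the network."""
    challenge = challenge or os.urandom(8)        # NTLM challenges are 8 bytes
    wire = [("server->client", challenge)]
    response = make_response(password_hash(client_password), challenge)
    wire.append(("client->server", response))
    return server_verify(server_stored_hash, challenge, response), wire


def password_material_on_wire(password, wire):
    """True if the password or its hash appears in any transmitted message."""
    secrets = {password.encode("utf-16-le"), password_hash(password)}
    return any(s in msg for _, msg in wire for s in secrets)


def offline_guess(challenge, response, candidates):
    """Why a captured pair matters: whoever holds it can test guesses with the
    server's own check without ever contacting the server again."""
    for guess in candidates:
        if server_verify(password_hash(guess), challenge, response):
            return guess
    return None
```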
You've got patches for Office 2000, Windows 2000 and Windows Me. I'm running Office 2000 on a Windows 2000 system. Which patch should I install?
The Office 2000 patch takes precedence over the operating system patches. That is, if you are running Office 2000, you should install the Office 2000 patch, regardless of what operating system you are running. You should only apply the Windows 2000 patch if you're using Windows 2000 but do not have Office 2000 installed on it. Likewise, you should only apply the patch for Windows Me if you're using Windows Me but do not have Office 2000 installed on it.
I'm running Office 2000 on a machine that has neither Windows 2000 nor Windows Me installed. Could I be affected?
Yes. You have an affected system if you're using Office 2000, Windows 2000 or Windows Me. If you're using Office 2000, you should apply the patch for Office 2000, regardless of the operating system you're using.
What does the patch do?
The patch eliminates the vulnerability by ensuring that the WEC component respects the security zones specified within Internet Explorer.