What's this bulletin about?
Microsoft Security Bulletin MS01-001 announces the availability of a patch that eliminates a vulnerability in the Web Extender Client (WEC) component that ships with Microsoft® Office 2000, Windows 2000, and Windows Me. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability could enable a malicious web site operator to obtain a copy of the cryptographically protected authentication credentials belonging to a user who visited the site. The malicious user could then subject the credentials to an offline brute force attack in the hopes of discovering the user's password.
This vulnerability would only provide the malicious user with the NTLM encrypted password credentials of another user. It would not, by itself, allow the malicious user to take any actions on the user's system.
What causes the vulnerability?
This vulnerability occurs because the authentication settings of Web Extender Client (WEC) do not adhere to settings specified by the IE security zones. As a result, WEC will participate in NTLM challenge-response authentication with any server, regardless of whether it's trusted or not.
What is WEC?
The Web Extender Client (WEC) is a protocol (introduced with IE 5.0) that provides an extension to the Hypertext Transfer Protocol (HTTP) and defines how basic file functions, such as copy, move, delete, and create folder, are performed across HTTP.
WEC is a subset of the Web Folder Behaviors feature that was introduced with IE 5.0. Web Folder Behaviors enable authors to view sites in a Web folder view, which is similar to the Microsoft Windows Explorer folder view. The WEC protocol adds additional capabilities to the Web Folder Behaviors feature. For example, using WEC with Web folder view enabled makes it possible to perform the equivalent of a DIR command on an HTTP resource and retrieve all the information necessary to fill a Windows Explorer view.
For more details on WEC and Web Folders, please see the Web Folder Behaviors workshop article on MSDN.
Are other platforms with IE 5.0 also affected?
Yes and no. The WEC protocol is only available by default with Office 2000, Windows 2000, and Windows Me. Other platforms may be affected, but Web Folders is not enabled on them by default; the feature would need to be installed for them to be affected.
For more details on how to enable this feature, please see Knowledge Base article 195851.
What's NTLM?
NTLM (NT LanMan) is an authentication process that's used by all members of the Windows NT family of products. Like its predecessor LanMan, NTLM uses a challenge/response process to prove the client's identity without requiring that either a password or a hashed password be sent across the network.
How does challenge/response work?
When the authentication process begins, the user's system (client) sends a login request to the IIS server. The server replies with a randomly generated "token" (or challenge) to the client. The client hashes the currently logged-on user's cryptographically protected password with the challenge and sends the resulting "response" to the IIS server.
The server receives the challenge-hashed response and compares it to what it knows to be the appropriate response. (The server takes a copy of the original token - which it generated - and hashes it against what it knows to be the user's password hash from its own user account database.) If the received response matches the expected response, the user is successfully authenticated to the server.
Is my password being sent across the network during NTLM authentication?
No. NTLM authentication does not send the user's password (or the hashed representation of the password) across the network. Instead, NTLM authentication uses a challenge/response mechanism to ensure that the actual password never traverses the network.
What's wrong with WEC?
The default authentication mechanism for WEC is NTLM. When a web-client session is initiated with a remote NTLM-enabled IIS server, the web client will automatically initiate a challenge/response logon process and send NTLM authentication credentials to the remote server, even when the IE security zone settings call for the user to be prompted before those credentials are sent.
How could a malicious user exploit this vulnerability?
A malicious user could create an HTML-formatted document or e-mail message that, when viewed by the recipient, would automatically request a session with the malicious user's server. Because NTLM credentials would be sent to the malicious user's server by default, the malicious user could capture the unsuspecting user's authentication credentials.
Once the malicious user obtained the NTLM response, what could he or she do with it?
NTLM challenge/response pairs could be fed into a program that performs brute force password guessing. The "cracking" program would iteratively try all possible passwords, hashing each, processing the challenge with the hash, and comparing the result to the response that the malicious user obtained. When it located a match, the malicious user would know that the password that produced the hash is the user's password.
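The following is an added example, not part of the bulletin, that models the challenge/response exchange described above and shows why a captured pair is enough for the offline guessing the bulletin describes. It is a simplified model (HMAC over a salted-free SHA-256 password hash) rather than the real NTLM algorithm; the account name and passwords are constructed.

```python
import hashlib
import hmac
import os

# Simplified model of the challenge/response scheme the bulletin describes.
# NOTE: this is NOT the real NTLM algorithm; only the structure is modelled:
# the server stores a password hash, sends a random challenge, and the client
# returns a value derived from hash + challenge. The password never crosses the wire.

def password_hash(password):
    """Stand-in for the stored password hash (the server keeps this, never the password)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def compute_response(pw_hash, challenge):
    """Client side: derive the response from the stored hash and the server's challenge."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self, accounts):
        self.accounts = accounts   # username -> password hash (the account database)
        self.pending = {}          # username -> outstanding challenge (one use only)

    def challenge(self, username):
        token = os.urandom(8)      # fresh random 8-byte challenge per logon attempt
        self.pending[username] = token
        return token

    def verify(self, username, response):
        token = self.pending.pop(username, None)
        stored = self.accounts.get(username)
        if token is None or stored is None:
            return False
        return hmac.compare_digest(compute_response(stored, token), response)

def login(server, username, password):
    """Run one exchange; returns what crossed the wire (challenge, response) and the outcome."""
    token = server.challenge(username)
    response = compute_response(password_hash(password), token)
    return token, response, server.verify(username, response)

def check_candidates_offline(challenge, response, candidates):
    """Why the leaked pair matters: anyone holding (challenge, response) can run the
    same computation the server runs against candidate passwords, with no further
    contact with the server. Returns the matching candidate, or None."""
    for candidate in candidates:
        if hmac.compare_digest(compute_response(password_hash(candidate), challenge), response):
            return candidate
    return None
```

The `Server.pending.pop` call also shows why a fresh challenge per logon blocks simple replay of a captured response.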
Which patch should I install?
If you are running Office 2000 on a machine, apply the Office 2000 patch. Only apply the Windows 2000 or Windows Me patches if you are running one of these operating systems and do not have Office 2000 installed.
Who should use the patch?
Microsoft recommends that all customers running Office 2000, Windows 2000, or Windows Me consider installing the patch.
Note: The patch will be included in Service Pack 2 for Windows 2000.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
What does the patch do?
The patch eliminates the vulnerability by ensuring that the WEC component respects the security zones specified within Internet Explorer.
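An added example (not Microsoft's code) contrasting the pre-patch WEC behaviour described under "What's wrong with WEC?" with a zone-aware credential policy like the one the patch enforces. The zone rules are an assumed simplification of IE's (dotless host names, configured intranet suffixes and networks, and explicitly trusted sites count as trusted); the host names and networks are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

AUTO_LOGON_ZONES = {"local_intranet", "trusted"}

class ZonePolicy:
    """Assumed simplification of IE security zones: decides whether NTLM credentials
    may be sent automatically to the host named in a URL."""

    def __init__(self, intranet_suffixes=(), trusted_sites=(), intranet_networks=()):
        self.intranet_suffixes = tuple(s.lower().lstrip(".") for s in intranet_suffixes)
        self.trusted_sites = {s.lower() for s in trusted_sites}
        self.intranet_networks = [ipaddress.ip_network(n) for n in intranet_networks]

    def zone_for(self, url):
        host = (urlsplit(url).hostname or "").lower()
        if not host:
            return "restricted"                 # no host at all: never authenticate
        if host in self.trusted_sites:
            return "trusted"
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None
        if addr is not None:                    # numeric address: trusted only if in an intranet range
            return "local_intranet" if any(addr in n for n in self.intranet_networks) else "internet"
        if "." not in host:                     # dotless name: local intranet (IE's default rule)
            return "local_intranet"
        if any(host == s or host.endswith("." + s) for s in self.intranet_suffixes):
            return "local_intranet"
        return "internet"

    def credential_action(self, url):
        """'send' = automatic NTLM logon; 'prompt' = ask the user first; 'deny' = never."""
        zone = self.zone_for(url)
        if zone in AUTO_LOGON_ZONES:
            return "send"
        return "prompt" if zone == "internet" else "deny"

def vulnerable_wec_action(url):
    """Pre-patch WEC behaviour per the bulletin: credentials go to any server, zone ignored."""
    return "send"
```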
How do I use the patch?
Knowledge Base article 282132 (available soon) contains detailed instructions for applying the patch to your system.
How can I tell if I installed the patch correctly?
Knowledge Base article 282132 (available soon) provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
• Microsoft has delivered a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued Knowledge Base article 282132 (available soon) explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.