- Quick specs
- Price: Free
- Operating system: Windows Me
- Date added: January 12, 2001
- Total Downloads: 61,248
- Downloads last week: 7
- See full specifications
- Average user rating: stars out of 18 votes
See all user reviews
Publisher's description
From Microsoft :This patch eliminates a security vulnerability in a component that ships with Microsoft Office 2000, Windows 2000, and Windows Me. The vulnerability could, under certain circumstances, allow a malicious user to obtain cryptographically protected logon credentials from another user when requesting an Office document from a Web server.
The Web Extender Client (WEC) is a component that ships as part of Office 2000, Windows 2000, and Windows Me. WEC allows IE to view and publish files via Web folders, similar to viewing and adding files in a directory through Windows Explorer. Due to an implementation flaw, WEC does not respect the IE Security settings regarding when NTLM authentication will be performed. Instead, WEC will perform NTLM authentication with any server that requests it. If a user established a session with a malicious user's Web site, either by browsing to the site or by opening an HTML mail that initiated a session with it, an application on the site could capture the user's NTLM credentials. The malicious user could then use an offline brute-force attack to derive the password or, with specialized tools, could submit a variant of these credentials in an attempt to access protected resources.
The vulnerability would only provide the malicious user with the cryptographically protected NTLM authentication credentials of another user. It would not, by itself, allow a malicious user to gain control of another user's computer or to gain access to resources to which that user was authorized access. In order to leverage the NTLM credentials (or a subsequently cracked password), the malicious user would have to be able to remotely logon to the target system. However, best practices dictate that remote logon services be blocked at border devices, and if these practices were followed, they would prevent an attacker from using the credentials to logon to the target system.
Frequently asked questions regarding this vulnerability can be found here.
More popular Encryption Software downloads
- 52,623 downloads 1. RoboForm
- 27,875 downloads 2. Hotspot Shield
- 26,862 downloads 3. Computer Use Reporter
- 8,814 downloads 4. Easy File Encryption
- 8,095 downloads 5. Easy Private Disk
- See all Encryption Software downloads
User reviews
- Average user rating: 0 stars Not yet available
- My rating: 0 stars Write review
-
Showing 2 of 2 user reviewsSee all 2 user reviews
This software version | All versions -
Version: Microsoft Web Client NTLM Authentication Vulnerability Patch (Windows Me) MS01-001
"Dosen't Work with Windows XP"
-
Version: Microsoft Web Client NTLM Authentication Vulnerability Patch (Windows Me) MS01-001
"Not appropriate for Windows98"
Summary: I am currently running Web Client NTLM Authentication Vulnerability Version: 4.0.2.4022 with Windows 98. The update program informs me that I should install Latest Version: Fix 4.0.2.4715. However, this is only for people running Windows 2000 Wind... read more >>
- See all 2 user reviews Write review
Submit your review
- See more CNET content tagged:
- Microsoft Office 2000,
- authentication,
- credential,
- malicious user,
- vulnerability
%20-%20Free%20software%20downloads%20and%20software%20reviews%20-%20CNET%20Download.com&srcUrl=http://download.cnet.com/Microsoft-Web-Client-NTLM-Authentication-Vulnerability-Patch-Windows-Me/3000-2092_4-10053782.html){kind=small}