From secnotif@MICROSOFT.COM Sat May 26 00:25:51 2001 From: Microsoft Product Security To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM Date: Fri, 25 May 2001 09:35:39 -0700 Subject: Microsoft Security Bulletin MS00-079 (version 2.0) The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox. ******************************** -----BEGIN PGP SIGNED MESSAGE----- - ---------------------------------------------------------------------- - - Title: HyperTerminal Buffer Overflow Vulnerability Released: 18 October 2000 Revised: 24 May 2001 (version 2.0) Software: HyperTerminal on Windows 98, 98SE, Windows ME, Windows NT 4.0, Windows 2000 Impact: Privilege Elevation Bulletin: MS00-079 Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS00-079.asp. - ---------------------------------------------------------------------- - - Reason for Revision: ==================== Microsoft has re-released this bulletin to inform customers of the availability of an updated set of patches to address both the original and a second vulnerability identified in HyperTerminal. Information about the second issue is discussed in the Issue section below and in the security bulletin referenced above. Issue: ====== The HyperTerminal application is a communications utility that installs by default on all versions of Windows 98, 98SE, Windows ME, Windows NT 4.0, and Windows 2000. The product contains two unchecked buffers through which an attacker could potentially cause code of her choice to run on another user's machine: - One resides in a section of the code that processes Telnet URLs. If a user opened an HTML mail that contained a particular type of malformed Telnet URL, and HyperTerminal were configured as the default Telnet client, it would trigger the buffer overrun. HyperTerminal is the default Telnet client on Windows 98, 98SE and ME. It is not the default Telnet client on Windows 2000. - The other resides in a section of the code that processes session files - files that enable HyperTerminal users to specify session parameters such as the connection method and the destination host. If a user opened a session file that contained a particular type of malformed information, it would trigger the buffer overrun. Although HyperTerminal ships as part of several Microsoft products, it was developed by a third party. Additional information on the vulnerability and a patch for their full version product, HyperTerminal Private Edition, is available from their web site at www.hilgraeve.com Mitigating Factors: ==================== The malicious user must entice another user into clicking on a specially-formed telnet URL or opening a malformed HyperTerminal session file. Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletin http://www.microsoft.com/technet/security/bulletin/ms00-079.asp for information on obtaining this patch. Acknowledgment: =============== - Luciano Martins of USSR Labs (www.ussrback.com) - ---------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBOw6JxY0ZSRQxA/UrAQF63wf9EzzK3MXnpVdS0Mp7jcSkhqdB4f9k1eG3 hFACBsv1z0H4ljDvSJo7lYU/KDzaD7PW3nsgvTvQfCSZvVol09HuplytwbdH3gH1 c256zujIL9r1Cxwjx+akkDDoFLrzT/k34u2fdk8WDqoyaP9xFL9HnrlMprJp8z52 KCiaC7lD99oIl7iTUreZsnC9Gdv0DbR91b1j9DIgN/aRL1c0m1ifM3GBBIr1aHoD R0q7NSIRfWXrgPk3VJHuSGsslXBueKZq0sw3ibwhZCO1N19u/fIe6Vpo5DHLfY7e imny5atzgVDlUTwE3tvIKEXnR3xuTest199fwEkYfnGRyWjcHJAYQQ== =d04p -----END PGP SIGNATURE----- ******************************************************************* You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM The subject line and message body are not used in processing the request, and can be anything you like. To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/technet/security/notify.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.