NTSecAdvice Archives: Re: FW: Caching of passwords revealed aft

Re: FW: Caching of passwords revealed after installing SP6


Noël, Richard (richard.noelGETRONICS.COM)
Mon, 1 Nov 1999 14:29:58 -0500


The vulnerabilities are already known and documented in ...

http://support.microsoft.com/support/kb/articles/Q230/6/81.ASP
http://support.microsoft.com/support/kb/articles/Q233/3/03.ASP

The problem I have is that by preferring to not inconvenience the end-users
by clearing the cache during the install of SP6, Microsoft has made the
vulnerability worse by allowing anyone who has physical access to the
machine to be able to open a tunnel to a remote network (possibly a
customer's!) without having pre-existing knowledge of the credentials used
to do that. This is far different than the encrypted credentials being
stashed away in the registry (with or without your consent) which, although
still not good, would stop 99.9% of casual intruders from exploiting this
vulnerability.

Richard

-----Original Message-----
From: scottrcMIRAMARSYS.COM [mailto:scottrcMIRAMARSYS.COM]
Sent: Monday, November 01, 1999 1:17 PM
To: WIN2KSECADVICELISTSERV.NTSECURITY.NET
Subject: Re: FW: Caching of passwords revealed after installing SP6

Neither of these responses addresses the primary point - if the setting was to
not have the information cached, why was it being cached in the first
place? Clearing the cache when installing SP6 shouldn't be necessary,
because the information shouldn't be in the cache to begin with. Changing
the setting to clear the information out would have only covered up the
basic problem.

Or am I missing something here?

Steve Manzuik <smanzuikNTSECADVICE.COM> on 11/01/99 09:30:09 AM

Please respond to "Discussions regarding Windows-related security issues."
      <WIN2KSECADVICELISTSERV.NTSECURITY.NET>

To: WIN2KSECADVICELISTSERV.NTSECURITY.NET
cc: (bcc: Scott Carpenter/Miramar Systems)

Subject: FW: Caching of passwords revealed after installing SP6

-----Original Message-----
From: Microsoft Product Security Response Team
[mailto:securemicrosoft.com]
Sent: Monday, November 01, 1999 10:08 AM
To: 'noelwang.com'
Cc: 'smanzuikntsecadvice.com'
Subject: RE: Caching of passwords revealed after installing SP6

Hi Richard -

Thanks for your note. I'll find out how to clear the credential cache and
get the info to you soonest. We did consider clearing the cache as part of
SP6 installation, but the problem is that the vast majority of users choose
to cache their passwords. If we had cleared the cache, it would have been
confusing for these users, as it wouldn't make any sense that they should
need to re-enter their RAS password simply because they installed a new
service pack. I do appreciate the suggestion, though, and I'll get info to
you on clearing the cache right away. Thanks,

Securemicrosoft.com

-----Original Message-----
From: Steve Manzuik [mailto:smanzuiktelusplanet.net]
Sent: Sunday, October 31, 1999 2:42 PM
To: Microsoft Product Security Response Team
Cc: neolwang.com
Subject: FW: Caching of passwords revealed after installing SP6

Noel.

I have forwarded your message to securemicrosoft.com to see if they have
any ideas for you.

Steve Manzuik
Win2K Security Advice

-----Original Message-----
From: No



This archive was generated by hypermail 2.0b3 on Mon Nov 01 1999 - 13:33:26 CST