NTSecAdvice Archives: Re: Caching of passwords revealed after i

Re: Caching of passwords revealed after installing SP6


Steve Manzuik (smanzuikNTSECADVICE.COM)
Tue, 2 Nov 1999 20:32:41 -0700


-----Original Message-----
From: Microsoft Product Security Response Team
[mailto:securemicrosoft.com]
Sent: Tuesday, November 02, 1999 8:23 PM
To: '"Noël, Richard"'
Cc: 'smanzuikntsecadvice.com'; 'markntshop.net'
Subject: RE: Caching of passwords revealed after installing SP6

Hi Richard -

Sorry it took so long to get an answer for you -- it turns out that clearing
the cache is pretty simple after all. All you need to do is enter a blank
password and check "save my password". When the authentication fails,
uncheck the "save my password" box and enter the correct userid/password
combination.

Regards,

Securemicrosoft.com

-----Original Message-----
From: "Noël, Richard" [mailto:richard.noelgetronics.com]
Sent: Monday, November 01, 1999 9:30 AM
To: Microsoft Product Security Response Team
Cc: 'smanzuikntsecadvice.com'; 'markntshop.net'
Subject: RE: Caching of passwords revealed after installing SP6

OK but, where you are trying to correct a vulnerability, convenience should
not take precedence over security. A note in the SP6 readme file explaining
why this was necessary (i.e. clearing the cache for everyone) would have
covered you.

I take it there was no way to distinguish between those SP5 clients that
actually had "Save Password" enabled vs. those who did not even though their
credentials were being cached anyway? If yes, it seems this could have
been used to selectively clear the cache rather than for everyone.

Richard

-----Original Message-----
From: Microsoft Product Security Response Team
[mailto:securemicrosoft.com]
Sent: Monday, November 01, 1999 12:08 PM
To: 'noelwang.com'
Cc: 'smanzuikntsecadvice.com'
Subject: RE: Caching of passwords revealed after installing SP6

Hi Richard -

Thanks for your note. I'll find out how to clear the credential cache and
get the info to you soonest. We did consider clearing the cache as part of
SP6 installation, but the problem is that the vast majority of users choose
to cache their passwords. If we had cleared the cache, it would have been
confusing for these users, as it wouldn't make any sense that they should
need to re-enter their RAS password simply because they installed a new
service pack. I do appreciate the suggestion, though, and I'll get info to
you on clearing the cache right away.

Thanks,

Securemicrosoft.com

-----Original Message-----
From: Steve Manzuik [mailto:smanzuiktelusplanet.net]
Sent: Sunday, October 31, 1999 2:42 PM
To: Microsoft Product Security Response Team
Cc: neolwang.com
Subject: FW: Caching of passwords revealed after installing SP6

Noel.

I have forwarded your message to securemicrosoft.com to see if they have
any ideas for you.

Steve Manzuik
Win2K Security Advice

-----Original Message-----
From: Noël, Richard [mailto:noelWANG.COM]
Sent: Sunday, October 31, 1999 3:01 PM
To: WIN2KSECADVICELISTSERV.NTSECURITY.NET
Subject: Caching of passwords revealed after installing SP6

I found something disturbing today. I installed SP6 on an NT4 SP5 server
that I've been using as a PPTP client for the past couple of years. After
installing SP6, I found that the setting for saving passwords for at least
PPTP dial-up has been enabled which is a feature I never, never use. While
this is bad, the disturbing part revealed by installing SP6 is that even
though I never used the "Save password" feature with PPTP, my password was
in fact being cached. I know this because the first four PPTP dial-up
connections I tried (i.e. four different PPTP servers) all immediately
connected and authenticated without prompting me for credentials. Two
others failed to connect immediately because the cached password did not
match the current password for my domain account.

If any of you get a chance, could you pls verify this behavior.

Thanks,
Richard



This archive was generated by hypermail 2.0b3 on Tue Nov 02 1999 - 21:55:27 CST