Microsoft Security Bulletin MS01-001 - Important
Web Client Will Perform NTLM Authentication Regardless of Security Settings
Published: January 11, 2001 | Updated: July 10, 2003
Originally posted: January 11, 2001
Updated: July 10, 2003
Who should read this bulletin:
Customers running Office 2000, Windows Me, and Windows 2000.
Impact of vulnerability:
Logon credentials could be retrieved by a malicious server.
Customers with an affected version of the products listed should consider installing this patch.
- Microsoft Office 2000
- Microsoft Windows 2000
- Microsoft Windows Me
The Web Extender Client (WEC) is a component that ships as part of Office 2000, Windows 2000, and Windows Me. WEC allows IE to view and publish files via web folders, similar to viewing and adding files in a directory through Windows Explorer. Due to an implementation flaw, WEC does not respect the IE Security settings regarding when NTLM authentication will be performed - instead, WEC will perform NTLM authentication with any server that requests it. If a user established a session with a malicious user's web site - either by browsing to the site or by opening an HTML mail that initiated a session with it - an application on the site could capture the user's NTLM credentials. The malicious user could then use an offline brute force attack to derive the password or, with specialized tools, could submit a variant of these credentials in an attempt to access protected resources.
The vulnerability would only provide the malicious user with the cryptographically protected NTLM authentication credentials of another user. It would not, by itself, allow a malicious user to gain control of another user's computer or to gain access to resources to which that user was authorized access. In order to leverage the NTLM credentials (or a subsequently cracked password), the malicious user would have to be able to remotely logon to the target system. However, best practices dictate that remote logon services be blocked at border devices, and if these practices were followed, they would prevent an attacker from using the credentials to logon to the target system.
- Customers who do not browse malicous web servers or open e-mail from untrusted sources cannot be affected by this vulnerability.
Vulnerability identifier: CAN-2001-0003
Frequently asked questions
What's the scope of the vulnerability?
This vulnerability could enable a malicious web site operator to obtain a copy of the cryptographically protected authentication credentials belonging to a user who visited the site. The malicious user could then subject the credentials to an offline brute force attack in the hopes of discovering the user's password. This vulnerability would only provide the malicious user with the NTLM encrypted password credentials of another user. It would not, by itself, allow the malicious user to take any actions on the user's system.
What causes the vulnerability?
This vulnerability occurs because the authentication settings of Web Extender Client (WEC) do not adhere to settings specified by the IE security zones. As a result, WEC will participate in NTLM challenge-response authentication with any server, regardless of whether it's trusted or not.
What is WEC?
The Web Extender Client (WEC) is a protocol (introduced with IE 5.0) that provides an extension to the Hypertext Transfer Protocol (HTTP) and defines how basic file functions, such as copy, move, delete, and create folder, are performed across HTTP. WEC is a subset of the Web Folder Behaviors feature that was introduced with IE 5.0. Web Folder Behaviors enable authors to view sites in a Web folder view, which is similar to the Microsoft Windows Explorer folder view. The WEC protocol adds additional capabilities to the Web Folder Behaviors feature. For example, using WEC with Web folder view enabled makes it possible to perform the equivalent of a DIR command on an HTTP resource and retrieve all the information necessary to fill a Windows Explorer view. For more details on WEC and Web Folders please see Web Folder Behaviors workshop article on MSDN.
Are other platforms with IE 5.0 also affected?
Yes and no. The WEC protocol is only available by default with Office 2000, Windows 2000, and Windows Me. Other platforms may be affected, but Web Folders is not enabled by default and that feature would need to be installed in order to be affected. For more details on how to enable this feature please see Q195851.
NTLM (NT LanMan) is an authentication process that's used by all members of the Windows NT family of products. Like its predecessor LanMan, NTLM uses a challenge/response process to prove the client's identity without requiring that either a password or a hashed password be sent across the network.
How does challenge/response work?
When the authentication process begins, the user's system (client) sends a login request to the IIS server. The server replies with a randomly generated "token" (or challenge) to the client. The client hashes the currently logged-on user's cryptographically protected password with the challenge and sends the resulting "response" to the IIS server. The server receives the challenge-hashed response and compares it to what it knows to be the appropriate response. (The server takes a copy of the original token - which it generated - and hashes it against what it knows to be the user's password hash from its own user account database.) If the received response matches the expected response, the user is successfully authenticated to the server.
Is my password being sent across the network during NTLM authentication?
No. NTLM authentication does not send the user's password (or the hashed representation of the password) across the network. Instead, NTLM authentication uses a challenge/response mechanism to ensure that the actual password never traverses the network.
What's wrong with WEC?
The default authentication mechanism for WEC is NTLM. When a web-client session is initiated with a remote NTLM enabled IIS server, the web-client will automatically initiate a challenge/response logon process and send NTLM authentication credentials to the remote server even when the IE security settings prompts for those credentials.
How could a malicious user exploit this vulnerability?
A malicious user could create an HTML formatted document or e-mail message, that when viewed by the recipient, would automatically request a session to the malicious user's server. Because NTLM credentials would be sent to the malicious user's server by default, the malicious user could capture the unsuspecting user's authentication credentials.
Once the malicious user obtained the NTLM response, what could he or she do with it?
NTLM challenge/response pairs could be fed into a program that performs brute force password guessing. The "cracking" program would iteratively try all possible passwords, hashing each, processing the challenge with the hash, and comparing the result to the response that the malicious user obtained. When it located a match, the malicious user would know that the password that produced the hash is the user's password.
You've got patches for Office 2000, Windows 2000 and Windows Me. I'm running Office 2000 on a Windows 2000 system. Which patch should I install?
The Office 2000 patch takes precedence over the operating system patches. That is, if you are running Office 2000, you should install the Office 2000 patch, regardless of what operating system you are running. You should only apply the Windows 2000 patch if you're using Windows 2000 but do not have Office 2000 installed on it. Likewise, you should only apply the patch for Windows Me if you're using Windows Me but do not have Office 2000 installed on it.
I'm running Office 2000 on a machine that has neither Windows 2000 nor Windows Me installed. Could I be affected?
Yes. You have an affected system if you're using Office 2000, Windows 2000 or Windows Me. If you're using Office 2000, you should apply the patch for Office 2000, regardless of the operating system you're using.
What does the patch do?
The patch eliminates the vulnerability by ensuring the WEC components respects the security zones specified within Internet Explorer.
Download locations for this patch
Microsoft Office 2000:
Microsoft Windows 2000:
Microsoft Windows Me:
Note: Priority should be given to the Office 2000 patch. That is, a customer who is using Office 2000 should install the Office 2000 patch, regardless of the operating system he or she is using. The Windows 2000 or Windows Me patches should only be applied in the case where Office 2000 is not installed on the machine.
Additional information about this patch
- The Office 2000 patch can be installed on systems running SR-1a.
- The Windows 2000 patch can be installed on systems running Windows 2000 Gold or Service Pack 1.
- The Windows Me patch can be installed on systems running Windows Me Gold.
Inclusion in future service packs:
The Windows 2000 fix will be included in Windows 2000 Service Pack 2.
Verifying patch installation:
- To ensure that the patch has been properly applied on the machine, verify that the files listed in the patch manifest in Knowledge Base article Q282132 have been installed on the machine.
In order to install the Office 2000 patch you must have SR-1a previously installed.
Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches are available from the WindowsUpdate web site
Microsoft thanks the following people for working with us to protect customers:
- David Litchfield of @stake.
- Matt Scarborough (firstname.lastname@example.org)
- Microsoft Knowledge Base article Q282132 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (January 11, 2001): Bulletin Created.
- V1.1 (January 15, 2001): Correction to Acknowledgement section.
- V1.2 (February 28, 2003): Corrected links to Office 2000 SR1a links in Additional Information section.
- V1.3 (July 10, 2003): Corrected links to Windows Update in Additional Information.
Built at 2014-04-18T13:49:36Z-07:00