HyperTerminal Buffer Overflow vulnerability (Patch available)
------------------------------------------------------------------------

SUMMARY

Microsoft has released a patch that eliminates a security vulnerability in the HyperTerminal application that ships with several Microsoft operating systems. This vulnerability could, under certain circumstances, allow a malicious user to execute arbitrary code on another user's system.

DETAILS

Affected Software Versions:
- Microsoft Windows 98 and Windows 98SE
- Microsoft Windows Me
- Microsoft Windows 2000

The HyperTerminal application is a utility that installs, by default, on all versions of Windows 98, 98SE, Windows ME, Windows NT, and Windows 2000. The product contains an unchecked buffer in a section of the code that processes Telnet URLs. If a user opened an HTML mail that contained a particularly malformed Telnet URL, it would result in a buffer overrun that could enable the creator of the mail to cause arbitrary code to run on the user's system.

Please note that, although a Telnet URL is involved in this vulnerability, there is no relationship between this vulnerability and the "Windows 2000 Telnet Client NTLM Authentication" vulnerability discussed in MS00-067 <http://www.securiteam.com/windowsntfocus/Microsoft_releases_a_patch_for_the_telnet_Client_NTLM_Authentication_problem.html>.

HyperTerminal is the default Telnet client on Windows 98, 98SE and ME. However, it is not the default Telnet client on Windows 2000, and Windows 2000 users who have not taken steps to make it the default Telnet client would not be affected by the vulnerability.

Although HyperTerminal ships as part of several Microsoft products, it was developed by a third party - Hilgraeve, Inc.
Additional information on the vulnerability and a patch for their full version product, HyperTerminal Private Edition, is available from their web site at: <http://www.hilgraeve.com>

Patch Availability:
- Windows 98 and 98SE: <http://download.microsoft.com/download/win98/Update/12395/W98/EN-US/274548USA8.EXE>
- Windows Me: <http://download.microsoft.com/download/winme/Update/12395/WinMe/EN-US/274548USAM.EXE>
- Windows 2000 (can be applied to both Gold and Service Pack 1): <http://www.microsoft.com/downloads/release.asp?releaseid=25112>

What's the scope of the vulnerability?
If a user opened an HTML mail that contained a particularly malformed Telnet URL, it could enable the creator of the mail to cause arbitrary code to run on the user's system. HyperTerminal is the default Telnet client on Windows 95, 98 and Me. However, it is not the default Telnet client on Windows 2000, and Windows 2000 users who have not taken steps to make it the default Telnet client would not be affected by the vulnerability.

What causes the vulnerability?
A buffer overflow exists in the HyperTerminal application. A specially formed telnet URL could allow arbitrary code to be executed on the user's system. The creator of the malicious email containing the specially formed telnet URL would need to entice users into opening the HTML email in order for the overflow to occur.

What is HyperTerminal?
HyperTerminal is a program that you can use to connect to other computers, Internet telnet sites, bulletin board systems (BBSs), online services, and host computers, using either your modem or your network card.
Although HyperTerminal ships as part of several Microsoft products, it was developed by a third party - Hilgraeve, Inc. Additional information on the vulnerability and a patch for their full version product, HyperTerminal Private Edition, is available from their web site at <http://www.hilgraeve.com>.

HyperTerminal also ships with NT4. Why is this version not vulnerable?
The HyperTerminal client that ships with Windows NT4 does not include a TCP/IP connection method. As such, the NT4 HyperTerminal client cannot be set up as the default telnet client, and would not launch in response to a supplied Telnet URL.

How do I register HyperTerminal as my default Telnet client on Windows 2000?
HyperTerminal will automatically register itself as the default telnet client the first time that the HyperTerminal application is launched. Once registered as the default telnet client, invoking a telnet URL (via browser or HTML email) will launch the HyperTerminal application.

Is the built-in telnet client vulnerable?
The default telnet client for Windows 2000 is the command-line client "telnet.exe". The command-line client is not affected by this vulnerability.

What does the patch do?
The patch eliminates the vulnerability by properly handling the malformed telnet URL.

Who should use the patch?
Microsoft recommends that users running the referenced Operating Systems consider installing the patch.

How do I use the patch?
Knowledge Base articles Q274548 <http://www.microsoft.com/technet/support/kb.asp?ID=274548> (Win9x/Me) and Q276471 <http://www.microsoft.com/technet/support/kb.asp?ID=276471> (Win2K) contain detailed instructions for applying the patch to your site.

How can I tell if I installed the patch correctly?
The Knowledge Base articles Q274548 <http://www.microsoft.com/technet/support/kb.asp?ID=274548> (Win9x/Me) and Q276471 <http://www.microsoft.com/technet/support/kb.asp?ID=276471> (Win2K) provide a manifest of the files in the patch package.
The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

--
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml
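
As an added illustration (not HyperTerminal's or Microsoft's code, and not part of the original advisory), this shows the kind of bounded Telnet URL handling that "properly handling the malformed telnet URL" implies: the host length is checked before anything is copied into a fixed buffer. The function name, status codes and sample URL are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum url_status { URL_OK, URL_BAD_SCHEME, URL_BAD_HOST, URL_TOO_LONG, URL_BAD_PORT };

/* Parse "telnet://host[:port][/]" (user:password@ forms are rejected). The unchecked
 * pattern is strcpy(host, url + 9): the URL's author then decides how much is written. */
enum url_status parse_telnet_url(const char *url, char *host, size_t host_sz, int *port)
{
    static const char scheme[] = "telnet://";
    if (!url || !host || host_sz == 0 || !port)
        return URL_BAD_HOST;
    host[0] = '\0';
    *port = 23;                                   /* default telnet port */
    if (strncmp(url, scheme, sizeof scheme - 1) != 0)
        return URL_BAD_SCHEME;                    /* case-sensitive for brevity */
    const char *p = url + sizeof scheme - 1;
    size_t hlen = strcspn(p, ":/");               /* host ends at ':', '/' or NUL */
    if (hlen == 0)
        return URL_BAD_HOST;
    if (hlen >= host_sz)                          /* check the length BEFORE copying */
        return URL_TOO_LONG;
    for (size_t i = 0; i < hlen; i++) {           /* hostname characters only */
        unsigned char c = (unsigned char)p[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '-'))
            return URL_BAD_HOST;
    }
    memcpy(host, p, hlen);
    host[hlen] = '\0';
    p += hlen;
    if (*p == ':') {
        char *end;
        long v = strtol(p + 1, &end, 10);
        if (p[1] < '0' || p[1] > '9' || v < 1 || v > 65535 || (*end && *end != '/'))
            return URL_BAD_PORT;
        *port = (int)v;
        p = end;
    }
    if (*p == '/') p++;
    return *p == '\0' ? URL_OK : URL_BAD_HOST;    /* nothing may follow the authority */
}

int main(void)
{
    char host[64]; int port;
    int s = parse_telnet_url("telnet://bbs.example.test:2323/", host, sizeof host, &port);
    printf("status=%d host=%s port=%d\n", s, host, port);   /* constructed sample URL */
    return 0;
}
```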
