What's this bulletin about?
Microsoft Security Bulletin MS00-079 announces the availability of a patch that eliminates a vulnerability in the versions of HyperTerminal that ship with Microsoft® Windows® 98, 98SE, Windows Me, and Windows 2000. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
Why was this bulletin re-released?
After the original release of this bulletin, we discovered a problem with the original patch and retracted it for rework. While the rework was underway, we learned of an additional vulnerability affecting HyperTerminal. We therefore added the fix for the new vulnerability to the patch.
What is HyperTerminal?
HyperTerminal is a program that you can use to connect to other computers, Internet telnet sites, bulletin board systems (BBSs), online services, and host computers, using either your modem or your network card.
Although HyperTerminal ships as part of several Microsoft products, it was developed by a third party. Additional information on the vulnerability and a patch for their full version product, HyperTerminal Private Edition, is available from their web site at www.hilgraeve.com
What are the two vulnerabilities eliminated by the patch?
The patch eliminates two vulnerabilities affecting HyperTerminal:
- The vulnerability that was discussed in the original version of the bulletin
- A new vulnerability that was discovered after releasing the original version of the bulletin
What's the scope of the original vulnerability?
If a user opened an HTML mail that contained a particularly malformed Telnet URL, it could enable the creator of the mail to cause arbitrary code to run on the user's system. This would enable the attacker to take any action on the user's computer that the user himself could take, such as creating, deleting or changing data, communicating with web sites, or reformatting the hard drive.
HyperTerminal is the default Telnet client on Windows 95, 98 and Me. However, it is not the default Telnet client on Windows 2000, and Windows 2000 users who have not taken steps to make it the default Telnet client would not be affected by the vulnerability.
What causes the vulnerability?
A buffer overflow exists in the HyperTerminal application. A specially formed telnet URL could allow arbitrary code to be executed on the user's system. The creator of the malicious email containing the specially formed telnet URL would need to entice users into opening the HTML email in order for the overflow to occur.
HyperTerminal also ships with Windows NT 4.0. Is that version vulnerable to this vulnerability?
The HyperTerminal client that ships with Windows NT 4.0 does not include a TCP/IP connection method. As such, the NT4 HyperTerminal client cannot be set up as the default telnet client, and would not launch in response to a supplied Telnet URL.
How do I register HyperTerminal as my default Telnet client on Windows 2000?
HyperTerminal will automatically register itself as the default telnet client the first time that the HyperTerminal application is launched. Once registered as the default telnet client, invoking a telnet URL (via browser or HTML email) will launch the HyperTerminal application.
How can I un-register the HyperTerminal client on Windows 2000 once it's been set as the default telnet client?
The default telnet client is referenced in the registry key below. In this example, it shows that HyperTerminal is the default client:
HKEY_Classes_Root/telnet/shell/open
command:REG_SZ: C:\Program Files\Windows NT\hypertrm.exe /t %1
(where C:\ is the systemdrive.)
To revert back to the command line client, set the open key to the following value:
command:REG_SZ: rundll32.exe url.dll,TelnetProtocolHandler %1
Is the built-in telnet client vulnerable?
The default telnet client for Windows 2000 is the command-line client "telnet.exe". The command-line client is not affected by this vulnerability.
What's the scope of the new vulnerability?
Like the original vulnerability, the new one could enable an attacker to run code on another user's machine. However, the exploit scenario for this vulnerability would be more challenging. The attacker would need to not only deliver a specially modified file to another user, she also would need to convince him to open it. There is no capability to cause the file to automatically open.
What causes the vulnerability?
The vulnerability results because the part of the software that reads session files doesn't properly check the lengths of the data strings it reads in. By creating a session file that contains specially malformed data and persuading another user to open it, the attacker could cause code of her choice to run on the user's machine.
What's a session file?
A session file captures all of the parameters associated with a particular HyperTerminal session - for instance, the communications parameters, destination host, and so forth. By opening a session file, a user can automatically set all the HyperTerminal parameters to those specified in the file.
What's wrong with the way HyperTerminal handles session files?
HyperTerminal doesn't correctly check the lengths of the inputs as it reads them from a session file. This renders it susceptible to a buffer overrun attack.
What could an attacker use this vulnerability to do?
If an attacker created a session file containing specially malformed data, she could cause a buffer overrun to occur in HyperTerminal when it attempted to process the file. This would give her the ability to run code on the user's machine. Such code could do anything the user himself could do.
Could the attacker force the session file to open automatically?
No. This is a significant restriction on the scope of the vulnerability. Even after creating the file and delivering it to the user, the attacker still would need to rely on social engineering in order to persuade the user to actually open it. The attack could not force it to open without the user's approval.
How does the patch eliminate these two vulnerabilities?
The patch eliminates the vulnerability by enforcing proper buffer checking throughout HyperTerminal.
How do I use the patch?
Knowledge Base articles Q274548 (Windows 98/ME) and Q276471 (Windows 2000) contain detailed instructions for applying the patch to your site
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
How can I tell if I installed the patch correctly?
The Knowledge Base articles Q274548 (Windows 98/ME) and Q276471 (Windows 2000) provide a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued Knowledge Base articles explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
