Re: Win2k Telnet.exe malicious server vulnerability

[Blue Boar <BlueBoar () THIEVCO COM>]

Regarding various dates that people were notified, advisories released,
patches made, etc..

Umm... I suppose It's possible that I'm smarter (and better lookin to
boot!) that all the other parties involved here....  but didn't
Dildog and Sir Dystic pretty much announce the same vulnerability
during the cDc talk at Defcon this year?  Just before the gorilla
came on stage, and they started flinging meat at everyone.

So, didn't a couple thousand of us pick up on what was being said
about this at that time?  I point this out only because it leads
some credence to the idea that lots of folks knew about this,
and perhaps some amount of pressure on MS to hurry was appropriate.

When Dildog mentioned being able to trick an MS box into connecting
to you, and when it came time to issue a challenge, connecting to
the same victim, and using the challenge it gave back against itself..
And then he immediately mentions that the telnet client in W2K
tries MS-CHAP by default...  well *I* knew exactly what he was
getting at... was I alone?

                                        BB