Bugtraq mailing list archives

Microsoft Security Bulletin MS00-079 (version 2.0)


From: Microsoft Product Security <secnotif () MICROSOFT COM>
Date: Fri, 25 May 2001 09:35:39 -0700

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
                    ********************************

-----BEGIN PGP SIGNED MESSAGE-----

----------------------------------------------------------------------
Title:      HyperTerminal Buffer Overflow Vulnerability
Released:   18 October 2000
Revised:    24 May 2001 (version 2.0)
Software:   HyperTerminal on Windows 98, 98SE, Windows ME, 
              Windows NT 4.0, Windows 2000
Impact:     Privilege Elevation
Bulletin:   MS00-079

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS00-079.asp.
----------------------------------------------------------------------

Reason for Revision:
====================
Microsoft has re-released this bulletin to inform customers of the
availability of an updated set of patches to address both the
original and a second vulnerability identified in HyperTerminal. 
Information about the second issue is discussed in the Issue section
below and in the security bulletin referenced above.

Issue:
======
The HyperTerminal application is a communications utility that
installs by default on all versions of Windows 98, 98SE, Windows ME,
Windows NT 4.0, and Windows 2000. The product contains two unchecked
buffers through which an attacker could potentially cause code of her
choice to run on another user's machine:

 - One resides in a section of the code that processes Telnet URLs.
If a user opened an HTML mail that contained a particular type of
malformed Telnet URL, and HyperTerminal were configured as the
default Telnet client, it would trigger the buffer overrun.
HyperTerminal is the default Telnet client on Windows 98, 98SE and
ME. It is not the default Telnet client on Windows 2000. 

 - The other resides in a section of the code that processes session
files - files that enable HyperTerminal users to specify session
parameters such as the connection method and the destination host. If
a user opened a session file that contained a particular type of
malformed information, it would trigger the buffer overrun.

Although HyperTerminal ships as part of several Microsoft products,
it was developed by a third party. Additional information on the
vulnerability, and a patch for their full version product,
HyperTerminal Private Edition, are available from their web site at
www.hilgraeve.com.

Mitigating Factors:
====================
The malicious user must entice another user into clicking on a
specially-formed telnet URL or opening a malformed HyperTerminal
session file.

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms00-079.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Luciano Martins of USSR Labs (www.ussrback.com) 
----------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.


   *******************************************************************

To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/technet/security/notify.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
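
An added example, not part of Microsoft's bulletin: a mail-gateway style check for the two delivery paths described in the Issue section, HTML mail carrying telnet: URLs and attached HyperTerminal session files. The `.ht` extension, the 255-character threshold and every function name are assumptions of this example; the bulletin does not describe the malformation itself.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

MAX_TELNET_URL_LEN = 255   # assumed policy threshold; the bulletin gives no length
SESSION_FILE_EXT = ".ht"   # HyperTerminal session-file extension; not named in the bulletin

class LinkCollector(HTMLParser):
    """Collect the value of every URL-bearing attribute in an HTML part."""
    URL_ATTRS = {"href", "src", "action", "background"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                # Drop whitespace and control characters so an obfuscated scheme still matches.
                self.urls.append("".join(ch for ch in value if ch > " "))

def scan_message(raw: bytes):
    """Return (kind, detail) findings for one RFC 822 message."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(SESSION_FILE_EXT):
            findings.append(("session-file", name))
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        for url in collector.urls:
            if url.lower().startswith("telnet:"):
                oversized = len(url) > MAX_TELNET_URL_LEN
                findings.append(("telnet-url-oversized" if oversized else "telnet-url", len(url)))
    return findings

def build_sample() -> bytes:
    """Constructed test message: two telnet: links and one .ht attachment."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain-text alternative")
    html = '<a href="telnet://host.example/">a</a><img src="TELNET://' + "h" * 300 + '">'
    m.add_alternative(html, subtype="html")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="office.ht")
    return m.as_bytes()
```

Any telnet: link in HTML mail is reported, not only oversized ones, because the bulletin's mitigating factor is that the user must click the URL or open the session file.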

