Microsoft warns of 'man-in-the-middle' VPN password hack

[InfoSec News <alerts () infosecnews org>]

http://www.computerworld.com/s/article/9230448/Microsoft_warns_of_man_in_the_middle_VPN_password_hack

By Gregg Keizer
Computerworld
August 21, 2012

Microsoft yesterday warned Windows users of possible "man-in-the-middle" 
attacks able to steal passwords for some wireless networks and VPNs, or 
virtual private networks.

It won't issue a security update for the problem, however.

The security advisory was Microsoft's reaction to a disclosure several 
weeks ago by security researcher Moxie Marlinspike at the Defcon 
conference.

In a blog post written shortly after his Defcon talk, Marlinspike 
explained his interest in MS-CHAP v2 (Microsoft Challenge Handshake 
Authentication Protocol version 2). "Even as an aging protocol with some 
prevalent criticism, it's still used quite pervasively," Marlinspike 
said. "It shows up most notably in PPTP VPNs, and is also used quite 
heavily in WPA2 Enterprise environments."

[...]