VULHUB ™

Microsoft Security Bulletin (MS01-001) - The Web Extender Client (WEC), a component that ships as part of Office 2000, Windows 2000, and Windows Me, does not respect the IE Security settings regarding when NTLM authentication will be performed - instead, WEC will perform NTLM authentication with any server that requests it. If a user established a session with a malicious user's web site - either by browsing to the site or by opening an HTML mail that initiated a session with it - an application on the site could capture the user's NTLM credentials. The malicious user could then use an offline brute force attack, or with specialized tools, could submit a variant of these credentials in an attempt to protected resources. Microsoft FAQ on this issue available here.

Microsoft Security Bulletin (MS01-001) - The Web Extender Client (WEC), a component that ships as part of Office 2000, Windows 2000, and Windows Me, does not respect the IE Security settings regarding when NTLM authentication will be performed - instead, WEC will perform NTLM authentication with any server that requests it. If a user established a session with a malicious user's web site - either by browsing to the site or by opening an HTML mail that initiated a session with it - an application on the site could capture the user's NTLM credentials. The malicious user could then use an offline brute force attack, or with specialized tools, could submit a variant of these credentials in an attempt to protected resources. Microsoft FAQ on this issue available here.