[ISN] Win95/98 Authentication Insecurity

From: mea culpa <jericho_at_dimensional.com>
Date: Tue 05 Jan 1999 - 16:16:05 CST
Forwarded From: MJE <mark@NTSHOP.NET>

January 5, 1999 - NTSD - Weld Pond of L0pht Heavy Industries released a
security advisory last evening on Bugtraq that reveals insecurities
discovered in the Windows 95 and Windows 98 challenge/response mechanism.
In summary, it was discovered that the operating systems reuse the
challenge issued to a connecting user during the authentication phase
if that user tries to reconnect during the following 15-minute window of
time.
As Weld states, "Reusing a challenge is a classic cryptographic
mistake."  We have no word yet from Microsoft as to how they will address
this discovery.

For more information, including the relevant links to the L0pht Advisory
and Web site, please visit:
http://www.ntsecurity.net/scripts/load.asp?iD=/security/win9598-challenge.htm


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
Received on Tue Jan 5 19:36:16 1999
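
Added example, not part of the original post or the L0pht advisory: a small Python model of why a reused challenge defeats challenge/response, next to the corrected form that issues a fresh, single-use challenge. HMAC-SHA256 stands in for the real Windows response function, and the class names, client name and secret are constructed for illustration.

```python
import hashlib
import hmac
import os

REUSE_WINDOW = 15 * 60  # seconds; the 15-minute window described in the post


def response(secret: bytes, challenge: bytes) -> bytes:
    # Stand-in for the real response function (assumption: HMAC-SHA256).
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class ReusingServer:
    """Hands the same challenge back to a client that reconnects in the window."""
    def __init__(self, secrets):
        self.secrets = secrets
        self.issued = {}  # client -> (challenge, issue_time)

    def challenge(self, client, now):
        cached = self.issued.get(client)
        if cached and now - cached[1] < REUSE_WINDOW:
            return cached[0]  # the flaw: the old challenge is issued again
        self.issued[client] = (os.urandom(8), now)
        return self.issued[client][0]

    def verify(self, client, answer):
        chal = self.issued[client][0]
        return hmac.compare_digest(answer, response(self.secrets[client], chal))


class FreshServer(ReusingServer):
    """Corrected form: new challenge per connection, consumed on first use."""
    def challenge(self, client, now):
        self.issued[client] = (os.urandom(8), now)
        return self.issued[client][0]

    def verify(self, client, answer):
        entry = self.issued.pop(client, None)  # single use
        if entry is None:
            return False
        return hmac.compare_digest(answer, response(self.secrets[client], entry[0]))


def recorded_answer_accepted(server, client, secret, reconnect_after):
    """Log in once, then present the same recorded bytes on a later connection."""
    first = response(secret, server.challenge(client, now=0))
    assert server.verify(client, first)  # the legitimate login succeeds
    server.challenge(client, now=reconnect_after)
    return server.verify(client, first)
```

With the reusing server the recorded answer still verifies on a reconnect inside the window, without the secret ever being used again; with a fresh challenge per connection it does not.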