Security 10748 Published by

Microsoft has updated the "Windows 2000 Telnet Client NTLM Authentication" Vulnerability Patch.

Summary
=======
On September 14, 2000, Microsoft released the original version of
this bulletin, which was revised the following day to advise of a
problem with the patch. On September 21, 2000, a new version of the
patch was released, and the bulletin was updated to advise of its
availability. Microsoft recommends that all customers, including
those who applied the original version of the patch, apply the new
version.

The patch eliminates a security vulnerability in the telnet client
that ships with Microsoft(r) Windows 2000. The vulnerability could,
under certain circumstances, allow a malicious user to obtain
cryptographically protected logon credentials from another user.

Frequently asked questions regarding this vulnerability and
the patch can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-067.asp

Patch Availability
==================
- Microsoft Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24399

Note: Customers who applied the original version of the patch should
consider applying the current version. The original version
eliminated the vulnerability; however, if a malicious user attempted
to exploit the vulnerability, the patch caused the Telnet client to
fail. The current version of the patch eliminates the vulnerability
without interfering with Telnet connections.

Note: This patch will also be included in the next Service Pack for
Windows 2000. It can be applied to computers with or without Service
Pack 1.