This vulnerability affects only Windows NT workstations and terminal servers where users can log on interactively. Microsoft notes that if best practices are followed, normal users will not be allowed to log on interactively to security-critical machines such as database servers and web servers.
If a malicious user is successful in exploiting this vulnerability, they could compromise the cryptographic keys of all subsequent users. This would allow the malicious user to access information not normally available to them.
Point of Exploitation
A registry key, HKEY_Local_Machine\Software\Microsoft\Cryptography\Offload, is created with permissions that are too loose. Microsoft states that if a malicious user changes the value of this key to reference a DLL that the user developed, all subsequent users who log on would have their cryptographic keys sent to the phony DLL. The malicious user could then have the keys stored for later recovery or sent to another location.
This vulnerability can be exploited only locally, by a user who can log on interactively; it cannot be exploited remotely. Microsoft has informed us that the malicious user could be exposed by the audit trail generated in Windows NT.
Microsoft has issued a patch that will assign the correct permissions to HKEY_Local_Machine\Software\Microsoft\Cryptography\Offload. Also included is a tool for checking vulnerabilities in the registry.
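The following PowerShell script is an added example of the kind of check an administrator can run to confirm the permissions on this key are tight; it is not Microsoft's patch or registry-checking tool, and it assumes a Windows host with PowerShell and the standard Registry provider (the NT 4.0 systems the advisory covers would need the patch and tool Microsoft shipped instead). It lists every principal other than SYSTEM, Administrators and CREATOR OWNER that holds write rights on the key, and also reports any value under the key that names a DLL outside the system directory, which is what the attack described above would leave behind.

```powershell
# Added example, not Microsoft's registry-checking tool.
# Audits the ACL of the CSP offload key and flags untrusted principals that can
# write to it, then reports any value that points at a DLL outside System32.
$keyPath = 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Offload'

# Rights that allow changing a value or creating subkeys under the key
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

# Principals expected to hold write access; anyone else with write rights is a finding.
# Assumed set: adjust if your baseline grants write access to other groups.
$trustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Output "Key not present: $keyPath (no offload DLL configured; nothing to audit)"
    return
}

# 1. Permission check: who can write to the key?
$acl = Get-Acl -LiteralPath $keyPath
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (($ace.RegistryRights -band $writeRights) -eq 0) { continue }
    if ($trustedWriters -contains $ace.IdentityReference.Value) { continue }
    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Rights    = $ace.RegistryRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    Write-Output "FINDING: untrusted principals can write to $keyPath"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "OK: only trusted principals can write to $keyPath"
}

# 2. Content check: does any value already reference a DLL outside the system directory?
$sysDir = [Environment]::SystemDirectory
$key = Get-Item -LiteralPath $keyPath
foreach ($name in $key.GetValueNames()) {
    $value = [string]$key.GetValue($name)
    if ($value -match '\.dll$' -and
        -not $value.StartsWith($sysDir, [System.StringComparison]::OrdinalIgnoreCase)) {
        $label = if ($name) { $name } else { '(Default)' }
        Write-Output "REVIEW: value '$label' references '$value' outside $sysDir"
    }
}
```

Run it from an elevated prompt so Get-Acl can read the key's security descriptor. A clean result is an empty findings table and no REVIEW lines; a non-administrative identity in the findings table is the loose-permission condition the patch corrects, and a REVIEW line identifies the DLL path to examine and, together with the NT audit trail, the account that set it.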
Microsoft recommends that all users of the following affected software download the security update.
- Microsoft Windows NT 4.0 Workstation
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Enterprise Edition
- Microsoft Windows NT 4.0 Server, Terminal Server Edition