Microsoft Plus! Compressed Folder Password Disclosure

2001-03-28T00:00:00
ID OSVDB:7293
Type osvdb
Reporter Microsoft Product Security (secnotif@microsoft.com)
Modified 2001-03-28T00:00:00

Description

Vulnerability Description

Windows ME and Plus! contain a flaw that may lead to unauthorized password exposure. Plaintext passwords can be obtained by reading the dynazip.log file, which may lead to a loss of confidentiality and/or integrity.

Solution Description

Apply the appropriate patch as listed in Microsoft Security Bulletin MS01-019, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

In addition to the patch, the file c:\windows\dynazip.log must be deleted.

References:

Microsoft Security Bulletin: MS01-019
ISS X-Force ID: 6294
CVE-2001-0152
Bugtraq ID: 2516