L0phtCrack Security Fix Release 2.51 Now Available

Vytis Fedaravicius <vytixat_private> reported a problem where L0phtCrack 2.5 created temporary files in the system TEMP directory. These files contained the password hashes that were dumped from the registry or from a SAM file import. Worse yet, the auto-save feature of L0phtCrack would default to saving the cracked passwords here unless the filename was changed by the user.

We think this was a big enough problem that we put out a fix immediately. As you might imagine, we take security vulnerabilities quite seriously, especially those in tools purporting to be security and/or audit tools.

A new version, L0phtCrack 2.51, was made available 1/5/99 from the L0pht Website at http://www.l0pht.com/l0phtcrack/dist/l0phtcrack251.exe

The problem has been corrected by creating all temporary files within the L0phtCrack program directory. These temporary files are now deleted once they are no longer needed. Any cracked passwords are then saved by the auto-save feature into the L0phtCrack program directory.

We recommend setting the permissions on the L0phtCrack program directory to Full Control for users who have permission to run L0phtCrack and no permissions for all other users.

L0phtCrack users are advised to look in their system TEMP directory and delete any 'passwd??' or 'passwed??.lc' files that may be left behind.

L0phtCrack Development Team
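The cleanup step recommended above, written as a small script. This is an added example, not part of the original advisory or L0pht's code; the function names and the use of the TEMP/TMP environment variables to locate the directory are assumptions, and the two file-name patterns are copied exactly as the advisory gives them.

```python
import fnmatch
import os
import tempfile

# Leftover-file patterns exactly as given in the advisory ('?' = one character).
PATTERNS = ("passwd??", "passwed??.lc")

def temp_dirs():
    """Candidate TEMP directories (assumption: TEMP, TMP, then Python's default)."""
    seen, out = set(), []
    for d in (os.environ.get("TEMP"), os.environ.get("TMP"), tempfile.gettempdir()):
        if d and os.path.isdir(d):
            key = os.path.normcase(os.path.abspath(d))
            if key not in seen:
                seen.add(key)
                out.append(d)
    return out

def find_leftovers(directory):
    """Return regular files in `directory` whose names match the patterns."""
    hits = []
    for entry in os.scandir(directory):
        # Skip subdirectories and links; only plain files are leftovers.
        if not entry.is_file(follow_symlinks=False):
            continue
        name = entry.name.lower()  # Windows file names are case-insensitive
        if any(fnmatch.fnmatchcase(name, p) for p in PATTERNS):
            hits.append(entry.path)
    return sorted(hits)

def clean(directory, delete=False):
    """List leftovers; remove them only when delete=True. Returns paths found."""
    hits = find_leftovers(directory)
    for path in hits:
        size = os.path.getsize(path)
        print(f"{'deleting' if delete else 'found'}: {path} ({size} bytes)")
        if delete:
            os.remove(path)
    return hits

if __name__ == "__main__":
    for d in temp_dirs():
        clean(d, delete=False)  # review the list, then rerun with delete=True
```

Run it under each account that has used L0phtCrack 2.5, since TEMP may point to a different directory for each account.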