VPN Hack Used to Steal Passwords: Microsoft
Microsoft has revealed that a new Virtual Private Network (VPN) hack could be used to steal passwords and other sensitive information. The technique is a form of "man-in-the-middle" attack, in which an attacker intercepts traffic between the victim and the network.
Security researcher Moxie Marlinspike first disclosed this VPN hack in a security advisory earlier this month. After investigating the issue, Microsoft has acknowledged that the threat is legitimate.
Hacker Could Take Control of System, Network
"An attacker who successfully exploited...cryptographic weaknesses could obtain user credentials," Microsoft said in its own advisory, released earlier this week.
"Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource." (Source: computerworld.com)
In other words, a hacker could use credentials stolen through the VPN flaw to gain remote control of a victim's system, and even an entire network.
Hackers Likely to Spoof Legitimate WiFi Hotspots
In order to exploit the flaw -- which is associated with the MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2) system used to authenticate PPTP (Point-to-Point Tunneling Protocol) VPNs -- a hacker would need to capture information transmitted over a Virtual Private Network or WiFi connection.
Most versions of Windows, including Windows XP, Windows Vista, Windows 7, and Windows Server 2003 / 2008 / 2008 R2, use MS-CHAP v2.
Experts believe that hackers looking to take advantage of this weakness would most likely try imitating a legitimate wireless hotspot, hoping to lure WiFi users into connecting. (Source: itworldcanada.com)
Microsoft will apparently not be issuing a fix for this cryptographic weakness.
"This is not a security vulnerability that requires Microsoft to issue a security update," Microsoft's advisory read.
Instead, the software giant suggests that IT administrators begin using a system called Protected Extensible Authentication Protocol (PEAP) to protect network passwords during VPN sessions.
"This issue is due to known cryptographic weaknesses in the MS-CHAP v2 protocol," the advisory continued, "and is addressed through implementing configuration changes." (Source: computerworld.com)
Microsoft says that so far it has not received any reports of hackers taking advantage of the VPN vulnerability originally reported by Marlinspike.