Unrated severity · NVD Advisory · Published Nov 29, 1999 · Updated Apr 16, 2026

CVE-1999-0387

Description

Windows 95/98 legacy credential caching leaks plaintext network passwords to local attackers with physical access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in a legacy RAM-based credential caching mechanism carried forward from Windows for Workgroups into Windows 95 and Windows 98 [1]. Although this mechanism is not used by either operating system, it persists and stores the plaintext network password of the last user who established a network session. The affected versions are Windows 95 and Windows 98; Windows 98 Second Edition is not vulnerable [1].

Exploitation

An attacker must have physical access to the target machine, and the machine must not have been rebooted since the last networking session [1]. With physical access, the attacker can query the legacy credential cache to retrieve the plaintext network credentials of the last user who logged onto the network [1].

Impact

Successful exploitation allows the attacker to read the plaintext network password of the last user to perform network access on the machine [1]. This leads to a direct disclosure of credentials, which can then be used to impersonate the user and gain unauthorized access to network resources [1]. The compromise is limited to the password cached in memory and does not immediately grant elevated privileges on the local system beyond the user's network identity.

Mitigation

Microsoft released a security patch for this vulnerability, described in Microsoft Security Bulletin MS99-052 [1]. The patch eliminates the cached plaintext credentials. Windows 98 Second Edition is not affected by this vulnerability [1]. No further workarounds are documented in the available references.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • Microsoft/Windows (2 versions)
    • cpe:2.3:o:microsoft:windows_95:*:*:*:*:*:*:*:*
    • (no CPE)
  • cpe:2.3:o:microsoft:windows_98:*:gold:*:*:*:*:*:* (+ 1 more)
    • cpe:2.3:o:microsoft:windows_98:*:gold:*:*:*:*:*:*
    • (no CPE)

Patches

0

No patches discovered yet.

References

3
