How to obtain help and support for this security update
For home users, no-charge support is available by calling 1-866-PCSAFETY in the United States and Canada or by contacting your local Microsoft subsidiary. For more information about how to contact your local Microsoft subsidiary for support issues with security updates, visit the Microsoft International Support Web site:
North American customers can also obtain instant access to unlimited no-charge e-mail support or to unlimited individual chat support by visiting the following Microsoft Web site:
What does this security bulletin address? This security update addresses reflection protection in the Telnet protocol. For more information about Reflection Protection, please review the following security bulletin:
What is Extended Protection? This security update contains a defense-in-depth fix that allows the Telnet client and server to opt in to Extended Protection. By default, this functionality is disabled. Review this security update and the following security advisory closely, which describe Extended Protection in more detail, to make sure that you understand the effect of these changes:
973811 (http://support.microsoft.com/kb/973811/) Microsoft Security Advisory: Extended protection for authentication
How do I enable Extended Protection on my computer? Before you enable Extended Protection, make sure that the following update is installed on both the client and server computers:
968389 (http://support.microsoft.com/kb/968389/) Extended Protection for Authentication
To be able to enable Extended Protection for Telnet, make sure that the updates in Security Advisory 968389 and in this article are installed on both the client and server computers.
Note The client-side setting that enables Extended Protection is a system-wide setting. When this setting is enabled, Extended Protection is enabled for all components on the client computer.
On a server, Extended Protection has to be enabled for each component individually. Make sure that all client components for a particular server are updated for Extended Protection before you enable it on the server; otherwise, authentication failures may occur. After both security updates are installed, you then have to enable Extended Protection on both client and server computers.
To enable Extended Protection on your computer, the following changes are required.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
If the computer is a Telnet client:
Verify that the registry values SuppressExtendedProtection and LmCompatibilityLevel are located in the following registry subkey:
On the Edit menu, point to New, and then click DWORD Value.
Type SuppressExtendedProtection, and then press ENTER.
On the Edit menu, click Modify.
Type 0, and then click OK.
On the Edit menu, point to New, and then click DWORD Value.
Type LmCompatibilityLevel, and then press ENTER.
On the Edit menu, click Modify.
Note This step changes NTLM authentication requirements. Please review the following article in the Microsoft Knowledge Base to make sure you are familiar with this behavior.
239869 (http://support.microsoft.com/kb/239869/) How to enable NTLM 2 authentication
Type 3, and then click OK.
Exit Registry Editor.
On a Telnet server: Before you make the following changes or set any hardening mode, refer to the following MSDN article:
On the Edit menu, point to New, and then click DWORD Value.
Type ExtendedProtection, and then press ENTER.
On the Edit menu, click Modify.
Set the registry value by using one of the following values, based on your Telnet requirements, and then click OK:
Legacy: Allow all kinds of clients. Set ExtendedProtection to 0.
Partial (Legacy + EP): Allow clients that do not send a service principal name (SPN), or clients that send the correct SPN. Set ExtendedProtection to 1.
Fully Hardened (Only EP): Allow only clients that send the correct SPN. Set ExtendedProtection to 2.
Exit Registry Editor.
When you install this package
The following registry key and value are created on computers that are running Windows XP or on servers that are running Windows Server 2003 only:
The default value for ExtendedProtection is set to 0. On Windows Vista, you have to manually create this key and provide the appropriate value as per the hardening mode that is selected.
To add the registry value, follow the steps that are listed earlier in this article under "How do I enable Extended Protection on my computer?"
Default allowed SPNs on a Telnet server:
By default, the Telnet server will allow the following list of names and IPs:
"localhost" as a string in English.
All the variants of IP (IPv4 & IPv6) of your own server or computer.
127.0.0.1 & ::1
Hostname in NetBIOS format
Hostname in FQDN format.
If the administrator decides to allow other SPNs, more names can be added as follows. A name is not converted from NetBIOS to FQDN or from FQDN to NetBIOS:
If the AllowedSPN registry value is not present, start Registry Editor and then follow these steps:
Locate and then click the following key in the registry:
On computers that are running Windows XP, or on servers that are running Windows Server 2003, you may experience the following localhost failure on IPv6 addresses and computer aliases:
Microsoft Telnet clients will not connect to local IPv6 addresses and all localhost aliases except for "localhost" and "hostname."
To resolve this issue, follow the appropriate steps:
For an IPv6 address failure, follow the steps in the "Known issues with this security update" section of the following Knowledge Base article:
960803 (http://support.microsoft.com/kb/960803/) MS09-013: Vulnerabilities in Windows HTTP services could allow remote code execution
For a localhost alias failure, use Method 1 in the "Workaround" section of the following Knowledge Base article:
896861 (http://support.microsoft.com/kb/896861/) You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6
When you try to create a Telnet session to any IP address in the address range 127.*.*.*, the Telnet session fails, except for the IP address 127.0.0.1.
This issue will occur on Windows 2000, on Windows XP, and on Windows Server 2003.
By default, Reflection Protection is not available on Windows 2000.
Relay (Extended) Protection is available only on the following operating systems:
All versions of Windows Vista
Windows Server 2003 Service Pack 2 QFE and Windows Server 2003 Service Pack 2 GDR
Windows XP Service Pack 2 QFE, Windows XP Service Pack 2 GDR, Windows XP Service Pack 3 QFE, and Windows XP Service Pack 3 GDR
You cannot Telnet to a cluster name or its FQDN. You have to add the cluster name and FQDN to the AllowedSPN registry value. See the "When you install this package" section for information about how to do this.
You cannot Telnet to a server by using an alias name. You have to add the alias name to the AllowedSPN registry value. See the "When you install this package" section for information about how to do this.
This update will not be offered to Windows 2000 customers who have Services for Unix installed on their systems.
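The server-side rules described above (the three ExtendedProtection modes, the default allowed names, and AllowedSPN entries that are not converted between NetBIOS and FQDN form) can be modelled to see which names clients use would be rejected before a hardening mode is set. This is an added example, not Microsoft code: the host names, addresses and function names are constructed, and the case-insensitive comparison is an assumption.

```python
# Simplified model of the Telnet server rules stated in this article.
from enum import IntEnum

class Mode(IntEnum):          # values of the ExtendedProtection registry value
    LEGACY = 0                # allow all kinds of clients
    PARTIAL = 1               # allow clients with no SPN or with a correct SPN
    FULLY_HARDENED = 2        # allow only clients that send a correct SPN

def default_allowed(netbios, fqdn, own_ips):
    """Names the article says the server allows by default."""
    return {"localhost", "127.0.0.1", "::1", netbios, fqdn, *own_ips}

def allowed_names(netbios, fqdn, own_ips, allowed_spn=()):
    # AllowedSPN entries are used exactly as entered: the article states that
    # a name is not converted from NetBIOS to FQDN or from FQDN to NetBIOS.
    # Assumption: names are compared case-insensitively.
    names = default_allowed(netbios, fqdn, own_ips) | set(allowed_spn)
    return {n.lower() for n in names}

def accepts(mode, client_name, allowed):
    """client_name: target name sent by the client, or None if none was sent."""
    if mode == Mode.LEGACY:
        return True
    if client_name is None:
        return mode == Mode.PARTIAL
    return client_name.lower() in allowed

def audit(mode, allowed, expected_targets):
    """Return the names clients use that the server would reject in this mode."""
    return [t for t in expected_targets if not accepts(mode, t, allowed)]

# Constructed sample server and the names its clients connect to.
SERVER = dict(netbios="TNSRV01", fqdn="tnsrv01.corp.example",
              own_ips=["192.0.2.10", "2001:db8::10"])
TARGETS = ["tnsrv01", "tnsrv01.corp.example", "192.0.2.10",
           "telnet-alias", "cluster1", "cluster1.corp.example"]

if __name__ == "__main__":
    before = allowed_names(**SERVER)
    print("rejected by default:", audit(Mode.FULLY_HARDENED, before, TARGETS))
    after = allowed_names(**SERVER, allowed_spn=["telnet-alias", "cluster1"])
    print("rejected after adding names:", audit(Mode.FULLY_HARDENED, after, TARGETS))
```

The second result still lists the cluster FQDN, which is why both the cluster name and its FQDN have to be added to AllowedSPN.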
The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.
Windows XP and Windows Server 2003 file information
The files that apply to a specific milestone (RTM, SPn) and service branch (QFE, GDR) are noted in the "SP requirement" and "Service branch" columns.
GDR service branches contain only those fixes that are widely released to address widespread, critical issues. QFE service branches contain hotfixes in addition to widely released fixes.
In addition to the files that are listed in these tables, this software update also installs an associated security catalog file (KBnumber.cat) that is signed with a Microsoft digital signature.
For all supported x86-based versions of Windows XP
File name     File version   File size  Date         Time   Platform  SP requirement  Service branch
Telnet.exe    5.1.2600.3587  76,288     12-Jun-2009  11:50  x86       SP2             SP2GDR
Tlntsess.exe  5.1.2600.3587  80,896     12-Jun-2009  11:50  x86       SP2             SP2GDR
Telnet.exe    5.1.2600.3587  76,288     12-Jun-2009  11:49  x86       SP2             SP2QFE
Tlntsess.exe  5.1.2600.3587  80,896     12-Jun-2009  11:49  x86       SP2             SP2QFE
Telnet.exe    5.1.2600.5829  76,288     12-Jun-2009  12:31  x86       SP3             SP3GDR
Tlntsess.exe  5.1.2600.5829  80,896     12-Jun-2009  12:31  x86       SP3             SP3GDR
Telnet.exe    5.1.2600.5829  76,288     12-Jun-2009  12:03  x86       SP3             SP3QFE
Tlntsess.exe  5.1.2600.5829  80,896     12-Jun-2009  12:03  x86       SP3             SP3QFE
For all supported x64-based versions of Windows Server 2003 and of Windows XP Professional x64 edition
File name     File version   File size  Date         Time   Platform  SP requirement  Service branch
Telnet.exe    5.2.3790.4528  104,448    01-Jul-2009  22:53  x64       SP2             SP2GDR
Tlntsess.exe  5.2.3790.4528  129,536    01-Jul-2009  22:53  x64       SP2             SP2GDR
Telnet.exe    5.2.3790.4528  104,448    01-Jul-2009  22:50  x64       SP2             SP2QFE
Tlntsess.exe  5.2.3790.4528  129,536    01-Jul-2009  22:50  x64       SP2             SP2QFE
For all supported x86-based versions of Windows Server 2003
File name     File version   File size  Date         Time   Platform  SP requirement  Service branch
Telnet.exe    5.2.3790.4528  76,288     11-Jun-2009  14:39  x86       SP2             SP2GDR
Tlntsess.exe  5.2.3790.4528  83,968     11-Jun-2009  14:39  x86       SP2             SP2GDR
Telnet.exe    5.2.3790.4528  76,288     11-Jun-2009  13:59  x86       SP2             SP2QFE
Tlntsess.exe  5.2.3790.4528  83,968     11-Jun-2009  13:59  x86       SP2             SP2QFE
For all supported IA-64-based versions of Windows Server 2003
Windows Vista and Windows Server 2008 file information
The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
Version         Product                                        Milestone  Service branch
6.0.6000.16xxx  Windows Vista                                  RTM        GDR
6.0.6000.20xxx  Windows Vista                                  RTM        LDR
6.0.6001.18xxx  Windows Vista SP1 and Windows Server 2008 SP1  SP1        GDR
6.0.6001.22xxx  Windows Vista SP1 and Windows Server 2008 SP1  SP1        LDR
6.0.6002.18xxx  Windows Vista SP2 and Windows Server 2008 SP2  SP2        GDR
6.0.6002.22xxx  Windows Vista SP2 and Windows Server 2008 SP2  SP2        LDR
Service Pack 1 is integrated into the release version of Windows Server 2008. Therefore, RTM milestone files apply only to Windows Vista. RTM milestone files have a 6.0.0000.xxxxxx version number.
GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files (attributes not listed) are signed with a Microsoft digital signature.
For all supported x86-based versions of Windows Server 2008 and of Windows Vista
File name                    File version    File size  Date         Time   Platform
Telnet-client-ppdlic.xrm-ms  Not Applicable  3,168      10-Jun-2009  11:52  Not Applicable
Telnet.exe                   6.0.6000.16868  206,848    10-Jun-2009  11:41  x86
Telnet-client-ppdlic.xrm-ms  Not Applicable  3,168      10-Jun-2009  11:50  Not Applicable
Telnet.exe                   6.0.6000.21065  206,848    10-Jun-2009  11:36  x86
Telnet-client-ppdlic.xrm-ms  Not Applicable  3,197      10-Jun-2009  11:58  Not Applicable
Telnet.exe                   6.0.6001.18270  206,336    10-Jun-2009  11:45  x86
Telnet-client-ppdlic.xrm-ms  Not Applicable  3,197      10-Jun-2009  15:25  Not Applicable
Telnet.exe                   6.0.6001.22447  206,336    10-Jun-2009  11:33  x86
Telnet-client-ppdlic.xrm-ms  Not Applicable  3,197      10-Jun-2009  11:23  Not Applicable
Telnet.exe                   6.0.6002.18049  71,168     10-Jun-2009  09:43  x86
Telnet-client-ppdlic.xrm-ms  Not Applicable  3,197      10-Jun-2009  11:27  Not Applicable
Telnet.exe                   6.0.6002.22150  71,168     10-Jun-2009  09:46  x86
Tlntsess.exe                 6.0.6000.16868  88,576     10-Jun-2009  10:06  x86
Tlntsess.exe                 6.0.6000.21065  88,576     10-Jun-2009  09:54  x86
Tlntsess.exe                 6.0.6001.18270  88,576     10-Jun-2009  09:56  x86
Tlntsess.exe                 6.0.6001.22447  88,576     10-Jun-2009  10:02  x86
Tlntsess.exe                 6.0.6002.18049  88,576     10-Jun-2009  09:43  x86
Tlntsess.exe                 6.0.6002.22150  88,576     10-Jun-2009  09:46  x86
For all supported x64-based versions of Windows Server 2008 and of Windows Vista
File name                    File version    File size  Date         Time   Platform
Telnet-client-ppdlic.xrm-ms  Not Applicable  3,168      10-Jun-2009  12:03  Not Applicable
Telnet.exe                   6.0.6000.16868  211,456    10-Jun-2009  11:54  x64
Telnet-client-ppdlic.xrm-ms  Not Applicable  3,168      10-Jun-2009  12:01  Not Applicable
Telnet.exe                   6.0.6000.21065  211,456    10-Jun-2009  11:53  x64
Telnet-client-ppdlic.xrm-ms  Not Applicable  3,197      10-Jun-2009  12:12  Not Applicable
Telnet.exe                   6.0.6001.18270  211,968    10-Jun-2009  12:01  x64
Telnet-client-ppdlic.xrm-ms  Not Applicable  3,197      10-Jun-2009  12:02  Not Applicable
Telnet.exe                   6.0.6001.22447  211,968    10-Jun-2009  11:53  x64
Telnet-client-ppdlic.xrm-ms  Not Applicable  3,197      10-Jun-2009  11:39  Not Applicable
Telnet.exe                   6.0.6002.18049  78,848     10-Jun-2009  10:10  x64
Telnet-client-ppdlic.xrm-ms  Not Applicable  3,197      10-Jun-2009  11:46  Not Applicable
Telnet.exe                   6.0.6002.22150  78,848     10-Jun-2009  10:11  x64
Tlntsess.exe                 6.0.6000.16868  103,424    10-Jun-2009  10:25  x64
Tlntsess.exe                 6.0.6000.21065  103,424    10-Jun-2009  10:25  x64
Tlntsess.exe                 6.0.6001.18270  103,424    10-Jun-2009  10:28  x64
Tlntsess.exe                 6.0.6001.22447  103,424    10-Jun-2009  10:31  x64
Tlntsess.exe                 6.0.6002.18049  103,424    10-Jun-2009  10:10  x64
Tlntsess.exe                 6.0.6002.22150  103,424    10-Jun-2009  10:11  x64
For all supported IA-64-based versions of Windows Server 2008