Multiple Vulnerabilities in WinRoute Pro

Reported January 2, 2001, by Peter Miller

DESCRIPTION

Two vulnerabilities have been discovered in WinRoute Pro 4.1. The first is a low-risk flaw that causes the software to not function if you've enabled memory write protection under Windows 2000. During the installation process, WinRoute Pro disables memory write protection, which leaves the system less stable and vulnerable to various security threats.

The second vulnerability presents a medium security risk. By default, WinRoute Pro lets anyone use Windows NT domain credentials to access mailboxes. If you use POP3 to access mail, WinRoute Pro lets you send this information in clear text, which could lead to the compromise of your network.

VENDOR RESPONSE

Tiny Software http://www.tinysoftware.com has been notified and claims that there is no easy way to address the first issue. The company plans to address the second issue with its new version of software, expected release time of June 2001.

The original advisories released by Peter Miller to the Win2KSecAdvice mailing list are available at: 

http://www.windowsitsecurity.com/go/win2ks-l.asp?A2=IND0101A&L=WIN2KSECADVICE&P=985

http://www.windowsitsecurity.com/go/win2ks-l.asp?A2=IND0101A&L=WIN2KSECADVICE&P=877

CREDIT
Discovered by Peter Miller