Hilgraeve HyperTerminal is shipped with Microsoft Windows 2000, Windows ME, Windows 98SE, and Windows 98. A buffer overrun has been discovered in the HyperTerminal Telnet module that can allow a malicious user to launch arbitrary commands. In theory, this exploit could be launched remotely by way of an email containing the URL that triggers the overrun.
The overrun is triggered quite simply by sending the following: telnet://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Microsoft has released a security bulletin, MS00-079, available at: http://www.microsoft.com/technet/security/bulletin/MS00-079.asp
Microsoft has also released a patch for Windows 98 and Windows 98SE, available at: http://download.microsoft.com/download/win98/Update/12395/W98/EN-US/274548USA8.EXE
For Windows 2000: http://www.microsoft.com/downloads/release.asp?releaseid=25112
A patch for the pay version of HyperTerminal is available from Hilgraeve at http://www.hilgraeve.com
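The e-mail delivery path described above can be checked for at a mail gateway. The following Python is an added example, not part of the original advisory or of any vendor tooling. It flags telnet: URLs whose target is longer than 253 characters, the longest valid DNS hostname. That threshold is an assumption, since the advisory does not state the length that triggers the overrun, and the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: the advisory gives no trigger length. 253 characters is the
# longest valid DNS hostname, so a longer telnet: target is never legitimate.
MAX_TARGET_LEN = 253

# A telnet: URL up to whitespace, a quote or an angle bracket, which covers
# both plain-text bodies and HTML href attribute values.
TELNET_URL = re.compile(r"telnet:(?://)?([^\s\"'<>]*)", re.IGNORECASE)


def oversized_telnet_urls(text, max_len=MAX_TARGET_LEN):
    """Return (target_length, preview) for each telnet: URL longer than max_len."""
    hits = []
    for match in TELNET_URL.finditer(text):
        target = match.group(1)
        if len(target) > max_len:
            hits.append((len(target), match.group(0)[:40] + "..."))
    return hits


def scan_message(raw_bytes, max_len=MAX_TARGET_LEN):
    """Scan each text/* part of a message after transfer decoding."""
    # Decoding first matters: quoted-printable soft line breaks split a long
    # URL into short pieces, so a scan of the raw bytes would miss it.
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            hits.extend(oversized_telnet_urls(part.get_content(), max_len))
    return hits


def build_sample(target_len):
    """Constructed sample: HTML mail with one telnet: link of target_len chars."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see the link in the HTML part")
    link = '<a href="telnet://%s">open</a>' % ("x" * target_len)
    msg.add_alternative(link, subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    for length, preview in scan_message(build_sample(300)):
        print("oversized telnet URL, target length", length, preview)
```
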