Security problem with tftp.exe firmware update program.

The Windows firmware update program “tftp.exe”, supplied by Linksys and UMAX as part of their firmware update .exe files, stores the password to the router’s Administration server in clear text in the system registry in the following keys:

For Linksys
HKEY_CURRENT_USER > Software > Software > tftp > Settings > Password

For UMAX
HKEY_CURRENT_USER > Software > Software > UG3K > Settings > Password

If you clear this key, it is just rewritten the next time you run the tftp.exe program.

To fix this problem do the following:

1) Download the new version of the program by clicking here.

2) Run the program. It will clear the password from the Registry.  You will also see a blank Password box in the program window.

3) Find and Delete (or rename) the old program.

4) Copy the new program to the same folder as the old one.

NOTE:
– You don’t have to actually do a firmware update. The password is cleared when the program’s window comes up.

– You will have to enter your Administration password each time you run tftp.exe.  The program will no longer store the password.

– Linksys will be making the new tftp.exe file available from their FTP site soon and also including it in new firmware updaters.
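
To confirm that the new program has cleared the stored password, the following PowerShell check can be run after step 2. It is an added example, not part of the original advisory or of the Linksys/UMAX tools. It assumes that “Password” is a value under the Settings key at the paths given above; the function name Test-StoredPassword is made up for this example.

```powershell
# Added example: reports whether the cleartext password described above is still stored.
# Registry paths are taken from the advisory; "Password" is assumed to be a value
# under the Settings key. The value itself is never printed.
$targets = [ordered]@{
    'Linksys' = 'Software\Software\tftp\Settings'
    'UMAX'    = 'Software\Software\UG3K\Settings'
}

function Test-StoredPassword {
    param(
        [string]$HiveRoot,   # 'HKCU:' or 'Registry::HKEY_USERS\<SID>'
        [string]$SubKey
    )
    $path = "$HiveRoot\$SubKey"
    if (-not (Test-Path -LiteralPath $path)) { return 'key absent' }
    $item = Get-ItemProperty -LiteralPath $path -Name 'Password' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'value absent' }
    # Report only whether something is stored, not what it is.
    if ([string]::IsNullOrEmpty([string]$item.Password)) { return 'value empty' }
    return 'PASSWORD STORED'
}

# The key lives under HKEY_CURRENT_USER, so every user who ran the old tftp.exe
# has a separate copy. Check the current user, then every user hive that is
# currently loaded under HKEY_USERS (other users' hives need an elevated prompt).
$roots = @('HKCU:')
$roots += Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }

$results = foreach ($root in $roots) {
    foreach ($vendor in $targets.Keys) {
        [pscustomobject]@{
            Hive   = $root
            Vendor = $vendor
            Status = Test-StoredPassword -HiveRoot $root -SubKey $targets[$vendor]
        }
    }
}
$results | Format-Table -AutoSize
```

Any row showing PASSWORD STORED means the old program was run under that account and the new one has not yet been run there; the current user appears twice, once as HKCU: and once under its SID.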