CVE-1999-1104 is a vulnerability found in Microsoft Windows 95, where the password list file (.pwl), used for caching user passwords locally, employs weak encryption. This weak encryption allows local users with access to the system to decrypt the cached passwords, potentially escalating their privileges. The vulnerability arises because the encryption algorithm used for the .pwl file is easily reversible, enabling attackers to retrieve plaintext passwords without requiring network access or advanced exploitation techniques. Since the vulnerability is local and does not require authentication, any user with physical or local access to the Windows 95 machine can exploit this weakness. The vulnerability affects the confidentiality, integrity, and availability of user credentials and potentially the system itself if privilege escalation is achieved. Given the age of Windows 95 and the lack of patch availability, this vulnerability remains unmitigated in affected systems. The CVSS score of 4.6 (medium severity) reflects the limited attack vector (local access) but acknowledges the potential impact on confidentiality, integrity, and availability. Exploitation does not require user interaction beyond local access, and the scope is limited to systems running Windows 95 with password caching enabled.

For European organizations, the direct impact of this vulnerability is minimal in modern contexts, as Windows 95 is an obsolete operating system no longer in use in professional environments. However, legacy systems or industrial control systems that might still run Windows 95 could be at risk. If such systems are present, attackers with local access could decrypt cached passwords, leading to unauthorized privilege escalation and potential lateral movement within the network. This could compromise sensitive data or disrupt operations. The vulnerability undermines the confidentiality of user credentials and could lead to integrity and availability issues if attackers gain administrative control. Given the local access requirement, the threat is primarily from insiders or attackers with physical access. European organizations with legacy infrastructure should be aware of this risk, especially in sectors where legacy systems persist, such as manufacturing or critical infrastructure.

Since no patch is available for this vulnerability, mitigation must focus on compensating controls. Organizations should: 1) Identify and inventory any legacy Windows 95 systems in their environment and plan for their upgrade or decommissioning. 2) Disable password caching on Windows 95 systems if they must remain operational. 3) Restrict physical and local access to legacy systems to trusted personnel only, implementing strict access controls and monitoring. 4) Employ network segmentation to isolate legacy systems from critical network segments to limit potential lateral movement. 5) Use strong endpoint security controls and monitoring to detect unauthorized access attempts. 6) Consider replacing legacy systems with modern, supported operating systems that have robust security features and receive regular updates. 7) Educate staff about the risks of legacy systems and enforce policies to minimize their use.