Thread: MS Security Bulletins - Vol. 5

  1. #1
    socalgal
    Guest

    MS Security Bulletins - Vol. 5

    Continued from: MS Security Bulletins - Vol. 4

    ============================

    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.

    Please do not reply to this message, as it was sent from an unattended
    mailbox.
    ********************************

    Re-release of Microsoft Security Bulletin MS99-046
    --------------------------------------------------

    In November, we withdrew a previously released patch that improved the
    randomness of TCP initial sequence numbers in Windows NT 4.0. The patch was
    withdrawn because it contained the same regression error that was present in
    Windows NT 4.0 SP6. We have eliminated the regression error and re-released
    the patch. The security bulletin has been updated and is available at
    http://www.microsoft.com/Security/Bu...s/ms99-046.asp ; the FAQ also has
    been updated and is available at
    http://www.microsoft.com/Security/Bu...s99-046faq.asp

    All versions of the original patch were affected by the regression error,
    although the error only manifested itself in certain situations. When
    applying the new patch, it's not necessary to uninstall the original patch
    first. Just install the patch as normal. Here's how to determine which
    patch to apply:
    - If you are running Windows NT 4.0 SP4 or SP5 on an Intel machine, go
    to http://www.microsoft.com/Downloads/R...eleaseID=16763 and
    select q243835sp5i.exe.
    - If you are running Windows NT 4.0 SP6 on an Intel machine, go to
    http://www.microsoft.com/Downloads/R...eleaseID=16764 and
    select q243835i.exe.
    - If you are running Windows NT 4.0 SP4 or SP5 on an Alpha machine, go
    to http://www.microsoft.com/Downloads/R...eleaseID=16763 and
    select q243835sp5a.exe.
    - If you are running Windows NT 4.0 SP6 on an Alpha machine, go
    to http://www.microsoft.com/Downloads/R...eleaseID=16764 and
    select q243835a.exe.

    We are very sorry for any inconvenience caused by the regression error, and
    will do our best to prevent similar problems in the future. Regards,

    The Microsoft Security Response Team

  2. #2
    socalgal
    Guest

    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.

    Please do not reply to this message, as it was sent from an unattended
    mailbox.
    ********************************

    Microsoft Security Bulletin (MS00-001)
    --------------------------------------

    Patch Available for "Malformed IMAP Request" Vulnerability
    Originally Posted: January 04, 2000

    Summary
    =======
    Microsoft has released a patch that eliminates a vulnerability in the
    Microsoft(r) Commercial Internet System (MCIS) Mail server. The
    vulnerability could allow a malicious user to remotely cause services on
    the server to fail, or cause arbitrary code to run on the server.

    Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bu...S00-001faq.asp

    Issue
    =====
    The IMAP service included in MCIS Mail has an unchecked buffer. If a
    malformed request containing random data were passed to the service, it
    could cause the web publishing, IMAP, SMTP, LDAP and other services to
    crash. If the malformed request contained specially crafted data, it could
    also be used to run arbitrary code on the server via a classic buffer
    overrun attack.

    Affected Software Versions
    ==========================
    - Microsoft Commercial Internet System 2.0 and 2.5.

    Patch Availability
    ==================
    - Intel:
    http://www.microsoft.com/Downloads/R...eleaseID=17124

    - Alpha:
    http://www.microsoft.com/Downloads/R...eleaseID=17122

    NOTE: Additional security patches are available at the Microsoft Download
    Center

    More Information
    ================
    Please see the following references for more information related to this
    issue.
    - Frequently Asked Questions: Microsoft Security Bulletin MS00-001,
    http://www.microsoft.com/security/bu...S00-001faq.asp
    - Microsoft Knowledge Base (KB) article Q246731,
    MCIS: MCIS Mail Services unexpectedly stop,
    http://support.microsoft.com/support.../q246/7/31.asp
    (Note: It may take 24 hours from the original posting of this
    bulletin for the KB article to be visible.)
    - Microsoft Security Advisor web site,
    http://www.microsoft.com/security/default.asp

    Obtaining Support on this Issue
    ===============================
    This is a fully supported patch. Information on contacting Microsoft
    Technical Support is available at
    http://support.microsoft.com/support...ct/default.asp

    Acknowledgments
    ===============
    Microsoft acknowledges Tristan Goode for bringing this issue to our
    attention.

    Revisions
    =========
    - January 04, 2000: Bulletin Created.


  3. #3
    Member (Join Date: May 1999; Location: nederland; Posts: 371)

    thanks for the good news ~!

    jakob buitenhuis
    the netherlands

  4. #4
    socalgal
    Guest

    buitenb - you're welcome!
    =========================
    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.

    Please do not reply to this message, as it was sent from an unattended
    mailbox.
    ********************************

    Microsoft Security Bulletin (MS00-003)
    --------------------------------------

    Patch Available for "Spoofed LPC Port Request" Vulnerability
    Originally Posted: January 13, 2000

    Summary
    =======
    Microsoft has released a patch that eliminates a security vulnerability in
    Microsoft(r) Windows NT(r) 4.0. The vulnerability could allow a user logged
    onto a Windows NT 4.0 machine from the keyboard to become an administrator
    on the machine.

    Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bu...00-003faq.asp.

    Issue
    =====
    LPC Ports is a facility that allows LPC calls on a machine. One of the
    functions in the LPC Ports API set enables, by design, a server thread to
    impersonate a client thread on the same machine. However, a flaw in the
    validation portion of the function would allow a malicious user to create
    both the client and server threads, and manipulate the impersonation request
    to allow it to run in the context of any desired user on the local machine,
    including the System itself.

    The primary risk from this vulnerability is that a malicious user could
    exploit this vulnerability to gain additional privileges on the local
    machine. However, it also could be used to cause audit logs to indicate that
    certain actions were taken by another user. A malicious user would require
    the ability to log onto the target machine interactively and run arbitrary
    programs in order to exploit this vulnerability, and as a result,
    workstations and terminal servers would be at greatest risk.

    Affected Software Versions
    ==========================
    - Microsoft Windows NT 4.0 Workstation
    - Microsoft Windows NT 4.0 Server
    - Microsoft Windows NT 4.0 Server, Enterprise Edition
    - Microsoft Windows NT 4.0 Server, Terminal Server Edition

    Patch Availability
    ==================
    - Microsoft Windows NT 4.0 Workstation, Server and Server, Enterprise
    Edition:
    Intel:
    http://www.microsoft.com/downloads/r...eleaseID=17382
    Alpha:
    http://www.microsoft.com/downloads/r...eleaseID=17383
    - Microsoft Windows NT 4.0 Server, Terminal Server Edition:
    To be released shortly.

    NOTE: Additional security patches are available at the Microsoft Download
    Center.

    More Information
    ================
    Please see the following references for more information related to this
    issue.
    - Microsoft Security Bulletin MS00-003: Frequently Asked Questions,
    http://www.microsoft.com/security/bu...00-003faq.asp.
    - Microsoft Knowledge Base (KB) article Q247869,
    Local Procedure Call may Permit Unauthorized Account Usage,
    http://support.microsoft.com/support...q247/8/69.asp.
    (Note: It may take 24 hours from the original posting of this bulletin
    for the KB article to be visible.)
    - Microsoft Security Advisor web site,
    http://www.microsoft.com/security/default.asp.

    Obtaining Support on this Issue
    ===============================
    This is a fully supported patch. Information on contacting Microsoft
    Technical Support is available at http://support.microsoft.com/support...t/default.asp.

    Acknowledgments
    ===============
    Microsoft thanks Bindview's RAZOR Security Team www.bindview.com for
    reporting this issue to us and working with us to protect customers.

    Revisions
    =========
    - January 13, 2000: Bulletin Created.



  5. #5
    socalgal
    Guest

    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.

    Please do not reply to this message, as it was sent from an unattended
    mailbox.
    ********************************

    Microsoft Security Bulletin (MS00-005)
    --------------------------------------

    Patch Available for "Malformed RTF Control Word" Vulnerability
    Originally Posted: January 17, 2000

    Summary
    =======
    Microsoft has released a patch that eliminates a security vulnerability in
    the Rich Text Format (RTF) reader that ships as part of Microsoft(r)
    Windows(r) 95 and 98, and Windows NT(r) 4.0. Under certain conditions, the
    vulnerability could be used to cause email programs to crash.

    Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bu...00-005faq.asp.

    Issue
    =====
    RTF files consist of text and control information. The control information
    is specified via directives called control words. The default RTF reader
    that ships as part of many Windows platforms has an unchecked buffer in the
    portion of the reader that parses control words. If an RTF file contains a
    specially-malformed control word, it could cause the application to crash.

    Microsoft believes that this is a denial of service vulnerability only, and
    that there is no capability to use this vulnerability to run arbitrary
    code. The most serious risk from this vulnerability would result if a user
    had preview mode enabled on a mail program like Outlook, and received an
    email that exploited the vulnerability. Because preview mode causes the
    mail to be parsed without user assent, the mail program would continue to
    crash until a subsequent mail was received or the mail program was started
    with preview mode disabled.

    Affected Software Versions
    ==========================
    - Microsoft Windows 95
    - Microsoft Windows 98
    - Microsoft Windows 98 Second Edition
    - Microsoft Windows NT 4.0 Workstation
    - Microsoft Windows NT 4.0 Server
    - Microsoft Windows NT 4.0 Server, Enterprise Edition
    - Microsoft Windows NT 4.0 Server, Terminal Server Edition

    NOTE: Windows 2000 is not affected by this vulnerability.

    Patch Availability
    ==================
    - Windows 95:
    http://www.microsoft.com/windows95/downloads/contents/WUCritical/rtfcontrol/default.asp
    - Windows 98:
    http://www.microsoft.com/windows98/downloads/contents/WUCritical/rtfcontrol/default.asp
    - Windows NT 4.0 Workstation, Windows NT 4.0 Server, and
    Windows NT 4.0 Server, Enterprise Edition:
    Intel:
    http://www.microsoft.com/Downloads/R...eleaseID=17510
    Alpha:
    http://www.microsoft.com/Downloads/R...eleaseID=17511
    - Windows NT 4.0 Server, Terminal Server Edition:
    To be released shortly.

    NOTE: The Windows 95 and 98 versions of the patch will also be available via
    WindowsUpdate shortly. When this happens, we will modify the bulletin to
    note this fact.

    NOTE: Additional security patches are available at the Microsoft Download
    Center

    More Information
    ================
    Please see the following references for more information related to this
    issue.
    - Frequently Asked Questions: Microsoft Security Bulletin MS00-005,
    http://www.microsoft.com/security/bu...S00-005faq.asp
    - Microsoft Knowledge Base (KB) article Q249973,
    Default RTF File Viewer Interrupts Normal Application Processing,
    http://support.microsoft.com/support.../q249/9/73.asp
    (Note: It may take 24 hours from the original posting of this bulletin
    for this KB article to be visible.)
    - Rich Text Format (RTF) Specification and Sample RTF Reader Program,
    Version 1.5,
    http://msdn.microsoft.com/library/specs/richtextformatrtfspecificationsamplertfreaderprogramversion15.htm
    - Microsoft Security Advisor web site,
    http://www.microsoft.com/security/default.asp

    Obtaining Support on this Issue
    ===============================
    This is a fully supported patch. Information on contacting Microsoft
    Technical Support is available at http://support.microsoft.com/support...t/default.asp.

    Revisions
    =========
    - January 17, 2000: Bulletin Created.


    (Note: Line breaks have been removed by poster. -socalgal)



    [This message has been edited by socalgal (edited 01-17-2000).]
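As an added illustration of the parsing flaw class the MS00-005 bulletin describes (example code written for this thread, not Microsoft's RTF reader): a fixed-buffer control-word copy with no length test, beside a bounded parser that rejects names longer than the 32 letters the RTF specification allows. The 32-letter and 10-digit limits, the function names and the two sample documents are assumptions constructed here.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYWORD 32   /* the RTF spec caps a control word name at 32 letters */
#define MAX_DIGITS  10   /* enough digits for any 32-bit numeric parameter */

typedef struct {
    char keyword[MAX_KEYWORD + 1];
    char param[MAX_DIGITS + 2];   /* optional '-', digits, NUL */
    int  has_param;
} rtf_control;

/* Constructed sample documents, not taken from the bulletin. */
const char SAMPLE_OK[] = "{\\rtf1\\ansi\\deff0 Hello \\b bold\\b0  world\\par}";
const char SAMPLE_OVERSIZED[] =
    "{\\rtf1\\" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "12 text\\par}";

/* The unchecked pattern of the kind the bulletin describes: letters are copied
 * into a fixed buffer until a non-letter appears, with no length test, so a
 * control word longer than the buffer writes past its end. Shown for contrast
 * only; never call it on untrusted input. */
void control_word_unchecked(const char *s, char keyword[MAX_KEYWORD])
{
    size_t k = 0;
    s++;                              /* skip the backslash */
    while (isalpha((unsigned char)*s))
        keyword[k++] = *s++;          /* k is never compared to MAX_KEYWORD */
    keyword[k] = '\0';
}

/* Hardened parser. s must point at the backslash. Returns the number of bytes
 * consumed on success, or 0 if the token is not a control word that fits the
 * declared limits (oversized name, too many digits, '-' with no digits, or a
 * control symbol such as \{). Nothing is written beyond the struct's buffers. */
size_t rtf_parse_control_word(const char *s, rtf_control *out)
{
    size_t i = 1, k = 0, p = 0, digits = 0;
    memset(out, 0, sizeof *out);
    if (s[0] != '\\') return 0;
    while (isalpha((unsigned char)s[i])) {
        if (k >= MAX_KEYWORD) return 0;   /* reject the word; do not truncate */
        out->keyword[k++] = s[i++];
    }
    if (k == 0) return 0;                 /* control symbol or stray backslash */
    if (s[i] == '-') out->param[p++] = s[i++];
    while (isdigit((unsigned char)s[i])) {
        if (digits >= MAX_DIGITS) return 0;
        out->param[p++] = s[i++];
        digits++;
    }
    if (p > 0 && digits == 0) return 0;   /* a sign with no number */
    out->has_param = digits > 0;
    if (s[i] == ' ') i++;                 /* a space delimiter belongs to the word */
    return i;
}

/* Scan a whole RTF text, counting accepted control words and the malformed
 * ones a robust reader skips instead of faulting on. */
size_t rtf_scan(const char *doc, size_t *rejected)
{
    size_t accepted = 0, i = 0;
    *rejected = 0;
    while (doc[i] != '\0') {
        if (doc[i] != '\\') { i++; continue; }
        rtf_control cw;
        size_t n = rtf_parse_control_word(doc + i, &cw);
        if (n > 0) { accepted++; i += n; continue; }
        if (!isalpha((unsigned char)doc[i + 1])) {
            i += (doc[i + 1] != '\0') ? 2 : 1;   /* control symbol: two bytes */
            continue;
        }
        /* A control word that breaks the limits: step over its letters and
         * digits so the scan makes progress instead of crashing. */
        (*rejected)++;
        i++;
        while (isalnum((unsigned char)doc[i]) || doc[i] == '-') i++;
    }
    return accepted;
}

int main(void)
{
    size_t rejected, ok;
    ok = rtf_scan(SAMPLE_OK, &rejected);
    printf("clean sample: %zu control words, %zu rejected\n", ok, rejected);
    ok = rtf_scan(SAMPLE_OVERSIZED, &rejected);
    printf("oversized sample: %zu control words, %zu rejected\n", ok, rejected);
    return 0;
}
```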

  6. #6
    socalgal
    Guest

    **Apologies for this late posting!
    ------

    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.

    Please do not reply to this message, as it was sent from an unattended
    mailbox.
    ********************************

    Microsoft Security Bulletin (MS00-002)
    --------------------------------------

    Patch Available for "Malformed Conversion Data" Vulnerability
    Originally Posted: January 20, 2000

    Summary
    =======
    Microsoft has released a patch that eliminates a security vulnerability in a
    utility that converts Japanese, Korean and Chinese Microsoft(r) Word(r) 5
    documents to more-recent formats. The primary shipment vehicles for the
    utility are the Japanese, Korean and Chinese (both Simplified and
    Traditional) versions of Word and PowerPoint(r) for Windows. (A
    comprehensive listing of affected products is provided below.) The
    vulnerability could allow arbitrary code to be executed on a machine that
    opened a specially-modified Word 5 document using an affected version of the
    utility.

    Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bu...S00-002faq.asp

    Issue
    =====
    Microsoft Office includes a conversion utility that converts older Word
    documents to more recent formats. The conversion utility for Word 5
    documents in East Asian languages (Japanese, Korean, Simplified Chinese and
    Traditional Chinese) has an unchecked buffer. By using a hexadecimal editor
    to insert specially-malformed information into a document, a malicious user
    could cause Word to run code of his or her choice when the document was
    opened using an affected version of the converter.

    A Word 5 converter installs by default as part of Word and PowerPoint, and
    can be installed at user behest as part of a converter pack. However, the
    vulnerability affects only the East Asian language versions of the
    converter, and only the Windows versions of them. No other language
    versions of the converter are affected, and no version of the converter for
    Macintosh is affected.

    Affected Software Versions
    ==========================
    - Microsoft Converter Pack 2000 for Windows
    - Microsoft Office 2000 for Windows with Multilanguage Pack
    - Japanese, Korean, Chinese (Simplified and Traditional) versions of:
    - Microsoft Word 97, 98 and 2000 for Windows, which is available as a
    standalone product or as part of:
    - Office 97, Office 97 Powered by Word 98, Office 2000 for Windows
    - Works Suite 2000 for Windows
    - Microsoft PowerPoint 97 and 2000 for Windows, which is available as a
    standalone product or as part of:
    - Office 97, Office 97 Powered by Word 98, Office 2000 for Windows

    Patch Availability
    ==================
    - Word 97 or 98, PowerPoint 98:
    - US: http://officeupdate.microsoft.com/do...ils/ww5pkg.htm
    - Japan: http://officeupdate.microsoft.com/ja...medData-97.htm
    - Korea: http://officeupdate.microsoft.com/ko...medData-97.htm
    - China: http://officeupdate.microsoft.com/ch...medData-97.htm
    - Taiwan: http://officeupdate.microsoft.com/ta...medData-97.htm
    - Hong Kong: http://officeupdate.microsoft.com/hk...medData-97.htm

    - Converter Pack 2000; Office 2000 with Multilanguage Pack; Word 2000,
    PowerPoint 2000:
    - US: http://officeupdate.microsoft.com/20...ils/ww5pkg.htm
    - Japan: http://officeupdate.microsoft.com/ja...medData-2K.htm
    - Korea: http://officeupdate.microsoft.com/ko...medData-2K.htm
    - China: http://officeupdate.microsoft.com/ch...medData-2K.htm
    - Taiwan: http://officeupdate.microsoft.com/ta...medData-2K.htm
    - Hong Kong: http://officeupdate.microsoft.com/hk...medData-2K.htm

    (Line breaks removed. -socalgal)

    NOTE: Additional security patches are available at the Microsoft Download
    Center

    More Information
    ================
    Please see the following references for more information related to this
    issue.
    - Frequently Asked Questions: Microsoft Security Bulletin MS00-002,
    http://www.microsoft.com/security/bu...S00-002faq.asp
    - Microsoft Knowledge Base (KB) article Q249881,
    WD: Patch Available for "Malformed Conversion Data" Vulnerability (East
    Asian Word),
    http://support.microsoft.com/support.../q249/8/81.asp
    (Note: It may take 24 hours from the original posting of this bulletin
    for this KB article to be visible.)
    - Microsoft Security Advisor web site,
    http://www.microsoft.com/security/default.asp

    Obtaining Support on this Issue
    ===============================
    This is a fully supported patch. Information on contacting Microsoft
    Technical Support is available at http://support.microsoft.com/support...ct/default.asp

    Revisions
    =========
    - January 20, 2000: Bulletin Created.


  7. #7
    KMA (Join Date: Nov 1999; Location: South Florida; Posts: 4,067)

    And people wonder why I don't like Microsoft!

  8. #8
    socalgal
    Guest

    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.

    Please do not reply to this message, as it was sent from an unattended
    mailbox.
    ********************************

    Microsoft Security Bulletin (MS00-004)
    --------------------------------------

    Patch Available for "RDISK Registry Enumeration File" Vulnerability
    Originally Posted: January 21, 2000

    Summary
    =======
    Microsoft has released a patch that eliminates a security vulnerability in
    an administrative utility that ships with Microsoft(r) Windows NT(r) 4.0,
    Terminal Server Edition. The utility creates a temporary file during
    execution that can contain security-sensitive information, but does not
    appropriately restrict access to it. As a result, a malicious user on the
    terminal server could read the file as it was being created.

    Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bu...S00-004faq.asp

    Issue
    =====
    The RDISK utility is used to create an Emergency Repair Disk (ERD) in order
    to record machine state information as a contingency against system
    failure. During execution, RDISK creates a temporary file containing an
    enumeration of the registry. The ACLs on the file allow global read
    permission, and as a result, a malicious user who knew that the
    administrator was running RDISK could open the file and read the registry
    enumeration information as it was being created. RDISK erases the file upon
    successful completion, so under normal conditions there would be no lasting
    vulnerability.

    By default, the file is not shared and therefore could not be read by other
    network users. Although the utility is provided as part of all versions of
    Windows NT 4.0, it only poses a threat in the case of terminal servers,
    because the exploit scenario requires the ability for an administrator and
    a normal user to be interactively logged onto the machine simultaneously.

    Affected Software Versions
    ==========================
    - Microsoft Windows NT 4.0, Terminal Server Edition

    Patch Availability
    ==================
    - http://www.microsoft.com/Downloads/R...eleaseID=17384

    NOTE: Additional security patches are available at the Microsoft Download
    Center

    More Information
    ================
    Please see the following references for more information related to this
    issue.
    - Frequently Asked Questions: Microsoft Security Bulletin MS00-004,
    http://www.microsoft.com/security/bu...S00-004faq.asp
    - Microsoft Knowledge Base (KB) article Q249108,
    Registry Data Is Viewable By All Users During Rdisk Repair Update,
    http://support.microsoft.com/support.../q249/1/08.asp
    (Note: It may take 24 hours from the original posting of this
    bulletin for this KB article to be visible.)
    - Microsoft Knowledge Base (KB) article Q156328,
    Description of Windows NT Emergency Repair Disk,
    http://support.microsoft.com/support.../q156/3/28.asp
    - Microsoft Security Advisor web site,
    http://www.microsoft.com/security/default.asp

    Obtaining Support on this Issue
    ===============================
    This is a fully supported patch. Information on contacting Microsoft
    Technical Support is available at http://support.microsoft.com/support...ct/default.asp

    Acknowledgments
    ===============
    Microsoft thanks Arne Vidstrom http://ntsecurity.nu for reporting this
    issue to us and working with us to protect customers.

    Revisions
    =========
    - January 21, 2000: Bulletin Created.


  9. #9
    Ultimate Member (Join Date: Jan 2000; Location: gold hills rd, dahlonega, ga, USA; Posts: 3,328)

    Thanks Socal, I also remind all to "read this first" on the Windows Update page cuz lots of items look necessary but are not relevant to your operating environment. To those who don't "like" MS products, that is your privilege. Personally I don't care much for the open source code OSs for the likelihood of an intruder to have access to the system.. at least MS does what it can to address the issues. In the E-world all things are liquid, that is nothing is secure forever, with so many folks making new programs and weird freaking maggots using their brilliant minds for destruction rather than a constructive usage, it's no wonder that MS has a tough time keeping up. just my $0.02 worth. DrVette md

  10. #10
    socalgal
    Guest

    Thanks, DrVette. Valid advice to read carefully before using any patch/update, to make sure it applies to one's application/situation.
    ==================

    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.

    Please do not reply to this message, as it was sent from an unattended
    mailbox.
    ********************************

    Microsoft Security Bulletin (MS00-006)
    --------------------------------------

    Patch Available for "Malformed Hit-Highlighting Argument" Vulnerability

    Originally Posted: January 26, 2000

    Summary
    =======

    Microsoft has released a patch that eliminates two security vulnerabilities
    in Microsoft(r) Index Server. The first vulnerability could allow a
    malicious user to view -- but not to change, add or delete -- files on a
    web server. The second vulnerability could reveal where web directories are
    physically located on the server.

    Frequently asked questions regarding this vulnerability and the patch can be
    found at http://www.microsoft.com/technet/sec...n/fq00-006.asp

    Issue
    =====
    This patch eliminates two vulnerabilities whose only relationship is that
    both occur in Index Server. The first is the "Malformed Hit-Highlighting
    Argument" vulnerability. The ISAPI filter that implements the
    hit-highlighting (also known as "WebHits") functionality does not adequately
    constrain what files can be requested. By providing a deliberately-malformed
    argument in a request to hit-highlight a document, it is possible to escape
    the virtual directory. This would allow any file residing on the server
    itself, and on the same logical drive as the web root directory, to be
    retrieved regardless of permissions.

    The second vulnerability involves the error message that is returned when a
    user requests a non-existent Internet Data Query file. The error message
    provides the physical path to the web directory that was contained in the
    request. Although this vulnerability would not allow a malicious user to
    alter or view any data, it could be a valuable reconnaissance tool for
    mapping the file structure of a web server.

    Affected Software Versions
    ==========================
    - Microsoft Index Server 2.0
    - Indexing Service in Windows 2000

    Patch Availability
    ==================
    Index Server 2.0:
    - Intel:
    http://www.microsoft.com/downloads/r...eleaseID=17727
    - Alpha:
    http://www.microsoft.com/downloads/r...eleaseID=17728

    Indexing Services for Windows 2000:
    - Intel:
    http://www.microsoft.com/downloads/r...eleaseID=17726

    NOTE: Additional security patches are available at the Microsoft Download
    Center

    More Information
    ================
    Please see the following references for more information related to this
    issue.
    - Frequently Asked Questions: Microsoft Security Bulletin MS00-006,
    http://www.microsoft.com/technet/sec...n/fq00-006.asp
    - Microsoft Knowledge Base (KB) article Q251170,
    Malformed Argument in Hit-Highlighting Request Allows Access
    to Web Server Files,
    http://www.microsoft.com/technet/sup....asp?ID=251170
    - Microsoft Knowledge Base (KB) article Q252463,
    Index Server Error Message Reveals Physical Location of Web
    Directories,
    http://www.microsoft.com/technet/sup....asp?ID=252463
    - Microsoft TechNet Security web site,
    http://www.microsoft.com/technet/security

    (Note: It may take 24 hours from the original posting of this bulletin for
    the above KB articles to be visible.)

    Obtaining Support on this Issue
    ===============================
    This is a fully supported patch. Information on contacting Microsoft
    Technical Support is available at http://support.microsoft.com/support...ct/default.asp

    Acknowledgments
    ===============
    Microsoft thanks David Litchfield of Cerberus Information Security,
    Ltd http://www.cerberus-infosec.co.uk for reporting the
    "Malformed Hit-Highlighting Argument" vulnerability to us and
    working with us to protect customers.

    Revisions
    =========
    - January 26, 2000: Bulletin Created.



    [This message has been edited by socalgal (edited 01-27-2000).]
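As an added example for the hit-highlighting issue in MS00-006 (written for this thread, not Index Server's code): the containment check a document-retrieval filter needs before opening a requested file, resolving `.` and `..` segments against the web root and refusing any request that would climb above it. The function name and sample paths are constructed; this is a lexical check only and does not replace canonicalising the final path the operating system actually opens.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 64

/* Lexically resolve a request path relative to a web root and refuse anything
 * that escapes it. Treats '/' and '\\' as separators (both are valid on
 * Windows), rejects absolute paths and drive-letter prefixes, and pops a
 * segment for each "..", failing if there is nothing left to pop.
 * Returns 1 and writes the normalised root-relative path to out when the
 * request stays inside the root, 0 otherwise.
 * Caveat: symlinks/junctions, 8.3 short names, trailing dots and spaces, and
 * percent-encoded separators are invisible here; decode first and canonicalise
 * the path the OS finally opens as a second check. */
int path_within_root(const char *request, char *out, size_t outsz)
{
    size_t seg_start[MAX_DEPTH];      /* offsets in out where each segment begins */
    size_t depth = 0, o = 0, i = 0;

    if (request[0] == '/' || request[0] == '\\') return 0;                 /* absolute */
    if (isalpha((unsigned char)request[0]) && request[1] == ':') return 0; /* drive */

    while (request[i] != '\0') {
        size_t start = i;
        while (request[i] != '\0' && request[i] != '/' && request[i] != '\\') i++;
        size_t len = i - start;
        if (request[i] != '\0') i++;                        /* skip the separator */
        if (len == 0 || (len == 1 && request[start] == '.')) continue;
        if (len == 2 && request[start] == '.' && request[start + 1] == '.') {
            if (depth == 0) return 0;                       /* would leave the root */
            depth--;
            o = seg_start[depth];                           /* drop the last segment */
            continue;
        }
        if (depth >= MAX_DEPTH) return 0;
        if (o + len + 2 > outsz) return 0;                  /* separator + segment + NUL */
        seg_start[depth++] = o;
        if (o > 0) out[o++] = '/';
        memcpy(out + o, request + start, len);
        o += len;
    }
    out[o] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed requests, not taken from the bulletin. */
    const char *requests[] = { "docs/report.htm", "docs\\.\\a\\..\\b.htm",
                               "docs/../../outside.txt", "C:\\outside.txt" };
    char out[256];
    for (size_t n = 0; n < sizeof requests / sizeof requests[0]; n++) {
        if (path_within_root(requests[n], out, sizeof out))
            printf("allow  %-28s -> %s\n", requests[n], out);
        else
            printf("reject %s\n", requests[n]);
    }
    return 0;
}
```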

  11. #11
    socalgal
    Guest

    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.

    Please do not reply to this message, as it was sent from an unattended
    mailbox.
    ********************************

    Microsoft Security Bulletin (MS00-007)
    --------------------------------------

    Patch Available for "Recycle Bin Creation" Vulnerability

    Originally Posted: February 1, 2000

    Summary
    =======
    Microsoft has released a patch that eliminates a security vulnerability in
    Microsoft(r) Windows NT 4.0. Under a very daunting set of conditions, a
    malicious user could create, delete or modify files in the Recycle Bin of
    another user who shared the machine. In most cases, the vulnerability would
    not allow the malicious user to read the files unless they already had read
    permission to do so.

    Frequently asked questions regarding this vulnerability and
    the patch can be found at http://www.microsoft.com/technet/sec...n/fq00-007.asp

    Issue
    =====
    The Windows NT Recycle Bin for a given user maps to a folder, whose name is
    based on the owner's SID. The folder is created the first time the user
    deletes a file, and the owner is given sole permissions to it. However, if a
    malicious user could create the folder before the bona fide one were
    created, he or she could assign any desired permissions to it. This would
    allow him or her to create, modify or delete files in the Recycle Bin, but
    in most cases would not enable them to read files unless he or she already
    were able to.

    There are several significant limitations that would make it difficult to
    exploit this vulnerability:
    - The malicious user would need to create the bogus Recycle
    Bin before the user's bona fide one were created.
    - The malicious user would need to share a machine with the
    other user. The vulnerability would only enable the malicious
    user to take action against the Recycle Bin on the particular
    machine, and the particular partition, that was attacked.
    - The malicious user could add files to the Recycle Bin, but this
    vulnerability would not allow him or her to induce the other
    user to retrieve them.

    Affected Software Versions
    ==========================
    - Microsoft Windows NT Workstation 4.0
    - Microsoft Windows NT Server 4.0
    - Microsoft Windows NT Server 4.0, Enterprise Edition

    Patch Availability
    ==================
    - Intel:
    http://www.microsoft.com/downloads/r...eleaseID=17606
    - Alpha:
    http://www.microsoft.com/downloads/r...eleaseID=17607

    NOTE: This patch only needs to be applied to Windows NT systems using NTFS
    file volumes. The vulnerability is moot for FAT volumes, as FAT provides no
    per-user data separation by design. See the FAQ for more information.

    NOTE: Additional security patches are available at the Microsoft Download
    Center

    More Information
    ================
    Please see the following references for more information related to this
    issue.
    - Frequently Asked Questions: Microsoft Security Bulletin MS00-007,
    http://www.microsoft.com/technet/sec...n/fq00-007.asp
    - Microsoft Knowledge Base (KB) article Q248399,
    Shared Workstation Setup may Permit Access to Recycle Bin Files.
    (A link will be posted here as soon as the article is available,
    in approximately 24 hours)
    - Microsoft TechNet Security web site.

    Obtaining Support on this Issue
    ===============================
    This is a fully supported patch. Information on contacting Microsoft
    Technical Support is available at http://support.microsoft.com/support...ct/default.asp

    Acknowledgments
    ===============
    Microsoft thanks Arne Vidstrom and Nobuo Miwa for reporting this issue to us
    and working with us to protect customers.

    Revisions
    =========
    - February 1, 2000: Bulletin Created.


  12. #12
    socalgal
    Guest

    Patch Available for "RDISK Registry Enumeration File" Vulnerability

    Originally Posted: January 21, 2000
    Revised: February 3, 2000

    Summary
    =======

    On January 21, 2000, Microsoft released the original version of this
    bulletin, discussing a security vulnerability in a Microsoft(r) Windows
    NT(r) 4.0 administrative utility. The original version of the bulletin
    discussed the vulnerability within the context of Windows NT 4.0 Server,
    Terminal Server Edition. However, we have since learned of scenarios under
    which the vulnerability could also affect Windows NT 4.0 servers and
    workstations, and have revised the bulletin accordingly.

    The utility creates a temporary file during execution that can contain
    security-sensitive information, but does not appropriately restrict access
    to it. Under certain conditions, it could be possible for a malicious user
    to read the file as it was being created.

    Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/sec...n/fq00-004.asp

    Issue
    =====
    The RDISK utility is used to create an Emergency Repair Disk (ERD) in order
    to record machine state information as a contingency against system
    failure. During execution, RDISK creates a temporary file containing an
    enumeration of the registry. The ACLs on the file allow global read
    permission, and as a result, a malicious user who knew that the
    administrator was running RDISK could open the file and read the registry
    enumeration information as it was being created. RDISK erases the file upon
    successful completion, so under normal conditions there would be no lasting
    vulnerability.

    By default, the file is not shared and therefore could not be read by other
    network users.

    Affected Software Versions
    ==========================
    - Microsoft Windows NT 4.0 Workstation
    - Microsoft Windows NT 4.0 Server
    - Microsoft Windows NT 4.0, Enterprise Edition
    - Microsoft Windows NT 4.0, Terminal Server Edition

    Patch Availability
    ==================
    Windows NT 4.0 Workstation; Windows NT 4.0 Server; Windows NT 4.0 Server,
    Enterprise Edition:
    - Intel: http://www.microsoft.com/Downloads/R...eleaseID=17745
    - Alpha: http://www.microsoft.com/Downloads/R...eleaseID=17747

    Windows NT 4.0 Server, Terminal Server Edition:
    - http://www.microsoft.com/Downloads/R...eleaseID=17384

    NOTE: Additional security patches are available at the Microsoft Download Center.

    More Information
    ================
    Please see the following references for more information related to this
    issue.
    - Frequently Asked Questions: Microsoft Security Bulletin MS00-004,
    http://www.microsoft.com/technet/sec...n/fq00-004.asp
    - Microsoft Knowledge Base (KB) article Q249108,
    Registry Data Is Viewable By All Users After Rdisk Repair Update,
    http://www.microsoft.com/technet/sup....asp?ID=249108
    - Microsoft Knowledge Base (KB) article Q156328,
    Description of Windows NT Emergency Repair Disk,
    http://www.microsoft.com/technet/sup....asp?ID=156328
    - Microsoft Security web site,
    http://www.microsoft.com/technet/security/default.asp

    Obtaining Support on this Issue
    ===============================
    This is a fully supported patch. Information on contacting Microsoft
    Technical Support is available at http://support.microsoft.com/support...ct/default.asp

    Acknowledgments
    ===============
    Microsoft thanks Arne Vidstrom http://ntsecurity.nu for reporting this
    issue to us and working with us to protect customers.

    Revisions
    =========
    - January 21, 2000: Bulletin Created.
    - February 3, 2000: Bulletin revised to address other affected versions.

    ***************
    Note: I'll start a new thread with the next Bulletin. - socalgal


    EDIT: Continued at MS Security Bulletins - Vol. 6


    [This message has been edited by socalgal (edited 02-16-2000).]
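As an added illustration (this is not part of the bulletin and not Microsoft's code), the following script shows the class of defect MS00-004 describes: a utility creates a temporary file with a permissive access control entry and then fills it with sensitive data, so anyone who knows the file is being written can open it during that window. It models the NT "Everyone: Read" ACL with POSIX mode bits, places the insecure pattern beside the hardened one (create the file atomically with an owner-only mode instead of tightening it afterwards), and includes the audit routine a defender could run over a directory such as a repair or temp folder. Assumptions: a POSIX host (Linux or macOS), and the registry content is a constructed placeholder string.

```python
import os
import stat
import tempfile

# Constructed stand-in for the registry enumeration RDISK writes; not real data.
SENSITIVE_DATA = b"[constructed] HKEY_LOCAL_MACHINE\\SECURITY\\... placeholder\n"


def file_mode(path):
    """Permission bits of a file (owner/group/other), e.g. 0o600."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def is_world_readable(path):
    """True if 'other' has read permission, the POSIX analogue of an ACL
    that grants Everyone read access."""
    return bool(file_mode(path) & stat.S_IROTH)


def write_insecure(directory):
    """The pattern the bulletin describes: the file exists with a permissive
    mode while the sensitive data is still being written into it."""
    path = os.path.join(directory, "insecure.tmp")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    # chmod models the global-read ACL independently of the process umask.
    os.chmod(path, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(SENSITIVE_DATA)
    return path


def write_hardened(directory):
    """Hardened form: mkstemp creates the file with O_EXCL and mode 0o600
    in one step, so there is no moment at which another user can open it."""
    fd, path = tempfile.mkstemp(prefix="hardened-", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(SENSITIVE_DATA)
    return path


def audit_directory(directory):
    """Defender's check: names of regular files in the directory that are
    readable by users other than the owner or group."""
    return sorted(
        name for name in os.listdir(directory)
        if os.path.isfile(os.path.join(directory, name))
        and is_world_readable(os.path.join(directory, name))
    )


def demo():
    """Create both files in a scratch directory and report what an audit
    sees. Returns a dict so the results can be checked, not only printed."""
    with tempfile.TemporaryDirectory() as scratch:
        insecure = write_insecure(scratch)
        hardened = write_hardened(scratch)
        result = {
            "insecure_world_readable": is_world_readable(insecure),
            "hardened_world_readable": is_world_readable(hardened),
            "hardened_mode": file_mode(hardened),
            "flagged": audit_directory(scratch),
        }
        # Mirrors RDISK erasing its file on completion; the scratch
        # directory is removed when the with-block ends.
        os.unlink(insecure)
        os.unlink(hardened)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        shown = oct(value) if key == "hardened_mode" else value
        print(f"{key}: {shown}")
```

The design point is that the permission must be correct at creation time: tightening the mode (or the ACL) after the first write has already happened leaves exactly the window the bulletin describes, whereas `mkstemp` passes the restrictive mode to the kernel on the `open` call itself. Running the audit over a directory periodically is a cheap way to catch other utilities that leave sensitive scratch files readable by everyone.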
