Security Bulletin

Microsoft Security Bulletin MS00-026 - Critical

Patch Available for "Mixed Object Access" Vulnerability

Published: April 20, 2000

Version: 1.0

Originally Posted: April 20, 2000

Summary

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows® 2000 that could, under very specific conditions, allow a malicious user to change information in the Active Directory that he should not be able to change.

Frequently asked questions regarding this vulnerability and the patch can be found at https://www.microsoft.com/technet/security/bulletin/fq00-026.mspx

General Information

Issue

Active Directory allows for access control of directory objects on a per-attribute basis. However, the vulnerability at issue here could allow a malicious user to modify object attributes that he does not have permission to modify, as long as he combined the operation in a particular way with ones involving attributes that he does have permission to modify.

The vulnerability does not afford the malicious user an opportunity to modify all objects in a class - only the specific class objects for which he has permission to modify at least one attribute. Further, the vulnerability provides no capability to bypass normal authentication or Windows 2000 auditing, so administrators could determine if this vulnerability were being exploited, and by whom.

Affected Software Versions

• Windows 2000 Server
• Windows 2000 Advanced Server
  Note The vulnerability only affects the above products when they are used as domain controllers.

Vulnerability Identifier: CVE-2000-0311

Patch Availability

• https://www.microsoft.com/download/details.aspx?FamilyId=7237F230-A28B-447B-9034-6654DD7CD05E&displaylang;=en
  Note Additional security patches are available at the Microsoft Download Center

More Information

Please see the following references for more information related to this issue.

• Frequently Asked Questions: Microsoft Security Bulletin MS00-026, https://www.microsoft.com/technet/security/bulletin/fq00-026.mspx
• Microsoft TechNet Security web site, https:

Obtaining Support on this Issue

This is a fully supported patch. Information on contacting Microsoft Technical Support is available at </https:>https:.

Acknowledgments

Microsoft thanks Sebastien Malbois of Bouygues Construction for reporting this issue to us and working with us to protect customers.

Revisions

• April 20, 2000: Bulletin Created.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Built at 2014-04-18T13:49:36Z-07:00 </https:>