Security Bulletin

Microsoft Security Bulletin MS00-077 - Important

Patch Available for 'NetMeeting Desktop Sharing' Vulnerability

Published: October 13, 2000 | Updated: June 20, 2001

Version: 1.2

Originally posted: October 13, 2000
Updated: June 20, 2001

Summary

On October 13, 2000, Microsoft released the original version of this bulletin, to discuss the availability of a patch that eliminates a security vulnerability in NetMeeting, an application that ships with Microsoft® Windows 2000 and is also available as a separate download for Windows NT® 4.0. The vulnerability could allow a malicious user to temporarily prevent an affected machine from providing any NetMeeting services and possibly consume 100% CPU utilization during an attack.

On June 20, 2001, the bulletin was updated to advise that a patch is available, to address a new variant of the vulnerability. The effect of the new variant is exactly the same as that of the original one. Customers who applied the original patch should apply the updated patch, which contains fixes to both issues.

Affected Software:

• NetMeeting Version 3.01 (4.4.3385) on Windows 2000 or Windows NT 4.0.

Vulnerability Identifiers

• NetMeeting Desktop Sharing Vulnerability: CVE-2000-0983
• NetMeeting Desktop Sharing Variant Vulnerability: CVE-2001-0503

General Information

Technical details

Technical description:

A remote denial of service vulnerability has been discovered in a component of NetMeeting. The denial of service can occur when a malicious client sends a particular malformed string to a port which the NetMeeting service is listening on and with Remote Desktop Sharing enabled.

Although the NetMeeting application is provided as part of Windows 2000 products, the application and affected component is not enabled by default, and customers who have not enabled it would not be at risk from this vulnerability.

Frequently asked questions

What's this bulletin about?
Microsoft Security Bulletin MS00-077 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows 2000 and also the latest version that is available for Windows NT 4.0. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

Why was the bulletin re-released on June 20, 2001?
The bulletin was re-released to announce the availability of a new patch that addresses a newly-discovered variant of the vulnerability as well as the original vulnerability. The scope of the new variant is exactly the same as that of the original, and customers who applied the original patch should apply the new one to ensure that they are fully protected against all known variants of the vulnerability.

What's the scope of the vulnerability?
This is a Denial of Service vulnerability. A malicious user could use the vulnerability to temporarily cause the NetMeeting application on an affected machine to stop responding to client during an attack. NetMeeting services will return to normal once an attack has terminated or by terminating the NetMeeting application. By default, NetMeeting or Remote Desktop Sharing is not enabled on Windows 2000, is an extra download for Windows NT 4.0, and only customers who have enabled it would be at risk from this vulnerability. The vulnerability could be used to deny NetMeeting services, but could not be used for any broader attack - that is, it could not be used to compromise data on an affected server or usurp administrative control.

What causes the vulnerability?
There is a flaw in a NetMeeting feature which drives CPU utilization to 100% and also causes the application to hang when sent a particular malformed input string from a malicious client machine.

What is NetMeeting?
NetMeeting is an application included with Windows 2000 (or can be downloaded from https: for Windows NT 4.0) that enables real-time audio, video, and data communication over the Internet. The feature of NetMeeting at issue in this vulnerability is Remote Desktop Sharing.

What's the problem with the NetMeeting Application?
The affected version of NetMeeting, with Remote Desktop Sharing enabled, does not correctly handle a particular kind of malformed input string sent to it from a client. If such data were received by an affected system, it could temporarily cause the NetMeeting application to hang and also temporarily drive CPU utilization to 100%.

What would be the effect of the NetMeeting application failing?
If the NetMeeting application temporarily failed, it would cause any existing NetMeeting sessions to fail, with the loss of any work that was in progress at the time. It could also hinder the affected machine from performing other tasks due to 100% CPU utilization during an attack.

Is NetMeeting running by default in Windows 2000 or Windows NT 4.0?
The NetMeeting application is not enabled by default on a standard Windows 2000 installation and needs to be downloaded for Windows NT 4.0.

Who could exploit this vulnerability?
Any malicious user who could send data to an affected machine could exploit the vulnerability. If an affected machine were directly connected to the Internet, the vulnerability could be exploited by a malicious user; on the other hand, an affected machine that provided NetMeeting services only within an intranet could only be attacked by an intranet user.

Note: NetMeeting listens on port 1720 -- if that were blocked on Corporate firewalls intranet user's would not be affected by this vulnerability from an external attack.

What is the scope of the new variant?
The scope of the new variant is identical to the original vulnerability. The exploit used was a little different than the original and the fix was completed to take into account the symptom of the new exploit.

Who should use the patch?
Microsoft recommends that anyone who enables the NetMeeting application with the Remote Desktop Sharing service should install the patch.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.

How do I use the patch?
Knowledge Base article 273854 contains detailed instructions for applying the patch to your machine.

How can I tell if I installed the patch correctly?
If the NetMeeting application temporarily failed, it would cause any existing NetMeeting sessions to fail, with the loss of any work that was in progress at the time. It could also hinder the affected machine from performing other tasks due to 100% CPU utilization during an attack.

What is Microsoft doing about this issue?

• Microsoft has delivered a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletinand this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base articles 273854 and 299796 explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Servicescan provide assistance with this or any other product support issue.

Patch availability

Download locations for this patch

• Windows NT 4.0:

  https://www.microsoft.com/download/details.aspx?FamilyID=26c9da7c-f778-4422-a6f4-efb8abba021e&DisplayLang;=en

• Windows 2000:

  https://www.microsoft.com/download/details.aspx?FamilyId=DD418CE9-699F-4D62-8282-5C4337BE5785&displaylang;=en

Additional information about this patch

Installation platforms: Please see the following references for more information related to this issue.

• Microsoft Knowledge Base articles 273854 and 299796 discuss this issue in more detail.

Other information:

Acknowledgments

Microsoft thanks the following people for working with us to protect customers:

• Kirk Corey of Diversified Software Industries, Inc. (www.dsi-inc.net) for reporting the original issue.
• Peter Grundl for reporting the new variant.

Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at </https:>https:.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

• October 13, 2000: Bulletin Created.
• November 14, 2000: Updated to add new Windows 2000 patch
• June 20, 2001: Bulletin re-released to advise that both the original vulnerability and a new variant could be remediated via a new patch.

Built at 2014-04-18T13:49:36Z-07:00 </https:>