Security Bulletin

Microsoft Security Bulletin MS04-011 - Critical

Security Update for Microsoft Windows (835732)

Published: April 13, 2004 | Updated: August 10, 2004

Version: 2.1

Issued: April 13, 2004
Updated: August 10, 2004
Version: 2.1

Summary

Who should read this document: Customers who use Microsoft® Windows®

Impact of vulnerability:  Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

Security Update Replacement: This bulletin replaces several prior security updates. See the frequently asked questions (FAQ) section of this bulletin for the complete list.

Caveats: The security update for Windows NT Server 4.0 Terminal Server Edition Service Pack 6 requires, as a prerequisite, the Windows NT Server 4.0 Terminal Server Edition Security Rollup Package (SRP). To download the SRP, visit the following Web site. You must install the SRP before you install the security update that is provided in this security bulletin. If you are not using Windows NT Server 4.0 Terminal Server Edition Service Pack 6 you do not need to install the SRP.

Microsoft Knowledge Base Article 835732 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 835732.

Tested Software and Security Update Download Locations:

Affected Software:

  • Microsoft Windows NT® Workstation 4.0 Service Pack 6a - Download the update
  • Microsoft Windows NT Server 4.0 Service Pack 6a - Download the update
  • Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 - Download the update
  • Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4 - Download the update
  • Microsoft Windows XP and Microsoft Windows XP Service Pack 1 - Download the update
  • Microsoft Windows XP 64-Bit Edition Service Pack 1 - Download the update
  • Microsoft Windows XP 64-Bit Edition Version 2003 - Download the update
  • Microsoft Windows Server™ 2003 - Download the update
  • Microsoft Windows Server 2003 64-Bit Edition - Download the update
  • Microsoft NetMeeting
  • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) - Review the FAQ section of this bulletin for details about these operating systems.

The software that is listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.

General Information

Technical Details

Executive Summary:

Microsoft re-issued this bulletin on June 15, 2004 to advise on the availability of an updated Windows NT 4.0 Workstation update for the Pan Chinese language.

This revised update corrects an installation issue that some customers experienced with the original update. This issue is unrelated to the security vulnerability discussed in this bulletin. However, this issue has caused some customers difficulty installing the update. If you have previously applied this security update, this update does need to be installed to avoid potential issues when installing future security updates. This issue only affects the Pan Chinese language version of the update and only those versions of the update are being re-released. Other language versions of this update are not affected and are not being re-released.

This update resolves several newly-discovered vulnerabilities. Each vulnerability is documented in this bulletin in its own section.

An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

Microsoft recommends that customers apply the update immediately.

Severity Ratings and Vulnerability Identifiers:

Vulnerability Identifiers Impact of Vulnerability Windows 98, 98 SE, ME Windows NT 4.0 Windows 2000 Windows XP Windows Server 2003
LSASS Vulnerability - CAN-2003-0533 Remote Code Execution None None Critical Critical Low
LDAP Vulnerability - CAN-2003-0663 Denial Of Service None None Important None None
PCT Vulnerability - CAN-2003-0719 Remote Code Execution None Critical Critical Important Low
Winlogon Vulnerability - CAN-2003-0806 Remote Code Execution None Moderate Moderate Moderate None
Metafile Vulnerability - CAN-2003-0906 Remote Code Execution None Critical Critical Critical None
Help and Support Center Vulnerability - CAN-2003-0907 Remote Code Execution None None None Critical Critical
Utility Manager Vulnerability - CAN-2003-0908 Privilege Elevation None None Important None None
Windows Management Vulnerability - CAN-2003-0909 Privilege Elevation None None None Important None
Local Descriptor Table Vulnerability - CAN-2003-0910 Privilege Elevation None Important Important None None
H.323 Vulnerability* - CAN-2004-0117 Remote Code Execution Not Critical None Important Important Important
Virtual DOS Machine Vulnerability - CAN-2004-0118 Privilege Elevation None Important Important None None
Negotiate SSP Vulnerability - CAN-2004-0119 Remote Code Execution None None Critical Critical Critical
SSL Vulnerability - CAN-2004-0120 Denial Of Service None None Important Important Important
ASN.1 “Double Free” Vulnerability - CAN-2004-0123 Remote Code Execution Not Critical Critical Critical Critical Critical
Aggregate Severity of All Vulnerabilities Not Critical Critical Critical Critical Critical

*Note The severity rating of H.323 Vulnerability - CAN-2004-0117 is Important for the standalone version of NetMeeting. To download an updated version of NetMeeting that addresses this vulnerability, visit the following Web site. This version of NetMeeting can be installed on all systems that are running Windows 98, Windows 98 Second Edition, Windows Millennium Edition, and Windows NT 4.0. The updated version of NetMeeting that addresses this vulnerability is version 3.01 (4.4.3399).

The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Why has Microsoft re-issued this bulletin?
Microsoft re-issued this bulletin on June 15, 2004 to advise on the availability of an updated Windows NT 4.0 Workstation update for the Pan Chinese language.

This revised update corrects an installation issue that some customers experienced with the original update. This issue is unrelated to the security vulnerability discussed in this bulletin. However, this issue has caused some customers difficulty installing the update. If you have previously applied this security update, this update does need to be installed to avoid potential issues when installing future security updates. This issue only affects the Pan Chinese language version of the update and only those versions of the update are being re-released. Other language versions of this update are not affected and are not being re-released.

Why does this update address several reported security vulnerabilities?
This update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that contain almost identical files, customers can install only this update.

What updates does this release replace?
This security update replaces several prior security bulletins. The security bulletin IDs and operating systems that are affected are listed in the table below.

Bulletin ID Windows NT 4.0 Windows 2000 Windows XP Windows Server 2003
MS99-023 Replaced Not Applicable Not Applicable Not Applicable
MS00-027 Not Replaced Replaced Not Applicable Not Applicable
MS00-032 Not Applicable Replaced Not Applicable Not Applicable
MS00-070 Not Replaced Replaced Not Applicable Not Applicable
MS02-050 Replaced Not Replaced Not Replaced Not Applicable
MS02-051 Not Applicable Replaced Not Replaced Not Applicable
MS02-071 Replaced Replaced Not Replaced Not Applicable
MS03-007 Not Replaced Replaced Not Replaced Not Applicable
MS03-013 Replaced Replaced Not Replaced Not Applicable
MS03-025 Not Applicable Replaced Not Applicable Not Applicable
MS03-041 Replaced Not Replaced Not Replaced Not Replaced
MS03-045 Replaced Replaced Not Replaced Not Replaced
MS04-007 Replaced Replaced Replaced Replaced

Is this update a Cumulative Security Update or a Security Update Roll-up?
Neither. A Cumulative Security Update would typically include support for all prior updates. This update does not include support for all prior updates on all operating systems.

A Security Update Roll-up is typically used to combine previous releases into a single update to allow for easier installation and faster download. Security Update Roll-ups typically do not include modifications to address new vulnerabilities; this update does.

How does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?
Microsoft will only release security updates for critical security issues. Non-critical security issues are not offered during this support period. For more information about the Microsoft Support Lifecycle policies for these operating systems, visit the following Web site.

For more information about severity ratings, visit the following Web site.

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?
No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition.

Does this update contain any other changes to functionality?
Yes. In addition to the changes that are listed in each of the vulnerability details sections of this bulletin, this update includes the following change in functionality: files that end with the file name extension “.folder” are no longer associated with a directory. Files that have this extension are still supported by the affected operating system. However, those files will no longer appear as a directory in Windows Explorer and in other programs.

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if this update is required?
Yes. MBSA will determine if this update is required. However, MBSA does not currently support the stand-alone version of NetMeeting for detection. MBSA will not offer the required update to the stand-alone version of NetMeeting if it has been installed on Windows NT 4.0 systems. To download the updated stand-alone version of NetMeeting that addresses the H.323 Vulnerability (CAN-2004-0117), visit the following Web site. MBSA does detect if the update for the H.323 Vulnerability (CAN-2004-0117) is required for the version of NetMeeting that shipped as part of Windows 2000, Windows XP, or Windows Server 2003.

For more information about the H.323 Vulnerability (CAN-2004-0117), see that vulnerability details section of this bulletin. For more information about MBSA, visit the MBSA Web site. For more information about MBSA detection limitations, see Microsoft Knowledge Base Article 306460.

How did this change from the initial release of the bulletin?
When the bulletin was released on April 13, 2004, MBSA detection for this security update was disabled for Windows NT 4.0 because of the lack of detection support for the stand-alone version of NetMeeting that is described earlier in this bulletin. This changed on April 21, 2004. MBSA will now detect if this security update is required for Windows NT 4.0 even though this limitation exists.

Can I use Systems Management Server (SMS) to determine if this update is required?
Yes. SMS can help detect and deploy this security update. For information about SMS, visit the SMS Web site. SMS uses MBSA for detection; therefore, SMS has the same limitation listed earlier in this bulletin related to the stand-alone version of NetMeeting.

Can I use Systems Management Server (SMS) to determine if the stand-alone version of NetMeeting has been installed on Windows NT 4.0 systems?
Yes. SMS can help detect if the updated stand-alone version of NetMeeting is required for Windows NT 4.0 systems. SMS can search for the presence of the file “Conf.exe.” All versions before version 3.01 (4.4.3399) should be updated.

Vulnerability Details

LSASS Vulnerability - CAN-2003-0533:

A buffer overrun vulnerability exists in LSASS that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take complete control of the affected system.

Mitigating Factors for LSASS Vulnerability - CAN-2003-0533:

  • Only Windows 2000 and Windows XP can be remotely attacked by an anonymous user. While Windows Server 2003 and Windows XP 64-Bit Edition Version 2003 contain the vulnerability, only a local administrator could exploit it.
  • Windows NT 4.0 is not affected by this vulnerability.
  • Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Workarounds for LSASS Vulnerability - CAN-2003-0533:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

  • Create a file called %systemroot%\debug\dcpromo.log and make the file read-only. To do this, type the following command:

    echo dcpromo >%systemroot%\debug\dcpromo.log & attrib +r %systemroot%\debug\dcpromo.log

    Note This is the most effective mitigation technique as it completely mitigates this vulnerability by causing the vulnerable code to never be executed. This work-around will work for packets sent to any vulnerable port.

  • Use a personal firewall such as the Internet Connection Firewall, which is included with Windows XP and Windows Server 2003.

    If you use the Internet Connection Firewall feature in Windows XP or in Windows Server 2003 to help protect your Internet connection, it blocks unsolicited inbound traffic by default. Microsoft recommends blocking all unsolicited inbound communication from the Internet.

    To enable the Internet Connection Firewall feature by using the Network Setup Wizard, follow these steps:

    1. Click Start, and then click Control Panel.
    2. In the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your system is connected directly to the Internet.

    To configure Internet Connection Firewall manually for a connection, follow these steps:

    1. Click Start, and then click Control Panel.
    2. In the default Category View, click Networking and Internet Connections, and then click Network Connections.
    3. Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.
    4. Click the Advanced tab.
    5. Click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box, and then click OK.

    Note If you want to enable the use of some programs and services through the firewall, click Settings on the Advanced tab, and then select the programs, protocols, and services needed.

  • Block the following at the firewall:

    • UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593
    • All unsolicited inbound traffic on ports greater than 1024
    • Any other specifically configured RPC port

    These ports are used to initiate a connection with RPC. Blocking them at the firewall will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. Also, make sure that you block any other specifically configured RPC port on the remote system. Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about the ports that RPC uses, visit the following Web site.

  • Enable advanced TCP/IP filtering on systems that support this feature.

    You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.

  • Block the affected ports by using IPSec on the affected systems.

    Use Internet Protocol Security (IPSec) to help protect network communications. Detailed information about IPSec and how to apply filters is available in Microsoft Knowledge Base Articles 313190 and 813878.

FAQ for LSASS Vulnerability - CAN-2003-0533:

What is the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

What causes the vulnerability?
An unchecked buffer in the LSASS service.

What is LSASS?
Local Security Authority Subsystem Service (LSASS) provides an interface for managing local security, domain authentication, and Active Directory processes. It handles authentication for the client and for the server. It also contains features that are used to support Active Directory utilities.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.

Who could exploit the vulnerability?
On Windows 2000 and Windows XP, any anonymous user who could deliver a specially crafted message to the affected system could attempt to exploit this vulnerability.

How could an attacker exploit this vulnerability?
An attacker could exploit the vulnerability by creating a specially crafted message and sending the message to an affected system, which could then cause the affected system to execute code.

An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely).

What systems are primarily at risk from the vulnerability?
Windows 2000 and Windows XP are primarily at risk from this vulnerability.

Windows Server 2003 and Windows XP 64-Bit Edition Version 2003 provide additional protection that would require an administrator to log on locally to an affected system to exploit this vulnerability.

What does the update do?
The update removes the vulnerability by modifying the way that LSASS validates the length of a message before it passes the message to the allocated buffer.

This update also removes the vulnerable code from Windows 2000 Professional and from Windows XP because these operating systems do not require the vulnerable interface. This helps protect against possible future vulnerabilities in this service.

LDAP Vulnerability - CAN-2003-0663:

A denial of service vulnerability exists that could allow an attacker to send a specially crafted LDAP message to a Windows 2000 domain controller. An attacker could cause the service responsible for authenticating users in an Active Directory domain to stop responding.

Mitigating Factors for LDAP Vulnerability - CAN-2003-0663:

  • To exploit this vulnerability, an attacker would have to send a specially crafted LDAP message to the domain controller. If the LDAP ports are not blocked by a firewall, an attacker would not require any additional privileges to exploit this vulnerability.
  • This vulnerability only affects Windows 2000 Server domain controllers; Windows Server 2003 domain controllers are not affected.
  • Windows NT 4.0 and Windows XP are not affected by this vulnerability.
  • If an attacker successfully exploited this vulnerability, the affected system might display a warning that it would automatically restart after a 60-second countdown. At the end of this 60-second countdown, the affected system would automatically restart. After restart, the affected system would be restored to normal functionality. However, the affected system could be susceptible to a new denial of service attack unless the update is applied.
  • Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Workarounds for LDAP Vulnerability - CAN-2003-0663:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

  • Block LDAP TCP ports 389, 636, 3268, and 3269 at your firewall.

    These ports are used to initiate an LDAP connection with a Windows 2000 domain controller. Blocking them at the firewall will help prevent systems that are behind that firewall from attempts to exploit this vulnerability that originate outside the enterprise perimeter. While other ports could be used to exploit this vulnerability, the ports listed are the most common attack vectors. Microsoft recommends blocking all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.

    Impact of workaround: Active Directory domain authentication will not be possible over a network connection where these ports are blocked.

FAQ for LDAP Vulnerability - CAN-2003-0663:

What’s the scope of the vulnerability?

This is a denial of service vulnerability. An attacker who exploited this vulnerability could cause the server to automatically restart and, during that time, stop the server from responding to authentication requests. This vulnerability exists in Windows 2000 Server systems that perform the role of a domain controller. The only effect on other Windows 2000 systems is that clients may not be able to log on to the domain if their domain controller stops responding.

What causes the vulnerability?

The processing of specially crafted LDAP messages by the Local Security Authority Subsystem Service (LSASS).

What is LDAP?

Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol that enables authorized users to query or modify the data in a metadirectory. For example, in Windows 2000, LDAP is one protocol that is used to access data in Active Directory.

What’s wrong with the way the specially crafted LDAP messages are handled?

An attacker could send a specially crafted LDAP message to the LSASS service and cause it to stop responding.

What is LSASS?

Local Security Authority Subsystem Service (LSASS) provides an interface for managing local security, domain authentication, and Active Directory processes. It handles authentication for the client and for the server. It also contains features that are used to support Active Directory utilities.

What might an attacker use the vulnerability to do?

An attacker who exploited this vulnerability could cause LSASS to stop responding and the affected system to restart. The affected system might display a warning that it would automatically restart after a 60-second countdown. During this 60 second countdown, local authentication at the console of the affected system and user domain authentication with the affected system would not be possible. At the end of this 60-second countdown, the affected system would automatically restart. If users cannot perform domain authentication with the affected system, they might not be able to access domain resources. After restart, the affected system would be restored to normal functionality. However, it could be susceptible to a new denial of service attack unless the update is applied.

Who could exploit the vulnerability?

Any anonymous user who could deliver the specially crafted LDAP message to the affected system could exploit this vulnerability.

How could an attacker exploit the vulnerability?

An attacker could exploit this vulnerability by sending a specially crafted LDAP message to the domain controllers in a single forest or multiple forests, potentially causing a denial of service to domain authentication throughout an enterprise. This could cause LSASS to stop responding and cause the affected system to restart. An attacker does not have to have a valid user account in the domain to send this specially crafted LDAP message. This attack can be performed by using anonymous access.

What systems are primarily at risk from the vulnerability?

Only Windows 2000 domain controllers are vulnerable.

I am running Windows 2000. What systems do I have to update?

The update to address this vulnerability must be installed on systems that are used as Windows 2000 domain controllers. However, the update can be safely installed on Windows 2000 Servers in other roles. Microsoft recommends that you install this update on systems that might be promoted to domain controllers in the future.

What does the update do?

The update removes the vulnerability by modifying the way that LSASS processes the specially crafted LDAP message.

PCT Vulnerability - CAN-2003-0719:

A buffer overrun vulnerability exists in the Private Communications Transport (PCT) protocol, which is part of the Microsoft Secure Sockets Layer (SSL) library. Only systems that have SSL enabled, and in some cases Windows 2000 domain controllers, are vulnerable. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Mitigating Factors for PCT Vulnerability - CAN-2003-0719:

  • Only systems that have enabled SSL are affected, typically only server systems. SSL support is not enabled by default on any of the affected systems. However, SSL is generally used on Web servers to support electronic commerce programs, online banking, and other programs that require secure communications.
  • Windows Server 2003 is only vulnerable to this issue if an administrator has manually enabled PCT (even if SSL has been enabled).
  • In some situations, the Web Publishing features of ISA Server 2000 or Proxy Server 2.0 can successfully block attempts to exploit this vulnerability. Testing has shown that the Web publishing features of ISA Server 2000, with Packet Filtering enabled and all Packet Filtering options selected can successfully block this attack with no noticeable side effects. Proxy Server 2.0 also successfully blocks this attack. However, until the security update is applied on the Proxy Server 2.0 system, this attack causes Proxy Server 2.0 Web services to stop responding and the system must be restarted.
  • Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Workarounds for PCT Vulnerability - CAN-2003-0719:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

  • Disable PCT support through the registry

    This workaround is fully documented in Microsoft Knowledge Base Article 187498. This article is summarized below.

    The following steps demonstrate how to disable the PCT 1.0 protocol that prevents the affected system from negotiating its use.

    Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

    For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

    Note It is a good idea to back up the registry before you edit it.

    1. Click Start, click Run, type "regedt32" (without the quotation marks), and then click OK.

    2. In Registry Editor, locate the following registry key:

      HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server

    3. In the Edit menu, click Add Value to create a new REG_DWORD value called "Enabled" in the Server subkey.

    4. In the Data Type list, click REG_DWORD.

    5. In the Value Name text box, type "Enabled" (without the quotation marks), and then click OK.

      Note If this value is already present, double-click on the value to edit its current value, and then go to step 6.

    6. In the Binary Editor, set the new keys value to equal 0 by typing the following string: 00000000.

    7. Click OK, and then restart the system.

      Note To enable PCT, change the value of the Enabled registry key to 00000001, and then restart the system.

      Note If you are using Windows XP RTM you must also create a second registry key to fully disable PCT. This is not required on later versions of Windows XP or other affected operating systems. Use the instructions provided earlier and create a second REG_DWORD value named “Client”. Use the same values as documented earlier.

FAQ for PCT Vulnerability - CAN-2003-0719:

What’s the scope of the vulnerability?

A buffer overrun vulnerability exists in the Private Communications Transport (PCT) protocol, which is part of the Microsoft Secure Sockets Layer (SSL) library. Only systems that have SSL enabled, and in some cases Windows 2000 domain controllers, are vulnerable.

All programs that use SSL could be affected. Although SSL is generally associated with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely to be vulnerable. This includes but is not limited to, Microsoft Internet Information Services 4.0, Microsoft Internet Information Services 5.0, Microsoft Internet Information Services 5.1, Microsoft Exchange Server 5.5, Microsoft Exchange Server 2000, Microsoft Exchange Server 2003, Microsoft Analysis Services 2000 (included with SQL Server 2000), and any third-party programs that use PCT. SQL Server 2000 is not vulnerable because it specifically blocks PCT connections.

Windows Server 2003 and Internet Information Services 6.0 are only vulnerable to this issue if an administrator has manually enabled PCT (even if SSL has been enabled).

An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

What causes the vulnerability?

The process used by the SSL Library to check message inputs.

What is the SSL library?

The Microsoft Secure Sockets Layer (SSL) library contains support for a number of secure communication protocols. These include Transport Layer Security 1.0 (TLS 1.0), Secure Sockets Layer 3.0 (SSL 3.0), and the older and seldom-used Secure Sockets Layer 2.0 (SSL 2.0), and Private Communication Technology 1.0 (PCT 1.0) protocol.

These protocols provide an encrypted connection between a server and a client system. SSL can help protect information when transmitted across public networks such as the Internet. SSL support requires an SSL certificate, which must be installed on a server. For more information about SSL, see Microsoft Knowledge Base Article 245152.

What is PCT?

Private Communication Technology (PCT) is a protocol developed by Microsoft and Visa International for encrypted communication on the Internet. It was developed as an alternative to SSL 2.0. It is similar to SSL. The message formats are similar enough that a server can interact with clients that support SSL as well as clients that support PCT.

PCT is an earlier protocol that has been replaced by SSL 3.0 and is no longer generally used. The Microsoft Secure Sockets Layer (SSL) library supports PCT only for backward compatibility. Most modern programs and servers use SSL 3.0, and PCT is no longer required. For more detailed information, visit the MSDN Library Web site.

What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

Who could exploit the vulnerability?

Any anonymous attacker who could deliver a specially crafted TCP message to an SSL enabled service on an affected system could attempt to exploit this vulnerability.

How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by communicating with an affected system through an SSL enabled service and sending a specially crafted TCP message. Receipt of such a message could cause the affected service on the vulnerable system to fail in such a way that it could execute code.

An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely).

What systems are primarily at risk from the vulnerability?

All programs that use SSL could be affected. Although SSL is generally associated with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely to be vulnerable. This includes but is not limited to, Internet Information Services 4.0, Internet Information Services 5.0, Internet Information Services 5.1, Exchange Server 5.5, Exchange Server 2000, Exchange Server 2003, Analysis Services 2000 (included with SQL Server 2000), and any third-party programs that use PCT. SQL Server 2000 is not vulnerable because it specifically blocks PCT connections.

Windows Server 2003 and Internet Information Services 6.0 are only vulnerable to this issue if an administrator has manually enabled PCT (even if SSL has been enabled).

Active Directory domains that have an Enterprise Root certification authority installed are also affected by this vulnerability because Windows 2000 domain controllers will automatically listen for SSL connections.

How is Windows Server 2003 affected?

The way that Windows Server 2003 implements PCT contains the same buffer overrun that is found on other platforms. However, PCT is disabled by default. If the PCT protocol were enabled by using a registry key, Windows Server 2003 could then be vulnerable to this issue. Microsoft is therefore releasing a security update for Windows Server 2003 that corrects the buffer overrun while continuing to leave PCT disabled.

What does the update do?

The update removes the vulnerability by altering the way that the PCT implementation validates the information passed to it and also disables the PCT protocol.

Does this update introduce any behavioral changes?

Yes. While the update does address the vulnerability in PCT, it also disables PCT because this protocol is no longer used and has been replaced by SSL 3.0. This behavior is consistent with the default settings of Windows Server 2003. If administrators require the use of PCT, they can enable it by using the registry key that is described in the Workaround section of this bulletin.

Winlogon Vulnerability - CAN-2003-0806:

A buffer overrun vulnerability exists in the Windows logon process (Winlogon). It does not check the size of a value used during the logon process before inserting it into the allocated buffer. The resulting overrun could allow an attacker to remotely execute code on an affected system. Systems that are not members of a domain are not affected by this vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Mitigating Factors for Winlogon Vulnerability - CAN-2003-0806:

  • Only Windows NT 4.0, Windows 2000, and Windows XP systems that are members of a domain are affected by this vulnerability. Windows Server 2003 is not affected by this vulnerability.
  • An attacker would require permission to modify user objects in a domain to attempt to exploit this vulnerability. Typically, only members of the Administrators or Account Operators groups would have this permission. However, this permission may have been delegated to other user accounts in the domain.
  • Domains typically support auditing of changes to user objects. These audit records could be reviewed to determine which user account may have maliciously modified other user accounts to attempt to exploit this vulnerability.

Workarounds for Winlogon Vulnerability - CAN-2003-0806:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

  • Reduce the number of users that have account modification permissions.

    To exploit this vulnerability an attacker requires the ability to modify user objects in the domain. Some organizations add user accounts to the Administrators or Account Operators groups unnecessarily. For example, if a Helpdesk representative only requires the ability to reset user passwords, the administrator should directly delegate that permission without adding the representative to the Account Operator group. Reducing the number of user accounts in administrative groups helps block known attack vectors. Only trusted employees should be members of administrative groups. For more information about domain best practices, visit the following Web site.

FAQ for Winlogon Vulnerability - CAN-2003-0806:

What is the scope of the vulnerability?

This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

What causes the vulnerability?

Winlogon reads a value from the domain but does not check the size of this value before inserting it into the allocated buffer.

What is winlogon?

The Windows logon process (Winlogon) is the component of the Windows operating system that provides interactive logon support. Winlogon.exe is the process that manages security-related user interactions in Windows. It handles logon and logoff requests, locking or unlocking the system, changing the password, and other requests. It reads data from the domain during the logon process and uses this data to configure a user’s environment. For more information about Winlogon, visit the MSDN Library Web site.

What is a domain?

A domain can be used to store information about virtually any network object such as printers, file share locations, and personal information. For more information about creating domains using Windows 2000 Server or Windows Server 2003, visit the following Web site.

What could this vulnerability enable an attacker to do?

An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

Who could exploit the vulnerability?

An attacker would require permission to modify user objects in a domain to attempt to exploit this vulnerability. Typically, only members of the Administrators or Account Operators groups would have this permission. However, this permission may have been delegated to other user accounts in the domain. User accounts that do not have this permission or anonymous users could not exploit this vulnerability.

How could an attacker exploit this vulnerability?

An attacker could specially modify a value stored in the domain to include malicious data. When this value is passed to an unchecked buffer in Winlogon during the logon process, Winlogon could allow malicious code to be executed.

What systems are primarily at risk from the vulnerability?

Only Windows NT 4.0, Windows 2000, and Windows XP systems that are members of a domain are affected by this vulnerability.

What does the update do?

This update removes the vulnerability by modifying the way the Winlogon process validates the length of a value before passing it to the allocated buffer.

Metafile Vulnerability - CAN-2003-0906:

A buffer overrun vulnerability exists in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats that could allow remote code execution on an affected system. Any program that renders WMF or EMF images on the affected systems could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Mitigating Factors for Metafile Vulnerability - CAN-2003-0906:

  • The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file or to view a directory that contains the specially crafted image. There is no way for an attacker to force a user to open a malicious file.
  • In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
  • An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.
  • Windows Server 2003 is not affected by this vulnerability.

Workarounds for Metafile Vulnerability - CAN-2003-0906:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

  • Read e-mail messages in plain text format if you are using Outlook 2002 or later, or Outlook Express 6 SP1 or later, to help protect yourself from the HTML e-mail attack vector.

    Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or later and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 can enable this setting and view all non-digitally signed e-mail messages or non-encrypted e-mail messages in plain text only.

    Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about enabling this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.

    For information about this setting in Outlook Express 6, see Microsoft Knowledge Base Article 291387.

    Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. In addition:

    • The changes are applied to the preview pane and open messages.
    • Pictures become attachments so they are not lost.
    • Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.

FAQ for Metafile Vulnerability - CAN-2003-0906:

What is the scope of the vulnerability?

This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

What causes the vulnerability?

An unchecked buffer in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats.

What are Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats?

A WMF image is a 16-bit metafile format that can contain both vector information and bitmap information. It is optimized for the Windows operating system.

An EMF image is a 32-bit format that can contain both vector information and bitmap information. This format is an improvement over the Windows Metafile Format and contains extended features.

For more information about image types and formats, see Microsoft Knowledge Base Article 320314. Additional information about these file formats is also available at the MSDN Library Web Site.

What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

How could an attacker exploit this vulnerability?

Any program that renders the affected image types could be vulnerable to this attack. Here are some examples:

  • An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer 6 and then persuade a user to view the Web site.
  • An attacker could also create an HTML e-mail message that has a specially crafted image attached. The specially crafted image could be designed to exploit this vulnerability through Outlook 2002 or Outlook Express 6. An attacker could persuade the user to view the HTML e-mail message.
  • An attacker could embed a specially crafted image in an Office document and then persuade the user to view the document.
  • An attacker could add a specially crafted image to the local file system or onto a network share and then persuade the user to preview the directory using Windows Explorer in Windows XP.

What systems are primarily at risk from the vulnerability?

The vulnerability could only be exploited on the affected systems by an attacker who persuaded a user to open a specially crafted file or view a directory that contains the specially crafted image. There is no way for an attacker to force a user to open a malicious file.

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

What does the update do?

The update removes the vulnerability by modifying the way that Windows validates the affected image types.

Help and Support Center Vulnerability - CAN-2003-0907:

A remote code execution vulnerability exists in the Help and Support Center because of the way that it handles HCP URL validation. An attacker could exploit the vulnerability by constructing a malicious HCP URL that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Mitigating Factors for Help and Support Center Vulnerability - CAN-2003-0907:

  • In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

  • By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. The Restricted sites zone helps reduce attacks that could attempt to exploit this vulnerability.

    The risk of attack from the HTML e-mail vector can be significantly reduced if you meet all of the following conditions:

    • Apply the update that is included with Microsoft Security Bulletin MS03-040 or a later Cumulative Security Update for Internet Explorer.
    • Use Internet Explorer 6 or later.
    • Use the Microsoft Outlook E-mail Security Update, use Microsoft Outlook Express 6 or later, or use Microsoft Outlook 2000 Service Pack 2 or later in its default configuration.
  • An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

  • Windows NT 4.0 and Windows 2000 are not affected by this vulnerability.

Workarounds for Help and Support Center Vulnerability - CAN-2003-0907:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

  • Unregister the HCP Protocol.

    To help prevent an attack, unregister the HCP Protocol by deleting the following key from the registry: HKEY_CLASSES_ROOT\HCP. To do so, follow these steps:

    1. Click Start, and then click Run.

    2. Type regedit, and then click OK.

      The registry editor program launches.

    3. Expand HKEY_CLASSES_ROOT, and then highlight the HCP key.

    4. Right-click on the HCP key, and then click Delete.

    Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

    Impact of Workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work.

  • Install Outlook E-mail Security Update if you are using Outlook 2000 SP1 or earlier.

    By default, Outlook Express 6, Outlook 2002 and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed.

    Customers who use any of these products could be at a reduced risk from an e-mail-borne attack that tries to exploit this vulnerability unless the user clicks a malicious link in the e-mail message.

  • Read e-mail messages in plain text format if you are using Outlook 2002 or later, or Outlook Express 6 SP1 or later, to help protect yourself from the HTML e-mail attack vector.

    Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or later and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 can enable this setting and view all non-digitally signed e-mail messages or non-encrypted e-mail messages in plain text only.

    Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about enabling this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.

    For information about this setting in Outlook Express 6, see Microsoft Knowledge Base Article 291387.

    Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. In addition:

    • The changes are applied to the preview pane and open messages.
    • Pictures become attachments so they are not lost.
    • Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.

FAQ for Help and Support Center Vulnerability - CAN-2003-0907:

What is the scope of the vulnerability?

This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could gain complete control over an affected system. An attacker could take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts that have full privileges.

What causes the vulnerability?

The process used by the Help and Support Center to validate data inputs.

What is the Help and Support Center?

Help and Support Center (HSC) is a feature in Windows that provides help on a variety of topics. For example, HSC can teach users about Windows features, how to download and install software updates, how to determine whether a particular hardware device is compatible with Windows, and how to receive help from Microsoft. Users and programs can use URL links to Help and Support Center by using the "hcp://" prefix in a URL link instead of “https://”.

What is the HCP protocol?

Similar to the way that the HTTP protocol can use execute URL links to open a Web browser, the HCP protocol can execute URL links to open the Help and Support Center feature.

What is wrong with the Help and Support Center?

An error in input validation occurs.

What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

How could an attacker exploit this vulnerability?

To exploit this vulnerability, an attacker would have to host a malicious Web site and then persuade a user to view that Web site. An attacker could also create an HTML e-mail message that has a specially crafted link, and then persuade a user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, an Internet Explorer window could open with an HCP URL of the attacker's choice, which could then allow arbitrary code execution.

What systems are primarily at risk from the vulnerability?

Windows XP and Windows Server 2003 contain the affected version of Help and Support Center. Windows NT 4.0 and Windows 2000 are not affected because they do not contain the Help and Support Center.

I am running Internet Explorer on Windows Server 2003. Does Windows Server 2003 mitigate this vulnerability?

No. By default Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as the Internet Explorer Enhanced Security Configuration. However, the HCP protocol is allowed to access the Help and Support Center by default. Therefore, Windows Server 2003 is vulnerable. For more information about Internet Explorer Enhanced Security Configuration, visit the following Web site.

What does the update do?

This update removes the vulnerability by modifying the validation of data passed to the Help and Support Center.

Utility Manager Vulnerability - CAN-2003-0908:

A privilege elevation vulnerability exists in the way that Utility Manager launches applications. A logged-on user could force Utility Manager to start an application with system privileges and take complete control of the system.

Mitigating Factors for Utility Manager Vulnerability - CAN-2003-0908:

  • An attacker must have valid logon credentials to exploit the vulnerability. The vulnerability could not be exploited by anonymous users.
  • Windows NT 4.0, Windows XP, and Windows Server 2003 are not affected by this vulnerability. Windows NT 4.0 does not implement the Utility Manager.
  • The Windows 2000 Hardening Guide recommends disabling the Utility Manger service. Environments that comply with these guidelines could be at a reduced risk from this vulnerability.

Workarounds for Utility Manager Vulnerability - CAN-2003-0908:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

  • Use Group Policies to disable the Utility Manager on all affected systems that do not require this feature.

    Because the Utility Manager is a possible attack vector, disable it using Group Policies. The Utility Manager process name is Utilman.exe. The following guide provides information about how to require users to run only approved applications using Group Policies.

    Note You may also review the Windows 2000 Hardening Guide. This guide includes information about how to disable the Utility Manager.

    Impact of Workaround:

    The Utility Manager provides easy access to many of the accessibility features of the operating system. This access would be unavailable until the restrictions are removed. To find information about how to manually start many of the accessibility features, visit this Web site.

FAQ for Utility Manager Vulnerability - CAN-2003-0908:

What is the scope of the vulnerability?

This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

What causes the vulnerability?

The process used by Utility Manager to launch applications. It is possible that Utility Manager could launch applications with system privileges.

What is Utility Manager?

Utility Manager is an accessibility utility that allows users to check the status of accessibility programs such as Microsoft Magnifier, Narrator, or On-Screen Keyboard, and to start or stop them.

What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

Who could exploit the vulnerability?

An attacker must be able to log on to the system and then, after starting Utility Manager, run a program that sends a specially crafted message to Utility Manager to attempt to exploit the vulnerability.

How could an attacker exploit this vulnerability?

To exploit this vulnerability, an attacker would first have to start Utility Manager on Windows 2000 and then run a specially designed application that could exploit the vulnerability. In default configurations of Window 2000, Utility Manager is installed but is not running. This vulnerability could allow an attacker to gain complete control over a Windows 2000 system.

What systems are primarily at risk from the vulnerability?

Only Windows 2000 is affected by this vulnerability. Workstations and terminal servers that are based on Windows 2000 are primarily at risk. Servers are only at risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.

I am using Windows 2000, but I am not using Utility Manager or any of the accessibility features. Am I still vulnerable?

Yes. By default, Utility Manager is installed and enabled. However, Utility Manager is not running by default.

Could the vulnerability be exploited over the Internet?

No. An attacker must be able to log on to the specific system targeted for attack. An attacker cannot load and run a program remotely using this vulnerability.

What does the update do?

This update removes the vulnerability by modifying the way that Utility Manager launches applications.

Windows Management Vulnerability - CAN-2003-0909

A privilege elevation vulnerability exists in the way that Windows XP allows tasks to be created. Under special conditions, a non-privileged user could create a task that could execute with system permissions and therefore take complete control of the system.

Mitigating Factors for Windows Management Vulnerability - CAN-2003-0909:

  • An attacker must have valid logon credentials to exploit the vulnerability. The vulnerability could not be exploited by an anonymous user.
  • Windows NT 4.0, Windows 2000, and Windows Server 2003 are not affected by this vulnerability.

Workarounds for Windows Management Vulnerability - CAN-2003-0909:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

Delete the affected Windows Management Interface Provider.

An administrator with local administrative permissions can delete the affected Windows Management Interface (WMI) Provider by inserting the following script into a text file that has a ‘.vbs’ file name extension and then running it.

To delete the affected WMI Provider:

set osvc = getobject("winmgmts:root\cimv2")set otrigger = osvc.get("__win32provider='cmdtriggerconsumer'")otrigger.delete_

The installation of the update automatically re-registers the affected WMI Provider that is referenced above. You do not have to take any additional steps to restore the system to typical functionality after the update has been applied.

Impact of Workaround: Tasks that are created as event-based triggers will not function while this provider is not registered. For more information about event-based triggers, visit the following Web site.

Note In rare cases, Windows XP could re-register this WMI Provider. For example, if Windows XP detects that the WMI repository has become corrupted, it could try to re-register the affected WMI Provider.

FAQ for Windows Management Vulnerability - CAN-2003-0909:

What is the scope of the vulnerability?

This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

What causes the vulnerability?

Under special conditions, a non-privileged user of Microsoft Windows XP could create a task that could execute with system permissions.

What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

How could an attacker exploit this vulnerability?

To exploit the vulnerability, an attacker must be able to log on to the system and create a task. Because an attacker must have valid logon credentials to exploit the vulnerability, remote systems are not at risk.

What systems are primarily at risk from the vulnerability?

Only Windows XP is affected by this vulnerability.

What does the update do?

The update removes the vulnerability by preventing users from creating tasks at an elevated level of privilege.

Does this update contain any other behavioral changes?

Yes. This update also includes several changes in functionality, documented below:

  • Before this update, a user could sometimes create event-based triggers by using the Eventtriggers.exe command-line tool without having to supply a user name and password. After this update has been installed, a user may have to supply a valid user name and password to create event-based-triggers using Eventttrigers.exe. For detailed information about the Eventtriggers.exe command-line options, visit the following Web site.
  • Previously, administrators could create event-based triggers with the Task Scheduler service stopped or disabled. Now, the Task Scheduler service must be running. For more information about Task Scheduler, visit the following Web site.
  • A new limit of 1,000 triggers has also been established as part of this update. Existing event-based triggers over this limit will continue to function after the update has been installed. However, no additional event-based triggers may be created.
  • Permissions have been strengthened on event-based triggers that are created after the update has been installed.

Local Descriptor Table Vulnerability - CAN-2003-0910

A privilege elevation vulnerability exists in a programming interface that is used to create entries in the Local Descriptor Table (LDT). These entries contain information about segments of memory. An attacker who is logged on locally, could create a malicious entry and thereby gain access to protected memory, could take complete control of the system.

Mitigating Factors for Local Descriptor Table Vulnerability - CAN-2003-0910:

  • An attacker must have valid logon credentials and be able to logon locally to exploit this vulnerability. It could not be exploited remotely.
  • Windows XP and Windows Server 2003 are not affected by this vulnerability.

Workarounds for Local Descriptor Table Vulnerability - CAN-2003-0910:

None.

FAQ for Local Descriptor Table Vulnerability - CAN-2003-0910:

What is the scope of the vulnerability?

This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

What causes the vulnerability?

The programming interface that is used to create entries in the LDT. These entries contain information about segments of memory. An attacker could create a malicious entry to gain access to protected kernel memory.

What is the Local Descriptor Table?

The Local Descriptor Table (LDT) contains entries called descriptors. These descriptors contain information that defines a particular segment of memory.

What is wrong with the way that a descriptor entry can be created in the LDT?

The programming interface should not allow programs to create descriptor entries in the LDT that point to areas of protected memory.

What might an attacker use the vulnerability to do?

An attacker who successfully exploited the vulnerability could take complete control of the affected system. An attacker could take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts that have full privileges.

Who could exploit the vulnerability?

An attacker must be able to log on locally to the system and run a program to exploit this vulnerability.

How could an attacker exploit this vulnerability?

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially designed program that could exploit the vulnerability and potentially gain complete control over the affected system.

What systems are primarily at risk from the vulnerability?

Workstations and terminal servers are primarily at risk. Servers are only at risk if users who do not have sufficient administrative credentials are given the ability to log on and to run programs. However, best practices strongly discourage allowing this.

Could the vulnerability be exploited over the Internet?

No. An attacker must be able to log on to the specific system targeted for attack. An attacker cannot load and run a program remotely using this vulnerability.

What does the update do?

The update removes the vulnerability by modifying the way descriptors entries are created in the LDT.

H.323 Vulnerability - CAN-2004-0117

A remote code execution vulnerability exists in the way the Microsoft H.323 protocol implementation handles malformed requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Mitigating Factors for H.323 Vulnerability - CAN-2004-0117:

  • In the most common scenarios, NetMeeting (which uses H.323) must be running to become vulnerable.
  • In the most common scenarios, systems that use Internet Connection Firewall (ICF) and that do not run any H.323-based applications are not vulnerable.
  • Windows NT 4.0 is not affected by this vulnerability unless the stand-alone version of NetMeeting has been manually installed by an administrator.

Workarounds for H.323 Vulnerability - CAN-2004-0117:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

  • Block ports TCP 1720 and TCP 1503 both inbound and outbound at the firewall.

    Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. Microsoft recommends blocking all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.

    Impact of Workaround:

    If inbound and outbound TCP ports 1503 and 1720 are blocked, users will not be able to connect to the Internet Locator Service (ILS) or to other NetMeeting clients.

FAQ for H.323 Vulnerability - CAN-2004-0117:

What is the scope of the vulnerability?

This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

What causes the vulnerability?

Unchecked buffers in Microsoft’s H.323 implementation.

What is H.323?

H.323 is an ITU standard that specifies how PCs, equipment, and services for multimedia communicate over networks that do not provide a guaranteed level of service, such as the Internet. H.323 terminals and equipment can carry real-time video, voice, data, or any combination of these elements. Products that use H.323 for audio and video let users connect and communicate with other people over the Internet, just as people using different makes and models of telephones can communicate using the telephone.

What affected applications use the H.323 protocol?

The H.323 protocol is implemented in a number of Microsoft applications and operating system components. This issue may affect systems that have one or more of the following services or applications running:

  • Telephony Application Programming Interface (TAPI)-based applications
  • NetMeeting
  • Internet Connection Firewall (ICF)
  • Internet Connection Sharing
  • The Microsoft Routing and Remote Access service

What is TAPI?

Windows Telephony Applications Programming Interface (TAPI) is a part of the Windows Open System Architecture. By using TAPI, developers can create telephony applications. TAPI is an open industry standard, defined with significant and ongoing input from the worldwide telephony and computing community. Because TAPI is hardware-independent, compatible applications can run on a variety of PC and telephony hardware and can support a variety of network services. TAPI implements the H.323 protocol. Applications that use TAPI could be vulnerable to the issue that is described in this bulletin.

Are any TAPI-based H.323 applications installed by default on any of the affected systems?

Microsoft Phone Dialer is the only H.323 TAPI-based application that is installed by default on Windows 2000 and Windows XP. Third-party applications could enable and use the H.323 functionality in TAPI.

Note Microsoft Phone Dialer is not included in Windows Server 2003.

What is NetMeeting?

NetMeeting delivers a complete Internet and enterprise conferencing solution for all users of Windows, with multipoint data conferencing, text chat, whiteboard, and file transfer, and point-to-point audio and video. NetMeeting implements the H.323 protocol and is installed by default, but is not running by default, on all affected systems.

If I am running NetMeeting but I am not running Internet Connection Sharing, ICF, or the Routing and Remote Access service. Am I vulnerable?

Yes. When you are running NetMeeting, you are vulnerable to this issue.

If I am running NetMeeting but I am not connected to an ILS server or in a peer-to-peer NetMeeting session, am I vulnerable?

Yes, unless TCP ports 1720 and 1503 are blocked on the system.

If I have never installed the stand-alone version of NetMeeting, am I vulnerable?

NetMeeting was included as part of Windows 2000, Windows XP, and Windows Server 2003. This update addresses the versions of NetMeeting that were included with these operating systems. NetMeeting is also available as a stand-alone download for other operating systems and as part of other applications, which could also be vulnerable to this issue. If you have installed the stand-alone version of NetMeeting, install an updated version that addresses this vulnerability. To download the updated version, visit the following Web site. The updated version that addresses this vulnerability is Version 3.01 (4.4.3399).

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by this vulnerability?

No. Although these operating systems may contain NetMeeting, the vulnerability is not critical on these operating systems. As a method of addressing this vulnerability, you can download and install the stand-alone version of NetMeeting for these operating systems from the following Web site. For more information about severity ratings, visit the following Web site.

What is Internet Connection Firewall?

Internet Connection Firewall (ICF) provides basic intrusion-prevention functionality to systems that run either Windows XP or Windows Server 2003. It is designed for systems that are directly connected to a public network or systems that are part of a home network when used with Internet Connection Sharing.

If I am running only Internet Connection Firewall on Windows XP or on Windows Server 2003, am I vulnerable?

No, not automatically. However, if you use NetMeeting, even with ICF running, you could be vulnerable to this issue. NetMeeting opens ports in ICF that could expose this vulnerability.

Manually opening TCP ports 1720 and 1503 could also expose this vulnerability. Third-party applications may also cause ICF to open ports in response to H.323 communication.

What is Internet Connection Sharing?

By using Internet Connection Sharing users can connect one system to the Internet and share Internet service with several other systems on a home or small office network. The Network Setup Wizard in Windows XP automatically provides all the network settings that are necessary to share one Internet connection with all the systems in a network. Each system can use programs such as Internet Explorer and Outlook Express as if the system were directly connected to the Internet.

Internet Connection Sharing is a feature of Windows 2000, Windows XP, and Windows Server 2003 but is not enabled by default on any of the affected systems.

If I have enabled Internet Connection Sharing, but I have not enabled Internet Connection Firewall, am I vulnerable?

Yes, Internet Connection Sharing enables the ports that could allow a system to become vulnerable to this issue.

If ICF and Internet Connection Sharing are running, this attack could not occur unless the user was also using NetMeeting, or had manually opened port 1503 or port 1720.

What is the Microsoft Routing and Remote Access service?

The Microsoft Routing and Remote Access service makes it possible for a system that is running Windows 2000 Server or the Windows Server 2003 to function as a network router. Remote access allows users who have remote systems to create a logical connection to an organization’s network or to the Internet. The Microsoft Routing and Remote Access service supports H.323 requests that are routed either to or from a network.

If I am running the Microsoft Routing and Remote Access service on Windows 2000, am I vulnerable?

Yes. By default, Windows 2000 uses the Microsoft Routing and Remote Access service with Network Address Translation (NAT) functionality, which exposes the vulnerability. However, an administrator can disable the H.323 functionality by using the netsh command. Detailed steps are outlined in Microsoft Knowledge Base Article 838834.

Note If a system is configured to run another Microsoft Routing and Remote Access service without NAT (for example, Virtual Private Network, OSPF, or Routing Information Protocol), it would not be affected by this vulnerability.

If I am running the Microsoft Routing and Remote Access service on Windows Server 2003, am I vulnerable?

No. By default, Windows Server 2003 Routing and Remote Access service does not enable the H.323 functionality. However, an administrator could enable the H.323 functionality and then expose the system to this vulnerability.

What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

Who could exploit the vulnerability?

Any anonymous user who could deliver a specially crafted H.323 request to any of the above affected systems.

How could an attacker exploit this vulnerability?

An attacker could attempt to exploit the vulnerability by locating users running NetMeeting, an H.323-based TAPI program, or both.

An attacker could also attempt to exploit the vulnerability through Internet Connection Sharing by remotely executing code on systems that have Internet Connection Sharing enabled. If ICF and Internet Connection sharing are running, this attack would not be possible unless the user was also using NetMeeting.

What systems are primarily at risk from the vulnerability?

Systems that are running NetMeeting or that are running an H.323-based program.

What does the update do?

The update modifies the way that the affected systems process the specially crafted H.323 requests.

Virtual DOS Machine Vulnerability - CAN-2004-0118:

A privilege elevation vulnerability exists in the operating system component that handles the Virtual DOS Machine (VDM) subsystem. This vulnerability could allow a logged on user to take complete control of the system.

Mitigating Factors for Virtual DOS Machine Vulnerability - CAN-2004-0118:

  • An attacker must have valid logon credentials and be able to logon locally to exploit this vulnerability. It could not be exploited remotely.
  • Windows XP and Windows Server 2003 are not affected by this vulnerability.

Workarounds for Virtual DOS Machine Vulnerability - CAN-2004-0118:

None.

FAQ for Virtual DOS Machine Vulnerability - CAN-2004-0118:

What is the scope of the vulnerability?

This is a privilege evaluation vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. To exploit the vulnerability, an attacker must be able to log on locally to the system and run a program.

What causes the vulnerability?

The operating system component that handles the VDM subsystem could be used to gain access to protected kernel memory. In certain circumstances, some privileged operating system functions might not validate system structures and could allow an attacker to execute malicious code with system privileges.

What is the Virtual DOS Machine subsystem?

A Virtual DOS Machine (VDM) is a environment that emulates MS-DOS and DOS-based Windows in Windows NT-based operating systems. A VDM is created whenever a user starts an MS-DOS application on a Windows NT-based operating system.

What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

Who could exploit the vulnerability?

To exploit the vulnerability, an attacker must be able to log on locally to a system and run a program.

How could an attacker exploit this vulnerability?

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially-designed application that could exploit the vulnerability, and thereby gain complete control over the affected system.

What systems are primarily at risk from the vulnerability?

Workstations and terminal servers are primarily at risk. Servers are only at risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.

Could the vulnerability be exploited over the Internet?

No. An attacker must be able to log on to the specific system targeted for attack. An attacker cannot load and run a program remotely by using this vulnerability.

What does the update do?

This update modifies the way that Windows validates data when referencing memory locations that are allocated to a VDM.

Negotiate SSP Vulnerability - CAN-2004-0119

A buffer overrun vulnerability exists in the Negotiate Security Software Provider (SSP) interface that could allow remote code execution. This vulnerability exists because of the way the Negotiate SSP interface validates a value that is used during authentication protocol selection. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Mitigating Factors for Negotiate SSP Vulnerability - CAN-2004-0119:

  • In the most common scenarios, this vulnerability is a denial of service vulnerability.
  • The Negotiate SSP interface is also enabled by default in Internet Information Services (IIS). However, only Windows 2000 (IIS 5.0) and Windows Server 2003 Web Server Edition (IIS 6.0) install Internet Information Services (IIS) by default.
  • Windows NT 4.0 is not affected by this vulnerability.

Workarounds for Negotiate SSP Vulnerability - CAN-2004-0119:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

  • Workarounds for the Internet Information Services Attack Vector
    • Disable Integrated Windows Authentication

      Administrators can help reduce the risk of attack through Internet Information Services by disabling Integrated Windows Authentication. Information about how to enable or disable this option is available at the following Web site.

      Impact of Workaround: Any IIS-based applications that require Windows NT Challenge/Response authentication (NTLM) or Kerberos authentication will no longer function correctly.

    • Disable the Negotiate SSP

      Administrators can disable just the Negotiate SSP (which keeps NTLM enabled) by following the instructions in Microsoft Knowledge Base Article 215383, which is summarized below:

      To disable Negotiate (and therefore prevent Kerberos authentication), use the following command . Notice that “NTLM” must be uppercase to avoid any adverse effects):

      cscript adsutil.vbs set w3svc/NTAuthenticationProviders “NTLM”

      Impact of Workaround: Any IIS-based applications that require Kerberos authentication will no longer function correctly.

FAQ for Negotiate SSP Vulnerability - CAN-2004-0119:

What is the scope of the vulnerability?

This is a buffer overrun vulnerability. However, it is most likely a denial of service vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

What causes the vulnerability?

An unchecked buffer in the Negotiate SSP interface.

What is the Negotiate Security Support Provided Interface?

Because Windows supports many different types of authentication, the authentication method used when a client connects to a server must be negotiated. The Negotiate SSP Interface is the operating system component that provides this functionality. It is based on the Simple and Protected GSS-API Negotiate Mechanism (SPNEGO) that is defined in RFC 2478. For more information about Windows authentication methods, visit the following Web site.

Why is Internet Information Services affected?

The Negotiate SSP Interface is also enabled by default in Internet Information Services (IIS) so that IIS can use authentication protocols such as NTLM or Kerberos to provide secure access to resources. For more information about the methods of authentication supported by IIS, visit the following Web site.

What might an attacker use the vulnerability to do?

Although it is most likely that only a denial of service would result, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. If an attacker caused the affected system to become unresponsive, an administrator could restore normal functionality by restarting the affected system. However, the system could remain susceptible to a new denial of service attack until the update was applied.

Who could exploit the vulnerability?

Any anonymous user who could deliver a specially crafted message to an affected system could attempt to exploit this vulnerability. Because this feature is enabled by default on all affected systems, any user who could establish a connection with an affected system could attempt to exploit this vulnerability.

How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by creating a specially crafted network message and sending the message to the affected system.

An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely).

What systems are primarily at risk from the vulnerability?

All affected systems could be vulnerable to this issue by default. Furthermore, by default, systems that are running Internet Information Services 5.0, Internet Information Services 5.1, and Internet Information Services 6.0 are also vulnerable to this issue through any listening port.

What does the update do?

The update removes the vulnerability by modifying the way that the Negotiate SSP Interface validates the length of a message before passing the message to the allocated buffer.

SSL Vulnerability - CAN-2004-0120:

A denial of service vulnerability exists in the Microsoft Secure Sockets Layer (SSL) library. The vulnerability results from the way that the Microsoft SSL library handles malformed SSL messages. This vulnerability could cause the affected system to stop accepting SSL connections on Windows 2000 and Windows XP. On Windows Server 2003, the vulnerability could cause the affected system to automatically restart.

Mitigating Factors for SSL Vulnerability - CAN-2004-0120:

  • Only systems that have enabled SSL are affected, typically only server systems. SSL support is not enabled by default on any of the affected systems. However, SSL is generally used on Web servers to support electronic commerce programs, online banking, and other programs that require secure communications.
  • Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
  • Windows NT 4.0 is not affected by this vulnerability.

Workarounds for SSL Vulnerability - CAN-2004-0120:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

  • Block ports 443 and 636 at the firewall

    Port 443 is used to receive SSL traffic. Port 636 is used for LDAP SSL connections (LDAPS). Blocking them at the firewall will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. Other ports may be found that could be used to exploit this vulnerability. However, the ports listed here are the most common attack vectors. Microsoft recommends blocking all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.

    Impact of Workaround: If ports 443 or 636 are blocked, the affected systems can no longer accept external connections using SSL or LDAPS.

FAQ for SSL Vulnerability - CAN-2004-0120:

What is the scope of the vulnerability?

A denial of service vulnerability in the Microsoft Secure Sockets Layer (SSL) library affects how it handles specially crafted SSL messages. This vulnerability could cause the affected system to stop accepting SSL connections in Windows 2000 and in Windows XP. The vulnerability in Windows Server 2003 could cause the affected system to automatically restart.

Note that the denial of service vulnerability would not allow attackers to execute code or elevate their privileges, but it could cause the affected system to stop accepting requests.

What causes the vulnerability?

The process used by the SSL Library to check message inputs.

What is the Microsoft Secure Sockets Layer library?

The Microsoft Secure Sockets Layer library contains support for a number of secure communication protocols. These include Transport Layer Security 1.0 (TLS 1.0), Secure Sockets Layer 3.0 (SSL 3.0), the older and seldom-used Secure Sockets Layer 2.0 (SSL 2.0), and Private Communication Technology 1.0 (PCT 1.0) protocol.

These protocols provide an encrypted connection between a server and a client system. SSL can help protect information when users connect across public networks such as the Internet. SSL support requires an SSL certificate, which must be installed on a server. For more information about SSL, see Microsoft Knowledge Base Article 245152.

What might an attacker use the vulnerability to do?

In Windows 2000 and Windows XP, an attacker who successfully exploited this vulnerability could cause an affected system to stop accepting SSL connections. In Windows Server 2003, an attacker could cause the affected system to automatically restart. During that time, the affected system would not be able to respond to authentication requests. After restart, the affected system would be restored to typical functionality. However, it would still be susceptible to a new denial of service attack unless the update is applied.

If an attacker exploits this vulnerability, a system error event may be recorded. The event ID 5000 may be recorded in the System event log, with the SymbolicName value of "SPMEVENT_PACKAGE_FAULT" and the following description:

"The security package NAME generated an exception", Where NAME contains the value of "Schannel" or "Microsoft Unified Security Protocol Provider."

Who could exploit the vulnerability?

Any anonymous user who could deliver a specially crafted SSL message to an affected system could attempt to exploit this vulnerability.

How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by creating a program that could communicate with a vulnerable server through an SSL-enabled service to send a specific kind of specially crafted TCP message. Receipt of such a message could cause the vulnerable system to fail in such a way that it could cause a denial of service.

An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely).

What systems are primarily at risk from the vulnerability?

All systems that have SSL enabled are vulnerable. Although SSL is generally associated with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely to be vulnerable. This includes but is not limited to Internet Information Services 4.0, Internet Information Services 5.0, Internet Information Services 5.1, Exchange Server 5.5, Exchange Server 2000, Exchange Server 2003, Analysis Services 2000 (included with SQL Server 2000), and any third-party programs that use SSL.

Windows 2000 domain controllers that are installed in an Active Directory domain that also has an Enterprise Root certification authority installed are affected by this vulnerability because they automatically listen for secure SSL connections.

What does the update do?

The update removes the vulnerability by modifying the handling of specially crafted SSL messages.

ASN.1 “Double Free” Vulnerability - CAN-2004-0123

A remote code execution vulnerability exists in the Microsoft ASN.1 Library. The vulnerability is caused by a possible "double-free" condition in the Microsoft ASN.1 Library that could lead to memory corruption on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, under the most likely attack scenario this issue is a denial of service vulnerability.

Mitigating Factors for ASN.1 “Double Free” Vulnerability - CAN-2004-0123:

  • Because of the unique layout of the memory structures on each affected system, exploiting this vulnerability on a mass scale could potentially be difficult.

Workarounds for ASN.1 “Double Free” Vulnerability - CAN-2004-0123:

None.

FAQ for ASN.1 “Double Free” Vulnerability - CAN-2004-0123:

What is the scope of the vulnerability?

While potentially a remote code execution vulnerability, this is most likely a denial of service vulnerability. However, an attacker who successfully exploited this vulnerability to allow code execution could gain complete control over an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

What causes the vulnerability?

A potential "double-free" condition exists that could lead to memory corruption in the Microsoft ASN.1 Library.

What is a “double free” condition?

An attacker could cause an affected system, while processing a specially crafted message, to try to release or “free” memory that may have been set aside for use multiple times. Releasing memory that has already been freed could lead to memory corruption. An attacker could add arbitrary code to memory that is then executed when the corruption occurs. This code could then be executed at a system level of privilege.

Typically, this vulnerability will cause a denial of service to occur. However, on a limited basis, code execution could occur. Because of the unique layout of the memory on each affected system, exploiting this vulnerability on a mass scale could potentially be difficult.

What is ASN.1?

Abstract Syntax Notation 1 (ASN.1) is a language that is used to define standards. It is used by many applications and devices in the technology industry to allow data exchange across various platforms. ASN.1 has no direct relationship to any specific standard, encoding method, programming language, or hardware platform. For more information about ASN.1, see Microsoft Knowledge Base Article 252648.

What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability to allow code execution could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

In the most likely scenario, an attacker could cause a denial of service condition. An administrator could restart the affected system to restore typical functionality.

How could an attacker exploit this vulnerability?

Because ASN.1 is a standard for many applications and devices, there are many potential attack vectors. To successfully exploit this vulnerability, an attacker must force a system to decode specially crafted ASN.1 data. For example, by using authentication protocols that are based on ASN.1, an attacker could construct a specially crafted authentication request that could expose this vulnerability.

What systems are primarily at risk from this vulnerability?

Server systems are at greater risk than client systems because they are more likely to have a server process running that decodes ASN.1 data.

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by this vulnerability?

No. Although Windows Millennium Edition does contain the affected component, the vulnerability is not critical. For more information on severity ratings, visit the following Web site.

What does the update do?

The update removes the vulnerability by modifying the handling of specially crafted data by the ASN.1 Library.

How does this vulnerability relate to the vulnerability corrected by MS04-007?

Both vulnerabilities were in the ASN.1 component. However, this update corrects a newly reported vulnerability that was not addressed as part of MS04-007. MS04-007 fully protects against the vulnerabilities discussed in that bulletin, but this update includes all the updates provided in MS04-007 and replaces it. If you install this update, you do not need to install MS04-007.

Security Update Information

Installation Platforms and Prerequisites:

For information about the specific security update for your platform, click the appropriate link:

Windows Server 2003 (all versions)

Prerequisites This security update requires a released version of Windows Server 2003.

Inclusion in Future Service Packs: The update for this issue will be included in Windows Server 2003 Service Pack 1.

Installation Information

This security update supports the following setup switches:

/help                 Displays the command line options

Setup Modes

/quiet            Use Quiet mode (no user interaction or display)

/passive            Unattended mode (progress bar only)

/uninstall          Uninstalls the package

Restart Options

/norestart          Do not restart when installation is complete

/forcerestart      Restart after installation

Special Options

/l           Lists installed Windows hotfixes or update packages

/o          Overwrite OEM files without prompting

/n          Do not backup files needed for uninstall

/f           Force other programs to close when the computer shuts down

Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that are used by the previous version of the Setup utility. For more information about the supported installation switches, view Microsoft Knowledge Base Article 262841.

Deployment Information

To install the security update without any user intervention, use the following command at a command prompt for Windows Server 2003:

Windowsserver2003-kb835732-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use the following command at a command prompt for Windows Server 2003:

Windowsserver2003-kb835732-x86-enu /norestart

For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.

Restart Requirement

You must restart your system after you apply this security update.

Removal Information

To remove this update, use the Add or Remove Programs tool in Control Panel.

System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB835732$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, and Windows Server 2003 Datacenter Edition:

Date Time Version Size File name Platform Folder
-----------------------------------------------------------------------------
16-Mar-2004 02:00 5.2.3790.132 364,544 Callcont.dll X86 RTMGDR
16-Mar-2004 02:00 5.2.3790.121 61,440 Eventlog.dll X86 RTMGDR
16-Mar-2004 02:00 5.2.3790.132 256,000 H323.tsp X86 RTMGDR
16-Mar-2004 02:00 5.2.3790.132 601,600 H323msp.dll X86 RTMGDR
16-Mar-2004 02:00 5.2.3790.125 783,360 Helpctr.exe X86 RTMGDR
16-Mar-2004 02:00 5.2.3790.142 448,512 Ipnathlp.dll X86 RTMGDR
16-Mar-2004 02:00 5.2.3790.134 799,232 Lsasrv.dll X86 RTMGDR
16-Mar-2004 02:00 5.2.3790.139 60,928 Msasn1.dll X86 RTMGDR
16-Mar-2004 02:00 5.2.3790.132 253,952 Mst120.dll X86 RTMGDR
16-Mar-2004 02:00 5.2.3790.132 73,728 Nmcom.dll X86 RTMGDR
16-Mar-2004 02:00 5.2.3790.121 565,760 Rtcdll.dll X86 RTMGDR
16-Mar-2004 02:00 5.2.3790.132 153,088 Schannel.dll X86 RTMGDR
16-Mar-2004 02:09 5.2.3790.132 364,544 Callcont.dll X86 RTMQFE
16-Mar-2004 02:09 5.2.3790.121 64,000 Eventlog.dll X86 RTMQFE
16-Mar-2004 02:09 5.2.3790.132 256,000 H323.tsp X86 RTMQFE
16-Mar-2004 02:09 5.2.3790.132 601,600 H323msp.dll X86 RTMQFE
16-Mar-2004 02:09 5.2.3790.125 783,360 Helpctr.exe X86 RTMQFE
16-Mar-2004 02:09 5.2.3790.142 448,512 Ipnathlp.dll X86 RTMQFE
16-Mar-2004 02:09 5.2.3790.134 801,280 Lsasrv.dll X86 RTMQFE
16-Mar-2004 02:09 5.2.3790.139 60,928 Msasn1.dll X86 RTMQFE
16-Mar-2004 02:09 5.2.3790.132 253,952 Mst120.dll X86 RTMQFE
16-Mar-2004 02:09 5.2.3790.132 73,728 Nmcom.dll X86 RTMQFE
16-Mar-2004 02:09 5.2.3790.121 565,760 Rtcdll.dll X86 RTMQFE
16-Mar-2004 02:09 5.2.3790.132 153,088 Schannel.dll X86 RTMQFE

Windows Server 2003 64-Bit Enterprise Edition and Windows Server 2003 64-Bit Datacenter Edition:

Date Time Version Size File name Platform Folder
-----------------------------------------------------------------------------
16-Mar-2004 01:54 5.2.3790.121 160,768 Eventlog.dll IA64 RTMGDR
16-Mar-2004 01:54 5.2.3790.132 816,128 H323.tsp IA64 RTMGDR
16-Mar-2004 01:54 5.2.3790.132 1,874,432 H323msp.dll IA64 RTMGDR
05-Feb-2004 00:43 5.2.3790.125 2,063,360 Helpctr.exe IA64 RTMGDR
16-Mar-2004 01:54 5.2.3790.142 1,421,312 Ipnathlp.dll IA64 RTMGDR
16-Mar-2004 01:54 5.2.3790.134 2,034,176 Lsasrv.dll IA64 RTMGDR
16-Mar-2004 01:54 5.2.3790.139 160,256 Msasn1.dll IA64 RTMGDR
16-Mar-2004 01:54 5.2.3790.132 479,744 Schannel.dll IA64 RTMGDR
16-Mar-2004 02:00 5.2.3790.132 256,000 Wh323.tsp X86 RTMGDR\WOW
16-Mar-2004 02:00 5.2.3790.132 601,600 Wh323msp.dll X86 RTMGDR\WOW
16-Mar-2004 02:00 5.2.3790.142 448,512 Wipnathlp.dll X86 RTMGDR\WOW
16-Mar-2004 02:00 5.2.3790.139 60,928 Wmsasn1.dll X86 RTMGDR\WOW
16-Mar-2004 02:00 5.2.3790.132 153,088 Wschannel.dll X86 RTMGDR\WOW
16-Mar-2004 02:12 5.2.3790.121 167,424 Eventlog.dll IA64 RTMQFE
16-Mar-2004 02:12 5.2.3790.132 816,128 H323.tsp IA64 RTMQFE
16-Mar-2004 02:12 5.2.3790.132 1,874,432 H323msp.dll IA64 RTMQFE
05-Feb-2004 00:42 5.2.3790.125 2,063,360 Helpctr.exe IA64 RTMQFE
16-Mar-2004 02:12 5.2.3790.142 1,421,312 Ipnathlp.dll IA64 RTMQFE
16-Mar-2004 02:12 5.2.3790.134 2,038,272 Lsasrv.dll IA64 RTMQFE
16-Mar-2004 02:12 5.2.3790.139 160,256 Msasn1.dll IA64 RTMQFE
16-Mar-2004 02:12 5.2.3790.132 479,744 Schannel.dll IA64 RTMQFE
16-Mar-2004 02:09 5.2.3790.132 256,000 Wh323.tsp X86 RTMQFE\WOW
16-Mar-2004 02:09 5.2.3790.132 601,600 Wh323msp.dll X86 RTMQFE\WOW
16-Mar-2004 02:09 5.2.3790.142 448,512 Wipnathlp.dll X86 RTMQFE\WOW
16-Mar-2004 02:09 5.2.3790.139 60,928 Wmsasn1.dll X86 RTMQFE\WOW
16-Mar-2004 02:09 5.2.3790.132 153,088 Wschannel.dll X86 RTMQFE\WOW

Note When you install this security update on Windows Server 2003 or on Windows XP 64-Bit Edition Version 2003, the installer checks to see if any of the files that are being updated on your system have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your system. Otherwise, the installer copies the RTMGDR files to your system. For more information, see Microsoft Knowledge Base Article 824994.

Verifying Update Installation

To verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.

You may also be able to verify the files that this security update has installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB835732\Filelist

Note This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 835732 security update into the Windows installation source files.

Windows XP (all versions)

Note For Windows XP 64-Bit Edition Version 2003, this security update is the same as the Windows Server 2003 64-Bit Edition security update.

Prerequisites This security update requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For more information, see Microsoft Knowledge Base Article 322389.

The updates for these issues will be included in Windows XP Service Pack 2.

Installation Information

This security update supports the following setup switches:

/help                Displays the command line options

Setup Modes

/quiet           Use Quiet mode (no user interaction or display)

/passive            Unattended mode (progress bar only)

/uninstall          Uninstalls the package

Restart Options

/norestart          Do not restart when installation is complete

/forcerestart      Restart after installation

Special Options

/l           Lists installed Windows hotfixes or update packages

/o          Overwrite OEM files without prompting

/n          Do not backup files needed for uninstall

/f           Force other programs to close when the computer shuts down

Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that are used by the previous version of the Setup utility. For more information about the supported installation switches, view Microsoft Knowledge Base Article 262841.

Deployment Information

To install the security update without any user intervention, use the following command at a command prompt for Windows XP:

Windowsxp-kb835732-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use the following command at a command prompt for Windows XP:

Windowsxp-kb835732-x86-enu /norestart

For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.

Restart Requirement

You must restart your system after you apply this security update.

Removal Information

To remove this update, use the Add or Remove Programs tool in Control Panel.

System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB835732$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP Home Edition, Windows XP Professional, Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet PC Edition, and Windows XP Media Center Edition:

Date Time Version Size File name Folder
-----------------------------------------------------------------------
27-Mar-2004 01:01 5.1.2600.105 48,640 Browser.dll (pre-sp1)
27-Mar-2004 01:01 5.1.2600.133 364,544 Callcont.dll (pre-sp1)
27-Mar-2004 01:01 5.1.2600.136 40,960 Evtgprov.dll (pre-sp1)
27-Mar-2004 01:01 5.1.2600.132 241,664 Gdi32.dll (pre-sp1)
27-Mar-2004 01:01 5.1.2600.134 253,440 H323.tsp (pre-sp1)
27-Mar-2004 01:01 5.1.2600.134 593,408 H323msp.dll (pre-sp1)
05-Feb-2004 22:14 5.1.2600.128 727,040 Helpctr.exe (pre-sp1)
27-Mar-2004 01:01 5.1.2600.137 454,656 Ipnathlp.dll (pre-sp1)
27-Mar-2004 01:01 5.1.2600.134 648,192 Lsasrv.dll (pre-sp1)
27-Mar-2004 01:01 5.1.2600.132 36,864 Mf3216.dll (pre-sp1)
27-Mar-2004 01:01 5.1.2600.137 51,712 Msasn1.dll (pre-sp1)
27-Mar-2004 01:01 5.1.2600.128 969,216 Msgina.dll (pre-sp1)
27-Mar-2004 01:01 5.1.2600.133 253,952 Mst120.dll (pre-sp1)
27-Mar-2004 01:01 5.1.2600.122 301,568 Netapi32.dll (pre-sp1)
27-Mar-2004 01:01 5.1.2600.133 73,728 Nmcom.dll (pre-sp1)
27-Mar-2004 01:01 5.1.2600.134 550,400 Rtcdll.dll (pre-sp1)
27-Mar-2004 01:01 5.1.2600.136 136,704 Schannel.dll (pre-sp1)
26-Mar-2004 19:43 5.1.2600.1348 364,544 Callcont.dll (with sp1)
26-Mar-2004 19:43 5.1.2600.1363 40,960 Evtgprov.dll (with sp1)
26-Mar-2004 19:43 5.1.2600.1346 257,536 Gdi32.dll (with sp1)
26-Mar-2004 19:43 5.1.2600.1348 253,440 H323.tsp (with sp1)
26-Mar-2004 19:43 5.1.2600.1348 593,408 H323msp.dll (with sp1)
26-Mar-2004 19:30 5.1.2600.1340 741,376 Helpctr.exe (with sp1)
26-Mar-2004 19:43 5.1.2600.1364 439,808 Ipnathlp.dll (with sp1)
26-Mar-2004 19:43 5.1.2600.1361 667,648 Lsasrv.dll (with sp1)
26-Mar-2004 19:43 5.1.2600.1331 36,864 Mf3216.dll (with sp1)
26-Mar-2004 19:43 5.1.2600.1362 51,712 Msasn1.dll (with sp1)
26-Mar-2004 19:43 5.1.2600.1343 971,264 Msgina.dll (with sp1)
26-Mar-2004 19:43 5.1.2600.1348 253,952 Mst120.dll (with sp1)
26-Mar-2004 19:43 5.1.2600.1343 306,176 Netapi32.dll (with sp1)
26-Mar-2004 19:43 5.1.2600.1348 73,728 Nmcom.dll (with sp1)
26-Mar-2004 19:43 5.1.2600.1351 548,352 Rtcdll.dll (with sp1)
26-Mar-2004 19:43 5.1.2600.1347 136,704 Schannel.dll (with sp1)
10-Mar-2004 17:59 5.1.2600.1363 593,408 Xpsp2res.dll (with sp1)

Windows XP 64-Bit Edition Service Pack 1:

Date Time Version Size File name Platform
--------------------------------------------------------------------------
26-Mar-2004 19:40 5.1.2600.1363 134,656 Evtgprov.dll IA64
26-Mar-2004 19:40 5.1.2600.1346 884,736 Gdi32.dll IA64
26-Mar-2004 19:40 5.1.2600.1348 1,035,264 H323.tsp IA64
26-Mar-2004 19:40 5.1.2600.1348 2,230,272 H323msp.dll IA64
05-Feb-2004 21:40 5.1.2600.1340 2,426,368 Helpctr.exe IA64
26-Mar-2004 19:40 5.1.2600.1364 1,782,784 Ipnathlp.dll IA64
26-Mar-2004 19:40 5.1.2600.1361 2,069,504 Lsasrv.dll IA64
26-Mar-2004 19:40 5.1.2600.1331 128,512 Mf3216.dll IA64
26-Mar-2004 19:40 5.1.2600.1362 179,200 Msasn1.dll IA64
26-Mar-2004 19:40 5.1.2600.1343 1,272,320 Msgina.dll IA64
26-Mar-2004 19:40 5.1.2600.1343 903,168 Netapi32.dll IA64
26-Mar-2004 19:40 5.1.2600.1347 508,416 Schannel.dll IA64
26-Mar-2004 19:43 5.1.2600.1346 237,568 Wgdi32.dll X86
26-Mar-2004 19:43 5.1.2600.1348 253,440 Wh323.tsp X86
26-Mar-2004 19:43 5.1.2600.1348 593,408 Wh323msp.dll X86
26-Mar-2004 19:43 5.1.2600.1364 439,808 Wipnathlp.dll X86
26-Mar-2004 19:43 5.1.2600.1331 36,864 Wmf3216.dll X86
26-Mar-2004 19:43 5.1.2600.1362 51,712 Wmsasn1.dll X86
26-Mar-2004 19:43 5.1.2600.1343 971,264 Wmsgina.dll X86
26-Mar-2004 19:43 5.1.2600.1343 306,176 Wnetapi32.dll X86
26-Mar-2004 19:43 5.1.2600.1347 136,704 Wschannel.dll X86
10-Mar-2004 17:59 5.1.2600.1363 593,408 Wxpsp2res.dll X86
10-Mar-2004 17:59 5.1.2600.1363 592,896 Xpsp2res.dll IA64

Windows XP 64-Bit Edition Version 2003:

Date Time Version Size File name Platform Folder
-----------------------------------------------------------------------------
16-Mar-2004 01:54 5.2.3790.121 160,768 Eventlog.dll IA64 RTMGDR
16-Mar-2004 01:54 5.2.3790.132 816,128 H323.tsp IA64 RTMGDR
16-Mar-2004 01:54 5.2.3790.132 1,874,432 H323msp.dll IA64 RTMGDR
05-Feb-2004 00:43 5.2.3790.125 2,063,360 Helpctr.exe IA64 RTMGDR
16-Mar-2004 01:54 5.2.3790.142 1,421,312 Ipnathlp.dll IA64 RTMGDR
16-Mar-2004 01:54 5.2.3790.134 2,034,176 Lsasrv.dll IA64 RTMGDR
16-Mar-2004 01:54 5.2.3790.139 160,256 Msasn1.dll IA64 RTMGDR
16-Mar-2004 01:54 5.2.3790.132 479,744 Schannel.dll IA64 RTMGDR
16-Mar-2004 02:00 5.2.3790.132 256,000 Wh323.tsp X86 RTMGDR\WOW
16-Mar-2004 02:00 5.2.3790.132 601,600 Wh323msp.dll X86 RTMGDR\WOW
16-Mar-2004 02:00 5.2.3790.142 448,512 Wipnathlp.dll X86 RTMGDR\WOW
16-Mar-2004 02:00 5.2.3790.139 60,928 Wmsasn1.dll X86 RTMGDR\WOW
16-Mar-2004 02:00 5.2.3790.132 153,088 Wschannel.dll X86 RTMGDR\WOW
16-Mar-2004 02:12 5.2.3790.121 167,424 Eventlog.dll IA64 RTMQFE
16-Mar-2004 02:12 5.2.3790.132 816,128 H323.tsp IA64 RTMQFE
16-Mar-2004 02:12 5.2.3790.132 1,874,432 H323msp.dll IA64 RTMQFE
05-Feb-2004 00:42 5.2.3790.125 2,063,360 Helpctr.exe IA64 RTMQFE
16-Mar-2004 02:12 5.2.3790.142 1,421,312 Ipnathlp.dll IA64 RTMQFE
16-Mar-2004 02:12 5.2.3790.134 2,038,272 Lsasrv.dll IA64 RTMQFE
16-Mar-2004 02:12 5.2.3790.139 160,256 Msasn1.dll IA64 RTMQFE
16-Mar-2004 02:12 5.2.3790.132 479,744 Schannel.dll IA64 RTMQFE
16-Mar-2004 02:09 5.2.3790.132 256,000 Wh323.tsp X86 RTMQFE\WOW
16-Mar-2004 02:09 5.2.3790.132 601,600 Wh323msp.dll X86 RTMQFE\WOW
16-Mar-2004 02:09 5.2.3790.142 448,512 Wipnathlp.dll X86 RTMQFE\WOW
16-Mar-2004 02:09 5.2.3790.139 60,928 Wmsasn1.dll X86 RTMQFE\WOW
16-Mar-2004 02:09 5.2.3790.132 153,088 Wschannel.dll X86 RTMQFE\WOW

Note The Windows XP and Windows XP 64-Bit Edition Version 2003 versions of this security update are packaged as dual-mode packages, which contain files for both the original version of Windows XP and Windows XP Service Pack 1 (SP1). For additional information about dual-mode packages, see Microsoft Knowledge Base Article 328848.

When you install the Windows XP 64-Bit Edition Version 2003 security update, the installer checks to see if any of the files that are being updated on your system previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your system. Otherwise, the installer copies the RTMGDR files to your system. For more information, see Microsoft Knowledge Base Article 824994.

Verifying Update Installation

To verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.

You may also be able to verify the files that this security update has installed by reviewing the following registry keys:

For Windows XP Home Edition, Windows XP Professional, Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP 64-Bit Edition Service Pack 1, Windows XP Tablet PC Edition, and Windows XP Media Center Edition:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB835732\Filelist

For Windows XP 64-Bit Edition Version 2003:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB835732\Filelist

Note This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 835732 security update into the Windows installation source files.

Windows 2000 (all versions)

Prerequisites For Windows 2000, this security update requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).

The software that is listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the Microsoft Support Lifecycle Web site.

For more information about how to obtain the latest service pack, see Microsoft Knowledge Base Article 260910.

Inclusion in Future Service Packs: The update for this issue will be included in Windows 2000 Service Pack 5.

Installation Information

This security update supports the following setup switches:

/help                 Displays the command line options

Setup Modes

/quiet            Use Quiet mode (no user interaction or display)

/passive            Unattended mode (progress bar only)

/uninstall          Uninstalls the package

Restart Options

/norestart          Do not restart when installation is complete

/forcerestart      Restart after installation

Special Options

/l           Lists installed Windows hotfixes or update packages

/o          Overwrite OEM files without prompting

/n          Do not backup files needed for uninstall

/f           Force other programs to close when the computer shuts down

Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that are used by the previous version of the Setup utility. For more information about the supported installation switches, view Microsoft Knowledge Base Article 262841.

Deployment Information

To install the security update without any user intervention, use the following command at a command prompt for Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:

Windows2000-kb835732-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use the following command at a command prompt for Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:

Windows2000-kb835732-x86-enu /norestart

For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.

Restart Requirement

You must restart your system after you apply this security update.

Removal Information

To remove this update, use the Add or Remove Programs tool in Control Panel.

System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB835732$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Note Date and time information could change during installation. Version, size, and file name information should be used to determine the correctness of files.

Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:

Date Time Version Size File name Folder
-----------------------------------------------------------------------
24-Mar-2004 02:17 5.0.2195.6876 388,368 Advapi32.dll
24-Mar-2004 02:17 5.0.2195.6824 42,256 Basesrv.dll
24-Mar-2004 02:17 5.0.2195.6866 69,904 Browser.dll
24-Mar-2004 02:17 5.0.2195.6901 394,512 Callcont.dll
21-Sep-2003 00:45 5.0.2195.6824 236,304 Cmd.exe
24-Mar-2004 02:17 5.131.2195.6824 543,504 Crypt32.dll
24-Mar-2004 02:17 5.131.2195.6824 61,200 Cryptnet.dll
24-Mar-2004 02:17 5.0.2195.6868 76,048 Cryptsvc.dll
24-Mar-2004 02:17 5.0.2195.6824 134,928 Dnsapi.dll
24-Mar-2004 02:17 5.0.2195.6876 92,432 Dnsrslvr.dll
24-Mar-2004 02:17 5.0.2195.6883 47,888 Eventlog.dll
24-Mar-2004 02:17 5.0.2195.6898 242,448 Gdi32.dll
24-Mar-2004 02:17 5.0.2195.6901 255,248 H323.tsp
24-Mar-2004 00:46 502 Hfsecper.inf
17-Mar-2004 21:50 502 Hfsecupd.inf
24-Mar-2004 02:17 5.0.2195.6902 442,640 Ipnathlp.dll
24-Mar-2004 02:17 5.0.2195.6890 143,632 Kdcsvc.dll
11-Mar-2004 02:37 5.0.2195.6903 210,192 Kerberos.dll
24-Mar-2004 02:17 5.0.2195.6897 742,160 Kernel32.dll
21-Sep-2003 00:32 5.0.2195.6824 71,888 Ksecdd.sys
11-Mar-2004 02:37 5.0.2195.6902 520,976 Lsasrv.dll
25-Feb-2004 23:59 5.0.2195.6902 33,552 Lsass.exe
24-Mar-2004 02:17 5.0.2195.6898 37,136 Mf3216.dll
10-Feb-2004 19:47 5.0.2195.6897 30,160 Mountmgr.sys
24-Mar-2004 02:17 5.0.2195.6824 54,544 Mpr.dll
24-Mar-2004 02:17 5.0.2195.6905 53,520 Msasn1.dll
24-Mar-2004 02:17 5.0.2195.6895 335,120 Msgina.dll
24-Mar-2004 02:17 5.0.2195.6901 249,616 Mst120.dll
11-Mar-2004 02:37 5.0.2195.6897 123,152 Msv1_0.dll
24-Mar-2004 02:17 5.0.2195.6897 312,592 Netapi32.dll
24-Mar-2004 02:17 5.0.2195.6891 371,472 Netlogon.dll
24-Mar-2004 02:17 5.0.2195.6901 62,224 Nmcom.dll
24-Mar-2004 02:17 5.0.2195.6899 497,936 Ntdll.dll
24-Mar-2004 02:17 5.0.2195.6896 1,028,880 Ntdsa.dll
25-Feb-2004 23:55 5.0.2195.6902 1,699,904 Ntkrnlmp.exe
25-Feb-2004 23:55 5.0.2195.6902 1,699,264 Ntkrnlpa.exe
25-Feb-2004 23:55 5.0.2195.6902 1,720,064 Ntkrpamp.exe
11-Mar-2004 02:37 5.0.2195.6902 1,726,032 Ntoskrnl.exe
24-Mar-2004 02:17 5.0.2195.6824 115,984 Psbase.dll
24-Mar-2004 02:17 5.0.2195.6892 90,264 Rdpwd.sys
24-Mar-2004 02:17 5.0.2195.6897 49,936 Samlib.dll
24-Mar-2004 02:17 5.0.2195.6897 388,368 Samsrv.dll
24-Mar-2004 02:17 5.0.2195.6893 111,376 Scecli.dll
24-Mar-2004 02:17 5.0.2195.6903 253,200 Scesrv.dll
11-Mar-2004 02:37 5.1.2195.6899 143,120 Schannel.dll
19-Jun-2003 20:05 5.0.2195.6707 17,168 Seclogon.dll
24-Mar-2004 02:17 5.0.2195.6894 971,536 Sfcfiles.dll
05-Feb-2004 20:18 5.0.2195.6896 5,869,056 Sp3res.dll
24-Mar-2004 02:17 1.0.0.4 27,920 Umandlg.dll
24-Mar-2004 02:17 5.0.2195.6897 403,216 User32.dll
05-Aug-2003 22:14 5.0.2195.6794 385,808 Userenv.dll
24-Mar-2004 02:17 5.0.2195.6824 50,960 W32time.dll
21-Sep-2003 00:32 5.0.2195.6824 57,104 W32tm.exe
11-Mar-2004 02:37 5.0.2195.6897 1,720,368 Win32k.sys
12-Dec-2003 21:38 5.1.2600.1327 311,296 Winhttp.dll
11-Mar-2004 02:37 5.0.2195.6898 181,520 Winlogon.exe
25-Sep-2003 18:08 5.0.2195.6826 243,984 Winsrv.dll
24-Mar-2004 02:17 5.131.2195.6824 167,184 Wintrust.dll
24-Mar-2004 02:17 5.0.2195.6897 742,160 Kernel32.dll Uniproc
24-Mar-2004 02:17 5.0.2195.6899 497,936 Ntdll.dll Uniproc
11-Mar-2004 02:37 5.0.2195.6897 1,720,368 Win32k.sys Uniproc
25-Sep-2003 18:08 5.0.2195.6826 243,984 Winsrv.dll Uniproc

Verifying Update Installation

To verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.

You may also be able to verify the files that this security update has installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB835732\Filelist

Note This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 835732 security update into the Windows installation source files.

Windows NT 4.0 (all versions)

Prerequisites This security update requires Windows NT Workstation 4.0 Service Pack 6a (SP6a), Windows NT Server 4.0 Service Pack 6a (SP6a), or Windows NT Server 4.0 Terminal Server Edition Service Pack 6 (SP6).

Note The security update for Windows NT Server 4.0 Terminal Server Edition Service Pack 6 requires, as a prerequisite, the Windows NT Server 4.0 Terminal Server Edition Security Rollup Package (SRP). To download the SRP, visit the following Web site. You must install the SRP before you install the security update that is provided in this security bulletin. If you are not using Windows NT Server 4.0 Terminal Server Edition Service Pack 6 you do not need to install the SRP.

The software that is listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.

For more information on obtaining the latest service pack, see Microsoft Knowledge Base Article 152734.

Installation Information

This security update supports the following setup switches:

/y: Perform removal (only with /m or /q )

/f: Force programs to quit during the shutdown process

/n: Do not create an Uninstall folder

/z: Do not restart when the update completes

/q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m )

/m: Use Unattended mode with a user interface

/l: List the installed hotfixes

/x: Extract the files without running Setup

Note You can combine these switches into one command. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.

Deployment Information

To install the security update without any user intervention, use the following command at a command prompt for Windows NT 4.0:

Windowsnt4server-kb835732-x86-enu /q

For Windows NT Server 4.0 Terminal Server Edition:

Windowsnt4terminalserver-kb835732-x86-enu /q

For Windows NT Workstation 4.0:

Windowsnt4workstation-kb835732-x86-enu /q

To install the security update without forcing the system to restart, use the following command at a command prompt for Windows NT Server 4.0:

Windowsnt4server-kb835732-x86-enu /z

For Windows NT Server 4.0 Terminal Server Edition:

Windowsnt4terminalserver-kb835732-x86-enu /z

For Windows NT Workstation 4.0:

Windowsnt4workstation-kb835732-x86-enu /z

For more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.

Restart Requirement

You must restart your system after you apply this security update.

Removal Information

To remove this security update, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Hotfix.exe utility to remove this security update. The Hotfix.exe utility is located in the %Windir%\$NTUninstallKB835732$ folder. The Hotfix.exe utility supports the following setup switches:

/y: Perform removal (only with the /m or /q switch)

/f: Force programs to quit during the shutdown process

/n: Do not create an Uninstall folder

/z: Do not restart when the installation is complete

/q: Use Quiet or Unattended mode with no user interface (this switch is a superset of the /m switch)

/m: Use Unattended mode with a user interface

/l: List the installed hotfixes

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Note Date and time information could change during installation. Version, size, and file name information should be used to determine the correctness of files.

Windows NT Workstation 4.0

Date Time Version Size File name Folder
--------------------------------------------------------------------
24-Jan-2004 00:12 5.131.1880.14 465,680 Crypt32.dll
25-Sep-2002 21:36 5.0.1558.6072 90,384 Cryptdlg.dll
12-Dec-2003 00:10 5.131.1878.14 440,080 Cryptui.dll
27-Feb-2004 16:43 4.0.1381.7263 205,584 Gdi32.dll
23-Feb-2004 15:13 4.0.1381.7263 40,720 Mf3216.dll
05-Mar-2004 23:59 5.0.2195.6905 53,520 Msasn1.dll
28-Feb-2004 01:31 5.131.1880.14 37,136 Mscat32.dll
09-Jan-2004 15:40 4.0.1381.7255 125,200 Msgina.dll
07-Jan-2003 02:22 5.131.1878.13 28,432 Mssip32.dll
18-Mar-2004 10:20 4.0.1381.7265 958,336 Ntkrnlmp.exe
18-Mar-2004 10:20 4.0.1381.7265 937,984 Ntoskrnl.exe
25-Oct-2003 01:13 4.86.1964.1880 143,632 Schannel.dll
12-Dec-2003 22:24 5.131.1880.14 6,928 Softpub.dll
27-Feb-2004 16:43 4.0.1381.7255 326,928 User32.dll
07-Jan-2004 10:47 4.0.1381.7255 1,255,152 Win32k.sys
27-Feb-2004 16:43 4.0.1381.7260 174,864 Winsrv.dll
19-Feb-2004 17:50 5.131.1880.14 165,648 Wintrust.dll
25-Oct-2003 01:13 4.87.1964.1880 112,912 Schannel.dll 128bit

Windows NT Server 4.0:

Date Time Version Size File name Folder
-----------------------------------------------------------------------
24-Jan-2004 00:12 5.131.1880.14 465,680 Crypt32.dll
25-Sep-2002 21:36 5.0.1558.6072 90,384 Cryptdlg.dll
12-Dec-2003 00:10 5.131.1878.14 440,080 Cryptui.dll
27-Feb-2004 16:43 4.0.1381.7263 205,584 Gdi32.dll
23-Feb-2004 15:13 4.0.1381.7263 40,720 Mf3216.dll
05-Mar-2004 23:59 5.0.2195.6905 53,520 Msasn1.dll
28-Feb-2004 01:31 5.131.1880.14 37,136 Mscat32.dll
09-Jan-2004 15:40 4.0.1381.7255 125,200 Msgina.dll
07-Jan-2003 02:22 5.131.1878.13 28,432 Mssip32.dll
18-Mar-2004 10:20 4.0.1381.7265 958,336 Ntkrnlmp.exe
18-Mar-2004 10:20 4.0.1381.7265 937,984 Ntoskrnl.exe
25-Oct-2003 01:13 4.86.1964.1880 143,632 Schannel.dll
12-Dec-2003 22:24 5.131.1880.14 6,928 Softpub.dll
27-Feb-2004 16:43 4.0.1381.7255 326,928 User32.dll
07-Jan-2004 10:47 4.0.1381.7255 1,255,152 Win32k.sys
27-Feb-2004 16:43 4.0.1381.7260 174,864 Winsrv.dll
19-Feb-2004 17:50 5.131.1880.14 165,648 Wintrust.dll
25-Oct-2003 01:13 4.87.1964.1880 112,912 Schannel.dll 128 Bit

Windows NT Server 4.0 Terminal Server Edition:

Date Time Version Size File name Folder
-----------------------------------------------------------------------
24-Jan-2004 00:12 5.131.1880.14 465,680 Crypt32.dll
25-Sep-2002 21:36 5.0.1558.6072 90,384 Cryptdlg.dll
12-Dec-2003 00:10 5.131.1878.14 440,080 Cryptui.dll
24-Feb-2004 18:25 4.0.1381.33562 206,096 Gdi32.dll
24-Feb-2004 18:25 4.0.1381.33562 40,208 Mf3216.dll
05-Mar-2004 23:59 5.0.2195.6905 53,520 Msasn1.dll
28-Feb-2004 01:31 5.131.1880.14 37,136 Mscat32.dll
09-Jan-2004 15:41 4.0.1381.33559 208,656 Msgina.dll
07-Jan-2003 02:22 5.131.1878.13 28,432 Mssip32.dll
18-Mar-2004 11:44 4.0.1381.33563 1,004,160 Ntkrnlmp.exe
18-Mar-2004 11:44 4.0.1381.33563 983,104 Ntoskrnl.exe
25-Oct-2003 01:13 4.86.1964.1880 143,632 Schannel.dll
12-Dec-2003 22:24 5.131.1880.14 6,928 Softpub.dll
19-Aug-2003 13:58 4.0.1381.33552 332,048 User32.dll
26-Jan-2004 16:59 4.0.1381.33559 1,280,816 Win32k.sys
16-Dec-2003 17:56 4.0.1381.33559 196,368 Winsrv.dll
19-Feb-2004 17:50 5.131.1880.14 165,648 Wintrust.dll
25-Oct-2003 01:13 4.87.1964.1880 112,912 Schannel.dll 128bit

Verifying Update Installation

To verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.

You may also be able to verify the files that this security update has installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB835732\File 1

Note This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 835732 security update into the Windows installation source files.

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

Obtaining other security updates:

Updates for other security issues are available from the following locations:

  • Security updates are available from the Microsoft Download Center: you can find them most easily by doing a keyword search for “security_patch”.
  • Updates for consumer platforms are available from the Windows Update Web site.

Support:

  • Customers in the U.S. and Canada can get technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
  • International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. For more information on how to contact Microsoft for support issues, visit the International Support Web site.

Security Resources:

Software Update Services (SUS):

Microsoft Software Update Services (SUS) enables administrators to quickly and reliably deploy the latest critical updates and security updates to Windows® 2000 and Windows Server™ 2003-based servers, as well as to desktop systems running Windows 2000 Professional or Windows XP Professional.

For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security update. For information about Systems Management Server visit the SMS Web Site.  For detailed information about the many enhancements to the security update deployment process that SMS 2003 provides, please visit the SMS 2003 Security Patch Management Web site.  For users of SMS 2.0, it also provides several additional tools to assist administrators in the deployment of security updates such as the SMS 2.0 Software Update Services Feature Pack and the SMS 2.0 Administration Feature Pack.  The SMS 2.0 Software Update Services Feature Pack utilizes the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin remediation. Some software updates may require administrative rights following a restart of the computer

Note The inventory capabilities of the SMS 2.0 Software Update Services Feature Pack may be used for targeting updates to specific computers, and the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool can be used for installation. This provides optimal deployment for updates that require explicit targeting using Systems Management Server and administrative rights after the computer has been restarted.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 April 13, 2004: Bulletin published
  • V1.1 April 21, 2004: Bulletin updated to reflect updated information in the Update Replacement Section. Bulletin has also been updated to reflect the change in the MBSA detection behavior as described in the updated FAQ section. The bulletin also contains revisions to the workaround section for the Utility Manager Vulnerability (CAN-2003-0908).
  • V1.2 April 28, 2004: Updated Caveats section to reflect the availability of a revised Microsoft Knowledge Base Article 835732. It documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.
  • V1.3 May 4, 2004: Added new information in the Workarounds section for the LSASS Vulnerability.
  • V2.0 June 15, 2004: Updated bulletin to advise on the availability of an updated Windows NT 4.0 Workstation update for the Pan Chinese language. This update should be installed by customers even if the original update was installed.
  • V2.1 August 10, 2004: Updated bulletin to modify the workaround section for the PCT Vulnerability when using Windows XP RTM.

Built at 2014-04-18T13:49:36Z-07:00