Security Bulletin

Microsoft Security Bulletin MS04-012 - Critical

Cumulative Update for Microsoft RPC/DCOM (828741)

Published: April 13, 2004 | Updated: April 21, 2004

Version: 1.1


Summary

Who should read this document: Customers who use Microsoft Windows

Impact of vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

Security Update Replacement: This bulletin replaces several prior security updates. See the frequently asked questions (FAQ) section of this bulletin for the complete list.

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:

  • Microsoft Windows NT Workstation 4.0 Service Pack 6a — Download the update
  • Microsoft Windows NT Server 4.0 Service Pack 6a — Download the update
  • Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 — Download the update
  • Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4 — Download the update
  • Microsoft Windows XP and Microsoft Windows XP Service Pack 1 — Download the update
  • Microsoft Windows XP 64-Bit Edition Service Pack 1 — Download the update
  • Microsoft Windows XP 64-Bit Edition Version 2003 — Download the update
  • Microsoft Windows Server 2003 — Download the update
  • Microsoft Windows Server 2003 64-Bit Edition — Download the update
  • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE) and Microsoft Windows Millennium Edition (ME) — Review the FAQ section of this bulletin for details about these operating systems

The software that is listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.

General Information

Technical Details

Executive Summary:

This update resolves several newly-discovered vulnerabilities in RPC/DCOM. Each vulnerability is documented in this bulletin in its own section.

An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of the affected system. An attacker could then take any action on the affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

Microsoft recommends customers apply the update immediately.

Severity Ratings and Vulnerability Identifiers:

| Vulnerability Identifiers | Impact Of Vulnerability | Windows 98, 98 SE, ME | Windows NT Workstation 4.0 | Windows NT Server 4.0 | Windows NT Server 4.0, Terminal Server Edition | Windows 2000 | Windows XP | Windows Server 2003 |
|---|---|---|---|---|---|---|---|---|
| RPC Runtime Library Vulnerability - CAN-2003-0813 | Remote Code Execution | None | None | None | None | Critical | Critical | Critical |
| RPCSS Service Vulnerability - CAN-2004-0116 | Denial Of Service | None | None | None | None | Important | Important | Important |
| COM Internet Services (CIS) — RPC over HTTP Vulnerability - CAN-2003-0807 | Denial Of Service | None | None | Low | Low | Low | None | Low |
| Object Identity Vulnerability - CAN-2004-0124 | Information Disclosure | Not Critical | Low | Low | Low | Low | Low | Low |
| Aggregate Severity of all Vulnerabilities | | Not Critical | Low | Low | Low | Critical | Critical | Critical |

The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

What updates does this release replace?
This security update replaces several prior security bulletins. The security bulletin IDs and operating systems that are affected are listed in the table below.

| Bulletin ID | Windows NT 4.0 | Windows 2000 | Windows XP | Windows Server 2003 |
|---|---|---|---|---|
| MS98-014 | Replaced | Not Applicable | Not Applicable | Not Applicable |
| MS00-066 | Not Applicable | Replaced | Not Applicable | Not Applicable |
| MS01-048 | Replaced | Not Applicable | Not Applicable | Not Applicable |
| MS03-010 | Not Applicable | Replaced | Replaced | Not Applicable |
| MS03-026 | Replaced | Replaced | Replaced | Replaced |
| MS03-039 | Replaced | Replaced | Replaced | Replaced |

Is this update a Cumulative Security Update?
Yes. This Cumulative Security Update includes support for all prior RPC/DCOM updates as listed in the above table.

How does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?
Microsoft will only be releasing security updates for critical security issues. Non-critical security issues are not offered during this support period. For more information about the Microsoft Support Lifecycle policies for these operating systems, visit the following Web site.

For more information about severity ratings, visit the following Web site.

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?
No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition.

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if this update is required?
Yes. MBSA will determine if this update is required. For more information about MBSA, visit the MBSA Web site.

Can I use Systems Management Server (SMS) to determine if this update is required?
Yes. SMS can help detect and deploy this security update. For information about SMS, visit the SMS Web site.

What is Remote Procedure Call (RPC)?
Remote Procedure Call (RPC) is a protocol that the Windows operating system uses. RPC provides an interprocess communication mechanism that allows a program that is running on one system to access services seamlessly on another system. The protocol is derived from the Open Software Foundation (OSF) RPC protocol, with the addition of some Microsoft-specific extensions.

Vulnerability Details

RPC Runtime Library Vulnerability - CAN-2003-0813:

A remote code execution vulnerability exists that results from a race condition when the RPC Runtime Library processes specially crafted messages. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, in the most likely attack scenario, this issue is a denial of service vulnerability.

Mitigating factors for RPC Runtime Library Vulnerability - CAN-2003-0813:

  • Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
  • Windows NT 4.0 is not affected by this vulnerability.

Workarounds for RPC Runtime Library Vulnerability - CAN-2003-0813:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

  • Use a personal firewall such as the Internet Connection Firewall, which is included with Windows XP and Windows Server 2003.

    If you use the Internet Connection Firewall feature in Windows XP or in Windows Server 2003 to help protect your Internet connection, it blocks unsolicited inbound traffic by default. Microsoft recommends blocking all unsolicited inbound communication from the Internet.

    To enable the Internet Connection Firewall feature by using the Network Setup Wizard, follow these steps:

    1. Click Start, and then click Control Panel.
    2. In the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your system is connected directly to the Internet.

    To configure Internet Connection Firewall manually for a connection, follow these steps:

    1. Click Start, and then click Control Panel.
    2. In the default Category View, click Networking and Internet Connections, and then click Network Connections.
    3. Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.
    4. Click the Advanced tab.
    5. Click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box, and then click OK.

    Note If you want to enable the use of some programs and services through the firewall, click Settings on the Advanced tab, and then select the programs, protocols, and services needed.

  • Block the following at the firewall:

    • UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593
    • All unsolicited inbound traffic on ports greater than 1024
    • Any other specifically configured RPC port
    • If installed, COM Internet Services (CIS) or RPC over HTTP, which listen on ports 80 and 443

    These ports are used to initiate a connection with RPC. Blocking them at the firewall will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. Also, make sure that you block any other specifically configured RPC port on the remote system. Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about the ports that RPC uses, visit the following Web site. For more information about how to disable CIS, see Microsoft Knowledge Base Article 825819.

  • Enable advanced TCP/IP filtering on systems that support this feature.

    You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For additional information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.

  • Block the affected ports by using IPSec on the affected systems.

    Use Internet Protocol Security (IPSec) to help protect network communications. Detailed information about IPSec and how to apply filters is available in Microsoft Knowledge Base Articles 313190 and 813878.
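
The following is an added example, not part of the bulletin: a Python check that parses `netstat -an` output from a Windows host and reports network-reachable listeners on the ports that the firewall workaround above says to block. The function names and the sample output are assumptions constructed for this example.

```python
"""Flag listeners on the ports the MS04-012 workaround says to block."""

# Port lists copied from the bulletin's "Block the following at the firewall" item.
BLOCK_TCP = {135, 139, 445, 593}
BLOCK_UDP = {135, 137, 138, 445}
CIS_TCP = {80, 443}        # only relevant when CIS / RPC over HTTP is installed
HIGH_PORT_FLOOR = 1024     # bulletin: unsolicited inbound traffic on ports > 1024

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    192.168.0.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.0.10:80        0.0.0.0:0              LISTENING
  TCP    192.168.0.10:1040      10.0.0.5:445           ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:445            *:*
  UDP    192.168.0.10:137       *:*
  UDP    192.168.0.10:138       *:*
  UDP    192.168.0.10:123       *:*
"""


def parse_listeners(netstat_text):
    """Return (proto, address, port) for each TCP LISTENING or bound UDP socket."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto = fields[0]
        # TCP rows carry a state column; only LISTENING rows accept new connections.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        # Split on the last colon so IPv6 forms such as [::]:135 also parse.
        address, _, port = fields[1].rpartition(":")
        if port.isdigit():
            listeners.append((proto, address, int(port)))
    return listeners


def classify(proto, port, cis_installed=False):
    """Map a listener to the bulletin item it falls under, or None."""
    if proto == "TCP" and port in BLOCK_TCP:
        return "rpc-port"
    if proto == "UDP" and port in BLOCK_UDP:
        return "rpc-port"
    if cis_installed and proto == "TCP" and port in CIS_TCP:
        return "cis-port"
    if port > HIGH_PORT_FLOOR:
        return "high-port"
    return None


def audit(netstat_text, cis_installed=False):
    """Return sorted (proto, address, port, reason) findings for reachable listeners."""
    findings = []
    for proto, address, port in parse_listeners(netstat_text):
        if address.startswith("127.") or address == "[::1]":
            continue  # loopback-only sockets are not reachable from the network
        reason = classify(proto, port, cis_installed)
        if reason:
            findings.append((proto, address, port, reason))
    return sorted(findings, key=lambda f: (f[3], f[0], f[2]))


if __name__ == "__main__":
    for proto, address, port, reason in audit(SAMPLE_NETSTAT, cis_installed=True):
        print(f"{reason:9} {proto} {address}:{port}")
```

A listener on one of these ports is exposed only if the perimeter or host firewall lets traffic reach it, so compare the findings with the firewall rule set before acting on them.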

FAQ for RPC Runtime Library Vulnerability - CAN-2003-0813:

What is the scope of the vulnerability?
This is a race condition vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. However, race conditions are not predictable. Therefore, in the most likely attack scenario, this issue is a denial of service vulnerability.

What causes the vulnerability?
A race condition could exist when the RPC Runtime Library processes specially crafted messages.

What is the RPC Runtime Library?
By default, the RPC Runtime Library is installed on all affected systems. The RPC Runtime Library provides services such as communication services, directory services, and security services to application developers. For more information about the RPC Runtime Library, visit the following MSDN Library Web site.

What is wrong with the RPC Runtime Library?
The vulnerability in the RPC Runtime Library could occur if two separate operating system threads try to process certain specially crafted messages within a specified time. This event is considered to be a race condition because this event depends on the relative timing of the two threads. This race condition could cause the RPC Runtime Library to modify internal data structures incorrectly. Therefore, the affected system could experience unpredictable behavior.

What is a race condition?
Race conditions depend on the relative timing of events in multithreaded operating systems and software. They are frequently difficult to exploit as a way of repeatedly executing arbitrary code. For more information about race conditions, visit the following MSDN Library Web site. For a more general definition of race conditions, visit this .

Why does this race condition cause a vulnerability?
This race condition could create an environment where a series of specially timed requests could cause the RPC Runtime Library to perform an unpredictable action. However, because the circumstances that lead to this condition would change every time that the vulnerability was exploited, it may be difficult for an attacker to exploit this vulnerability.

What might an attacker use the vulnerability to do?
This vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. However, race conditions are not predictable. Therefore, in the most likely attack scenario, this issue is a denial of service vulnerability.

Who could exploit the vulnerability?
Any anonymous user who can deliver a series of specially crafted messages to the affected system could attempt to exploit this vulnerability. By default, this ability is enabled on the affected systems. Therefore, any user who can establish a connection to an affected system could attempt to exploit this vulnerability.

How could an attacker exploit this vulnerability?
An attacker could exploit this vulnerability by creating a series of specially crafted network messages and sending the messages to an affected system. These messages could then cause the affected system to execute code.

An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely).

What does the update do?
The update removes the vulnerability by modifying the way the RPC Runtime Library synchronizes the threads that are being used to process the specially crafted messages.

RPCSS Service Vulnerability - CAN-2004-0116:

A denial of service vulnerability exists in the RPCSS service. If a specially crafted message is sent to the RPCSS service, the service may not reclaim discarded memory. This behavior could result in a denial of service.

Mitigating factors for the RPCSS Service Vulnerability - CAN-2004-0116:

  • Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
  • Windows NT 4.0 is not affected by this vulnerability.

Workaround for the RPCSS Service Vulnerability - CAN-2004-0116:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

The workarounds that are listed for the RPC Runtime Library Vulnerability - CAN-2003-0813 could also apply to this vulnerability. Additionally, the following workarounds apply:

  • Disable DCOM on all affected systems.

    When a system is part of a network, the DCOM wire protocol enables COM objects on that system to communicate with COM objects on other systems. You can disable DCOM for a specific system to help protect against this vulnerability. However, by doing so, you will also disable all communication between objects on that system and objects on other systems.

    For more information about how to disable DCOM, see Microsoft Knowledge Base Article 825750.

    If COM Internet Services (CIS) or RPC over HTTP is installed, Microsoft also recommends that you disable forwarding to DCOM. For more information, see Microsoft Knowledge Base Article 826382.

    Note On Windows 2000, this method works only on systems that are running Service Pack 3 or later. Customers who are using Service Pack 2 or earlier should upgrade to a later Service Pack or use one of the other workarounds.

    Impact of Workaround: If you disable DCOM on a remote system, you cannot access that system remotely later to re-enable DCOM. To re-enable DCOM, you must have physical access to that system.

FAQ for the RPCSS Service Vulnerability - CAN-2004-0116:

What is the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited this vulnerability could cause the RPCSS Service to stop responding. The affected system would need to be manually restarted in order to restore normal operation.

Note that the denial of service vulnerability would not allow attackers to execute code or elevate their privileges, but it could cause the affected system to stop accepting requests.

What causes the vulnerability?
The process used by the RPCSS service to check message inputs under certain circumstances.

What is DCOM?
The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network. Previously known as "Network OLE," DCOM is designed for use across multiple network transports, including Internet protocols such as HTTP.

What is wrong with the RPCSS Service?
A vulnerability in the RPCSS Service that is involved with DCOM activation could cause an affected system to fail because a specially crafted message is handled incorrectly. This particular failure affects the underlying RPCSS Service that is used for DCOM activation. The RPCSS Service listens on UDP ports 135, 137, 138, and 445, and on TCP ports 135, 139, 445, and 593. Additionally, DCOM can listen on ports 80 and 443 if CIS or RPC over HTTP is enabled.

By sending a specially crafted RPC message, an attacker could cause the RPCSS Service on a remote system to fail in such a way that a denial of service could result.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited the vulnerability could cause the RPCSS Service to stop responding. However, this behavior would not cause the affected system to restart automatically. You would have to manually restart the affected system.

Who could exploit the vulnerability?
Any anonymous user who can deliver the specially crafted RPC message to an affected system could attempt to exploit this vulnerability.

How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker must send a specially crafted RPC message to an affected system over an affected TCP/UDP port. If an affected system receives such a message, the RPCSS service could stop responding.

An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely).

What does the update do?
The update removes the vulnerability by modifying the way that the RPCSS Service validates the information that is passed to it.

COM Internet Services (CIS) — RPC over HTTP Vulnerability - CAN-2003-0807:

A denial of service vulnerability exists in the CIS and in the RPC over HTTP Proxy components. When a forwarded request to a backend system passes through them, an attacker could reply to the request by using a specially crafted message that could cause the affected components to stop accepting later requests.

Mitigating factors for the COM Internet Services (CIS) and RPC over HTTP Vulnerability - CAN-2003-0807:

By default, none of the affected operating systems are vulnerable. All the affected operating systems would require that an administrator either enable the affected components or enable a vulnerable configuration. For more information about how a vulnerable configuration could occur, see the FAQ.

Workarounds for the COM Internet Services (CIS) and RPC over HTTP Vulnerability - CAN-2003-0807:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

The workarounds that are listed for the RPC Runtime Library Vulnerability - CAN-2003-0813 could also apply to this vulnerability. Additionally, the following workarounds apply:

  • Disable forwarding to untrusted sources for CIS and for RPC over HTTP if they have been enabled manually on the affected systems.

    • If an administrator has installed and has enabled forwarding to untrusted servers through CIS for Windows NT 4.0 or for Windows 2000, verify that CIS and RPC over HTTP are configured to permit forwarding only to trusted servers.

    • If an administrator has configured RPC over HTTP on Windows Server 2003, verify that RPC over HTTP is not running in IIS 5 compatibility mode. The default mode, IIS 6.0, does not contain the vulnerability. Therefore, the default mode is the preferred configuration. For more information about deployment recommendations and configuration settings, visit the following MSDN Library Web site.

      Note Microsoft also recommends that administrators disable forwarding to DCOM. For more information, see Microsoft Knowledge Base Article 826382.

  • If you do not need CIS or RPC over HTTP, disable this functionality on the affected systems.

    • For information about how to disable CIS, see Microsoft Knowledge Base Article 825819.
    • For information about RPC over HTTP, visit the following MSDN Library Web site.

FAQ for the COM Internet Services (CIS) and RPC Over HTTP Vulnerability - CAN-2003-0807:

What is the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited this vulnerability could cause the COM Internet Services or the RPC over HTTP component to stop accepting connections and could cause the affected system to stop responding. An administrator would need to restart Internet Information Services (IIS) manually to restore normal operation.

What causes the vulnerability?
The process used by the affected components to validate message inputs under certain circumstances.

What are COM Internet Services (CIS) and RPC over HTTP?
RPC over HTTP version 1 (v1) (Windows NT 4.0, Windows 2000) and v2 (Windows Server 2003) allow RPC to operate over TCP ports 80 and 443 (v2 only) so that a client and a server can communicate through most proxy servers and firewalls. COM Internet Services (CIS) allows DCOM to use RPC over HTTP to communicate between DCOM clients and DCOM servers. Windows Server 2003 can be configured to support RPC over HTTP v1 if Windows Server 2003 is set to IIS 5 compatibility mode. IIS 6.0 mode uses RPC over HTTP v2. IIS 6.0 mode does not contain the vulnerability. Therefore, IIS 6.0 mode is the preferred configuration. For more information about deployment recommendations and configuration settings, visit the following MSDN Library Web site.

For more information about RPC over HTTP for Windows Server 2003, visit the following MSDN Library Web site. For more information about CIS, visit the following MSDN Library Web site.

How do I know if I have CIS or RPC over HTTP installed?
To determine whether a server has CIS or RPC over HTTP installed, use one of the following methods, depending on your operating system:

  • On systems that are running Windows NT 4.0 that have the Windows NT Option Pack installed:

    Search on all partitions for "rpcproxy.dll." If the Rpcproxy.dll file is located on the server, CIS is probably installed.

  • On systems that are running Windows 2000 or Windows Server 2003:

    In Control Panel, double-click Add/Remove Programs, and then double-click Add/Remove Windows Components.

    The Windows Components Wizard starts.

    Click Networking Services, and then click Details.

    If the COM Internet Services Proxy (for Windows 2000 Server) or the RPC over HTTP Proxy (for Windows Server 2003) check box is selected, CIS or RPC over HTTP support is enabled on the server.

    To search for a specific file on your system, click Start, click Search, click For Files or Folders, and then type the name of the file you want to search for. The search may take several minutes, depending on the size of your hard disk.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited the denial of service vulnerability could cause the affected components to stop responding.

Who could exploit the vulnerability?
On Windows NT 4.0 and on Windows 2000, when a forwarded request to a backend system passes through the affected components, an anonymous attacker could reply to the request by using a specially crafted message that could cause the affected components to stop accepting later requests.

On Windows Server 2003, an attacker must also provide valid logon credentials.

How could an attacker exploit this vulnerability?
An attacker could exploit this vulnerability in several ways:

  • If an attacker controls a system that is configured to receive traffic through CIS or RPC over HTTP, the attacker could create a malicious response to a request from CIS or RPC over HTTP that could exploit this vulnerability.
  • An attacker could also try to exploit this vulnerability by listening locally on the network for traffic from a system that has CIS or RPC over HTTP Proxy enabled. The attacker could then try to send a specially crafted malicious response to a forwarded request on behalf of the system that CIS or RPC over HTTP is trying to communicate with.

If a system receives either type of these specially crafted messages, the message could cause the affected components to stop responding.

An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely).

What systems are primarily at risk from the vulnerability?
By default, the affected components are not enabled on any affected operating system.

However, if the Windows NT 4.0 Option Pack has been installed, the affected components are installed on Windows NT 4.0 Server and Windows NT 4.0 Terminal Server Edition. This is the default behavior. The affected components are not enabled until an administrator performs the steps that are described in Microsoft Knowledge Base article 282261.

By default, the affected components are not installed on Windows 2000 or on Windows Server 2003. An administrator must install the affected components manually for a system to be at risk from this vulnerability.

In both cases, an administrator must manually configure the affected components to forward requests to another system for the affected components to become vulnerable.

On Windows Server 2003, the impact is reduced further because the default configuration of Internet Information Services is not vulnerable, even with an affected component installed. Windows Server 2003 would only become vulnerable if you enabled IIS 5.0 compatibility mode. Microsoft does not recommend enabling IIS 5.0 compatibility mode for use with RPC over HTTP. For more information about deployment recommendations, visit the following MSDN Library Web site.

Windows NT 4.0 Workstation and Windows XP do not support the installation of the affected components. Therefore, these operating systems are not affected by this vulnerability.

Does this update require any manual steps?
Yes, if you are using CIS on Windows NT 4.0. Windows NT 4.0 requires administrators to manually perform the steps that are described in Microsoft Knowledge Base Article 282261 to enable CIS, including specifying the physical location of Rpcproxy.dll file. To help protect against this vulnerability, administrators must manually copy the updated version of the Rpcproxy.dll file to the location that they first used to enable CIS because the update cannot determine this location programmatically.
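
The following is an added example, not part of the bulletin: because the update cannot determine where Rpcproxy.dll was placed when CIS was enabled, this Python helper walks the directories it is given, finds every copy of the file regardless of letter case, and lists the copies whose contents differ from the updated file. The function names and the paths passed on the command line are assumptions of this example.

```python
"""Locate copies of Rpcproxy.dll and list those that differ from the updated file."""
import hashlib
import os
import sys

TARGET = "rpcproxy.dll"  # file name from the bulletin, matched case-insensitively


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_copies(roots):
    """Return every path under the given roots whose file name is rpcproxy.dll."""
    hits = []
    for root in roots:
        # onerror swallows unreadable directories instead of aborting the walk.
        for folder, _dirs, files in os.walk(root, onerror=lambda err: None):
            for name in files:
                if name.lower() == TARGET:
                    hits.append(os.path.join(folder, name))
    return sorted(hits)


def stale_copies(roots, updated_file):
    """Return copies whose content does not match the updated Rpcproxy.dll."""
    wanted = sha256_of(updated_file)
    reference = os.path.abspath(updated_file)
    stale = []
    for path in find_copies(roots):
        if os.path.abspath(path) == reference:
            continue  # the updated file itself
        try:
            if sha256_of(path) != wanted:
                stale.append(path)
        except OSError:
            stale.append(path)  # unreadable copy: report it for manual review
    return stale


if __name__ == "__main__":
    # Usage (hypothetical paths): script.py <updated Rpcproxy.dll> <root> [<root> ...]
    if len(sys.argv) < 3:
        sys.exit("usage: script.py UPDATED_FILE ROOT [ROOT ...]")
    for path in stale_copies(sys.argv[2:], sys.argv[1]):
        print("differs from updated file:", path)
```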

What does the update do?
The update addresses the vulnerability by modifying the way that the affected components validate the information that they receive.

Object Identity Vulnerability - CAN-2004-0124:

An information disclosure vulnerability exists in the way that object identities are created. This vulnerability could allow an attacker to enable applications to open network communication ports. Although this vulnerability does not directly enable an attacker to compromise a system, it could be used to enable network communication through unexpected communication ports.

Mitigating factors for the Object Identity Vulnerability - CAN-2004-0124:

Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Workarounds for the Object Identity Vulnerability - CAN-2004-0124:

The workarounds that are listed for the RPC Runtime Library Vulnerability - CAN-2003-0813 could also apply to this vulnerability.

FAQ for the Object Identity Vulnerability - CAN-2004-0124:

What is the scope of the vulnerability?
This is an information disclosure vulnerability. An attacker who successfully exploited this vulnerability could enable applications to open network communication ports, including applications that are not designed for network communication. This vulnerability does not directly enable an attacker to compromise a system. However, it could be used to enable network communication through unexpected communications ports.

What causes the vulnerability?
The way that COM object identifiers are created.

What is a COM object identifier?
Each COM object has an object identifier. An object identifier is a unique number that identifies the COM object in an application to the operating system. For more information about the use of object identities, visit the following Web site. For more information about COM objects, visit the following Web site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could force an application to accept inbound communication requests. This vulnerability does not directly enable an attacker to compromise a system. However, this vulnerability could be used to enable network communication through unexpected communications ports.

Who could exploit the vulnerability?
Any anonymous user who could deliver the specially crafted RPC message to an affected system could exploit this vulnerability.

How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would need to send a specially crafted RPC message to an affected system over an affected TCP/UDP port. For more information about the ports that RPC uses, visit the following Web site.

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by this vulnerability?
No. Although these operating systems may contain the affected component, the vulnerability is not critical. For more information about severity ratings, visit the following Web site.

What does the update do?
This update modifies the way that object identities are created. The new behavior makes it more difficult for a potential attacker to learn an object's identifier.

Security Update Information

Installation Platforms and Prerequisites:

For information about the specific security update for your platform, click the appropriate link:

Windows Server 2003 (all versions)

Prerequisites This security update requires a released version of Windows Server 2003.

Inclusion in Future Service Packs: The update for this issue will be included in Windows Server 2003 Service Pack 1.

Installation Information

/help            Displays the command line options

Setup Modes

/quiet           Use Quiet mode (no user interaction or display)
/passive         Unattended mode (progress bar only)
/uninstall       Uninstalls the package

Restart Options

/norestart       Do not restart when installation is complete
/forcerestart    Restart after installation

Special Options

/l               Lists installed Windows hotfixes or update packages
/o               Overwrite OEM files without prompting
/n               Do not backup files needed for uninstall
/f               Force other programs to close when the computer shuts down

Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that are used by the previous version of the Setup utility. For more information about the supported installation switches, view Microsoft Knowledge Base Article 262841.

Deployment Information

To install the security update without any user intervention, use the following command at a command prompt for Windows Server 2003:

Windowsserver2003-kb828741-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use the following command at a command prompt for Windows Server 2003:

Windowsserver2003-kb828741-x86-enu /norestart

For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.

Restart Requirement

You must restart your system after you apply this security update.

Removal Information

To remove this update, use the Add or Remove Programs tool in Control Panel.

System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB828741$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, and Windows Server 2003 Datacenter Edition:

Date Time Version Size File name Folder
------------------------------------------------------------------------
16-Mar-2004 03:09 2001.12.4720.130 263,680 Catsrv.dll RTMGDR
16-Mar-2004 03:09 2001.12.4720.130 587,264 Catsrvut.dll RTMGDR
16-Mar-2004 03:09 2001.12.4720.130 98,304 Clbcatex.dll RTMGDR
16-Mar-2004 03:09 2001.12.4720.130 493,056 Clbcatq.dll RTMGDR
16-Mar-2004 03:09 2001.12.4720.130 58,368 Colbact.dll RTMGDR
16-Mar-2004 03:09 2001.12.4720.139 189,440 Comadmin.dll RTMGDR
16-Mar-2004 03:09 2001.12.4720.130 1,202,176 Comsvcs.dll RTMGDR
16-Mar-2004 03:09 2001.12.4720.130 566,272 Comuid.dll RTMGDR
16-Mar-2004 03:09 2001.12.4720.130 226,816 Es.dll RTMGDR
16-Mar-2004 03:09 2001.12.4720.130 443,904 Msdtcprx.dll RTMGDR
16-Mar-2004 03:09 2001.12.4720.130 972,288 Msdtctm.dll RTMGDR
16-Mar-2004 03:09 2001.12.4720.130 160,768 Msdtcuiu.dll RTMGDR
16-Mar-2004 03:09 2001.12.4720.130 76,288 Mtxclu.dll RTMGDR
16-Mar-2004 03:09 2001.12.4720.130 108,032 Mtxoci.dll RTMGDR
16-Mar-2004 03:09 5.2.3790.138 1,189,376 Ole32.dll RTMGDR
16-Mar-2004 03:09 5.2.3790.137 26,112 Rpcproxy.dll RTMGDR
16-Mar-2004 03:09 5.2.3790.137 660,992 Rpcrt4.dll RTMGDR
16-Mar-2004 03:09 5.2.3790.132 294,400 Rpcss.dll RTMGDR
16-Mar-2004 03:17 2001.12.4720.130 263,680 Catsrv.dll RTMQFE
16-Mar-2004 03:17 2001.12.4720.130 587,264 Catsrvut.dll RTMQFE
16-Mar-2004 03:17 2001.12.4720.130 98,304 Clbcatex.dll RTMQFE
16-Mar-2004 03:17 2001.12.4720.130 493,056 Clbcatq.dll RTMQFE
16-Mar-2004 03:17 2001.12.4720.130 58,368 Colbact.dll RTMQFE
16-Mar-2004 03:17 2001.12.4720.139 189,440 Comadmin.dll RTMQFE
16-Mar-2004 03:17 2001.12.4720.130 1,202,176 Comsvcs.dll RTMQFE
16-Mar-2004 03:17 2001.12.4720.130 566,272 Comuid.dll RTMQFE
16-Mar-2004 03:17 2001.12.4720.130 226,816 Es.dll RTMQFE
16-Mar-2004 03:17 2001.12.4720.130 443,904 Msdtcprx.dll RTMQFE
16-Mar-2004 03:17 2001.12.4720.130 972,288 Msdtctm.dll RTMQFE
16-Mar-2004 03:17 2001.12.4720.130 160,768 Msdtcuiu.dll RTMQFE
16-Mar-2004 03:17 2001.12.4720.130 76,288 Mtxclu.dll RTMQFE
16-Mar-2004 03:17 2001.12.4720.130 108,032 Mtxoci.dll RTMQFE
16-Mar-2004 03:17 5.2.3790.139 1,188,352 Ole32.dll RTMQFE
16-Mar-2004 03:17 5.2.3790.141 26,112 Rpcproxy.dll RTMQFE
16-Mar-2004 03:17 5.2.3790.141 659,968 Rpcrt4.dll RTMQFE
16-Mar-2004 03:17 5.2.3790.142 293,888 Rpcss.dll RTMQFE

Windows Server 2003 64-Bit Enterprise Edition and Windows Server 2003 64-Bit Datacenter Edition:

Date Time Version Size File name Platform Folder
-------------------------------------------------------------------------------
31-Mar-2004 03:29 2001.12.4720.130 641,024 Catsrv.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 1,567,744 Catsrvut.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 263,680 Clbcatex.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 1,294,336 Clbcatq.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 179,712 Colbact.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.139 412,160 Comadmin.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 3,127,296 Comsvcs.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 1,873,408 Comuid.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 653,312 Es.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 1,301,504 Msdtcprx.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 3,166,208 Msdtctm.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 462,848 Msdtcuiu.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 203,776 Mtxclu.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 315,904 Mtxoci.dll IA64 RTMGDR
31-Mar-2004 03:29 5.2.3790.146 3,567,616 Ole32.dll IA64 RTMGDR
31-Mar-2004 03:29 5.2.3790.137 73,216 Rpcproxy.dll IA64 RTMGDR
31-Mar-2004 03:29 5.2.3790.137 2,140,160 Rpcrt4.dll IA64 RTMGDR
31-Mar-2004 03:29 5.2.3790.146 687,104 Rpcss.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 263,680 Wcatsrv.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 587,264 Wcatsrvut.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 98,304 Wclbcatex.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 493,056 Wclbcatq.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 58,368 Wcolbact.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.139 189,440 Wcomadmin.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 1,202,176 Wcomsvcs.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 226,816 Wes.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 443,904 Wmsdtcprx.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 160,768 Wmsdtcuiu.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 76,288 Wmtxclu.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 108,032 Wmtxoci.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 5.2.3790.146 1,189,376 Wole32.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 5.2.3790.137 26,112 Wrpcproxy.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 5.2.3790.137 542,208 Wrpcrt4.dll X86 RTMGDR\WOW
31-Mar-2004 03:25 2001.12.4720.130 641,024 Catsrv.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 1,567,744 Catsrvut.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 263,680 Clbcatex.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 1,294,336 Clbcatq.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 179,712 Colbact.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.139 412,160 Comadmin.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 3,127,296 Comsvcs.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 1,873,408 Comuid.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 653,312 Es.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 1,301,504 Msdtcprx.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 3,166,208 Msdtctm.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 462,848 Msdtcuiu.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 203,776 Mtxclu.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 315,904 Mtxoci.dll IA64 RTMQFE
31-Mar-2004 03:25 5.2.3790.146 3,565,056 Ole32.dll IA64 RTMQFE
31-Mar-2004 03:25 5.2.3790.141 73,216 Rpcproxy.dll IA64 RTMQFE
31-Mar-2004 03:25 5.2.3790.141 2,150,400 Rpcrt4.dll IA64 RTMQFE
31-Mar-2004 03:25 5.2.3790.146 685,568 Rpcss.dll IA64 RTMQFE
31-Mar-2004 03:26 2001.12.4720.130 263,680 Wcatsrv.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 587,264 Wcatsrvut.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 98,304 Wclbcatex.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 493,056 Wclbcatq.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 58,368 Wcolbact.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.139 189,440 Wcomadmin.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 1,202,176 Wcomsvcs.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 226,816 Wes.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 443,904 Wmsdtcprx.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 160,768 Wmsdtcuiu.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 76,288 Wmtxclu.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 108,032 Wmtxoci.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 5.2.3790.146 1,188,352 Wole32.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 5.2.3790.141 26,112 Wrpcproxy.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 5.2.3790.141 544,256 Wrpcrt4.dll X86 RTMQFE\WOW

Note When you install this security update on Windows Server 2003 or on Windows XP 64-Bit Edition Version 2003, the installer checks to see if any of the files that are being updated on your system have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your system. Otherwise, the installer copies the RTMGDR files to your system. For more information, see Microsoft Knowledge Base Article 824994.

Verifying Update Installation

To verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.

You may also be able to verify the files that this security update has installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB828741\Filelist

Note This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 828741 security update into the Windows installation source files.
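
Where the Filelist registry key cannot be relied on, the file table and the RTMGDR/RTMQFE note above can be applied directly as a version check. The following Python code is an added example, not Microsoft tooling: it parses rows copied from the 32-bit Windows Server 2003 table and applies the "or later" rule per branch. The host inventories, the function names and the assumption that the auditor already knows which branch a host is on are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Rows copied verbatim from the Windows Server 2003 (32-bit) file table in
# this bulletin; only the four RPC/OLE runtime files are included here.
BULLETIN_ROWS = """\
16-Mar-2004 03:09 5.2.3790.138 1,189,376 Ole32.dll RTMGDR
16-Mar-2004 03:09 5.2.3790.137 26,112 Rpcproxy.dll RTMGDR
16-Mar-2004 03:09 5.2.3790.137 660,992 Rpcrt4.dll RTMGDR
16-Mar-2004 03:09 5.2.3790.132 294,400 Rpcss.dll RTMGDR
16-Mar-2004 03:17 5.2.3790.139 1,188,352 Ole32.dll RTMQFE
16-Mar-2004 03:17 5.2.3790.141 26,112 Rpcproxy.dll RTMQFE
16-Mar-2004 03:17 5.2.3790.141 659,968 Rpcrt4.dll RTMQFE
16-Mar-2004 03:17 5.2.3790.142 293,888 Rpcss.dll RTMQFE
"""

# Date, time, four-part version, size, file name, folder (branch).
ROW_RE = re.compile(
    r"^(?P<date>\d{2}-[A-Za-z]{3}-\d{4}) (?P<time>\d{2}:\d{2}) "
    r"(?P<version>\d+(?:\.\d+){3}) (?P<size>[\d,]+) "
    r"(?P<name>\S+) (?P<folder>\S+)$"
)


def parse_version(text: str) -> Version:
    """Turn '5.2.3790.142' into (5, 2, 3790, 142) so that comparison is
    numeric per field; comparing the strings would rank '.9' above '.10'."""
    return tuple(int(part) for part in text.split("."))


def load_baseline(rows: str) -> Dict[str, Dict[str, Version]]:
    """Build {branch: {lower-case file name: minimum version}}."""
    baseline: Dict[str, Dict[str, Version]] = {}
    for line in rows.splitlines():
        line = line.strip()
        if not line:
            continue
        match = ROW_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised table row: {line!r}")
        branch = baseline.setdefault(match["folder"], {})
        branch[match["name"].lower()] = parse_version(match["version"])
    return baseline


def audit_host(installed: Dict[str, str], branch: str,
               baseline: Dict[str, Dict[str, Version]]) -> List[str]:
    """Return one finding per file that is missing from the inventory or
    older than the bulletin's version for the given branch.

    `branch` is supplied by the auditor (assumption): RTMQFE if any of the
    files was previously replaced by a hotfix, otherwise RTMGDR.
    """
    if branch not in baseline:
        raise ValueError(f"unknown branch: {branch}")
    have = {name.lower(): ver for name, ver in installed.items()}
    findings = []
    for name, minimum in sorted(baseline[branch].items()):
        if name not in have:
            findings.append(f"{name}: not inventoried")
        elif parse_version(have[name]) < minimum:
            wanted = ".".join(str(n) for n in minimum)
            findings.append(f"{name}: {have[name]} is older than {wanted}")
    return findings


BASELINE = load_baseline(BULLETIN_ROWS)

# Constructed inventory: a host on the GDR branch with the update applied.
HOST_GDR_PATCHED = {
    "Ole32.dll": "5.2.3790.138", "Rpcproxy.dll": "5.2.3790.137",
    "Rpcrt4.dll": "5.2.3790.137", "Rpcss.dll": "5.2.3790.132",
}

# Constructed inventory: a host on the QFE branch whose Rpcss.dll still comes
# from an earlier hotfix (the version 5.2.3790.140 is made up for the example).
HOST_QFE_STALE = {
    "Ole32.dll": "5.2.3790.139", "Rpcproxy.dll": "5.2.3790.141",
    "Rpcrt4.dll": "5.2.3790.141", "Rpcss.dll": "5.2.3790.140",
}

if __name__ == "__main__":
    for label, host, branch in (
        ("gdr-patched", HOST_GDR_PATCHED, "RTMGDR"),
        ("qfe-stale vs GDR", HOST_QFE_STALE, "RTMGDR"),
        ("qfe-stale vs QFE", HOST_QFE_STALE, "RTMQFE"),
    ):
        print(label, audit_host(host, branch, BASELINE) or "OK")
```

The second constructed host passes when checked against the RTMGDR versions but fails against RTMQFE, which is why the branch has to be settled before the comparison is trusted.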

Windows XP (all versions)

Note For Windows XP 64-Bit Edition Version 2003, this security update is the same as the Windows Server 2003 64-Bit Edition security update.

Prerequisites This security update requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For more information, see Microsoft Knowledge Base Article 322389.

Inclusion in Future Service Packs: The update for these issues will be included in Windows XP Service Pack 2.

Installation Information

/help                 Displays the command line options

Setup Modes

/quiet            Use Quiet mode (no user interaction or display)

/passive            Unattended mode (progress bar only)

/uninstall          Uninstalls the package

Restart Options

/norestart          Do not restart when installation is complete

/forcerestart     Restart after installation

Special Options

/l           Lists installed Windows hotfixes or update packages

/o          Overwrite OEM files without prompting

/n          Do not backup files needed for uninstall

/f           Force other programs to close when the computer shuts down

Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that are used by the previous version of the Setup utility. For more information about the supported installation switches, view Microsoft Knowledge Base Article 262841.

Deployment Information

To install the security update without any user intervention, use the following command at a command prompt for Windows XP:

Windowsxp-kb828741-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use the following command at a command prompt for Windows XP:

Windowsxp-kb828741-x86-enu /norestart

For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.

Restart Requirement

You must restart your system after you apply this security update.

Removal Information

To remove this update, use the Add or Remove Programs tool in Control Panel.

System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB828741$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP Home Edition, Windows XP Professional, Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet PC Edition, and Windows XP Media Center Edition:

Date Time Version Size File name Folder
-----------------------------------------------------------------------
06-Mar-2004 02:04 2001.12.4414.53 225,280 Catsrv.dll (pre-sp1)
06-Mar-2004 02:04 2001.12.4414.53 596,480 Catsrvut.dll (pre-sp1)
06-Mar-2004 02:04 2001.12.4414.53 110,080 Clbcatex.dll (pre-sp1)
06-Mar-2004 02:05 2001.12.4414.53 499,712 Clbcatq.dll (pre-sp1)
06-Mar-2004 02:04 2001.12.4414.53 64,512 Colbact.dll (pre-sp1)
06-Mar-2004 02:05 2001.12.4414.53 187,904 Comadmin.dll (pre-sp1)
17-Feb-2004 18:49 2001.12.4414.53 8,192 Comrepl.exe (pre-sp1)
06-Mar-2004 02:05 2001.12.4414.53 1,177,088 Comsvcs.dll (pre-sp1)
06-Mar-2004 02:05 2001.12.4414.53 499,200 Comuid.dll (pre-sp1)
06-Mar-2004 02:05 2001.12.4414.53 226,816 Es.dll (pre-sp1)
17-Feb-2004 18:50 2001.12.4414.53 6,656 Migregdb.exe (pre-sp1)
06-Mar-2004 02:05 2001.12.4414.53 365,568 Msdtcprx.dll (pre-sp1)
06-Mar-2004 02:05 2001.12.4414.53 977,920 Msdtctm.dll (pre-sp1)
06-Mar-2004 02:05 2001.12.4414.53 150,528 Msdtcuiu.dll (pre-sp1)
06-Mar-2004 02:05 2001.12.4414.53 64,512 Mtxclu.dll (pre-sp1)
06-Mar-2004 02:05 2001.12.4414.53 82,432 Mtxoci.dll (pre-sp1)
06-Mar-2004 02:05 5.1.2600.136 1,105,408 Ole32.dll (pre-sp1)
06-Mar-2004 02:05 5.1.2600.135 442,880 Rpcrt4.dll (pre-sp1)
06-Mar-2004 02:05 5.1.2600.135 214,528 Rpcss.dll (pre-sp1)
06-Mar-2004 02:05 2001.12.4414.53 97,280 Txflog.dll (pre-sp1)
06-Mar-2004 02:16 2001.12.4414.53 225,280 Catsrv.dll (with sp1)
06-Mar-2004 02:16 2001.12.4414.53 594,944 Catsrvut.dll (with sp1)
06-Mar-2004 02:16 2001.12.4414.53 110,080 Clbcatex.dll (with sp1)
06-Mar-2004 02:16 2001.12.4414.53 499,712 Clbcatq.dll (with sp1)
06-Mar-2004 02:16 2001.12.4414.53 64,512 Colbact.dll (with sp1)
06-Mar-2004 02:16 2001.12.4414.53 187,904 Comadmin.dll (with sp1)
17-Feb-2004 18:49 2001.12.4414.53 8,192 Comrepl.exe (with sp1)
06-Mar-2004 02:16 2001.12.4414.53 1,194,496 Comsvcs.dll (with sp1)
06-Mar-2004 02:16 2001.12.4414.53 499,200 Comuid.dll (with sp1)
06-Mar-2004 02:16 2001.12.4414.53 226,816 Es.dll (with sp1)
17-Feb-2004 18:50 2001.12.4414.53 6,656 Migregdb.exe (with sp1)
06-Mar-2004 02:16 2001.12.4414.53 367,616 Msdtcprx.dll (with sp1)
06-Mar-2004 02:16 2001.12.4414.53 977,920 Msdtctm.dll (with sp1)
06-Mar-2004 02:16 2001.12.4414.53 150,528 Msdtcuiu.dll (with sp1)
06-Mar-2004 02:16 2001.12.4414.53 64,512 Mtxclu.dll (with sp1)
06-Mar-2004 02:16 2001.12.4414.53 82,432 Mtxoci.dll (with sp1)
06-Mar-2004 02:16 5.1.2600.1362 1,183,744 Ole32.dll (with sp1)
06-Mar-2004 02:16 5.1.2600.1361 535,552 Rpcrt4.dll (with sp1)
06-Mar-2004 02:16 5.1.2600.1361 263,680 Rpcss.dll (with sp1)
06-Mar-2004 02:16 2001.12.4414.53 97,280 Txflog.dll (with sp1)

Windows XP 64-Bit Edition Service Pack 1:

Date Time Version Size File name Platform
---------------------------------------------------------------------
06-Mar-2004 02:07 2001.12.4414.53 695,808 Catsrv.dll IA64
06-Mar-2004 02:07 2001.12.4414.53 2,127,360 Catsrvut.dll IA64
06-Mar-2004 02:07 2001.12.4414.53 360,960 Clbcatex.dll IA64
06-Mar-2004 02:07 2001.12.4414.53 1,554,432 Clbcatq.dll IA64
06-Mar-2004 02:07 2001.12.4414.53 204,288 Colbact.dll IA64
06-Mar-2004 02:07 2001.12.4414.53 478,720 Comadmin.dll IA64
09-Jan-2004 22:50 2001.12.4414.53 20,992 Comrepl.exe IA64
06-Mar-2004 02:07 2001.12.4414.53 3,591,168 Comsvcs.dll IA64
06-Mar-2004 02:07 2001.12.4414.53 1,817,600 Comuid.dll IA64
06-Mar-2004 02:07 2001.12.4414.53 740,864 Es.dll IA64
09-Jan-2004 22:51 2001.12.4414.53 12,800 Migregdb.exe IA64
06-Mar-2004 02:07 2001.12.4414.53 1,509,888 Msdtcprx.dll IA64
06-Mar-2004 02:07 2001.12.4414.53 3,484,160 Msdtctm.dll IA64
06-Mar-2004 02:07 2001.12.4414.53 513,024 Msdtcuiu.dll IA64
06-Mar-2004 02:07 2001.12.4414.53 194,048 Mtxclu.dll IA64
06-Mar-2004 02:07 2001.12.4414.53 286,720 Mtxoci.dll IA64
06-Mar-2004 02:07 5.1.2600.1362 4,339,200 Ole32.dll IA64
06-Mar-2004 02:07 5.1.2600.1361 2,317,824 Rpcrt4.dll IA64
06-Mar-2004 02:07 5.1.2600.1361 780,288 Rpcss.dll IA64
06-Mar-2004 02:07 2001.12.4414.53 345,088 Txflog.dll IA64
06-Mar-2004 02:16 2001.12.4414.53 225,280 Wcatsrv.dll X86
06-Mar-2004 02:16 2001.12.4414.53 594,944 Wcatsrvut.dll X86
06-Mar-2004 02:16 2001.12.4414.53 110,080 Wclbcatex.dll X86
06-Mar-2004 02:16 2001.12.4414.53 499,712 Wclbcatq.dll X86
06-Mar-2004 02:16 2001.12.4414.53 64,512 Wcolbact.dll X86
06-Mar-2004 02:16 2001.12.4414.53 187,904 Wcomadmin.dll X86
06-Mar-2004 02:16 2001.12.4414.53 1,194,496 Wcomsvcs.dll X86
06-Mar-2004 02:16 2001.12.4414.53 226,816 Wes.dll X86
06-Mar-2004 02:16 2001.12.4414.53 367,616 Wmsdtcprx.dll X86
06-Mar-2004 02:16 2001.12.4414.53 150,528 Wmsdtcuiu.dll X86
06-Mar-2004 02:16 2001.12.4414.53 64,512 Wmtxclu.dll X86
06-Mar-2004 02:16 2001.12.4414.53 82,432 Wmtxoci.dll X86
06-Mar-2004 02:16 5.1.2600.1362 1,183,744 Wole32.dll X86
06-Mar-2004 02:16 5.1.2600.1361 509,440 Wrpcrt4.dll X86
06-Mar-2004 02:16 2001.12.4414.53 97,280 Wtxflog.dll X86

Windows XP 64-Bit Edition Version 2003:

Date Time Version Size File name Platform Folder
------------------------------------------------------------------------------
31-Mar-2004 03:29 2001.12.4720.130 641,024 Catsrv.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 1,567,744 Catsrvut.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 263,680 Clbcatex.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 1,294,336 Clbcatq.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 179,712 Colbact.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.139 412,160 Comadmin.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 3,127,296 Comsvcs.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 1,873,408 Comuid.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 653,312 Es.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 1,301,504 Msdtcprx.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 3,166,208 Msdtctm.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 462,848 Msdtcuiu.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 203,776 Mtxclu.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 315,904 Mtxoci.dll IA64 RTMGDR
31-Mar-2004 03:29 5.2.3790.146 3,567,616 Ole32.dll IA64 RTMGDR
31-Mar-2004 03:29 5.2.3790.137 73,216 Rpcproxy.dll IA64 RTMGDR
31-Mar-2004 03:29 5.2.3790.137 2,140,160 Rpcrt4.dll IA64 RTMGDR
31-Mar-2004 03:29 5.2.3790.146 687,104 Rpcss.dll IA64 RTMGDR
31-Mar-2004 03:29 2001.12.4720.130 263,680 Wcatsrv.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 587,264 Wcatsrvut.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 98,304 Wclbcatex.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 493,056 Wclbcatq.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 58,368 Wcolbact.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.139 189,440 Wcomadmin.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 1,202,176 Wcomsvcs.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 226,816 Wes.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 443,904 Wmsdtcprx.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 160,768 Wmsdtcuiu.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 76,288 Wmtxclu.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 2001.12.4720.130 108,032 Wmtxoci.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 5.2.3790.146 1,189,376 Wole32.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 5.2.3790.137 26,112 Wrpcproxy.dll X86 RTMGDR\WOW
31-Mar-2004 03:29 5.2.3790.137 542,208 Wrpcrt4.dll X86 RTMGDR\WOW
31-Mar-2004 03:25 2001.12.4720.130 641,024 Catsrv.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 1,567,744 Catsrvut.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 263,680 Clbcatex.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 1,294,336 Clbcatq.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 179,712 Colbact.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.139 412,160 Comadmin.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 3,127,296 Comsvcs.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 1,873,408 Comuid.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 653,312 Es.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 1,301,504 Msdtcprx.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 3,166,208 Msdtctm.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 462,848 Msdtcuiu.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 203,776 Mtxclu.dll IA64 RTMQFE
31-Mar-2004 03:25 2001.12.4720.130 315,904 Mtxoci.dll IA64 RTMQFE
31-Mar-2004 03:25 5.2.3790.146 3,565,056 Ole32.dll IA64 RTMQFE
31-Mar-2004 03:25 5.2.3790.141 73,216 Rpcproxy.dll IA64 RTMQFE
31-Mar-2004 03:25 5.2.3790.141 2,150,400 Rpcrt4.dll IA64 RTMQFE
31-Mar-2004 03:25 5.2.3790.146 685,568 Rpcss.dll IA64 RTMQFE
31-Mar-2004 03:26 2001.12.4720.130 263,680 Wcatsrv.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 587,264 Wcatsrvut.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 98,304 Wclbcatex.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 493,056 Wclbcatq.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 58,368 Wcolbact.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.139 189,440 Wcomadmin.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 1,202,176 Wcomsvcs.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 226,816 Wes.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 443,904 Wmsdtcprx.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 160,768 Wmsdtcuiu.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 76,288 Wmtxclu.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 2001.12.4720.130 108,032 Wmtxoci.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 5.2.3790.146 1,188,352 Wole32.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 5.2.3790.141 26,112 Wrpcproxy.dll X86 RTMQFE\WOW
31-Mar-2004 03:26 5.2.3790.141 544,256 Wrpcrt4.dll X86 RTMQFE\WOW

Note The Windows XP and Windows XP 64-Bit Edition Version 2003 versions of this security update are packaged as dual-mode packages, which contain files for both the original version of Windows XP and Windows XP Service Pack 1 (SP1). For additional information about dual-mode packages, see Microsoft Knowledge Base Article 328848.

When you install the Windows XP 64-Bit Edition Version 2003 security update, the installer checks to see if any of the files that are being updated on your system have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your system. Otherwise, the installer copies the RTMGDR files to your system. For more information, see Microsoft Knowledge Base Article 824994.

Verifying Update Installation

To verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.

You may also be able to verify the files that this security update has installed by reviewing the following registry keys:

For Windows XP Home Edition, Windows XP Professional, Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP 64-Bit Edition Service Pack 1, Windows XP Tablet PC Edition, and Windows XP Media Center Edition:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB828741\Filelist

For Windows XP 64-Bit Edition Version 2003:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB828741\Filelist

Note This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 828741 security update into the Windows installation source files.

Windows 2000 (all versions)

Prerequisites For Windows 2000, this security update requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).

The software that is listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the Microsoft Support Lifecycle Web site.

For more information about how to obtain the latest service pack, see Microsoft Knowledge Base Article 260910.

Inclusion in Future Service Packs: The update for these issues will be included in Windows 2000 Service Pack 5.

Installation Information

/help                Displays the command line options

Setup Modes

/quiet            Use Quiet mode (no user interaction or display)

/passive            Unattended mode (progress bar only)

/uninstall          Uninstalls the package

Restart Options

/norestart          Do not restart when installation is complete

/forcerestart     Restart after installation

Special Options

/l           Lists installed Windows hotfixes or update packages

/o          Overwrite OEM files without prompting

/n          Do not backup files needed for uninstall

/f           Force other programs to close when the computer shuts down

Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that are used by the previous version of the Setup utility. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.

Deployment Information

To install the security update without any user intervention, use the following command at a command prompt for Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:

Windows2000-kb828741-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use the following command at a command prompt for Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:

Windows2000-kb828741-x86-enu /norestart

For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.

Restart Requirement

You must restart your system after you apply this security update.

Removal Information

To remove this update, use the Add or Remove Programs tool in Control Panel.

System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB828741$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Note Date and time information could change during installation. Version, size, and file name information should be used to determine the correctness of files.

Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:

Date Time Version Size File name
------------------------------------------------------------
11-Mar-2004 21:29 2000.2.3511.0 169,232 Catsrv.dll
11-Mar-2004 21:29 2000.2.3511.0 595,728 Catsrvut.dll
11-Mar-2004 21:29 2000.2.3511.0 97,040 Clbcatex.dll
11-Mar-2004 21:29 2000.2.3511.0 552,720 Clbcatq.dll
11-Mar-2004 21:29 2000.2.3511.0 41,744 Colbact.dll
11-Mar-2004 21:29 2000.2.3511.0 198,416 Comadmin.dll
11-Mar-2004 21:29 2000.2.3511.0 97,552 Comrepl.dll
11-Mar-2004 21:29 2000.2.3421.3511 342,288 Comsetup.dll
11-Mar-2004 21:29 2000.2.3511.0 1,467,664 Comsvcs.dll
11-Mar-2004 21:29 2000.2.3511.0 625,936 Comuid.dll
19-Feb-2004 22:03 2000.2.3511.0 1,816,552 Dtcsetup.exe
11-Mar-2004 21:29 2000.2.3511.0 239,888 Es.dll
11-Mar-2004 21:29 2000.2.3511.0 96,016 Msdtclog.dll
11-Mar-2004 21:29 2000.2.3513.0 717,584 Msdtcprx.dll
11-Mar-2004 21:29 2000.2.3511.0 1,139,984 Msdtctm.dll
11-Mar-2004 21:29 2000.2.3511.0 153,872 Msdtcui.dll
19-Feb-2004 22:44 2000.2.3511.0 155,408 Mtstocom.exe
11-Mar-2004 21:29 2000.2.3511.0 52,496 Mtxclu.dll
11-Mar-2004 21:29 2000.2.3511.0 26,896 Mtxdm.dll
11-Mar-2004 21:29 2000.2.3511.0 35,600 Mtxlegih.dll
11-Mar-2004 21:29 2000.2.3513.0 120,592 Mtxoci.dll
11-Mar-2004 21:29 5.0.2195.6906 954,640 Ole32.dll
11-Mar-2004 21:29 5.0.2195.6904 16,656 Rpcproxy.dll
11-Mar-2004 21:29 5.0.2195.6904 449,808 Rpcrt4.dll
11-Mar-2004 21:29 5.0.2195.6906 211,728 Rpcss.dll
11-Mar-2004 21:29 2000.2.3511.0 398,608 Txfaux.dll
11-Mar-2004 21:29 2000.2.3511.0 18,704 Xolehlp.dll

Verifying Update Installation

To verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.

You may also be able to verify the files that this security update has installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB828741\Filelist

Note This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 828741 security update into the Windows installation source files.

Windows NT 4.0 (all versions)

Prerequisites This security update requires Windows NT Workstation 4.0 Service Pack 6a (SP6a), Windows NT Server 4.0 Service Pack 6a (SP6a), or Windows NT Server 4.0 Terminal Server Edition Service Pack 6 (SP6).

The software that is listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.

For more information on obtaining the latest service pack, see Microsoft Knowledge Base Article 152734.

Installation Information

This security update supports the following setup switches:

/y: Perform removal (only with /m or /q )

/f: Force programs to quit during the shutdown process

/n: Do not create an Uninstall folder

/z: Do not restart when the update completes

/q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m )

/m: Use Unattended mode with a user interface

/l: List the installed hotfixes

/x: Extract the files without running Setup

Note You can combine these switches into one command. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.

Deployment Information

To install the security update without any user intervention, use the following command at a command prompt for Windows NT Server 4.0:

Windowsnt4server-kb828741-x86-enu /q

For Windows NT Server 4.0 Terminal Server Edition:

Windowsnt4terminalserver-kb828741-x86-enu /q

For Windows NT Workstation 4.0:

Windowsnt4workstation-kb828741-x86-enu /q

To install the security update without forcing the system to restart, use the following command at a command prompt for Windows NT Server 4.0:

Windowsnt4server-kb828741-x86-enu /z

For Windows NT Server 4.0 Terminal Server Edition:

Windowsnt4terminalserver-kb828741-x86-enu /z

For Windows NT Workstation 4.0:

Windowsnt4workstation-kb828741-x86-enu /z

For more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.

Restart Requirement

You must restart your system after you apply this security update.

Removal Information

To remove this security update, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Hotfix.exe utility to remove this security update. The Hotfix.exe utility is located in the %Windir%\$NTUninstallKB828741$ folder. The Hotfix.exe utility supports the following setup switches:

/y: Perform removal (only with the /m or /q switch)

/f: Force programs to quit during the shutdown process

/n: Do not create an Uninstall folder

/z: Do not restart when the installation is complete

/q: Use Quiet or Unattended mode with no user interface (this switch is a superset of the /m switch)

/m: Use Unattended mode with a user interface

/l: List the installed hotfixes

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Note Date and time information could change during installation. Version, size, and file name information should be used to determine the correctness of files.

Windows NT Workstation 4.0 and Windows NT Server 4.0:

Date Time Version Size File name
----------------------------------------------------------
25-Feb-2004 15:53 4.0.1381.7263 701,200 Ole32.dll
08-Jan-2004 11:37 4.0.1381.7255 21,264 Rpcproxy.dll
11-Aug-2003 14:29 4.0.1381.7230 345,872 Rpcrt4.dll
25-Feb-2004 15:53 4.0.1381.7263 122,128 Rpcss.exe

Windows NT Server 4.0 Terminal Server Edition:

Date Time Version Size File name
----------------------------------------------------------
25-Feb-2004 15:52 4.0.1381.33562 701,200 Ole32.dll
05-Dec-2003 17:51 4.0.1381.33559 21,264 Rpcproxy.dll
11-Aug-2003 15:14 4.0.1381.33551 345,360 Rpcrt4.dll
25-Feb-2004 15:52 4.0.1381.33562 124,176 Rpcss.exe
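
The tables above give minimum ("or later") versions, and the note says version, size, and file name rather than timestamps determine correctness. The following added example is not part of the bulletin: it compares collected file versions against the two Windows NT 4.0 tables numerically and shows that checking a Terminal Server Edition file against the Workstation/Server table reports an outdated file as current. The function names, the edition keys, and the inventory values are constructed for illustration.

```python
# Minimum fixed versions, transcribed from the bulletin's two NT 4.0 tables.
BULLETIN_TABLES = {
    "nt4": """\
25-Feb-2004 15:53 4.0.1381.7263 701,200 Ole32.dll
08-Jan-2004 11:37 4.0.1381.7255 21,264 Rpcproxy.dll
11-Aug-2003 14:29 4.0.1381.7230 345,872 Rpcrt4.dll
25-Feb-2004 15:53 4.0.1381.7263 122,128 Rpcss.exe""",
    "nt4-tse": """\
25-Feb-2004 15:52 4.0.1381.33562 701,200 Ole32.dll
05-Dec-2003 17:51 4.0.1381.33559 21,264 Rpcproxy.dll
11-Aug-2003 15:14 4.0.1381.33551 345,360 Rpcrt4.dll
25-Feb-2004 15:52 4.0.1381.33562 124,176 Rpcss.exe""",
}

def parse_version(text):
    """'4.0.1381.7263' -> (4, 0, 1381, 7263), so fields compare as numbers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part version, got {text!r}")
    return parts

def load_baseline(edition):
    """Map lower-cased file name -> minimum fixed version for one table."""
    baseline = {}
    for line in BULLETIN_TABLES[edition].splitlines():
        _date, _time, version, _size, name = line.split()
        baseline[name.lower()] = parse_version(version)
    return baseline

def audit(edition, inventory):
    """Return {file: 'ok' | 'outdated' | 'missing'} for every file in the table."""
    found = {name.lower(): version for name, version in inventory.items()}
    report = {}
    for name, required in load_baseline(edition).items():
        have = found.get(name)
        if have is None:
            report[name] = "missing"  # not in the collected inventory
        else:
            report[name] = "ok" if parse_version(have) >= required else "outdated"
    return report

# Constructed inventory: a Terminal Server Edition host without the update.
SAMPLE_TSE_INVENTORY = {
    "OLE32.DLL": "4.0.1381.33549",   # constructed pre-update version
    "rpcproxy.dll": "4.0.1381.33559",
    "Rpcrt4.dll": "4.0.1381.33551",
}
print(audit("nt4-tse", SAMPLE_TSE_INVENTORY), audit("nt4", SAMPLE_TSE_INVENTORY))
```

Comparing the version strings as text would also give the wrong answer, because "7263" sorts after "33562" character by character.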

Verifying Update Installation

To verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.

You may also be able to verify the files that this security update has installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB828741\File 1

Note This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 828741 security update into the Windows installation source files.

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

  • eEye Digital Security for reporting the RPC Runtime Library Vulnerability (CAN-2003-0813) and the RPCSS Service Vulnerability (CAN-2004-0116).
  • Qualys for reporting the CIS — RPC over HTTP Vulnerability (CAN-2003-0807).
  • Todd Sabin of BindView for reporting the Object Identity Vulnerability (CAN-2004-0124).

Obtaining other security updates:

Updates for other security issues are available from the following locations:

Support:

  • Customers in the U.S. and Canada can get technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
  • International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. For more information on how to contact Microsoft for support issues, visit the International Support Web site.

Security Resources:

Software Update Services (SUS):

Microsoft Software Update Services (SUS) enables administrators to quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, as well as to desktop systems running Windows 2000 Professional or Windows XP Professional.

For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security update. For information about Systems Management Server, visit the SMS Web site. For detailed information about the many enhancements to the security update deployment process that SMS 2003 provides, visit the SMS 2003 Security Patch Management Web site. For users of SMS 2.0, several additional tools are available to assist administrators in the deployment of security updates, such as the SMS 2.0 Software Update Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS 2.0 Software Update Services Feature Pack utilizes the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin remediation. Some software updates may require administrative rights following a restart of the computer.

Note The inventory capabilities of the SMS 2.0 Software Update Services Feature Pack may be used for targeting updates to specific computers, and the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool can be used for installation. This provides optimal deployment for updates that require explicit targeting using Systems Management Server and administrative rights after the computer has been restarted.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 April 13, 2004: Bulletin published
  • V1.1 April 21, 2004: Bulletin updated to reflect updated file versions for Windows 2000 update.
