Microsoft Security Bulletin MS04-011
Security Update for Microsoft Windows (835732)
Issued: April 13, 2004
Updated: August 10, 2004
Version: 2.1
Summary
Who should read this document: Customers who use Microsoft® Windows®
Impact of vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately.
Security Update Replacement: This bulletin replaces several prior security updates. See the frequently asked questions (FAQ) section of this bulletin for the complete list.
Caveats: The security update for Windows NT Server 4.0 Terminal Server Edition Service Pack 6 requires, as a prerequisite, the Windows NT Server 4.0 Terminal Server Edition Security Rollup Package (SRP). To download the SRP, visit the following Web site. You must install the SRP before you install the security update that is provided in this security bulletin. If you are not using Windows NT Server 4.0 Terminal Server Edition Service Pack 6 you do not need to install the SRP.
Microsoft Knowledge Base Article 835732 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 835732.
Tested Software and Security Update Download Locations:
Affected Software:
| • | Microsoft Windows NT® Workstation 4.0 Service Pack 6a – Download the update |
| • | Microsoft Windows NT Server 4.0 Service Pack 6a – Download the update |
| • | Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 – Download the update |
| • | Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4 – Download the update |
| • | Microsoft Windows XP and Microsoft Windows XP Service Pack 1 – Download the update |
| • | Microsoft Windows XP 64-Bit Edition Service Pack 1 – Download the update |
| • | Microsoft Windows XP 64-Bit Edition Version 2003 – Download the update |
| • | Microsoft Windows Server™ 2003 – Download the update |
| • | Microsoft Windows Server 2003 64-Bit Edition – Download the update |
| • | Microsoft NetMeeting |
| • | Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems. |
The software that is listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.
General Information
Technical Details |
Executive Summary:
Microsoft re-issued this bulletin on June 15, 2004 to advise on the availability of an updated Windows NT 4.0 Workstation update for the Pan Chinese language.
This revised update corrects an installation issue that some customers experienced with the original update. This issue is unrelated to the security vulnerability discussed in this bulletin. However, this issue has caused some customers difficulty installing the update. If you have previously applied this security update, this update does need to be installed to avoid potential issues when installing future security updates. This issue only affects the Pan Chinese language version of the update and only those versions of the update are being re-released. Other language versions of this update are not affected and are not being re-released.
This update resolves several newly-discovered vulnerabilities. Each vulnerability is documented in this bulletin in its own section.
An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
Microsoft recommends that customers apply the update immediately.
Severity Ratings and Vulnerability Identifiers:
| Vulnerability Identifiers | Impact of Vulnerability | Windows 98, 98 SE, ME | Windows NT 4.0 | Windows 2000 | Windows XP | Windows Server 2003 |
LSASS Vulnerability - CAN-2003-0533 | Remote Code Execution | None | None | Critical | Critical | Low |
LDAP Vulnerability – CAN-2003-0663 | Denial Of Service | None | None | Important | None | None |
PCT Vulnerability - CAN-2003-0719 | Remote Code Execution | None | Critical | Critical | Important | Low |
Winlogon Vulnerability - CAN-2003-0806 | Remote Code Execution | None | Moderate | Moderate | Moderate | None |
Metafile Vulnerability - CAN-2003-0906 | Remote Code Execution | None | Critical | Critical | Critical | None |
Help and Support Center Vulnerability - CAN-2003-0907 | Remote Code Execution | None | None | None | Critical | Critical |
Utility Manager Vulnerability - CAN-2003-0908 | Privilege Elevation | None | None | Important | None | None |
Windows Management Vulnerability - CAN-2003-0909 | Privilege Elevation | None | None | None | Important | None |
Local Descriptor Table Vulnerability - CAN-2003-0910 | Privilege Elevation | None | Important | Important | None | None |
H.323 Vulnerability* - CAN-2004-0117 | Remote Code Execution | Not Critical | None | Important | Important | Important |
Virtual DOS Machine Vulnerability - CAN-2004-0118 | Privilege Elevation | None | Important | Important | None | None |
Negotiate SSP Vulnerability - CAN-2004-0119 | Remote Code Execution | None | None | Critical | Critical | Critical |
SSL Vulnerability - CAN-2004-0120 | Denial Of Service | None | None | Important | Important | Important |
ASN.1 “Double Free” Vulnerability - CAN-2004-0123 | Remote Code Execution | Not Critical | Critical | Critical | Critical | Critical |
Aggregate Severity of All Vulnerabilities | Not Critical | Critical | Critical | Critical | Critical |
*Note The severity rating of H.323 Vulnerability - CAN-2004-0117 is Important for the standalone version of NetMeeting. To download an updated version of NetMeeting that addresses this vulnerability, visit the following Web site. This version of NetMeeting can be installed on all systems that are running Windows 98, Windows 98 Second Edition, Windows Millennium Edition, and Windows NT 4.0. The updated version of NetMeeting that addresses this vulnerability is version 3.01 (4.4.3399).
The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Frequently asked questions (FAQ) related to this security update |
Why has Microsoft re-issued this bulletin?
Microsoft re-issued this bulletin on June 15, 2004 to advise on the availability of an updated Windows NT 4.0 Workstation update for the Pan Chinese language.
This revised update corrects an installation issue that some customers experienced with the original update. This issue is unrelated to the security vulnerability discussed in this bulletin. However, this issue has caused some customers difficulty installing the update. If you have previously applied this security update, this update does need to be installed to avoid potential issues when installing future security updates. This issue only affects the Pan Chinese language version of the update and only those versions of the update are being re-released. Other language versions of this update are not affected and are not being re-released.
Why does this update address several reported security vulnerabilities?
This update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that contain almost identical files, customers can install only this update.
What updates does this release replace?
This security update replaces several prior security bulletins. The security bulletin IDs and operating systems that are affected are listed in the table below.
| Bulletin ID | Windows NT 4.0 | Windows 2000 | Windows XP | Windows Server 2003 |
Replaced | Not Applicable | Not Applicable | Not Applicable | |
Not Replaced | Replaced | Not Applicable | Not Applicable | |
Not Applicable | Replaced | Not Applicable | Not Applicable | |
Not Replaced | Replaced | Not Applicable | Not Applicable | |
Replaced | Not Replaced | Not Replaced | Not Applicable | |
Not Applicable | Replaced | Not Replaced | Not Applicable | |
Replaced | Replaced | Not Replaced | Not Applicable | |
Not Replaced | Replaced | Not Replaced | Not Applicable | |
Replaced | Replaced | Not Replaced | Not Applicable | |
Not Applicable | Replaced | Not Applicable | Not Applicable | |
Replaced | Not Replaced | Not Replaced | Not Replaced | |
Replaced | Replaced | Not Replaced | Not Replaced | |
Replaced | Replaced | Replaced | Replaced |
Is this update a Cumulative Security Update or a Security Update Roll-up?
Neither. A Cumulative Security Update would typically include support for all prior updates. This update does not include support for all prior updates on all operating systems.
A Security Update Roll-up is typically used to combine previous releases into a single update to allow for easier installation and faster download. Security Update Roll-ups typically do not include modifications to address new vulnerabilities; this update does.
How does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?
Microsoft will only release security updates for critical security issues. Non-critical security issues are not offered during this support period. For more information about the Microsoft Support Lifecycle policies for these operating systems, visit the following Web site.
For more information about severity ratings, visit the following Web site.
Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?
No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition.
Does this update contain any other changes to functionality?
Yes. In addition to the changes that are listed in each of the vulnerability details sections of this bulletin, this update includes the following change in functionality: files that end with the file name extension “.folder” are no longer associated with a directory. Files that have this extension are still supported by the affected operating system. However, those files will no longer appear as a directory in Windows Explorer and in other programs.
Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if this update is required?
Yes. MBSA will determine if this update is required. However, MBSA does not currently support the stand-alone version of NetMeeting for detection. MBSA will not offer the required update to the stand-alone version of NetMeeting if it has been installed on Windows NT 4.0 systems. To download the updated stand-alone version of NetMeeting that addresses the H.323 Vulnerability (CAN-2004-0117), visit the following Web site. MBSA does detect if the update for the H.323 Vulnerability (CAN-2004-0117) is required for the version of NetMeeting that shipped as part of Windows 2000, Windows XP, or Windows Server 2003.
For more information about the H.323 Vulnerability (CAN-2004-0117), see that vulnerability details section of this bulletin. For more information about MBSA, visit the MBSA Web site. For more information about MBSA detection limitations, see Microsoft Knowledge Base Article 306460.
How did this change from the initial release of the bulletin?
When the bulletin was released on April 13, 2004, MBSA detection for this security update was disabled for Windows NT 4.0 because of the lack of detection support for the stand-alone version of NetMeeting that is described earlier in this bulletin. This changed on April 21, 2004. MBSA will now detect if this security update is required for Windows NT 4.0 even though this limitation exists.
Can I use Systems Management Server (SMS) to determine if this update is required?
Yes. SMS can help detect and deploy this security update. For information about SMS, visit the SMS Web site. SMS uses MBSA for detection; therefore, SMS has the same limitation listed earlier in this bulletin related to the stand-alone version of NetMeeting.
Can I use Systems Management Server (SMS) to determine if the stand-alone version of NetMeeting has been installed on Windows NT 4.0 systems?
Yes. SMS can help detect if the updated stand-alone version of NetMeeting is required for Windows NT 4.0 systems. SMS can search for the presence of the file “Conf.exe.” All versions before version 3.01 (4.4.3399) should be updated.
Vulnerability Details |
LSASS Vulnerability - CAN-2003-0533: |
A buffer overrun vulnerability exists in LSASS that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Mitigating Factors for LSASS Vulnerability - CAN-2003-0533: |
| • | Only Windows 2000 and Windows XP can be remotely attacked by an anonymous user. While Windows Server 2003 and Windows XP 64-Bit Edition Version 2003 contain the vulnerability, only a local administrator could exploit it. |
| • | Windows NT 4.0 is not affected by this vulnerability. |
| • | Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. |
Workarounds for LSASS Vulnerability - CAN-2003-0533: |
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
| • | Create a file called %systemroot%\debug\dcpromo.log and make the file read-only. To do this, type the following command: echo dcpromo >%systemroot%\debug\dcpromo.log & attrib +r %systemroot%\debug\dcpromo.log Note This is the most effective mitigation technique as it completely mitigates this vulnerability by causing the vulnerable code to never be executed. This work-around will work for packets sent to any vulnerable port. | ||||||||||||||
| • | Use a personal firewall such as the Internet Connection Firewall, which is included with Windows XP and Windows Server 2003. If you use the Internet Connection Firewall feature in Windows XP or in Windows Server 2003 to help protect your Internet connection, it blocks unsolicited inbound traffic by default. Microsoft recommends blocking all unsolicited inbound communication from the Internet. To enable the Internet Connection Firewall feature by using the Network Setup Wizard, follow these steps:
To configure Internet Connection Firewall manually for a connection, follow these steps:
Note If you want to enable the use of some programs and services through the firewall, click Settings on the Advanced tab, and then select the programs, protocols, and services needed. | ||||||||||||||
| • | Block the following at the firewall:
These ports are used to initiate a connection with RPC. Blocking them at the firewall will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. Also, make sure that you block any other specifically configured RPC port on the remote system. Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about the ports that RPC uses, visit the following Web site. | ||||||||||||||
| • | Enable advanced TCP/IP filtering on systems that support this feature. You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798. | ||||||||||||||
| • | Block the affected ports by using IPSec on the affected systems. Use Internet Protocol Security (IPSec) to help protect network communications. Detailed information about IPSec and how to apply filters is available in Microsoft Knowledge Base Articles 313190 and 813878. |
FAQ for LSASS Vulnerability - CAN-2003-0533: |
What is the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
What causes the vulnerability?
An unchecked buffer in the LSASS service.
What is LSASS?
Local Security Authority Subsystem Service (LSASS) provides an interface for managing local security, domain authentication, and Active Directory processes. It handles authentication for the client and for the server. It also contains features that are used to support Active Directory utilities.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Who could exploit the vulnerability?
On Windows 2000 and Windows XP, any anonymous user who could deliver a specially crafted message to the affected system could attempt to exploit this vulnerability.
How could an attacker exploit this vulnerability?
An attacker could exploit the vulnerability by creating a specially crafted message and sending the message to an affected system, which could then cause the affected system to execute code.
An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely).
What systems are primarily at risk from the vulnerability?
Windows 2000 and Windows XP are primarily at risk from this vulnerability.
Windows Server 2003 and Windows XP 64-Bit Edition Version 2003 provide additional protection that would require an administrator to log on locally to an affected system to exploit this vulnerability.
What does the update do?
The update removes the vulnerability by modifying the way that LSASS validates the length of a message before it passes the message to the allocated buffer.
This update also removes the vulnerable code from Windows 2000 Professional and from Windows XP because these operating systems do not require the vulnerable interface. This helps protect against possible future vulnerabilities in this service.
LDAP Vulnerability - CAN-2003-0663: |
A denial of service vulnerability exists that could allow an attacker to send a specially crafted LDAP message to a Windows 2000 domain controller. An attacker could cause the service responsible for authenticating users in an Active Directory domain to stop responding.
Mitigating Factors for LDAP Vulnerability - CAN-2003-0663: |
| • | To exploit this vulnerability, an attacker would have to send a specially crafted LDAP message to the domain controller. If the LDAP ports are not blocked by a firewall, an attacker would not require any additional privileges to exploit this vulnerability. |
| • | This vulnerability only affects Windows 2000 Server domain controllers; Windows Server 2003 domain controllers are not affected. |
| • | Windows NT 4.0 and Windows XP are not affected by this vulnerability. |
| • | If an attacker successfully exploited this vulnerability, the affected system might display a warning that it would automatically restart after a 60-second countdown. At the end of this 60-second countdown, the affected system would automatically restart. After restart, the affected system would be restored to normal functionality. However, the affected system could be susceptible to a new denial of service attack unless the update is applied. |
| • | Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. |
Workarounds for LDAP Vulnerability - CAN-2003-0663: |
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
| • | Block LDAP TCP ports 389, 636, 3268, and 3269 at your firewall. These ports are used to initiate an LDAP connection with a Windows 2000 domain controller. Blocking them at the firewall will help prevent systems that are behind that firewall from attempts to exploit this vulnerability that originate outside the enterprise perimeter. While other ports could be used to exploit this vulnerability, the ports listed are the most common attack vectors. Microsoft recommends blocking all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. Impact of workaround: Active Directory domain authentication will not be possible over a network connection where these ports are blocked. |
FAQ for LDAP Vulnerability - CAN-2003-0663: |
What’s the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who exploited this vulnerability could cause the server to automatically restart and, during that time, stop the server from responding to authentication requests. This vulnerability exists in Windows 2000 Server systems that perform the role of a domain controller. The only effect on other Windows 2000 systems is that clients may not be able to log on to the domain if their domain controller stops responding.
What causes the vulnerability?
The processing of specially crafted LDAP messages by the Local Security Authority Subsystem Service (LSASS).
What is LDAP?
Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol that enables authorized users to query or modify the data in a metadirectory. For example, in Windows 2000, LDAP is one protocol that is used to access data in Active Directory.
What’s wrong with the way the specially crafted LDAP messages are handled?
An attacker could send a specially crafted LDAP message to the LSASS service and cause it to stop responding.
What is LSASS?
Local Security Authority Subsystem Service (LSASS) provides an interface for managing local security, domain authentication, and Active Directory processes. It handles authentication for the client and for the server. It also contains features that are used to support Active Directory utilities.
What might an attacker use the vulnerability to do?
An attacker who exploited this vulnerability could cause LSASS to stop responding and the affected system to restart. The affected system might display a warning that it would automatically restart after a 60-second countdown. During this 60 second countdown, local authentication at the console of the affected system and user domain authentication with the affected system would not be possible. At the end of this 60-second countdown, the affected system would automatically restart. If users cannot perform domain authentication with the affected system, they might not be able to access domain resources. After restart, the affected system would be restored to normal functionality. However, it could be susceptible to a new denial of service attack unless the update is applied.
Who could exploit the vulnerability?
Any anonymous user who could deliver the specially crafted LDAP message to the affected system could exploit this vulnerability.
How could an attacker exploit the vulnerability?
An attacker could exploit this vulnerability by sending a specially crafted LDAP message to the domain controllers in a single forest or multiple forests, potentially causing a denial of service to domain authentication throughout an enterprise. This could cause LSASS to stop responding and cause the affected system to restart. An attacker does not have to have a valid user account in the domain to send this specially crafted LDAP message. This attack can be performed by using anonymous access.
What systems are primarily at risk from the vulnerability?
Only Windows 2000 domain controllers are vulnerable.
I am running Windows 2000. What systems do I have to update?
The update to address this vulnerability must be installed on systems that are used as Windows 2000 domain controllers. However, the update can be safely installed on Windows 2000 Servers in other roles. Microsoft recommends that you install this update on systems that might be promoted to domain controllers in the future.
What does the update do?
The update removes the vulnerability by modifying the way that LSASS processes the specially crafted LDAP message.
PCT Vulnerability - CAN-2003-0719: |
A buffer overrun vulnerability exists in the Private Communications Transport (PCT) protocol, which is part of the Microsoft Secure Sockets Layer (SSL) library. Only systems that have SSL enabled, and in some cases Windows 2000 domain controllers, are vulnerable. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Mitigating Factors for PCT Vulnerability - CAN-2003-0719: |
| • | Only systems that have enabled SSL are affected, typically only server systems. SSL support is not enabled by default on any of the affected systems. However, SSL is generally used on Web servers to support electronic commerce programs, online banking, and other programs that require secure communications. |
| • | Windows Server 2003 is only vulnerable to this issue if an administrator has manually enabled PCT (even if SSL has been enabled). |
| • | In some situations, the Web Publishing features of ISA Server 2000 or Proxy Server 2.0 can successfully block attempts to exploit this vulnerability. Testing has shown that the Web publishing features of ISA Server 2000, with Packet Filtering enabled and all Packet Filtering options selected can successfully block this attack with no noticeable side effects. Proxy Server 2.0 also successfully blocks this attack. However, until the security update is applied on the Proxy Server 2.0 system, this attack causes Proxy Server 2.0 Web services to stop responding and the system must be restarted. |
| • | Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. |
Workarounds for PCT Vulnerability - CAN-2003-0719: |
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
| • | Disable PCT support through the registry This workaround is fully documented in Microsoft Knowledge Base Article 187498. This article is summarized below. The following steps demonstrate how to disable the PCT 1.0 protocol that prevents the affected system from negotiating its use. Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note It is a good idea to back up the registry before you edit it.
|
FAQ for PCT Vulnerability - CAN-2003-0719: |
What’s the scope of the vulnerability?
A buffer overrun vulnerability exists in the Private Communications Transport (PCT) protocol, which is part of the Microsoft Secure Sockets Layer (SSL) library. Only systems that have SSL enabled, and in some cases Windows 2000 domain controllers, are vulnerable.
All programs that use SSL could be affected. Although SSL is generally associated with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely to be vulnerable. This includes but is not limited to, Microsoft Internet Information Services 4.0, Microsoft Internet Information Services 5.0, Microsoft Internet Information Services 5.1, Microsoft Exchange Server 5.5, Microsoft Exchange Server 2000, Microsoft Exchange Server 2003, Microsoft Analysis Services 2000 (included with SQL Server 2000), and any third-party programs that use PCT. SQL Server 2000 is not vulnerable because it specifically blocks PCT connections.
Windows Server 2003 and Internet Information Services 6.0 are only vulnerable to this issue if an administrator has manually enabled PCT (even if SSL has been enabled).
An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
What causes the vulnerability?
The process used by the SSL Library to check message inputs.
What is the SSL library?
The Microsoft Secure Sockets Layer (SSL) library contains support for a number of secure communication protocols. These include Transport Layer Security 1.0 (TLS 1.0), Secure Sockets Layer 3.0 (SSL 3.0), and the older and seldom-used Secure Sockets Layer 2.0 (SSL 2.0), and Private Communication Technology 1.0 (PCT 1.0) protocol.
These protocols provide an encrypted connection between a server and a client system. SSL can help protect information when transmitted across public networks such as the Internet. SSL support requires an SSL certificate, which must be installed on a server. For more information about SSL, see Microsoft Knowledge Base Article 245152.
What is PCT?
Private Communication Technology (PCT) is a protocol developed by Microsoft and Visa International for encrypted communication on the Internet. It was developed as an alternative to SSL 2.0. It is similar to SSL. The message formats are similar enough that a server can interact with clients that support SSL as well as clients that support PCT.
PCT is an earlier protocol that has been replaced by SSL 3.0 and is no longer generally used. The Microsoft Secure Sockets Layer (SSL) library supports PCT only for backward compatibility. Most modern programs and servers use SSL 3.0, and PCT is no longer required. For more detailed information, visit the MSDN Library Web site.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
Who could exploit the vulnerability?
Any anonymous attacker who could deliver a specially crafted TCP message to an SSL enabled service on an affected system could attempt to exploit this vulnerability.
How could an attacker exploit this vulnerability?
An attacker could exploit this vulnerability by communicating with an affected system through an SSL enabled service and sending a specially crafted TCP message. Receipt of such a message could cause the affected service on the vulnerable system to fail in such a way that it could execute code.
An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely).
What systems are primarily at risk from the vulnerability?
All programs that use SSL could be affected. Although SSL is generally associated with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely to be vulnerable. This includes but is not limited to, Internet Information Services 4.0, Internet Information Services 5.0, Internet Information Services 5.1, Exchange Server 5.5, Exchange Server 2000, Exchange Server 2003, Analysis Services 2000 (included with SQL Server 2000), and any third-party programs that use PCT. SQL Server 2000 is not vulnerable because it specifically blocks PCT connections.
Windows Server 2003 and Internet Information Services 6.0 are only vulnerable to this issue if an administrator has manually enabled PCT (even if SSL has been enabled).
Active Directory domains that have an Enterprise Root certification authority installed are also affected by this vulnerability because Windows 2000 domain controllers will automatically listen for SSL connections.
How is Windows Server 2003 affected?
The way that Windows Server 2003 implements PCT contains the same buffer overrun that is found on other platforms. However, PCT is disabled by default. If the PCT protocol were enabled by using a registry key, Windows Server 2003 could then be vulnerable to this issue. Microsoft is therefore releasing a security update for Windows Server 2003 that corrects the buffer overrun while continuing to leave PCT disabled.
What does the update do?
The update removes the vulnerability by altering the way that the PCT implementation validates the information passed to it and also disables the PCT protocol.
Does this update introduce any behavioral changes?
Yes. While the update does address the vulnerability in PCT, it also disables PCT because this protocol is no longer used and has been replaced by SSL 3.0. This behavior is consistent with the default settings of Windows Server 2003. If administrators require the use of PCT, they can enable it by using the registry key that is described in the Workaround section of this bulletin.
Winlogon Vulnerability - CAN-2003-0806: |
A buffer overrun vulnerability exists in the Windows logon process (Winlogon). It does not check the size of a value used during the logon process before inserting it into the allocated buffer. The resulting overrun could allow an attacker to remotely execute code on an affected system. Systems that are not members of a domain are not affected by this vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Mitigating Factors for Winlogon Vulnerability - CAN-2003-0806: |
| • | Only Windows NT 4.0, Windows 2000, and Windows XP systems that are members of a domain are affected by this vulnerability. Windows Server 2003 is not affected by this vulnerability. |
| • | An attacker would require permission to modify user objects in a domain to attempt to exploit this vulnerability. Typically, only members of the Administrators or Account Operators groups would have this permission. However, this permission may have been delegated to other user accounts in the domain. |
| • | Domains typically support auditing of changes to user objects. These audit records could be reviewed to determine which user account may have maliciously modified other user accounts to attempt to exploit this vulnerability. |
Workarounds for Winlogon Vulnerability - CAN-2003-0806: |
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
| • | Reduce the number of users that have account modification permissions. To exploit this vulnerability an attacker requires the ability to modify user objects in the domain. Some organizations add user accounts to the Administrators or Account Operators groups unnecessarily. For example, if a Helpdesk representative only requires the ability to reset user passwords, the administrator should directly delegate that permission without adding the representative to the Account Operator group. Reducing the number of user accounts in administrative groups helps block known attack vectors. Only trusted employees should be members of administrative groups. For more information about domain best practices, visit the following Web site. |
FAQ for Winlogon Vulnerability - CAN-2003-0806: |
What is the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
What causes the vulnerability?
Winlogon reads a value from the domain but does not check the size of this value before inserting it into the allocated buffer.
What is winlogon?
The Windows logon process (Winlogon) is the component of the Windows operating system that provides interactive logon support. Winlogon.exe is the process that manages security-related user interactions in Windows. It handles logon and logoff requests, locking or unlocking the system, changing the password, and other requests. It reads data from the domain during the logon process and uses this data to configure a user’s environment. For more information about Winlogon, visit the MSDN Library Web site.
What is a domain?
A domain can be used to store information about virtually any network object such as printers, file share locations, and personal information. For more information about creating domains using Windows 2000 Server or Windows Server 2003, visit the following Web site.
What could this vulnerability enable an attacker to do?
An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
Who could exploit the vulnerability?
An attacker would require permission to modify user objects in a domain to attempt to exploit this vulnerability. Typically, only members of the Administrators or Account Operators groups would have this permission. However, this permission may have been delegated to other user accounts in the domain. User accounts that do not have this permission or anonymous users could not exploit this vulnerability.
How could an attacker exploit this vulnerability?
An attacker could specially modify a value stored in the domain to include malicious data. When this value is passed to an unchecked buffer in Winlogon during the logon process, Winlogon could allow malicious code to be executed.
What systems are primarily at risk from the vulnerability?
Only Windows NT 4.0, Windows 2000, and Windows XP systems that are members of a domain are affected by this vulnerability.
What does the update do?
This update removes the vulnerability by modifying the way the Winlogon process validates the length of a value before passing it to the allocated buffer.
Metafile Vulnerability - CAN-2003-0906: |
A buffer overrun vulnerability exists in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats that could allow remote code execution on an affected system. Any program that renders WMF or EMF images on the affected systems could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Mitigating Factors for Metafile Vulnerability - CAN-2003-0906: |
| • | The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file or to view a directory that contains the specially crafted image. There is no way for an attacker to force a user to open a malicious file. |
| • | In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. |
| • | An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges. |
| • | Windows Server 2003 is not affected by this vulnerability. |
Workarounds for Metafile Vulnerability - CAN-2003-0906: |
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
| • | Read e-mail messages in plain text format if you are using Outlook 2002 or later, or Outlook Express 6 SP1 or later, to help protect yourself from the HTML e-mail attack vector. Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or later and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 can enable this setting and view all non-digitally signed e-mail messages or non-encrypted e-mail messages in plain text only. Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about enabling this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594. For information about this setting in Outlook Express 6, see Microsoft Knowledge Base Article 291387. Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. In addition:
|
FAQ for Metafile Vulnerability - CAN-2003-0906: |
What is the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
What causes the vulnerability?
An unchecked buffer in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats.
What are Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats?
A WMF image is a 16-bit metafile format that can contain both vector information and bitmap information. It is optimized for the Windows operating system.
An EMF image is a 32-bit format that can contain both vector information and bitmap information. This format is an improvement over the Windows Metafile Format and contains extended features.
For more information about image types and formats, see Microsoft Knowledge Base Article 320314. Additional information about these file formats is also available at the MSDN Library Web Site.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
How could an attacker exploit this vulnerability?
Any program that renders the affected image types could be vulnerable to this attack. Here are some examples:
| • | An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer 6 and then persuade a user to view the Web site. |
| • | An attacker could also create an HTML e-mail message that has a specially crafted image attached. The specially crafted image could be designed to exploit this vulnerability through Outlook 2002 or Outlook Express 6. An attacker could persuade the user to view the HTML e-mail message. |
| • | An attacker could embed a specially crafted image in an Office document and then persuade the user to view the document. |
| • | An attacker could add a specially crafted image to the local file system or onto a network share and then persuade the user to preview the directory using Windows Explorer in Windows XP. |
What systems are primarily at risk from the vulnerability?
The vulnerability could only be exploited on the affected systems by an attacker who persuaded a user to open a specially crafted file or view a directory that contains the specially crafted image. There is no way for an attacker to force a user to open a malicious file.
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
What does the update do?
The update removes the vulnerability by modifying the way that Windows validates the affected image types.
Help and Support Center Vulnerability - CAN-2003-0907: |
A remote code execution vulnerability exists in the Help and Support Center because of the way that it handles HCP URL validation. An attacker could exploit the vulnerability by constructing a malicious HCP URL that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Mitigating Factors for Help and Support Center Vulnerability - CAN-2003-0907: |
| • | In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. | ||||||
| • | By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. The Restricted sites zone helps reduce attacks that could attempt to exploit this vulnerability. The risk of attack from the HTML e-mail vector can be significantly reduced if you meet all of the following conditions:
| ||||||
| • | An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges. | ||||||
| • | Windows NT 4.0 and Windows 2000 are not affected by this vulnerability. |
Workarounds for Help and Support Center Vulnerability - CAN-2003-0907: |
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
| • | Unregister the HCP Protocol. To help prevent an attack, unregister the HCP Protocol by deleting the following key from the registry: HKEY_CLASSES_ROOT\HCP. To do so, follow these steps:
Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Impact of Workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work. | ||||||||
| • | Install Outlook E-mail Security Update if you are using Outlook 2000 SP1 or earlier. By default, Outlook Express 6, Outlook 2002 and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Customers who use any of these products could be at a reduced risk from an e-mail-borne attack that tries to exploit this vulnerability unless the user clicks a malicious link in the e-mail message. | ||||||||
| • | Read e-mail messages in plain text format if you are using Outlook 2002 or later, or Outlook Express 6 SP1 or later, to help protect yourself from the HTML e-mail attack vector. Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or later and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 can enable this setting and view all non-digitally signed e-mail messages or non-encrypted e-mail messages in plain text only. Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about enabling this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594. For information about this setting in Outlook Express 6, see Microsoft Knowledge Base Article 291387. Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. In addition:
|
FAQ for Help and Support Center Vulnerability - CAN-2003-0907: |
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could gain complete control over an affected system. An attacker could take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts that have full privileges.
What causes the vulnerability?
The process used by the Help and Support Center to validate data inputs.
What is the Help and Support Center?
Help and Support Center (HSC) is a feature in Windows that provides help on a variety of topics. For example, HSC can teach users about Windows features, how to download and install software updates, how to determine whether a particular hardware device is compatible with Windows, and how to receive help from Microsoft. Users and programs can use URL links to Help and Support Center by using the "hcp://" prefix in a URL link instead of “http://”.
What is the HCP protocol?
Similar to the way that the HTTP protocol can use execute URL links to open a Web browser, the HCP protocol can execute URL links to open the Help and Support Center feature.
What is wrong with the Help and Support Center?
An error in input validation occurs.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would have to host a malicious Web site and then persuade a user to view that Web site. An attacker could also create an HTML e-mail message that has a specially crafted link, and then persuade a user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, an Internet Explorer window could open with an HCP URL of the attacker's choice, which could then allow arbitrary code execution.
What systems are primarily at risk from the vulnerability?
Windows XP and Windows Server 2003 contain the affected version of Help and Support Center. Windows NT 4.0 and Windows 2000 are not affected because they do not contain the Help and Support Center.
I am running Internet Explorer on Windows Server 2003. Does Windows Server 2003 mitigate this vulnerability?
No. By default Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as the Internet Explorer Enhanced Security Configuration. However, the HCP protocol is allowed to access the Help and Support Center by default. Therefore, Windows Server 2003 is vulnerable. For more information about Internet Explorer Enhanced Security Configuration, visit the following Web site.
What does the update do?
This update removes the vulnerability by modifying the validation of data passed to the Help and Support Center.
Utility Manager Vulnerability - CAN-2003-0908: |
A privilege elevation vulnerability exists in the way that Utility Manager launches applications. A logged-on user could force Utility Manager to start an application with system privileges and take complete control of the system.
Mitigating Factors for Utility Manager Vulnerability - CAN-2003-0908: |
| • | An attacker must have valid logon credentials to exploit the vulnerability. The vulnerability could not be exploited by anonymous users. |
| • | Windows NT 4.0, Windows XP, and Windows Server 2003 are not affected by this vulnerability. Windows NT 4.0 does not implement the Utility Manager. |
| • | The Windows 2000 Hardening Guide recommends disabling the Utility Manger service. Environments that comply with these guidelines could be at a reduced risk from this vulnerability. |
Workarounds for Utility Manager Vulnerability - CAN-2003-0908: |
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
| • | Use Group Policies to disable the Utility Manager on all affected systems that do not require this feature. Because the Utility Manager is a possible attack vector, disable it using Group Policies. The Utility Manager process name is Utilman.exe. The following guide provides information about how to require users to run only approved applications using Group Policies. Note You may also review the Windows 2000 Hardening Guide. This guide includes information about how to disable the Utility Manager. Impact of Workaround: The Utility Manager provides easy access to many of the accessibility features of the operating system. This access would be unavailable until the restrictions are removed. To find information about how to manually start many of the accessibility features, visit this Web site. |
FAQ for Utility Manager Vulnerability - CAN-2003-0908: |
What is the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
What causes the vulnerability?
The process used by Utility Manager to launch applications. It is possible that Utility Manager could launch applications with system privileges.
What is Utility Manager?
Utility Manager is an accessibility utility that allows users to check the status of accessibility programs such as Microsoft Magnifier, Narrator, or On-Screen Keyboard, and to start or stop them.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
Who could exploit the vulnerability?
An attacker must be able to log on to the system and then, after starting Utility Manager, run a program that sends a specially crafted message to Utility Manager to attempt to exploit the vulnerability.
How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would first have to start Utility Manager on Windows 2000 and then run a specially designed application that could exploit the vulnerability. In default configurations of Window 2000, Utility Manager is installed but is not running. This vulnerability could allow an attacker to gain complete control over a Windows 2000 system.
What systems are primarily at risk from the vulnerability?
Only Windows 2000 is affected by this vulnerability. Workstations and terminal servers that are based on Windows 2000 are primarily at risk. Servers are only at risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.
I am using Windows 2000, but I am not using Utility Manager or any of the accessibility features. Am I still vulnerable?
Yes. By default, Utility Manager is installed and enabled. However, Utility Manager is not running by default.
Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system targeted for attack. An attacker cannot load and run a program remotely using this vulnerability.
What does the update do?
This update removes the vulnerability by modifying the way that Utility Manager launches applications.
Windows Management Vulnerability - CAN-2003-0909 |
A privilege elevation vulnerability exists in the way that Windows XP allows tasks to be created. Under special conditions, a non-privileged user could create a task that could execute with system permissions and therefore take complete control of the system.
Mitigating Factors for Windows Management Vulnerability - CAN-2003-0909: |
| • | An attacker must have valid logon credentials to exploit the vulnerability. The vulnerability could not be exploited by an anonymous user. |
| • | Windows NT 4.0, Windows 2000, and Windows Server 2003 are not affected by this vulnerability. |
Workarounds for Windows Management Vulnerability - CAN-2003-0909: |
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
Delete the affected Windows Management Interface Provider.
An administrator with local administrative permissions can delete the affected Windows Management Interface (WMI) Provider by inserting the following script into a text file that has a ‘.vbs’ file name extension and then running it.
To delete the affected WMI Provider:
set osvc = getobject("winmgmts:root\cimv2")
set otrigger = osvc.get("__win32provider='cmdtriggerconsumer'")
otrigger.delete_
The installation of the update automatically re-registers the affected WMI Provider that is referenced above. You do not have to take any additional steps to restore the system to typical functionality after the update has been applied.
Impact of Workaround: Tasks that are created as event-based triggers will not function while this provider is not registered. For more information about event-based triggers, visit the following Web site.
Note In rare cases, Windows XP could re-register this WMI Provider. For example, if Windows XP detects that the WMI repository has become corrupted, it could try to re-register the affected WMI Provider.
FAQ for Windows Management Vulnerability - CAN-2003-0909: |
What is the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
What causes the vulnerability?
Under special conditions, a non-privileged user of Microsoft Windows XP could create a task that could execute with system permissions.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
How could an attacker exploit this vulnerability?
To exploit the vulnerability, an attacker must be able to log on to the system and create a task. Because an attacker must have valid logon credentials to exploit the vulnerability, remote systems are not at risk.
What systems are primarily at risk from the vulnerability?
Only Windows XP is affected by this vulnerability.
What does the update do?
The update removes the vulnerability by preventing users from creating tasks at an elevated level of privilege.
Does this update contain any other behavioral changes?
Yes. This update also includes several changes in functionality, documented below:
| • | Before this update, a user could sometimes create event-based triggers by using the Eventtriggers.exe command-line tool without having to supply a user name and password. After this update has been installed, a user may have to supply a valid user name and password to create event-based-triggers using Eventttrigers.exe. For detailed information about the Eventtriggers.exe command-line options, visit the following Web site. |
| • | Previously, administrators could create event-based triggers with the Task Scheduler service stopped or disabled. Now, the Task Scheduler service must be running. For more information about Task Scheduler, visit the following Web site. |
| • | A new limit of 1,000 triggers has also been established as part of this update. Existing event-based triggers over this limit will continue to function after the update has been installed. However, no additional event-based triggers may be created. |
| • | Permissions have been strengthened on event-based triggers that are created after the update has been installed. |
Local Descriptor Table Vulnerability - CAN-2003-0910 |
A privilege elevation vulnerability exists in a programming interface that is used to create entries in the Local Descriptor Table (LDT). These entries contain information about segments of memory. An attacker who is logged on locally, could create a malicious entry and thereby gain access to protected memory, could take complete control of the system.
Mitigating Factors for Local Descriptor Table Vulnerability - CAN-2003-0910: |
| • | An attacker must have valid logon credentials and be able to logon locally to exploit this vulnerability. It could not be exploited remotely. |
| • | Windows XP and Windows Server 2003 are not affected by this vulnerability. |
Workarounds for Local Descriptor Table Vulnerability - CAN-2003-0910: |
None.
FAQ for Local Descriptor Table Vulnerability - CAN-2003-0910: |
What is the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
What causes the vulnerability?
The programming interface that is used to create entries in the LDT. These entries contain information about segments of memory. An attacker could create a malicious entry to gain access to protected kernel memory.
What is the Local Descriptor Table?
The Local Descriptor Table (LDT) contains entries called descriptors. These descriptors contain information that defines a particular segment of memory.
What is wrong with the way that a descriptor entry can be created in the LDT?
The programming interface should not allow programs to create descriptor entries in the LDT that point to areas of protected memory.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited the vulnerability could take complete control of the affected system. An attacker could take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts that have full privileges.
Who could exploit the vulnerability?
An attacker must be able to log on locally to the system and run a program to exploit this vulnerability.
How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially designed program that could exploit the vulnerability and potentially gain complete control over the affected system.
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers are only at risk if users who do not have sufficient administrative credentials are given the ability to log on and to run programs. However, best practices strongly discourage allowing this.
Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system targeted for attack. An attacker cannot load and run a program remotely using this vulnerability.
What does the update do?
The update removes the vulnerability by modifying the way descriptors entries are created in the LDT.
H.323 Vulnerability - CAN-2004-0117 |