Rocky Mountain Computer Supply

Serving Helena and the Surrounding Areas Since 2002


Here you will find the Security Bulletin post for Windows NT 4.0 Workstation w/service pack 5

Choose your NT4.0 WKSTN Service Pack below...

March 2001

MS01-017 : Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard

October 2000

MS00-081 : New Variant of VM File Reading Vulnerability

August 2000

MS00-059 : Java VM Applet Vulnerability

July 2000

MS00-052 : Relative Shell Path Vulnerability

MS00-047 : NetBIOS Name Server Protocol Spoofing Vulnerability

June 2000

MS00-040 : Remote Registry Access Authentication Vulnerability

May 2000

MS00-036 : ResetBrowser Frame and Host Announcement Frame Vulnerabilities

April 2000

MS00-027 : Malformed Environment Variable Vulnerability

MS00-024 : OffloadModExpo Registry Permissions Vulnerability

March 2000

MS00-008 : Registry Permissions Vulnerability

February 2000

MS00-011 : VM File Reading Vulnerability

January 2000

Microsoft Security Bulletin (MS00-004)

Patch Available for 'RDISK Registry Enumeration File' Vulnerability

Originally Posted: January 21, 2000
Revised: February 4, 2000

Summary

On January 21, 2000, Microsoft released the original version of this bulletin, discussing a security vulnerability in a Microsoft® Windows NT 4.0 administrative utility. The original version of the bulletin discussed the vulnerability within the context of Windows NT 4.0 Server, Terminal Server Edition. However, we have since learned of scenarios under which the vulnerability could also affect Windows NT 4.0 servers and workstations, and have revised the bulletin accordingly.

The utility creates a temporary file during execution that can contain security-sensitive information, but does not appropriately restrict access to it. Under certain conditions, it could be possible for a malicious user to read the file as it was being created.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq00-004.mspx.

Issue 

The RDISK utility is used to create an Emergency Repair Disk (ERD) in order to record machine state information as a contingency against system failure. During execution, RDISK creates a temporary file containing an enumeration of the registry. The ACLs on the file allow global read permission, and as a result, a malicious user who knew that the administrator was running RDISK could open the file and read the registry enumeration information as it was being created. RDISK erases the file upon successful completion, so under normal conditions there would be no lasting vulnerability. 

By default, the file is not shared and therefore could not be read by other network users. 

Affected Software Versions 

• Microsoft Windows NT 4.0 Workstation 

• Microsoft Windows NT 4.0 Server 

• Microsoft Windows NT 4.0, Enterprise Edition 

• Microsoft Windows NT 4.0, Terminal Server Edition 


Vulnerability Identifier: CVE-2000-0089

 

Microsoft Security Bulletin (MS00-005)

Patch Available for "Malformed RTF Control Word" Vulnerability

Originally Posted: January 17, 2000

Summary

Microsoft has released a patch that eliminates a security vulnerability in the Rich Text Format (RTF) reader that ships as part of Microsoft® Windows® 95 and 98, and Windows NT® 4.0. Under certain conditions, the vulnerability could be used to cause email programs to crash.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq00-005.mspx 

Issue 

RTF files consist of text and control information. The control information is specified via directives called control words. The default RTF reader that ships as part of many Windows platforms has an unchecked buffer in the portion of the reader that parses control words. If an RTF file contains a specially-malformed control word, it could cause the application to crash. 

Microsoft believes that this is a denial of service vulnerability only, and that there is no capability to use this vulnerability to run arbitrary code. The most serious risk from this vulnerability would result if a user had preview mode enabled on a mail program like Outlook, and received an email that exploited the vulnerability. Because preview mode causes the mail to be parsed without user assent, the mail program would continue to crash until a subsequent mail was received or the mail program was started with preview mode disabled. 

Affected Software Versions 

• Microsoft Windows 95 

• Microsoft Windows 98 

• Microsoft Windows 98 Second Edition 

• Microsoft Windows NT 4.0 Workstation 

• Microsoft Windows NT 4.0 Server 

• Microsoft Windows NT 4.0 Server, Enterprise Edition 

• Microsoft Windows NT 4.0 Server, Terminal Server Edition 

NOTE: Windows 2000 is not affected by this vulnerability. 


Vulnerability Identifier: CVE-2000-0073

December 2002

Microsoft Security Bulletin (MS99-057)

Patch Available for "Malformed Security Identifier Request" Vulnerability

Originally Posted: December 16, 2002

Summary

Microsoft has released a patch that eliminates a vulnerability in Microsoft® Windows NT® 4.0. The vulnerability could allow a malicious user to cause a Windows NT machine to stop responding to requests for service. The patch for this vulnerability is included in the previously-released patch for the "Syskey Keystream Reuse" vulnerability; customers who have already applied it do not need to take any further action.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-057.mspx.

Issue

The Windows NT Local Security Authority (LSA) provides a number of functions for enumerating and manipulating security information. One of these functions, LsaLookupSids(), is used to determine the Security Identifier (SID) associated with a particular user or group name. A flaw in the implementation of this function causes it to incorrectly handle certain types of invalid arguments. If an affected call were made to this function, it would cause the LSA to crash, thereby preventing the machine from performing useful work.

An affected machine could be put back into service by rebooting, with the loss of any work that was in progress at the time. Remote attacks via this vulnerability would not be possible if NetBIOS is filtered at the firewall.

Affected Software Versions

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

Microsoft Windows NT Server 4.0, Enterprise Edition

Microsoft Windows NT Server 4.0, Terminal Server Edition

Vulnerability Identifier: CVE-2002-0995

 

Microsoft Security Bulletin (MS99-056)

Patch Available for "Syskey Keystream Reuse" Vulnerability

Originally Posted: December 16, 2002

Summary

Microsoft has released a patch that eliminates a vulnerability in Syskey, a utility that provides additional protection for Microsoft® Windows NT® password databases. The vulnerability allows a particular cryptanalytic attack to be effective against Syskey, significantly reducing the strength of the protection it offers. The patch eliminates the vulnerability and restores strong protection to the password database.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-056.mspx.

Issue

Syskey is a utility that strongly encrypts the hashed password information in the SAM database in order to protect it against offline password cracking attacks. However, Syskey reuses the keystream used to perform some of the encryption. This significantly reduces the strength of the protection it provides by enabling a well-known cryptanalytic attack to be used against it.

A patch is available that eliminates the key reuse vulnerability and again makes it computationally infeasible to mount a brute-force attack against the SAM database when Syskey has been applied.
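Why keystream reuse weakens the protection described above, as an added example (not Microsoft's code and not Syskey's actual algorithm): a stand-in stream cipher built from SHA-256 encrypts two constructed 16-byte records, once with a shared keystream and once with a per-record keystream. The function names, record identifiers and sample values are assumptions made for illustration.

```python
import hashlib


def keystream(key: bytes, context: bytes, length: int) -> bytes:
    """Stand-in generator (assumption): SHA-256(key || context || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + context + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_reused(key, records):
    """Flawed scheme: one keystream, derived from the key alone, for every record."""
    return {rid: xor(pt, keystream(key, b"", len(pt))) for rid, pt in records.items()}


def encrypt_per_record(key, records):
    """Corrected scheme: the record identifier is mixed in, so no keystream repeats."""
    return {rid: xor(pt, keystream(key, rid, len(pt))) for rid, pt in records.items()}


def relation_leaks(cts, records, a, b):
    """True when C_a xor C_b equals P_a xor P_b, i.e. the key has cancelled out."""
    return xor(cts[a], cts[b]) == xor(records[a], records[b])


def recover_from_known(cts, known_id, known_pt, target_id):
    """C_known xor P_known yields the keystream; applying it to C_target decrypts
    the target only if both records were encrypted under that same keystream."""
    return xor(xor(cts[known_id], known_pt), cts[target_id])


# Constructed sample data: 16-byte values standing in for stored password hashes.
KEY = hashlib.sha256(b"constructed system key").digest()
RECORDS = {
    b"rid-1000": hashlib.sha256(b"constructed-sample-one").digest()[:16],
    b"rid-1001": hashlib.sha256(b"constructed-sample-two").digest()[:16],
}


def demo():
    """Run both schemes over the sample records and report what each one leaks."""
    a, b = b"rid-1000", b"rid-1001"
    results = {}
    for name, scheme in (("reused", encrypt_reused), ("per_record", encrypt_per_record)):
        cts = scheme(KEY, RECORDS)
        results[name] = {
            "relation_leaks": relation_leaks(cts, RECORDS, a, b),
            "target_recovered": recover_from_known(cts, a, RECORDS[a], b) == RECORDS[b],
        }
    return results


if __name__ == "__main__":
    for scheme_name, outcome in demo().items():
        print(scheme_name, outcome)
```

With a reused keystream the key drops out of the comparison entirely, so the strength of the key no longer matters; with a distinct keystream per record neither check succeeds.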

Affected Software Versions

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

Microsoft Windows NT Server 4.0, Enterprise Edition

Microsoft Windows NT Server 4.0, Terminal Server Edition

Vulnerability Identifier: CVE-2002-0994

October 2002

Microsoft Security Program: Microsoft Security Bulletin (MS99-046)

Patch Available to Improve TCP Initial Sequence Number Randomness

Originally Posted: October 22, 2002
Updated: December 23, 2002

Summary

Microsoft has released a patch that significantly improves the randomness of the TCP initial sequence numbers (ISNs) generated by the TCP/IP stack in Microsoft® Windows NT® 4.0. Improving the randomness of ISNs eliminates a class of potential attacks against Windows NT 4.0 systems.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-046.mspx.

Issue

The ISNs used in TCP/IP sessions should be as random as possible in order to prevent attacks such as IP address spoofing and session hijacking. This patch improves the randomness of the Windows NT 4.0 TCP/IP ISN generation, providing 15 bits of entropy.

Affected Software Versions

Microsoft Windows NT 4.0 Workstation

Microsoft Windows NT 4.0 Server

Microsoft Windows NT 4.0 Server, Enterprise Edition

Microsoft Windows NT 4.0 Server, Terminal Server Edition

Vulnerability Identifier: CVE-2000-0328

 

Microsoft Security Program: Microsoft Security Bulletin (MS99-045)

Patch Available for "Virtual Machine Verifier" Vulnerability

Patch Availability Information Updated: March 21, 2003
Originally Posted: October 21, 2002

Summary

Microsoft has released a new version of the Microsoft® virtual machine (Microsoft VM) that eliminates a security vulnerability that could allow a Java applet to take unauthorized actions on the computer of a web site visitor. Although no standard Java compiler can generate such an applet, a Java applet constructed by hand with a Java bytecode assembler could bypass the sandbox and take virtually any action on the computer that the user would be capable of taking.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-045.mspx.

Issue

The Microsoft VM is a virtual machine for the Win32® operating environment. It runs atop Microsoft Windows® 95, 98 or Windows NT®. It ships as part of each operating system, and also as part of Microsoft Internet Explorer.

The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.0 and Internet Explorer 5.0 contains a security vulnerability in the bytecode verifier that could allow a Java applet to operate outside the bounds set by the sandbox. If hosted on a web site, it could cause any action to be taken on the computer of a visiting user that the user himself could take. This could include, for example, creating, deleting or modifying files, sending data to or receiving data from a web site, or reformatting the hard drive.

Affected Software Versions

Versions of the Microsoft VM are identified by build numbers, which can be determined using the JVIEW tool, as discussed in the FAQ. The following builds of the Microsoft VM are affected:

All builds in the 2000 series prior to but not including build 2442

All builds in the 3000 series prior to but not including build 3188

Note    The Microsoft VM ships as part of several products. However, the primary ship vehicle is Internet Explorer. IE 4 ships with builds in the 2000 series; IE 5 ships with builds in the 3000 series.

Vulnerability Identifier: CVE-2000-0327

September 2002

Microsoft Security Program: Microsoft Security Bulletin (MS99-036)

Windows NT 4.0 Does Not Delete Unattended Installation File

Originally Posted: September 10, 2002

Summary

When an unattended installation of Microsoft® Windows NT® 4.0 completes, a copy of the file that contains installation parameters remains on the hard drive. Depending on the method that was used to perform the installation and the specific installation parameters that were selected, the file could contain sensitive information, potentially including the local Administrator password.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-036.mspx 

Issue

When an unattended installation of Windows NT 4.0 is performed, the installation parameters are included in a file named Unattend.txt. A vulnerability exists because the installation process copies the parameter file to a file in %windir%\system32 ($winnt$.inf for a normal unattended installation, or $nt4pre$.inf if Sysprep was used) but does not delete it when the installation completes. By default, this file can be read by any user who can perform an interactive logon. If sensitive information such as account passwords were provided in the installation parameters file, the information could be compromised.

As discussed in the FAQ, the degree of risk from this vulnerability varies depending on the particular installation. However, in general, workstations and terminal servers deployed using the Sysprep tool would be at greatest risk from it.
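A check for the leftover files named above, as an added example (not Microsoft's tooling): it looks under a given Windows directory for $winnt$.inf and $nt4pre$.inf and reports which sections hold password-bearing keys, without echoing the values. The function names are assumptions, and the sample answer file, including its key names, is constructed for illustration.

```python
import os
import tempfile

# File names taken from the bulletin text; both live in %windir%\system32.
LEFTOVER_NAMES = ("$winnt$.inf", "$nt4pre$.inf")

# Constructed sample answer file (key names and values are illustrative only).
SAMPLE_ANSWER_FILE = """\
; constructed sample, not from a real installation
[Unattended]
OemPreinstall = no

[GuiUnattended]
AdminPassword = "constructed-example"
TimeZone = "(GMT-07:00) Mountain Time (US & Canada)"

[UserData]
FullName = "Example User"
"""


def find_password_keys(text):
    """Return (section, key) pairs whose key name mentions a password and whose
    value is non-empty. Values are deliberately left out of the result."""
    findings = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep and "password" in key.lower() and value.strip().strip('"'):
            findings.append((section, key.strip()))
    return findings


def audit_windir(windir):
    """Map each leftover file found under <windir>/system32 to its findings.
    A file that exists but has no password keys maps to an empty list."""
    report = {}
    for name in LEFTOVER_NAMES:
        path = os.path.join(windir, "system32", name)
        if os.path.isfile(path):
            with open(path, encoding="latin-1") as handle:
                report[name] = find_password_keys(handle.read())
    return report


def audit_sample():
    """Audit a temporary directory before and after the sample file is planted."""
    with tempfile.TemporaryDirectory() as windir:
        os.makedirs(os.path.join(windir, "system32"))
        before = audit_windir(windir)
        sample_path = os.path.join(windir, "system32", "$winnt$.inf")
        with open(sample_path, "w", encoding="latin-1") as handle:
            handle.write(SAMPLE_ANSWER_FILE)
        after = audit_windir(windir)
    return before, after


if __name__ == "__main__":
    clean, flagged = audit_sample()
    print("clean tree:", clean)
    print("after unattended install:", flagged)
```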

Affected Software Versions

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

Microsoft Windows NT Server 4.0, Enterprise Edition

Microsoft Windows NT Server 4.0, Terminal Server Edition

Vulnerability Identifier: CVE-2002-0701

 

Microsoft Security Program: Microsoft Security Bulletin (MS99-034)

Patch Available for "Fragmented IGMP Packet" Vulnerability

Patch Availability Information Updated: March 21, 2003
Revised: September 09, 2002
Originally Posted: September 03, 2002

Summary

Microsoft has released a patch that eliminates a vulnerability in the TCP/IP stack implementations of Microsoft® Windows® 95, Windows 98® and Windows NT® 4.0. Fragmented IGMP packets can cause a variety of problems in Windows 95 and 98, up to and including causing the machine to crash. Windows NT 4.0 contains the same vulnerability, but other system mechanisms make a successful attack much more difficult.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-034.mspx 

Issue

By sending fragmented IGMP packets to a Windows 95, 98 or Windows NT 4.0 machine, it is possible to disrupt the normal operation of the machine. This vulnerability primarily affects Windows 95 and 98 machines. Depending on a variety of factors, sending such packets to a Windows 95 or 98 machine may elicit behavior ranging from slow performance to crashing.

Windows NT contains the same vulnerability, but other system mechanisms compensate and make it much more difficult to mount a successful attack.

Affected Software Versions

Microsoft Windows 95

Microsoft Windows 98

Microsoft Windows 98 Second Edition

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

Microsoft Windows NT Server 4.0, Enterprise Edition

Microsoft Windows NT Server 4.0, Terminal Server Edition

Vulnerability Identifier: CVE-2002-0918

August 2002

Microsoft Security Program: Microsoft Security Bulletin (MS99-031)

Patch Available for "Virtual Machine Sandbox" Vulnerability

Version Availability Updated: March 21, 2003
Revised: September 08, 2002
Originally Posted: August 25, 2002

Summary

Microsoft has released a new version of the Microsoft® virtual machine (Microsoft VM) that eliminates a security vulnerability that could allow a Java applet to take unauthorized actions on the computer of a web site visitor.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-031.mspx 

Issue

The Microsoft VM is a virtual machine for the Win32® operating environment. It runs atop Microsoft Windows® 95, 98 or Windows NT®. It ships as part of each operating system, and also as part of Microsoft Internet Explorer. The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.0 and Internet Explorer 5.0 contains a security vulnerability that could allow a Java applet to operate outside the bounds set by the sandbox and take any desired action on the user's computer. If such an applet were hosted on a web site, it could act against the computer of any user who visited the site.

Affected Software Versions

Microsoft VM, all builds in the 2000 series (before, but not including, build 2439) and 3000 series (before, but not including, build 3186)

Note    The affected versions shipped primarily as part of Internet Explorer 4.0 and 5. The FAQ provides instructions for determining the specific build on your machine.

Vulnerability Identifier: CVE-2002-0766

July 2002

Microsoft Security Advisor Program: Microsoft Security Bulletin (MS99-026)

Patch Available for "Malformed Dialer Entry" Vulnerability

Patch Availability Information Updated: March 21, 2003
Originally Posted: July 29, 2002

Summary

Microsoft has released a patch that eliminates a security vulnerability in the Phone Dialer accessory in Microsoft® Windows NT®. The vulnerability could be used to run arbitrary code in a user's security context on Windows NT systems.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-026.mspx 

Issue

Dialer.exe has an unchecked buffer in the portion of the program that processes the dialer.ini file. This vulnerability could be used to run arbitrary code via a classic buffer overrun technique.

The circumstances of this vulnerability require a fairly complicated attack scenario that limits its scope. Dialer.exe runs in the security context of the user, so it would not benefit an attacker to simply modify a dialer.ini file and run it, as he or she would not gain additional privileges. Instead, the attacker would need to modify the dialer.ini file of another user who had higher privileges, then wait for that user to run Dialer.

Although the unchecked buffer is present in all versions of Windows NT 4.0, the attack scenario would result in workstations that have dial-out capability being chiefly at risk. The FAQ discusses this in greater detail.

Affected Software Versions

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

Microsoft Windows NT Server 4.0, Enterprise Edition

Microsoft Windows NT Server 4.0, Terminal Server Edition

Vulnerability Identifier: CVE-2002-0700

 

Microsoft Security Advisor Program: Microsoft Security Bulletin (MS99-024)

Patch Available for "Unprotected IOCTLs" Vulnerability

Patch Availability Information Updated: March 10, 2003
Originally Posted: July 06, 2002

Summary

Microsoft has released a patch that eliminates a vulnerability that could allow denial of service attacks against a Microsoft® Windows NT® workstation, server or terminal server. An unprivileged program can disable the local mouse or keyboard on a server or workstation, and disable the console mouse or keyboard on a terminal server.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-024.mspx 

Issue

The IOCTLs that are used to obtain services from the keyboard and mouse drivers in Windows NT do not require that the calling program have administrative privileges. A user-level program could use legitimate calls to disable the mouse and keyboard, after which the machine would need to be rebooted to restore normal service. On a terminal server, such a program could disable the keyboard and mouse on the console.

Affected Software Versions

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

Microsoft Windows NT Server 4.0, Enterprise Edition

Microsoft Windows NT Server 4.0, Terminal Server Edition

Vulnerability Identifier: CVE-2002-0728

 

June 2002

Microsoft Security Advisor Program: Microsoft Security Bulletin (MS99-023)

Patch Available for "Malformed Image Header" Vulnerability

Patch Availability Information Updated: March 10, 2003
Originally Posted: June 30, 2002

Summary

Microsoft has released a patch that eliminates a vulnerability that could allow denial of service attacks against Microsoft® Windows NT® servers, workstations, and terminal servers. This patch already is available as part of Windows NT Server Service Pack 5, but is being provided as a stand-alone patch for the benefit of users who have entered Y2K lockdown on Service Pack 4.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-023.mspx 

Issue

If an executable file with a specially-malformed image header is executed, it will cause a system failure. The affected machine will need to be rebooted in order to place it back in service. Any work that was in progress when the machine crashed could be lost.

Affected Software Versions

Microsoft Windows NT Server 4.0

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0, Terminal Server Edition

Vulnerability Identifier: CVE-2002-0726

 

Microsoft Security Advisor Program: Microsoft Security Bulletin (MS99-021)

Patch Available for "CSRSS Worker Thread Exhaustion" Vulnerability

Patch Availability Information Updated: March 10, 2003
Originally Posted: June 23, 2002

Summary

Microsoft has released a patch that eliminates a vulnerability in the Microsoft® Windows NT® CSRSS process that could be used to create a denial of service condition against a machine that allows interactive logons.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-021.mspx 

Issue

If all worker threads in CSRSS.EXE are occupied awaiting user input, no other requests can be serviced, effectively causing the server to hang. When user input is provided, processing returns to normal. The patch eliminates the vulnerability by ensuring that the last CSRSS worker thread services only requests that do not require user input.

Affected Software Versions

Microsoft Windows NT 4.0 Workstation

Microsoft Windows NT 4.0 Server

Microsoft Windows NT 4.0 Server, Enterprise Edition

Vulnerability Identifier: CVE-2002-0723

 

May 2002

Microsoft Security Advisor Program: Microsoft Security Bulletin (MS99-017)

Patch Available for "RAS and RRAS Password" Vulnerability

Patch Availability Information Updated: March 21, 2003
Originally Posted: May 27, 2002

Summary

Microsoft has released a patch that eliminates a vulnerability in the Microsoft® Windows NT® Remote Access Service (RAS) and Routing and Remote Access Service (RRAS) clients, in which a user's password is cached even if the user de-selects the "Save password" option.

Issue

When the client software for Microsoft RAS or RRAS is used to dial into a server, a dialogue requests the user's userid and password for the server. On the same dialogue is a checkbox whose caption reads "Save password" and which is intended to provide the user with the option to cache their security credentials if desired. However, the implemented client functionality actually caches the user's credentials regardless of whether the checkbox is selected or de-selected.

Cached security credentials, which include the password, are stored and encrypted in the registry and protected by ACLs whose default values authorize only local administrators and the owner of the credentials to access them. Windows NT 4.0 Service Pack 4 also provides the ability to strongly encrypt the password data stored in the registry using the SYSKEY feature.

While there are no reports of customers being adversely affected by this vulnerability, Microsoft is proactively releasing a patch that restores correct functionality to the password caching function. The patch should be applied to all machines that are used as RAS or RRAS clients. It is important to note that RRAS servers also can be used as RAS clients, and any machines used in such a capacity should have the patch applied as well.

Affected Software Versions

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

Microsoft Windows NT Server 4.0, Enterprise Edition

Vulnerability Identifier: CVE-2002-0755

 

Microsoft Security Advisor Program: Microsoft Security Bulletin (MS99-015)

Patch Available for "Malformed Help File" Vulnerability

Patch Availability Information Updated: March 10, 2003
Originally Posted: May 17, 2002

Summary

Microsoft has released a patch that eliminates a vulnerability in the Microsoft® Windows NT® help utility. The vulnerability could allow arbitrary code to be run on a Windows NT machine.

A fully supported patch is available to eliminate the vulnerability, and Microsoft recommends that affected customers download and install it, if appropriate.

Issue

The Windows Help utility parses and displays help information for applications. The help information is contained in files of several types that are generated by the Help Compiler (part of the AppWizard utility), and is stored by default in the WINNT\help folder. By default, users can write to this folder. An unchecked buffer exists in the Help utility, and a help file that has been carefully modified could be used to execute arbitrary code on the local machine via a classic buffer overrun technique. Because the Help Compiler's output files do not generate the specific malformation at issue here, this vulnerability could not be accidentally exploited.

The machines primarily at risk from this vulnerability are workstations, terminal servers, and other machines that allow users to log on interactively and add or modify help files. Servers generally do not allow normal users to interactively log on. It is important to note that this vulnerability would affect only the local machine; there is no capability to directly attack a remote machine via this vulnerability.

The patch prevents arbitrary code from being executed on the machine, but does not prevent malformed help files from causing the Help utility to fail. However, failure of the Help utility does not threaten system stability or security, and the Help utility can be restarted without incident.

While there are no reports of customers being adversely affected by this vulnerability, Microsoft is proactively releasing this patch to allow customers to take appropriate action to protect themselves against it.

Affected Software Versions