Skip navigation

Important Security Hotfixes

If you haven't read your Microsoft security notices for a couple of months, I recommend you study the potential post-Windows 2000 Service Pack 1 (SP1) security problems listed below and install the hotfixes as soon as possible. This list isn't comprehensive; I have included only vulnerabilities that have the greatest potential for workstation or network damage.

REGISTRY PROGRAM ACTIVATION VULNERABILITY
Unlike many vulnerabilities that only a technically sophisticated user can exploit, this one opens a system so wide that we all need to correct it immediately. The Microsoft article at http://support.microsoft.com/ support/kb/articles/q269/ 0/49.asp indicates that a malicious user with access to a system drive can place a program called explorer.exe in the C:\ root so that it runs in place of the standard Windows shell program. By default, the share permissions on the C:\ folder are set to Everyone Full Access. Anyone with access to this share, either locally or through a network connection, can take advantage of this vulnerability.

When Win2K and Windows NT 4.0 start a program named in the Registry, they use a standard path search order to locate the program (when the Registry entry doesn't specify an absolute path). For example, the Shell value in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon subkey has the default value explorer.exe without any path information. When Windows reads such a value during startup, it attempts to locate the program through a standard folder search. Contrary to the Win2K documentation, the C:\ folder is the first location the OS checks, and the OS runs any program it finds there named explorer.exe in place of the correct shell program. To close this security hole, download the security hotfix from http://www.microsoft.com/downloads/release .asp?releaseid=23359.

NETBIOS VULNERABILITY
Microsoft has released a patch that improves protection against Denial of Service (DoS) attacks on Win2K and NT 4.0 computers. NetBIOS over TCP/IP (NetBT) is, by design, unauthenticated and therefore vulnerable to spoofing. A malicious user could misuse the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer. The computer will stop responding to the NetBIOS name that is in conflict and might display an error message stating that a duplicate name exists on the network. This vulnerability can cause intermittent connection problems, problems with the Net Send command, problems with domain authentication, and problems accessing shared resources.

To eliminate this vulnerability, call Microsoft Product Support Services (PSS) and ask for the new version of netbt.sys released on July 20. See the Microsoft article at http://support.microsoft.com/support/ kb/articles/q269/2/39.asp for the procedure you use to update Win2K, NT 4.0, and Windows 9x.

NAMED-PIPES IMPERSONATION VULNERABILITY
A nonprivileged user might be able to elevate his or her security context to that of a service that Service Control Manager (SCM) started. The user could use a named-pipes connection to instruct a Win2K computer to start a predefined process that has a security permission higher than the security permission assigned to the user.

You can download a hotfix for this problem from http://www.microsoft.com/ windows2000/downloads/critical/q269523. The Microsoft article at http://support.microsoft.com/ support/kb/articles/q269/5/23.asp documents this vulnerability.

BROWSER SHUTDOWN VULNERABILITY
A vulnerability in the computer browser protocol ResetBrowser frame permits a malicious user to shut down a computer browser on the same subnet or shut down all the computer browsers on the same subnet. If all the computers on a subnet are shut down, the malicious user can then declare his or her own computer the new master browser. The hotfix extends the functionality of the ResetBrowser frame so that you can manually configure computers to refuse ResetBrowser packets, which eliminates the vulnerability. A firewall that blocks UDP port 138 prevents external users from exploiting this vulnerability. You can download the hotfix, which contains an update of mrxsmb.sys, from http://www.microsoft.com/windows2000/downloads/critical/q262694/default.asp.

TAGS: Security
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish