NT 4.0 SP7 Scheduled for Q3
Several readers have sent me information about the release of Windows NT 4.0 Service Pack 7 (SP7). According to a memo that Bob Free from Pacific Gas & Electric forwarded, Microsoft plans to release SP7 during the third quarter of this year. The official Microsoft document clearly states that SP7 will be the last official update for NT 4.0, so let's hope this service pack is thoroughly tested, wonderfully stable, and bug free.
The memo indicates that Microsoft delayed the release of SP7 because customer demand for Windows 2000 updates is far greater than the demand for NT 4.0 updates. Until SP7 is available, Microsoft recommends that customers running NT 4.0 upgrade to SP6a and install bug fixes and hotfixes as necessary. Considering this recommendation, I think that Microsoft should help us to help ourselves by making most, if not all, of the post-SP6a bug fixes available for public download as soon as they're available.
If your NT 4.0 shop runs non-English platforms and you require the enhanced security of high-encryption software, the Microsoft memo recommends that you evaluate and upgrade to one of the 128-bit versions of Internet Explorer (IE). (Hint: IE 5.5 is available only in the 128-bit version.)
Win2K Post-SP1 Updates
Microsoft Support is shipping post-SP1 updates fast and furiously, perhaps as a method of beta testing the updates the company plans to include in SP2. This week, I discuss a gaping security hole in Internet Authentication Service (IAS); two problems with the Local Security Authority (LSA), one of which can crash a domain controller (DC) and prevent it from restarting; and a bug fix that corrects a Windows socket problem that can hang a system.
- IAS Authenticates Invalid Accounts. Did you know that anyone who can send an improperly formatted connection request to IAS can log on to your network with invalid credentials? When IAS receives an "unrecognized state attribute" from a network access server (NAS), IAS automatically accepts the access request and gives the specified user network access, even when the request contains a nonexistent user account or a valid user account but an incorrect password. This vulnerability results from a bug in the way the Extensible Authentication Protocol (EAP) handler caches connection data. When the connection endpoints negotiate Microsoft Challenge Handshake Authentication Protocol (MSCHAP), IAS incorrectly assumes that the remote user’s credentials are already cached and skips the authentication of incoming credentials.
  I recommend that you call Microsoft Support immediately for the update to close this IAS vulnerability. The update contains one file, lasuserr.dll, with a file release date of February 12. Because Microsoft identified and corrected this problem only weeks before SP2 is scheduled to go public, the update probably won’t be included in SP2. See Microsoft article Q283859 for details.
- LSA Memory Leak. LSA leaks memory during a Kerberos change-password request and when the module loads a security package. You might need to restart the computer to restore performance and to reduce the amount of memory lsass.exe consumes. The bug fix contains 16 files with mid-February release dates—although the update for an LSA access violation, which I discuss below, contains some of the same files, but with release dates in November 2000. Microsoft article Q288861 says absolutely nothing about whether the common modules in the memory leak update also include the corrections for the access violation.
  Before you download and install either of these patches, I recommend that you call Microsoft Support to clarify the order in which you should install them and to make sure that one doesn't overwrite the other. If we’re lucky, Win2K SP2 will contain a proper combination that eliminates both problems with one set of files. You can download the English version of this update, q288861_w2k_sp2_x86_en.exe, from the Microsoft Web site.
  Microsoft has also posted updates for French, German, Italian, Japanese, and Spanish systems on its download page. See Microsoft article Q288861 for other language-specific download locations.
- LSA Cripples Post-SP1 Win2K DCs. In an LSA access violation problem, the LSA service might crash a Win2K domain controller (DC) and, in the worst case, prevent it from restarting. This problem can occur when you create many AddressBookContainer objects and the ntdsa.dll file has heap damage. If your system has this problem, you’ll probably see a warning with event ID 1173 in the system log with a source of NTDS General and the description "Internal event: Exception c0000005 has occurred with parameters 757ddeef and 0 (Internal ID 3040442)."
  The patch that eliminates this problem, q279093_w2k_sp2_x86_en.exe, contains four files, lsasrv.dll, lsass.exe, ntdsa.dll, and samsrv.dll, with release dates in November 2000. You can download the English update from the Microsoft Web site. See Microsoft article Q279093 for information about downloading updates for other languages. Based on the date of the original correction, I expect that Microsoft will include this fix in SP2.
- Win2K SP1 Socket Deadlock. Some Win2K SP1 systems experience a Windows socket problem that places the affected server into a loop that consumes 100 percent of CPU resources. A bug in the socket function call can prevent the socket function from responding to the creation request. When this happens, socket programs become unresponsive and the system hangs. This occurrence must be fairly common because the bug fix for English language systems is available for public download. The sockets fix updates eight modules, including tcpip.sys and wshtcpip.dll. You can get your copy from the Microsoft Web site.
  For more information, see Microsoft article Q278522.
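The failure class behind the IAS item above, shown as an added example that is not IAS code and not part of the original column: a handler that treats any state attribute as proof of a cached, already-verified session fails open, while one that rejects unrecognized state and always verifies credentials fails closed. The session cache, function names, account store and sample values are hypothetical, and a hash comparison stands in for MS-CHAP verification.

```python
import hashlib
import hmac

# Constructed account store: user -> SHA-256 of the password. This is a toy
# stand-in for MS-CHAP verification, which this sketch does not implement.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

# State values the server issued earlier in an exchange, mapped to the user
# the exchange belongs to (hypothetical cache layout).
SESSIONS = {"state-7f3a": "alice"}


def verify_password(user, password):
    """Full credential check; unknown users fail like bad passwords."""
    expected = USERS.get(user)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    return expected is not None and hmac.compare_digest(expected, supplied)


def flawed_decision(request):
    """Fail-open: a state attribute is taken as proof of a cached session."""
    if "state" in request:
        # Defect modelled here: the state is never looked up, so an
        # unrecognized value skips credential verification entirely.
        return "Access-Accept"
    ok = verify_password(request["user"], request["password"])
    return "Access-Accept" if ok else "Access-Reject"


def hardened_decision(request):
    """Fail-closed: unknown or mismatched state is rejected, and the
    incoming credentials are verified on every path."""
    if "state" in request and SESSIONS.get(request["state"]) != request["user"]:
        return "Access-Reject"
    ok = verify_password(request["user"], request["password"])
    return "Access-Accept" if ok else "Access-Reject"
```
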
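To check DCs for the LSA access violation signature quoted above (event ID 1173, source NTDS General, exception c0000005), the following added example, which is not from the original column or from Microsoft, filters an exported event log. It assumes a CSV export with the column names shown; the sample rows are constructed, and only the second reproduces the description quoted in the column.

```python
import csv
import io
import re

# Constructed sample export. Column names are an assumption about how the
# log was exported; rows other than the second are invented filler.
SAMPLE_EXPORT = '''EventID,Type,Source,Description
9001,Information,ExampleSource,"Constructed filler row, unrelated event."
1173,Warning,NTDS General,"Internal event: Exception c0000005 has occurred with parameters 757ddeef and 0 (Internal ID 3040442)."
1173,Warning,NTDS General,"Internal event: Exception e0010002 has occurred with parameters 3 and 0 (Internal ID 2050344)."
9002,Information,ExampleSource,"Constructed filler row, comma inside, still one field."
'''

# Pulls the exception code, both parameters and the internal ID out of the
# description text of an event 1173 record.
DESCRIPTION = re.compile(
    r"Exception (?P<code>[0-9a-f]{8}) has occurred with parameters "
    r"(?P<p1>[0-9a-f]+) and (?P<p2>[0-9a-f]+) "
    r"\(Internal ID (?P<internal_id>\d+)\)",
    re.IGNORECASE,
)
ACCESS_VIOLATION = "c0000005"  # exception code quoted in the column


def find_lsa_access_violations(export_text):
    """Return parsed fields for each 1173/NTDS General access violation."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["EventID"] != "1173" or row["Source"] != "NTDS General":
            continue
        match = DESCRIPTION.search(row["Description"])
        # Other exception codes under event 1173 are not this signature.
        if match and match.group("code").lower() == ACCESS_VIOLATION:
            hits.append(match.groupdict())
    return hits


if __name__ == "__main__":
    for hit in find_lsa_access_violations(SAMPLE_EXPORT):
        print("LSA access violation signature:", hit)
```
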