The Computer Guys

Miami to Fort Lauderdale Since 1994


Here you will find the Security Bulletin posts for Windows NT 4.0 Workstation with Service Pack 5.

March 2001

MS01-017 : Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard

October 2000

MS00-081 : New Variant of VM File Reading Vulnerability

August 2000

MS00-059 : Java VM Applet Vulnerability

July 2000

MS00-052 : Relative Shell Path Vulnerability

MS00-047 : NetBIOS Name Server Protocol Spoofing Vulnerability

June 2000

MS00-040 : Remote Registry Access Authentication Vulnerability

May 2000

MS00-036 : ResetBrowser Frame and Host Announcement Frame Vulnerabilities

April 2000

MS00-027 : Malformed Environment Variable Vulnerability

MS00-024 : OffloadModExpo Registry Permissions Vulnerability

March 2000

MS00-008 : Registry Permissions Vulnerability

February 2000

MS00-011 : VM File Reading Vulnerability

January 2000

Microsoft Security Bulletin (MS00-004)

Patch Available for 'RDISK Registry Enumeration File' Vulnerability

Learn more here: MS00-004 : RDISK Registry Enumeration File Vulnerability

Originally Posted: January 21, 2000
Revised: February 4, 2000

Summary

On January 21, 2000, Microsoft released the original version of this bulletin, discussing a security vulnerability in a Microsoft® Windows NT 4.0 administrative utility. The original version of the bulletin discussed the vulnerability within the context of Windows NT 4.0 Server, Terminal Server Edition. However, we have since learned of scenarios under which the vulnerability could also affect Windows NT 4.0 servers and workstations, and have revised the bulletin accordingly.

The utility creates a temporary file during execution that can contain security-sensitive information, but does not appropriately restrict access to it. Under certain conditions, it could be possible for a malicious user to read the file as it was being created.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq00-004.mspx.

Issue 

The RDISK utility is used to create an Emergency Repair Disk (ERD) in order to record machine state information as a contingency against system failure. During execution, RDISK creates a temporary file containing an enumeration of the registry. The ACLs on the file allow global read permission, and as a result, a malicious user who knew that the administrator was running RDISK could open the file and read the registry enumeration information as it was being created. RDISK erases the file upon successful completion, so under normal conditions there would be no lasting vulnerability. 

By default, the file is not shared and therefore could not be read by other network users. 

Affected Software Versions 

• Microsoft Windows NT 4.0 Workstation 

• Microsoft Windows NT 4.0 Server 

• Microsoft Windows NT 4.0, Enterprise Edition 

• Microsoft Windows NT 4.0, Terminal Server Edition 


Vulnerability Identifier: CVE-2000-0089

 

Microsoft Security Bulletin (MS00-005)

Patch Available for "Malformed RTF Control Word" Vulnerability

Learn more here: MS00-005 : Malformed RTF Control Word Vulnerability

Originally Posted: January 17, 2000

Summary

Microsoft has released a patch that eliminates a security vulnerability in the Rich Text Format (RTF) reader that ships as part of Microsoft® Windows® 95 and 98, and Windows NT® 4.0. Under certain conditions, the vulnerability could be used to cause email programs to crash.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq00-005.mspx 

Issue 

RTF files consist of text and control information. The control information is specified via directives called control words. The default RTF reader that ships as part of many Windows platforms has an unchecked buffer in the portion of the reader that parses control words. If an RTF file contains a specially-malformed control word, it could cause the application to crash. 

Microsoft believes that this is a denial of service vulnerability only, and that there is no capability to use this vulnerability to run arbitrary code. The most serious risk from this vulnerability would result if a user had preview mode enabled on a mail program like Outlook, and received an email that exploited the vulnerability. Because preview mode causes the mail to be parsed without user assent, the mail program would continue to crash until a subsequent mail was received or the mail program was started with preview mode disabled. 
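The defect described above is an unchecked copy while parsing control words. As an added example (not Microsoft's RTF reader), this tokenizer enforces the length bound while each control word is read, so an over-long name is rejected rather than copied into a fixed-size buffer. The 32-letter limit is the RTF specification's; MAX_PARAM_DIGITS and the sample documents are assumptions made for the demo.

```python
"""Bounded RTF control-word tokenizer (added example, not Microsoft's code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_CONTROL_WORD_LETTERS = 32  # RTF specification: a control word name is at most 32 letters
MAX_PARAM_DIGITS = 10          # assumption: enough for any 32-bit numeric parameter


class MalformedRtf(ValueError):
    """Raised instead of accepting input that violates the format's bounds."""


@dataclass
class ControlWord:
    name: str             # letters after the backslash, or the control symbol itself
    param: Optional[int]  # numeric parameter, if present


def parse_control_word(data: str, pos: int) -> Tuple[ControlWord, int]:
    """Parse the control word or control symbol starting at data[pos] == '\\'.

    Returns the token and the index just past it. The length checks run
    inside the loops, before another character is accepted: this is the
    check an unchecked-buffer parser lacks.
    """
    if data[pos] != "\\":
        raise MalformedRtf(f"expected backslash at offset {pos}")
    n = len(data)
    i = pos + 1
    if i >= n:
        raise MalformedRtf("dangling backslash at end of input")
    start = i
    while i < n and data[i].isascii() and data[i].isalpha():
        i += 1
        if i - start > MAX_CONTROL_WORD_LETTERS:
            raise MalformedRtf(f"control word longer than {MAX_CONTROL_WORD_LETTERS} letters at offset {pos}")
    if i == start:
        # Control symbol: a backslash followed by one non-letter character (\\, \{, \', \-, ...)
        return ControlWord(data[i], None), i + 1
    name = data[start:i]
    param_start = i
    if i < n and data[i] == "-":
        i += 1
    digits_start = i
    while i < n and "0" <= data[i] <= "9":
        i += 1
        if i - digits_start > MAX_PARAM_DIGITS:
            raise MalformedRtf(f"numeric parameter longer than {MAX_PARAM_DIGITS} digits at offset {pos}")
    if i > digits_start:
        param = int(data[param_start:i])
    elif i > param_start:
        raise MalformedRtf(f"'-' without digits after \\{name} at offset {pos}")
    else:
        param = None
    if i < n and data[i] == " ":
        i += 1  # a single space delimiter belongs to the control word and is consumed
    return ControlWord(name, param), i


def scan_control_words(data: str) -> List[ControlWord]:
    """Return every control word/symbol in an RTF string; raise on a malformed one."""
    words: List[ControlWord] = []
    i = 0
    while i < len(data):
        if data[i] == "\\":
            word, i = parse_control_word(data, i)
            words.append(word)
        else:
            i += 1  # plain text and group braces are not of interest here
    return words


def is_well_formed(data: str) -> bool:
    """True when every control word in the document respects the bounds."""
    try:
        scan_control_words(data)
        return True
    except MalformedRtf:
        return False


# Constructed sample inputs for the demo.
SAMPLE_RTF = r"{\rtf1\ansi\deff0 {\fonttbl {\f0 Times;}}\pard\li-360 Hello\par }"
OVERLONG_RTF = "{\\rtf1\\" + "a" * 40 + " oversized control word}"
```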

Affected Software Versions 

• Microsoft Windows 95 

• Microsoft Windows 98 

• Microsoft Windows 98 Second Edition 

• Microsoft Windows NT 4.0 Workstation 

• Microsoft Windows NT 4.0 Server 

• Microsoft Windows NT 4.0 Server, Enterprise Edition 

• Microsoft Windows NT 4.0 Server, Terminal Server Edition 

NOTE: Windows 2000 is not affected by this vulnerability. 


Vulnerability Identifier: CVE-2000-0073

December 1999

Microsoft Security Bulletin (MS99-057)

Patch Available for "Malformed Security Identifier Request" Vulnerability

Learn more here: MS99-057 : Malformed Security Identifier Request Vulnerability

Originally Posted: December 16, 1999

Summary

Microsoft has released a patch that eliminates a vulnerability in Microsoft® Windows NT® 4.0. The vulnerability could allow a malicious user to cause a Windows NT machine to stop responding to requests for service. The patch for this vulnerability is included in the previously-released patch for the "Syskey Keystream Reuse" vulnerability; customers who have already applied it do not need to take any further action.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-057.mspx.

Issue

The Windows NT Local Security Authority (LSA) provides a number of functions for enumerating and manipulating security information. One of these functions, LsaLookupSids(), is used to determine the Security Identifier (SID) associated with a particular user or group name. A flaw in the implementation of this function causes it to incorrectly handle certain types of invalid arguments. If an affected call were made to this function, it would cause the LSA to crash, thereby preventing the machine from performing useful work.

An affected machine could be put back into service by rebooting, with the loss of any work that was in progress at the time. Remote attacks via this vulnerability would not be possible if NetBIOS is filtered at the firewall.

Affected Software Versions

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

Microsoft Windows NT Server 4.0, Enterprise Edition

Microsoft Windows NT Server 4.0, Terminal Server Edition

Vulnerability Identifier: CVE-1999-0995

 

Microsoft Security Bulletin (MS99-056)

Patch Available for "Syskey Keystream Reuse" Vulnerability

Learn more here: MS99-056 : Syskey Keystream Reuse Vulnerability

Originally Posted: December 16, 1999

Summary

Microsoft has released a patch that eliminates a vulnerability in Syskey, a utility that provides additional protection for Microsoft® Windows NT® password databases. The vulnerability allows a particular cryptanalytic attack to be effective against Syskey, significantly reducing the strength of the protection it offers. The patch eliminates the vulnerability and restores strong protection to the password database.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-056.mspx.

Issue

Syskey is a utility that strongly encrypts the hashed password information in the SAM database in order to protect it against offline password cracking attacks. However, Syskey reuses the keystream used to perform some of the encryption. This significantly reduces the strength of the protection it provides by enabling a well-known cryptanalytic attack to be used against it.

A patch is available that eliminates the key reuse vulnerability and again makes it computationally infeasible to mount a brute-force attack against the SAM database when Syskey has been applied.
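Why reusing a keystream weakens a stream cipher, as an added example that is not Syskey's actual algorithm: the keystream below is a SHA-256 based stand-in and the records are constructed sample hashes. It places the defect the bulletin describes (one keystream reused across records) beside the repaired shape (a keystream bound to each record) and shows what a known record reveals in each case.

```python
"""Keystream reuse: shared vs per-record keystreams (added example, stand-in cipher)."""
import hashlib
from typing import Dict, List

RECORD_LEN = 16  # constructed: each protected record is treated as a 16-byte hash


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in pseudo-random keystream: SHA-256 in counter mode over key||nonce.
    This is not Syskey's or RC4's keystream; only the reuse pattern matters here."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_shared_keystream(key: bytes, records: List[bytes]) -> List[bytes]:
    """Weak construction: one keystream is reused for every record."""
    ks = keystream(key, b"", RECORD_LEN)
    return [xor(r, ks) for r in records]


def encrypt_per_record_keystream(key: bytes, records: List[bytes]) -> List[bytes]:
    """Repaired construction: the keystream is bound to the record index (nonce)."""
    return [xor(r, keystream(key, i.to_bytes(4, "big"), RECORD_LEN))
            for i, r in enumerate(records)]


def ciphertext_xor(c1: bytes, c2: bytes) -> bytes:
    """Under a shared keystream, c1 XOR c2 == p1 XOR p2: the keystream cancels,
    so the relationship between two plaintexts is exposed without the key."""
    return xor(c1, c2)


def unmask_with_known_record(ciphertexts: List[bytes], known_index: int,
                             known_plaintext: bytes) -> List[bytes]:
    """Recover the keystream from one known record and apply it to all others.
    This only yields the other plaintexts when the keystream was shared; with
    per-record keystreams every other record comes back as unrelated bytes."""
    ks = xor(ciphertexts[known_index], known_plaintext)
    return [xor(c, ks) for c in ciphertexts]


def demo() -> Dict[str, bool]:
    """Run both constructions over constructed sample records and compare."""
    key = hashlib.sha256(b"constructed system key").digest()
    records = [hashlib.sha256(b"constructed record %d" % i).digest()[:RECORD_LEN]
               for i in range(3)]
    shared = encrypt_shared_keystream(key, records)
    unique = encrypt_per_record_keystream(key, records)
    p0_xor_p1 = xor(records[0], records[1])
    return {
        "shared_leaks_plaintext_xor": ciphertext_xor(shared[0], shared[1]) == p0_xor_p1,
        "shared_all_recovered": unmask_with_known_record(shared, 0, records[0]) == records,
        "unique_leaks_plaintext_xor": ciphertext_xor(unique[0], unique[1]) == p0_xor_p1,
        "unique_all_recovered": unmask_with_known_record(unique, 0, records[0]) == records,
    }
```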

Affected Software Versions

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

Microsoft Windows NT Server 4.0, Enterprise Edition

Microsoft Windows NT Server 4.0, Terminal Server Edition

Vulnerability Identifier: CVE-1999-0994

October 1999

Microsoft Security Program: Microsoft Security Bulletin (MS99-046)

Patch Available to Improve TCP Initial Sequence Number Randomness

Learn more here: MS99-046 : Improve TCP Initial Sequence Number Randomness

Originally Posted: October 22, 1999
Updated: December 23, 1999

Summary

Microsoft has released a patch that significantly improves the randomness of the TCP initial sequence numbers (ISNs) generated by the TCP/IP stack in Microsoft® Windows NT® 4.0. Improving the randomness of ISNs eliminates a class of potential attacks against Windows NT 4.0 systems.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-046.mspx.

Issue

The ISNs used in TCP/IP sessions should be as random as possible in order to prevent attacks such as IP address spoofing and session hijacking. This patch improves the randomness of the Windows NT 4.0 TCP/IP ISN generation, providing 15 bits of entropy.

Affected Software Versions

Microsoft Windows NT 4.0 Workstation

Microsoft Windows NT 4.0 Server

Microsoft Windows NT 4.0 Server, Enterprise Edition

Microsoft Windows NT 4.0 Server, Terminal Server Edition

Vulnerability Identifier: CVE-2000-0328

 

Microsoft Security Program: Microsoft Security Bulletin (MS99-045)

Patch Available for "Virtual Machine Verifier" Vulnerability

Learn more here: MS99-045 : Virtual Machine Verifier Vulnerability

Patch Availability Information Updated: March 21, 2003
Originally Posted: October 21, 1999

Summary

Microsoft has released a new version of the Microsoft® virtual machine (Microsoft VM) that eliminates a security vulnerability that could allow a Java applet to take unauthorized actions on the computer of a web site visitor. Although no standard Java compiler can generate such an applet, a Java applet constructed by hand with a Java bytecode assembler could bypass the sandbox and take virtually any action on the computer that the user would be capable of taking.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-045.mspx.

Issue

The Microsoft VM is a virtual machine for the Win32® operating environment. It runs atop Microsoft Windows® 95, 98 or Windows NT®. It ships as part of each operating system, and also as part of Microsoft Internet Explorer.

The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.0 and Internet Explorer 5.0 contains a security vulnerability in the bytecode verifier that could allow a Java applet to operate outside the bounds set by the sandbox. If hosted on a web site, it could cause any action to be taken on the computer of a visiting user that the user himself could take. This could include, for example, creating, deleting or modifying files, sending data to or receiving data from a web site, or reformatting the hard drive.

Affected Software Versions

Versions of the Microsoft VM are identified by build numbers, which can be determined using the JVIEW tool, as discussed in the FAQ. The following builds of the Microsoft VM are affected:

All builds in the 2000 series prior to but not including build 2442

All builds in the 3000 series prior to but not including build 3188

Note: The Microsoft VM ships as part of several products. However, the primary ship vehicle is Internet Explorer. IE 4 ships with builds in the 2000 series; IE 5 ships with builds in the 3000 series.

Vulnerability Identifier: CVE-2000-0327

September 1999

Microsoft Security Program: Microsoft Security Bulletin (MS99-036)

Windows NT 4.0 Does Not Delete Unattended Installation File

Learn more here: MS99-036 : Windows NT 4.0 Does Not Delete Unattended Installation File

Originally Posted: September 10, 1999

Summary

When an unattended installation of Microsoft® Windows NT® 4.0 completes, a copy of the file that contains installation parameters remains on the hard drive. Depending on the method that was used to perform the installation and the specific installation parameters that were selected, the file could contain sensitive information, potentially including the local Administrator password.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-036.mspx 

Issue

When an unattended installation of Windows NT 4.0 is performed, the installation parameters are included in a file named Unattend.txt. A vulnerability exists because the installation process copies the parameter file to a file in %windir%\system32 ($winnt$.inf for a normal unattended installation, or $nt4pre$.inf if Sysprep was used) but does not delete it when the installation completes. By default, this file can be read by any user who can perform an interactive logon. If sensitive information such as account passwords were provided in the installation parameters file, the information could be compromised.

As discussed in the FAQ, the degree of risk from this vulnerability varies depending on the particular installation. However, in general, workstations and terminal servers deployed using the Sysprep tool would be at greatest risk from it.
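A defender-side check for this issue, as an added example that is not Microsoft's tooling: it looks for the two leftover file names the bulletin cites ($winnt$.inf and $nt4pre$.inf in %windir%\system32), reports any non-blank key whose name mentions a password, and overwrites then removes the file. The sample answer file, its AdminPassword key and the temporary directory standing in for system32 are constructed for the demo.

```python
"""Audit and clean up leftover unattended-installation answer files (added example)."""
import os
import tempfile
from typing import Dict, List, Tuple

LEFTOVER_NAMES = ("$winnt$.inf", "$nt4pre$.inf")  # file names given in MS99-036


def parse_answer_file(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal INI reader: [sections], 'key = value' lines, ';' comments.
    Duplicate keys are kept, since configparser would reject them."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, []).append((key.strip(), value.strip().strip('"')))
    return sections


def find_sensitive_keys(text: str) -> List[Tuple[str, str]]:
    """Return (section, key) pairs whose key name mentions a password and whose
    value is not blank; the value itself is deliberately not returned."""
    hits = []
    for section, pairs in parse_answer_file(text).items():
        for key, value in pairs:
            if "password" in key.lower() and value:
                hits.append((section, key))
    return hits


def audit_system32(system32_dir: str) -> List[dict]:
    """Look for the leftover answer files and summarise what each one exposes."""
    findings = []
    for name in LEFTOVER_NAMES:
        path = os.path.join(system32_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "r", encoding="latin-1", errors="replace") as fh:
            text = fh.read()
        findings.append({"path": path, "size": os.path.getsize(path),
                         "sensitive_keys": find_sensitive_keys(text)})
    return findings


def wipe_and_remove(path: str) -> None:
    """Best-effort cleanup: overwrite the contents with zeros, flush, then unlink."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(b"\x00" * size)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)


# Constructed sample; the AdminPassword key is illustrative, not a claim about NT 4.0's key names.
SAMPLE_ANSWER_FILE = """\
; constructed sample answer file for the demo
[Unattended]
OemPreinstall = no
[GuiUnattended]
AdminPassword = "S3cret-example"
OemSkipWelcome = 1
[UserData]
FullName = "Example User"
"""


def demo() -> Tuple[int, int]:
    """Stage the sample in a temporary stand-in for system32, audit it, clean it
    up, and return (files found before cleanup, files found after)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "$winnt$.inf")
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(SAMPLE_ANSWER_FILE)
        before = audit_system32(tmp)
        for finding in before:
            wipe_and_remove(finding["path"])
        after = audit_system32(tmp)
    return len(before), len(after)
```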

Affected Software Versions

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

Microsoft Windows NT Server 4.0, Enterprise Edition

Microsoft Windows NT Server 4.0, Terminal Server Edition

Vulnerability Identifier: CVE-1999-0701

 

Microsoft Security Program: Microsoft Security Bulletin (MS99-034)

Patch Available for "Fragmented IGMP Packet" Vulnerability

Learn more here: MS99-034 : Fragmented IGMP Packet Vulnerability

Patch Availability Information Updated: March 21, 2003
Revised: September 09, 1999
Originally Posted: September 03, 1999

Summary

Microsoft has released a patch that eliminates a vulnerability in the TCP/IP stack implementations of Microsoft® Windows® 95, Windows 98® and Windows NT® 4.0. Fragmented IGMP packets can cause a variety of problems in Windows 95 and 98, up to and including causing the machine to crash. Windows NT 4.0 contains the same vulnerability, but other system mechanisms make a successful attack much more difficult.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-034.mspx 

Issue

By sending fragmented IGMP packets to a Windows 95, 98 or Windows NT 4.0 machine, it is possible to disrupt the normal operation of the machine. This vulnerability primarily affects Windows 95 and 98 machines. Depending on a variety of factors, sending such packets to a Windows 95 or 98 machine may elicit behavior ranging from slow performance to crashing.

Windows NT contains the same vulnerability, but other system mechanisms compensate and make it much more difficult to mount a successful attack.

Affected Software Versions

Microsoft Windows 95

Microsoft Windows 98

Microsoft Windows 98 Second Edition

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

Microsoft Windows NT Server 4.0, Enterprise Edition

Microsoft Windows NT Server 4.0, Terminal Server Edition

Vulnerability Identifier: CVE-1999-0918

August 1999

Microsoft Security Program: Microsoft Security Bulletin (MS99-031)

Patch Available for "Virtual Machine Sandbox" Vulnerability

Learn more here: MS99-031 : Virtual Machine Sandbox Vulnerability

Version Availability Updated: March 21, 2003
Revised: September 08, 1999
Originally Posted: August 25, 1999

Summary

Microsoft has released a new version of the Microsoft® virtual machine (Microsoft VM) that eliminates a security vulnerability that could allow a Java applet to take unauthorized actions on the computer of a web site visitor.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-031.mspx 

Issue

The Microsoft VM is a virtual machine for the Win32® operating environment. It runs atop Microsoft Windows® 95, 98 or Windows NT®. It ships as part of each operating system, and also as part of Microsoft Internet Explorer. The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.0 and Internet Explorer 5.0 contains a security vulnerability that could allow a Java applet to operate outside the bounds set by the sandbox and take any desired action on the user's computer. If such an applet were hosted on a web site, it could act against the computer of any user who visited the site.

Affected Software Versions

Microsoft VM, all builds in the 2000 series (before, but not including, build 2439) and 3000 series (before, but not including, build 3186)

Note: The affected versions shipped primarily as part of Internet Explorer 4.0 and 5. The FAQ provides instructions for determining the specific build on your machine.

Vulnerability Identifier: CVE-1999-0766

July 1999

Microsoft Security Advisor Program: Microsoft Security Bulletin (MS99-026)

Patch Available for "Malformed Dialer Entry" Vulnerability

Learn more here: MS99-026 : Malformed Dialer Entry Vulnerability

Patch Availability Information Updated: March 21, 2003
Originally Posted: July 29, 1999

Summary

Microsoft has released a patch that eliminates a security vulnerability in the Phone Dialer accessory in Microsoft® Windows NT®. The vulnerability could be used to run arbitrary code in a user's security context on Windows NT systems.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-026.mspx 

Issue

Dialer.exe has an unchecked buffer in the portion of the program that processes the dialer.ini file. This vulnerability could be used to run arbitrary code via a classic buffer overrun technique.

The circumstances of this vulnerability require a fairly complicated attack scenario that limits its scope. Dialer.exe runs in the security context of the user, so it would not benefit an attacker to simply modify a dialer.ini file and run it, as he or she would not gain additional privileges. Instead, the attacker would need to modify the dialer.ini file of another user who had higher privileges, then wait for that user to run Dialer.

Although the unchecked buffer is present in all versions of Windows NT 4.0, the attack scenario would result in workstations that have dial-out capability being chiefly at risk. The FAQ discusses this in greater detail.

Affected Software Versions

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

Microsoft Windows NT Server 4.0, Enterprise Edition

Microsoft Windows NT Server 4.0, Terminal Server Edition

Vulnerability Identifier: CVE-1999-0700

 

Microsoft Security Advisor Program: Microsoft Security Bulletin (MS99-024)

Patch Available for "Unprotected IOCTLs" Vulnerability

Learn more here: MS99-024 : Unprotected IOCTLs Vulnerability

Patch Availability Information Updated: March 10, 2003
Originally Posted: July 06, 1999

Summary

Microsoft has released a patch that eliminates a vulnerability that could allow denial of service attacks against a Microsoft® Windows NT® workstation, server or terminal server. An unprivileged program can disable the local mouse or keyboard on a server or workstation, and disable the console mouse or keyboard on a terminal server.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-024.mspx 

Issue

The IOCTLs that are used to obtain services from the keyboard and mouse drivers in Windows NT do not require that the calling program have administrative privileges. A user-level program could use legitimate calls to disable the mouse and keyboard, after which the machine would need to be rebooted to restore normal service. On a terminal server, such a program could disable the keyboard and mouse on the console.

Affected Software Versions

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

Microsoft Windows NT Server 4.0, Enterprise Edition

Microsoft Windows NT Server 4.0, Terminal Server Edition

Vulnerability Identifier: CVE-1999-0728

 

June 1999

Microsoft Security Advisor Program: Microsoft Security Bulletin (MS99-023)

Patch Available for "Malformed Image Header" Vulnerability

Learn more here: MS99-023 : Malformed Image Header Vulnerability

Patch Availability Information Updated: March 10, 2003
Originally Posted: June 30, 1999

Summary

Microsoft has released a patch that eliminates a vulnerability that could allow denial of service attacks against Microsoft® Windows NT® servers, workstations, and terminal servers. This patch already is available as part of Windows NT Server Service Pack 5, but is being provided as a stand-alone patch for the benefit of users who have entered Y2K lockdown on Service Pack 4.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-023.mspx 

Issue

If an executable file with a specially-malformed image header is executed, it will cause a system failure. The affected machine will need to be rebooted in order to place it back in service. Any work that was in progress when the machine crashed could be lost.

Affected Software Versions

Microsoft Windows NT Server 4.0

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0, Terminal Server Edition

Vulnerability Identifier: CVE-1999-0726

 

Microsoft Security Advisor Program: Microsoft Security Bulletin (MS99-021)

Patch Available for "CSRSS Worker Thread Exhaustion" Vulnerability

Learn more here: MS99-021 : CSRSS Worker Thread Exhaustion Vulnerability

Patch Availability Information Updated: March 10, 2003
Originally Posted: June 23, 1999

Summary

Microsoft has released a patch that eliminates a vulnerability in the Microsoft® Windows NT® CSRSS process that could be used to create a denial of service condition against a machine that allows interactive logons.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-021.mspx 

Issue

If all worker threads in CSRSS.EXE are occupied awaiting user input, no other requests can be serviced, effectively causing the server to hang. When user input is provided, processing returns to normal. The patch eliminates the vulnerability by ensuring that the last CSRSS worker thread services only requests that do not require user input.

Affected Software Versions

Microsoft Windows NT 4.0 Workstation

Microsoft Windows NT 4.0 Server

Microsoft Windows NT 4.0 Server, Enterprise Edition

Vulnerability Identifier: CVE-1999-0723

 

May 1999

Microsoft Security Advisor Program: Microsoft Security Bulletin (MS99-017)

Patch Available for "RAS and RRAS Password" Vulnerability

Learn more here: MS99-017 : RAS and RRAS Password Vulnerability

Patch Availability Information Updated: March 21, 2003
Originally Posted: May 27, 1999

Summary

Microsoft has released a patch that eliminates a vulnerability in the Microsoft® Windows NT® Remote Access Service (RAS) and Routing and Remote Access Service (RRAS) clients, in which a user's password is cached even if the user de-selects the "Save password" option.

Issue

When the client software for Microsoft RAS or RRAS is used to dial into a server, a dialogue requests the user's userid and password for the server. On the same dialogue is a checkbox whose caption reads "Save password" and which is intended to provide the user with the option to cache their security credentials if desired. However, the implemented client functionality actually caches the user's credentials regardless of whether the checkbox is selected or de-selected.

Cached security credentials, which include the password, are stored and encrypted in the registry and protected by ACLs whose default values authorize only local administrators and the owner of the credentials to access them. Windows NT 4.0 Service Pack 4 also provides the ability to strongly encrypt the password data stored in the registry using the SYSKEY feature.

While there are no reports of customers being adversely affected by this vulnerability, Microsoft is proactively releasing a patch that restores correct functionality to the password caching function. The patch should be applied to all machines that are used as RAS or RRAS clients. It is important to note that RRAS servers also can be used as RAS clients, and any machines used in such a capacity should have the patch applied as well.

Affected Software Versions

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

Microsoft Windows NT Server 4.0, Enterprise Edition

Vulnerability Identifier: CVE-1999-0755

 

Microsoft Security Advisor Program: Microsoft Security Bulletin (MS99-015)

Patch Available for "Malformed Help File" Vulnerability

Learn more here: MS99-015 : Malformed Help File Vulnerability

Patch Availability Information Updated: March 10, 2003
Originally Posted: May 17, 1999

Summary

Microsoft has released a patch that eliminates a vulnerability in the Microsoft® Windows NT® help utility. The vulnerability could allow arbitrary code to be run on a Windows NT machine.

A fully supported patch is available to eliminate the vulnerability, and Microsoft recommends that affected customers download and install it, if appropriate.

Issue

The Windows Help utility parses and displays help information for applications. The help information is contained in files of several types that are generated by the Help Compiler (part of the AppWizard utility), and is stored by default in the WINNT\help folder. By default, users can write to this folder. An unchecked buffer exists in the Help utility, and a help file that has been carefully modified could be used to execute arbitrary code on the local machine via a classic buffer overrun technique. Because the Help Compiler's output files do not generate the specific malformation at issue here, this vulnerability could not be accidentally exploited.

The machines primarily at risk from this vulnerability are workstations, terminal servers, and other machines that allow users to log on interactively and add or modify help files. Servers generally do not allow normal users to interactively log on. It is important to note that this vulnerability would affect only the local machine; there is no capability to directly attack a remote machine via this vulnerability.

The patch prevents arbitrary code from being executed on the machine, but does not prevent malformed help files from causing the Help utility to fail. However, failure of the Help utility does not threaten system stability or security, and the Help utility can be restarted without incident.

While there are no reports of customers being adversely affected by this vulnerability, Microsoft is proactively releasing this patch to allow customers to take appropriate action to protect themselves against it.

Affected Software Versions

Microsoft Windows NT 4.0

 

March 1999

Microsoft Security Advisor Program: Microsoft Security Bulletin (MS99-008)

Patch Available for Windows NT "Screen Saver" Vulnerability

Learn more here: MS99-008 : Windows NT Screen Saver Vulnerability

Patch Availability Information Updated: March 10, 2003
Originally Posted: March 12, 1999

Summary

Microsoft has learned of a vulnerability affecting all versions of Microsoft® Windows NT® operating system, which could allow a user to gain administrative privileges on a computer. In most common usage scenarios, this vulnerability presents itself on workstations, terminal servers, and other systems that allow non-administrative users to interactively log on. Less-common configurations could also be affected, and are discussed below.

A fully supported patch is available to eliminate the vulnerability, and Microsoft recommends that affected customers download and install it, if appropriate.

Issue

Windows NT provides a screen saver feature, in which a user-selected screen saver program is run when the machine has been idle for a specified length of time. Windows NT initially launches a screen saver in the local system context, then immediately changes its security context to match that of the user. However, Windows NT does not check whether this context change was successfully made. This is the underlying problem in this vulnerability. If the context change can be made to fail, the screen saver will remain running in a highly-privileged state. The risk is that a malicious user could develop a screen saver program that, for example, uses the elevated privileges to add the author to the Administrators group.

It is important to understand that the user must be able to run exploitation code on a machine in order to elevate their privileges. There are two types of machines at risk:

Machines that allow non-administrative users to interactively log on. Workstation and terminal servers typically do allow this, but, per standard security practices, most other machines only allow administrators to interactively log on.

Machines that allow remote users to submit arbitrary programs for execution. Servers such as domain controllers, line of business servers, application servers, print and file servers and the like typically do not accept arbitrary programs for execution.

It also is important to note that the scope of the privilege elevation is highly dependent on the specific machine on which the exploitation code is run. For example, a user who exploited this vulnerability on a workstation could join the local Administrators group, but could not directly exploit this vulnerability to become a domain administrator. However, a user who exploited this vulnerability on a domain controller would be able to become a domain Administrator, because the domain SAM is shared among all domain controllers.

While there are no reports of customers being adversely affected by this vulnerability, Microsoft is proactively providing a patch to allow customers to take appropriate action to protect themselves against it.

Affected Software Versions

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

Microsoft Windows NT Server 4.0, Enterprise Edition

Microsoft Windows NT Server 4.0, Terminal Server Edition

Vulnerability Identifier: CVE-1999-0382

 

February 1999

Microsoft Security Advisor Program: Microsoft Security Bulletin (MS99-006)

Fix Available for Windows NT "KnownDLLs List" Vulnerability

Learn more here: MS99-006 : Windows NT Known DLLs List Vulnerability

Patch Availability Information Updated: March 10, 2003
Originally Posted: February 19, 1999
Updated: March 5, 1999

Summary

This is an update to Microsoft Security Bulletin MS99-006, which was originally issued on February 19, 1999. Microsoft is issuing this updated bulletin to inform customers of the availability of a patch, and to update the list of affected products.

Microsoft has learned of a vulnerability affecting all versions of Microsoft® Windows NT® operating system, which could allow a user to gain administrative privileges on a computer. In most common usage scenarios, this vulnerability presents itself on workstations, terminal servers, and other systems that allow non-administrative users to interactively log on. Less-common configurations could also be affected, and are discussed below.

The privilege elevation can be prevented by applying a hot fix that changes the default access control settings on the relevant operating system object. The hot fix is available for downloading from the Microsoft FTP site. Microsoft recommends that customers who previously made a registry change as a temporary workaround revert to the original registry setting and use the hot fix instead.

Issue

In Windows NT, core operating system DLLs are kept in virtual memory and shared between the programs running on the system. This avoids redundant copies of the DLLs in memory and improves memory usage and system performance. When a program loads one of these DLLs, the operating system consults a data structure called the KnownDLLs list (the \KnownDlls directory in the Object Manager namespace, whose entries are section objects for the already-mapped DLLs) to find the DLL in virtual memory. The Windows NT security architecture protects the in-memory DLLs themselves against modification, but by default the access control list on the KnownDLLs list allows all users to read from and write to it. This is the root problem underlying the vulnerability.

A user can programmatically load into memory a malicious DLL that has the same name as a system DLL, then change the entry in the KnownDLLs list to point to the malicious copy. From that point forward, any program that requests the system DLL is directed to the malicious copy instead, and the code in it runs with that program's privileges. When the caller is a sufficiently privileged program, the malicious DLL could take any desired action, such as adding the malicious user to the Administrators group.

It is important to understand that the user must be able to run exploitation code on a machine in order to elevate their privileges on it. There are two types of machines at risk:

Machines that allow non-administrative users to interactively log on. Workstation and terminal servers typically do allow this, but, per standard security practices, most other servers only allow administrators to interactively log on. (Even on workstations, it's worth noting that most workstation users already are administrators on the local machine).

Machines that allow remote users to submit arbitrary programs for execution. Servers such as domain controllers, line of business servers, application servers, print and file servers and the like typically do not accept arbitrary programs for execution.

It also is important to note that the scope of the privilege elevation is highly dependent on the specific machine on which the exploitation code is run. For example, a user who exploited this vulnerability on a workstation could join the local Administrators group, but could not directly exploit this vulnerability to become a domain administrator. However, a user who exploited this vulnerability on a domain controller would be able to become a domain Administrator, because the domain SAM is shared among all domain controllers.

While there are no reports of customers being adversely affected by this privilege elevation vulnerability, Microsoft is proactively providing information to allow customers to prevent it. The hot fix changes the default permissions on the KnownDLLs list so that ordinary users can only read it, and is the recommended corrective action for this vulnerability. The initial version of this bulletin provided a workaround in the form of a registry change (the Session Manager ProtectionMode value) that restricts users' ability to change all system base objects, including the KnownDLLs list. Although the registry change corrects the problem, it encompasses a broader range of system behavior than the hot fix, and may not be appropriate for all systems.
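The check a practitioner wants after reading the above is simply "who can write to the KnownDLLs list?". The following is an added example, not Microsoft's code or anything shipped with the hot fix: it parses the DACL of an object directory in SDDL (the string form of a security descriptor introduced with Windows 2000, so it would be exported from a later system or a tool that can dump \KnownDlls permissions) and lists every non-administrative principal that is granted a right allowing it to add, replace or delete entries or rewrite the ACL. The two descriptors at the bottom are constructed illustrations of the "all users can write" condition and of a read-only-for-users configuration; they are not the literal Windows NT 4.0 default ACL. Only allow ACEs are evaluated, so it is a first-pass audit, not a full access check (deny ACEs and group expansion are ignored).

```python
# Added example (not Microsoft's code): audit an object-directory DACL for
# principals that can modify the \KnownDlls list. SDDL input is assumed.
import re

# Object-directory specific access bits (DIRECTORY_* in the NT DDK headers).
DIRECTORY_QUERY = 0x0001
DIRECTORY_TRAVERSE = 0x0002
DIRECTORY_CREATE_OBJECT = 0x0004
DIRECTORY_CREATE_SUBDIRECTORY = 0x0008
# Standard and generic rights (winnt.h).
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000
GENERIC_ALL, GENERIC_EXECUTE = 0x10000000, 0x20000000
GENERIC_WRITE, GENERIC_READ = 0x40000000, 0x80000000

# SDDL right tokens. CC/DC/LC/SW are the names SDDL uses for the four low
# object-specific bits, which on a directory object are the DIRECTORY_* rights.
RIGHT_TOKENS = {
    "GA": GENERIC_ALL, "GR": GENERIC_READ, "GW": GENERIC_WRITE, "GX": GENERIC_EXECUTE,
    "RC": READ_CONTROL, "SD": DELETE, "WD": WRITE_DAC, "WO": WRITE_OWNER,
    "CC": DIRECTORY_QUERY, "DC": DIRECTORY_TRAVERSE,
    "LC": DIRECTORY_CREATE_OBJECT, "SW": DIRECTORY_CREATE_SUBDIRECTORY,
}
# Well-known SID abbreviations used in SDDL.
SID_ALIASES = {
    "WD": "Everyone", "AU": "Authenticated Users", "BU": "Users", "IU": "Interactive",
    "BA": "Administrators", "SY": "Local System",
}
PRIVILEGED = {"Administrators", "Local System"}

# Any right that lets the holder add, replace or remove entries, or rewrite the ACL.
WRITE_MASK = (GENERIC_ALL | GENERIC_WRITE | DIRECTORY_CREATE_OBJECT |
              DIRECTORY_CREATE_SUBDIRECTORY | DELETE | WRITE_DAC | WRITE_OWNER)

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(token: str) -> int:
    """Turn an SDDL rights field (two-letter tokens or a hex mask) into an access mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= RIGHT_TOKENS[token[i:i + 2]]  # KeyError for a token this example does not model
    return mask


def parse_dacl(sddl: str):
    """Return [(ace_type, access_mask, principal)] for the D: component of an SDDL string."""
    m = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        ace_type, _flags, rights, _obj_guid, _inh_guid, sid = body.split(";")
        aces.append((ace_type, parse_rights(rights), SID_ALIASES.get(sid, sid)))
    return aces


def unprivileged_writers(sddl: str):
    """Principals other than Administrators/Local System whose allow ACEs grant write-type access."""
    return [who for ace_type, mask, who in parse_dacl(sddl)
            if ace_type == "A" and mask & WRITE_MASK and who not in PRIVILEGED]


# Constructed descriptors (illustrations, not the real NT 4.0 default ACL):
# the first models "all users can read and write the list", the second a
# configuration where users and authenticated users can only query/traverse it.
VULNERABLE = "D:(A;;GA;;;WD)(A;;GA;;;SY)"
HARDENED = "D:(A;;0x20003;;;WD)(A;;CCDCRC;;;AU)(A;;GA;;;BA)(A;;GA;;;SY)"

if __name__ == "__main__":
    for label, sddl in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"{label}: unprivileged writers = {unprivileged_writers(sddl) or 'none'}")
```

Run it as-is to see the two constructed cases, or feed it a descriptor dumped from a live system; an empty result for \KnownDlls is what the hot fix is meant to achieve. Note that GENERIC_ALL and GENERIC_WRITE are flagged as write access even though the kernel maps them to object-specific bits at access-check time, which is the conservative choice for an audit.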

 

Microsoft Security Advisor Program: Microsoft Security Bulletin (MS99-004)

Patch Available for Authentication Processing Error in Windows NT 4.0 Service Pack 4

Learn more here: MS99-004 : Authentication Processing Error in Windows NT 4.0 Service Pack 4

Patch Availability Information Updated: March 10, 2003
Originally Posted: February 8, 1999

Summary

Microsoft has released a patch that eliminates a logic error in Service Pack 4 for Windows NT 4.0 that could, under certain conditions, allow a user to log on interactively and connect to network shares using a blank password. The vulnerability primarily, but not exclusively, affects Windows NT servers that serve as domain controllers in environments with DOS, Windows 3.1, Windows for Workgroups, OS/2 or Macintosh clients. In general, customers who have deployed only Windows NT, Windows 95 and Windows 98 client workstations are not at risk from this vulnerability.

A fully supported patch is available for this vulnerability, and Microsoft recommends that all customers evaluate the risk to their systems and, as appropriate, download and install it on affected computers.

Issue

The Windows NT Security Account Manager (SAM) database stores the hashed password for each user account in two forms: an "NT hash" form (an MD4 digest of the Unicode password) that is used to authenticate users on Windows NT clients, and an "LM hash" form (derived with DES from the uppercased password) that is used to authenticate users on Windows 95, Windows 98, and downlevel clients such as DOS, Windows 3.1, Windows for Workgroups, OS/2 and Macintosh. When a user changes his password via a Windows NT, Windows 95 or Windows 98 client, both the "NT hash" and "LM hash" forms of the password are updated in the SAM. However, when the user changes his password via a downlevel client, only the "LM hash" form of the password is stored, because that is the only form such a client can produce; a null value is stored in the "NT hash" field. This is normal operation.

When a user attempts an interactive logon or a network share connection from a Windows NT system, the Windows NT authentication process uses the "NT hash" form of the password. If the "NT hash" is null, the "LM hash" of the password is used for verification instead. (Windows 95, Windows 98 and downlevel clients always use only the "LM hash" for verification.) The logic error in Service Pack 4 incorrectly allows a null "NT hash" value to satisfy authentication from Windows NT systems. The result is that if a user account's password was last changed from a DOS, Windows 3.1, Windows for Workgroups, OS/2 or Macintosh client, a user can log on to that account from a Windows NT system using a blank password.

By far the most likely machines to be affected by this vulnerability would be domain controllers running Windows NT 4.0 SP 4, in networks that contain any of the downlevel clients listed above. However, any server or workstation running Windows NT 4.0 SP 4 that contains a SAM database with active users who communicate from downlevel clients would be vulnerable to this problem. For example, a workgroup of Windows NT 4.0 SP 4 systems, one of which is accessed by Windows for Workgroups clients, would be affected by this vulnerability.

It is worth reiterating the following points:

Even on an affected network, a user whose most recent password change was performed via Windows NT, Windows 95 or Windows 98 workstations will have a non-null "NT hash" value, and hence will not be at risk.

Customers who are affected by the vulnerability need only apply the patch to machines that contain SAM databases with active user accounts.

There is no need for users to update or change their passwords after applying the patch. Even in vulnerable systems, the SAM database entries are valid; the problem lies in the way SP4 processes them. The patch corrects the authentication process logic in SP4 without changing the SAM database entries in any way.
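The three points above (who is at risk, and why no password change is needed) are easiest to see in a model of the two SAM fields and of the two verification paths. The following is an added example written for this page; it is not Microsoft's code and does not reproduce the SP4 implementation. nt_hash() is the genuine NT hash (MD4 over the UTF-16LE password, with MD4 implemented inline because it is not reliably available from hashlib). lm_hash_model() is a labelled stand-in: the real LM hash uppercases the password, pads or truncates it to 14 bytes, and DES-encrypts a fixed constant under each 7-byte half; DES is not in the Python standard library, so MD4 replaces the DES step while the case folding, the 14-byte limit and the two independent halves are kept. verify_sp4_broken() models the described effect (a null NT hash field lets a blank password through), not the actual faulty code path.

```python
# Added example (not Microsoft's code): SAM "NT hash"/"LM hash" fields and the
# MS99-004 verification error, modelled from the bulletin text. The LM hash is a
# labelled stand-in (MD4 in place of DES); the NT hash is the real algorithm.
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, little-endian, for the NT hash."""
    mask = 0xFFFFFFFF

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & mask

    bit_len = len(data) * 8
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """Real NT hash: MD4 over the UTF-16LE encoding of the password (case-sensitive)."""
    return md4(password.encode("utf-16-le"))


def lm_hash_model(password: str) -> bytes:
    """STAND-IN for the LM hash: real LM uses DES per 7-byte half; MD4 is substituted here.
    Uppercasing, the 14-byte limit and the two independent halves are the real structure."""
    raw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return md4(raw[:7])[:8] + md4(raw[7:])[:8]


class SamEntry:
    """One account record: the two stored forms of the password."""

    def __init__(self):
        self.nt = None  # null until a client that can compute the NT hash sets it
        self.lm = None

    def change_password_from_nt_client(self, new_password: str):
        # Windows NT / 95 / 98 clients update both forms.
        self.nt = nt_hash(new_password)
        self.lm = lm_hash_model(new_password)

    def change_password_from_downlevel_client(self, new_password: str):
        # DOS / Win3.1 / WfW / OS/2 / Macintosh clients can only supply the LM form;
        # the NT hash field is left null. This is normal operation.
        self.lm = lm_hash_model(new_password)
        self.nt = None


def verify_fixed(entry: SamEntry, supplied: str) -> bool:
    """Intended logic for an NT client: use the NT hash; if it is null, fall back to the LM hash."""
    if entry.nt is None:
        return entry.lm is not None and lm_hash_model(supplied) == entry.lm
    return nt_hash(supplied) == entry.nt


def verify_sp4_broken(entry: SamEntry, supplied: str) -> bool:
    """Model of the SP4 error: a null NT hash field is accepted for a blank password."""
    if entry.nt is None and supplied == "":
        return True
    return verify_fixed(entry, supplied)


def scenario() -> dict:
    """Constructed accounts: one last changed from a downlevel client, one from an NT client."""
    downlevel, nt_user = SamEntry(), SamEntry()
    downlevel.change_password_from_downlevel_client("Secret42")
    nt_user.change_password_from_nt_client("Secret42")
    return {
        "downlevel_sp4_blank": verify_sp4_broken(downlevel, ""),    # the vulnerability
        "downlevel_fixed_blank": verify_fixed(downlevel, ""),        # patched: rejected
        "downlevel_fixed_real": verify_fixed(downlevel, "Secret42"), # same SAM entry still works
        "downlevel_fixed_case": verify_fixed(downlevel, "secret42"), # LM fallback is case-insensitive
        "nt_user_sp4_blank": verify_sp4_broken(nt_user, ""),         # non-null NT hash: not at risk
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The same SamEntry objects are handed to both verifiers, which is the point behind "no need to change passwords": the patch swaps verify_sp4_broken for verify_fixed and leaves the stored hashes alone. The downlevel_fixed_case result also shows why the LM fallback path is weaker than the NT path even once the logic error is fixed.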



November 1998

Microsoft Security Advisor Program: Microsoft Security Bulletin (MS98-017)

Patch Available for 'Named Pipes Over RPC' Issue

Learn more here: MS98-017 : Named Pipes Over RPC Vulnerability

Patch Availability Information Updated: March 10, 2003
Originally Posted: November 19, 1998

Summary

Microsoft has released a patch that fixes a vulnerability in the way Windows NT® 4.0 handles named pipes over the Remote Procedure Call (RPC) services. An attacker could create a denial of service situation on a Windows NT 4.0 system by opening multiple named pipe connections to RPC services and sending random data.

A fully supported fix for this problem is available. As detailed below in What Customers Should Do, Microsoft recommends that customers evaluate the risk that this vulnerability poses to their systems and apply the patch if appropriate.

Issue

The underlying problem is the way that Windows NT 4.0 attempts to shut down invalid named pipe RPC connections. An attacker could exploit this problem to create a denial of service condition by opening multiple named pipe connections and sending random data. When the RPC service attempts to close the invalid connections, the service consumes all CPU resources and memory use grows considerably, which may result in the system hanging. This is a denial of service vulnerability only; there is no risk of compromise or loss of data from the attacked system.

Different attack programs may target different system services. Two of the services typically targeted are the SPOOLSS and LSASS system service processes.