Post-Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP) Now Available
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Microsoft has released a Security Rollup Package (SRP) for Windows NT 4.0 that includes the functionality from all security patches released for Windows NT 4.0 since the release of Windows NT 4.0 Service Pack 6a (SP6a). This small, comprehensive rollup of post-SP6a fixes provides an easier mechanism for managing the rollout of security fixes. Please refer to Microsoft Knowledge Base article 299444 for more information about this rollup package.
The following Microsoft Security Bulletins are included in the SRP.
Core OS
MS99-046 (243835) - Improve TCP Initial Sequence Number Randomness
MS99-055 (246045) - Malformed Resource Enumeration Argument Vulnerability
MS99-057 (248185) - Malformed Security Identifier Request Vulnerability
MS00-004 (249108) - RDISK Registry Enumeration File Vulnerability
MS00-005 (249973) - Malformed RTF Control Word Vulnerability
MS00-021 (257870) - Malformed TCP/IP Print Request Vulnerability
MS00-024 (259496) - OffloadModExpo Registry Permissions Vulnerability
MS00-027 (259622) - Malformed Environment Variable Vulnerability
MS00-036 (262694) - ResetBrowser Frame and Host Announcement Frame Vulnerabilities
MS00-040 (264684) - Remote Registry Access Authentication Vulnerability
MS00-047 (269239) - NetBIOS Name Server Protocol Spoofing Vulnerability
MS00-070 (266433) - Multiple LPC and LPC Ports Vulnerabilities
MS00-094 (276575) - Phone Book Service Buffer Overflow Vulnerability
MS01-003 (279336) - Weak Permissions on Winsock Mutex Can Allow Service Failure
MS01-008 (280119) - Malformed NTLMSSP Request Can Enable Code to Run with System Privileges
MS01-009 (283001) - Malformed PPTP Packet Stream Can Cause Kernel Exhaustion
MS01-017 (293818) - Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard
MS01-041 (298012) - Malformed RPC Request Can Cause Service Failure
Internet Information Server 4.0
MS99-003 (188348) - IIS Malformed FTP List Request Vulnerability
MS99-029 (238349) - Unauthorized Access to IIS Servers through ODBC Data Access with RDS
MS99-039 (241805) - Domain Resolution and FTP Download Vulnerabilities
MS99-053 (244613) - Windows Multithreaded SSL ISAPI Filter Vulnerability
MS00-030 (260205) - Malformed Extension Data in URL Vulnerability
MS00-031 (260838) - Undelimited .HTR Request and File Fragment Reading via .HTR Vulnerabilities
MS00-044 (267559) - Absent Directory Browser Argument Vulnerability
MS00-057 (269862) - File Permission Canonicalization Vulnerability
MS00-060 (260347) - IIS Cross-Site Scripting Vulnerabilities
MS00-078 (269862) - Web Server Folder Traversal Vulnerability
MS00-086 (277873) - Web Server File Request Parsing Vulnerability
MS01-004 (285985) - Malformed .HTR Request Allows Reading of File Fragments
MS01-026 (295534) - Superfluous Decoding Operation Could Allow Command Execution via IIS
Index Server
MS00-006 (252463) - Malformed Hit-Highlighting Argument Vulnerability
MS01-025 (294472) and (296185) - Index Server Search Function Contains Unchecked Buffer
MS01-033 (300972) - Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise
Front Page Server Extensions
Additional Information
The fixes for the following vulnerabilities affecting Windows NT 4.0 systems are not included in the SRP. Administrators should read the associated security bulletin to determine if these patches should be applied:
Core OS
MS01-022 (296441) - WebDAV Service Provider Can Allow Scripts to Levy Requests as User
MS00-079 - HyperTerminal issue (this patch was re-released after the NT4 SRP)
Front Page Server Extensions
Java Virtual Machine
The following fixes are not included in the SRP because they require administrative action rather than a software change. Administrators should ensure that, in addition to applying this patch, they have also taken the administrative action discussed in the following bulletins:
Core OS
MS98-001 (169556) - Disabling Creation of Local Groups on a Domain by Non-Administrative Users
MS99-036 (155197) - Windows NT 4.0 Does Not Delete Unattended Installation File
MS99-041 (242294) - RASMAN Security Descriptor Vulnerability
Internet Information Server
MS98-004 (184375) - Unauthorized ODBC Data Access with RDS and IIS
MS99-025 (184375) - Unauthorized Access to IIS Servers through ODBC Data Access with RDS
Front Page Server Extensions
MS00-025 (259799) - Link View Server-Side Component Vulnerability
MS00-028 (260267) - Server-Side Image Map Components Vulnerability
To get more information about the security rollup and to download the package, click here.