Microsoft Security Bulletin (MS00-001): Frequently Asked Questions
What's this bulletin about?
This bulletin announces the availability of a patch that eliminates a vulnerability in Microsoft® Commercial Internet System (MCIS). The vulnerability could allow a malicious user to remotely crash an MCIS server that is providing mail service, or to run code of his or her choosing on it. Microsoft is committed to keeping customers' information safe, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. Like most buffer overruns, it could be exploited in two ways. In the simplest case, a malicious user could cause virtually all of the Internet services on the machine to fail, as a denial of service attack. In more advanced attacks, a malicious user could cause arbitrary code to run on the server.
The vulnerability is only present if the MCIS Mail service is installed and running, and the Internet Mail Access Protocol (IMAP) service is running.
What is MCIS?
MCIS provides a comprehensive communications capability for Commercial Service Providers (CSPs), such as Internet and online service providers. It provides the ability to perform web hosting, internet access, e-commerce, mail hosting, and other services.
The vulnerability only affects installations that are using MCIS Mail, the mail hosting service that is provided as part of MCIS. Even then, it only affects MCIS Mail if the IMAP service is running.
What is IMAP?
IMAP is a commonly-used e-mail protocol. It enables users to access and manipulate electronic mail messages on a server. Specifically, it enables them to create, delete, and rename mailboxes, check for, delete or search for messages, and perform other mail tasks.
What causes the vulnerability?
The IMAP service allows users to levy a variety of requests to it. The software that processes one of these requests has an unchecked buffer. If a specially-malformed argument were provided to the affected request, it would overflow the buffer. If the argument contained random data, it would result in the failure of most of the internet-related services on the machine. However, if the argument contained specific values, it could be used to change the code running on the machine, and thus take any action that the malicious user chose.
Could this vulnerability be used remotely?
Yes. The affected IMAP requests can be made remotely.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
Use the following table to verify that you installed the patch correctly:
|If you are running on this platform...||You've installed the patch correctly if IMAPSVC.DLL has these properties...|
|Intel||Date: November 09, 1999|
Size: 302,864 bytes
|Alpha||Date: November 09, 1999|
Size: 442,128 bytes
Did Microsoft handle this vulnerability differently from others?
Yes. Because MCIS is used primarily by large CSPs, Microsoft alerted the customers who would be most likely to be affected by this vulnerability, and provided an advance copy of the patch. Normally, when Microsoft develops a security patch, we release to all customers at once. However, in this case, the vulnerability had a disparate impact on one group of customers. We therefore worked privately with them to ensure that they had the protection of the patch in place before we made it available for general release.
How common are buffer overrun vulnerabilities?
It's been estimated that anywhere from two-thirds to three-quarters of all computer security vulnerabilities involve a buffer overrun. They occur in all vendors' products, and are an industry problem. Microsoft is working hard to develop coding and testing methods that will reduce or eliminate buffer overrun vulnerabilities in its software.
What is Microsoft doing about this issue?
- Microsoft has developed a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.