Microsoft Security Bulletin (MS00-005): Frequently Asked Questions
What's this bulletin about?
Microsoft Security Bulletin MS00-005 announces the availability of a patch that eliminates a vulnerability in a component that ships as part of Microsoft® Windows® 95 and 98, and Windows NT® 4.0. The vulnerability could be used to crash applications that use Rich Text Format (RTF) data. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a denial of service vulnerability that results from a buffer overrun condition in the RTF reader that ships as part of Microsoft platforms.
If a user opened an RTF file that had been specially modified to exploit this vulnerability, it could cause the application to crash. In most cases, the application could be restarted without incident; however, in the special case of an email program with preview mode turned on, the application could continue crashing until another email arrived or the program was started with preview mode disabled. Unlike many buffer overrun vulnerabilities, Microsoft believes that there is no capability to run arbitrary code in this case.
What is RTF?
RTF is a format for encoding formatted text and graphics. It's supported by a wide variety of word processors, mail programs, and other applications that use text and graphics.
An RTF file consists of control information and unformatted text. The control information indicates how to format the text: what font to use, what color to render the text in, whether to justify or center the text, and so forth. Each of these settings is specified by a control word. For instance, the control word \caps causes text to be rendered as capital letters.
What is an RTF reader?
An RTF reader is a program that reads and interprets RTF data. Every Microsoft platform provides a native RTF reader. This eliminates the need for every application to implement its own reader; instead, every application that uses RTF can use the standard RTF reader that the platform provides.
What causes the vulnerability?
The vulnerability results because the RTF reader that ships with many Microsoft products contains an unchecked buffer. A specially-malformed control word could overflow the buffer and cause the application to crash.
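The check that an unchecked buffer lacks, shown as an added example (this is not code from the bulletin or from the Microsoft RTF reader). It assumes the 32-letter control word limit from the published RTF specification, since the bulletin does not state the reader's buffer size; the function names and the sample input are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 32 letters, the control word limit in the published RTF
   specification; the bulletin does not give the reader's buffer size. */
#define RTF_MAX_CTRL_WORD 32

/* Copy the control word starting at p (just past the backslash) into out.
   Returns the letters consumed, or -1 if the word does not fit in out. */
static int read_control_word(const char *p, const char *end,
                             char *out, size_t outsz)
{
    size_t n = 0;
    while (p < end && isalpha((unsigned char)*p)) {
        if (n + 1 >= outsz)              /* length test before every store */
            return -1;
        out[n++] = *p++;
    }
    out[n] = '\0';
    return (int)n;
}

/* Walk an RTF byte stream and count control words longer than the limit. */
static int count_oversized_control_words(const char *data, size_t len)
{
    const char *p = data, *end = data + len;
    char word[RTF_MAX_CTRL_WORD + 1];
    int bad = 0;
    while (p < end) {
        if (*p++ != '\\') continue;      /* plain text or a group brace */
        int n = read_control_word(p, end, word, sizeof word);
        if (n < 0) {
            bad++;                       /* rejected instead of overrunning */
            while (p < end && isalpha((unsigned char)*p))
                p++;                     /* resynchronise past the long word */
        } else if (n == 0 && p < end) {
            p++;                         /* control symbol such as \{ */
        } else {
            p += n;
        }
    }
    return bad;
}

int main(void)
{
    const char sample[] = "{\\rtf1\\ansi\\caps Hello}";  /* constructed input */
    printf("oversized: %d\n", count_oversized_control_words(sample, strlen(sample)));
    return 0;
}
```

A reader built this way treats an overlong control word as a parse error and carries on, where a copy loop without the length test would write past the end of the buffer.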
How could a malformed control word get into an RTF file?
Most likely, the malformed control word would have to be inserted deliberately by a malicious user. Microsoft is not aware of any RTF application that generates such control words, either as part of normal operation or as the result of an error.
What's the risk from this vulnerability?
Microsoft has identified two scenarios in which this vulnerability could pose a threat to customers. If a malicious user created an RTF file containing a malformed control word, gave it to another user, and the recipient opened it using an application that uses the default RTF reader, the vulnerability would cause the application to crash. For instance, if the recipient opened such a file using WordPad, it would cause WordPad to crash. The user would lose any work that was in progress, but could restart WordPad and resume working.
A more serious scenario involves the preview function of many email programs. If a malicious user created an RTF email containing a malformed control word and sent it to a user who had the preview function turned on, the vulnerability would cause the email program to crash as soon as the mail was displayed. Although the recipient could restart their email program, it would immediately crash again and continue doing so as long as the mail was in the preview pane. It's important to note that if the preview function were not turned on, the recipient would be able to delete the mail and resume working normally - the increased risk from this scenario only applies if the preview function is enabled.
Are both autopreview and preview mode affected in Outlook?
No. Autopreview and preview mode are two different things. This vulnerability only poses a risk to customers using preview mode; it has no effect on autopreview.
Autopreview is a viewing option in which the first three lines of the emails in your inbox are displayed. You turn autopreview on or off by going to your inbox, selecting the View menu entry, then Autopreview. In contrast, preview mode creates a preview pane, in which the contents of each mail are displayed automatically.
Because autopreview doesn't process formatting information, an RTF mail containing a malformed control word wouldn't have any effect until you actually opened the mail. Preview mode, however, does process formatting information, so such a mail would cause Outlook to crash as soon as it previewed the mail.
I have preview mode enabled in Outlook. If I received such a mail, what should I do?
There are two ways to retrieve the situation.
- Have someone else send you an email. Preview mode in Outlook only previews the most-recently received email, so once another mail arrives, the malicious email will not be displayed in the preview pane and hence won't cause Outlook to crash.
- Start Outlook from a command prompt, and use the /safe and /nopreview options to turn off preview mode. Microsoft Knowledge Base articles 197180 and 182112 provide information on how to do this.
Once you're able to get into Outlook, you can simply delete the offending mail. Obviously, you should do this without opening the mail.
Buffer overruns often allow malicious users to make code of their choice run. Does this vulnerability allow that to happen?
To the best of our knowledge, it does not. As part of the processing of RTF data, the RTF reader removes all non-alphanumeric data and converts it to lower case. This means that an attacker who wanted to run arbitrary code would need to write a program whose machine language consisted entirely of lower-case alphanumeric data. Microsoft engineers have thoroughly studied this aspect of the vulnerability, and we believe that this is not feasible.
Could this occur accidentally?
No. In order to exploit this vulnerability, a malicious user would need to use a hexadecimal editor to change the underlying data in an RTF file.
Could this vulnerability be exploited remotely?
A malicious user could send an affected file via email or provide it via a floppy disk or other medium, as discussed above. However, a malicious user has no capability to use this vulnerability as part of a network-based attack.
Who should apply the patch?
Microsoft encourages all customers using Windows 95, 98 or Windows NT 4.0 to apply the patch.
Does the vulnerability affect Windows 2000?
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
Knowledge Base article 249973 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
NOTE: A small number of customers have configurations that contain no affected RTF reader. In these cases, the patch does not install a new version of RICHED32.DLL. If RICHED32.DLL does not exist on your machine after applying the patch, verify that RICHED20.DLL also does not exist on your machine. If this is the case, you had no affected RTF readers, and the patch correctly took no action.
What is Microsoft doing about this issue?
- Microsoft has developed a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued Knowledge Base articles 197180 and 182112 explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.