Microsoft Security Bulletin (MS00-012): Frequently Asked Questions
What's this bulletin about?
Microsoft Security Bulletin MS00-012 announces the availability of a patch that eliminates a vulnerability in Microsoft® Systems Management Server (SMS). If the Remote Control feature of SMS has been installed and enabled, the vulnerability could allow a workstation user to take virtually any desired action on the machine. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a privilege elevation vulnerability. A malicious user who exploited this vulnerability would be able to take virtually any desired action on a machine that he or she could interactively log onto. For instance, he or she could add, delete or modify files, create or delete local users, or install additional software on the machine.
The only SMS feature affected by this vulnerability is the Remote Control feature. Sites that have not enabled the Remote Control Feature of SMS are not affected by this vulnerability.
What causes the vulnerability?
The client code for the SMS Remote Control feature, known as the Remote Agent, runs in the highly-privileged System security context. However, it is installed in a folder that, by default, allows any user who can interactively log onto the machine to have complete access to it. By substituting code of his or her choice for the Remote Agent, a malicious user could make the code run as System. The code would then be able to take any action it was programmed to take.
What is the Remote Control feature used for?
The SMS Remote Control feature allows administrative personnel to remotely operate a user's machine in order to assist in troubleshooting. Only users designated by the administrator can operate another user's machine by remote control, and all of their actions are audited.
Is this a vulnerability in the Remote Agent?
No. There is no vulnerability in the Remote Agent, or in the Remote Control feature. The vulnerability lies in the default permissions that are placed on the folder that contains the software. Once the permissions are set to the appropriate values, the vulnerability is eliminated.
Could this vulnerability be exploited accidentally?
No. A user would need to deliberately replace the Remote Agent with other code.
Could this vulnerability be exploited remotely?
No. The malicious user would need the ability to interactively log onto the machine in order to exploit this vulnerability.
What machines are primarily at risk from this vulnerability?
Because a malicious user must be able to interactively log onto a machine in order to exploit this vulnerability, the machines primarily affected would be workstations. If recommended security practices are followed, security-sensitive servers like domain controllers, print/file servers, ERP servers, SQL servers, and so forth will be configured to allow only administrators to interactively log onto them.
Could a malicious user gain privileges on a domain via this vulnerability?
It would depend on what kind of a machine the user exploited the vulnerability on. The vulnerability allows the malicious user to gain complete control over a machine that he or she can interactively log onto. In the vast majority of cases - for example, if a workstation or member server were compromised - even gaining complete control over the local machine would not allow the malicious user to extend his or her to the domain.
However, if the malicious user were able to compromise a domain controller, he or she could gain control over the machine. However, the centrality of domain servers to the security of the domain is one reason why normal users typically are not allowed to interactively log onto such servers.
Who should use the patch?
You should use the patch if you are a network administrator and have enabled the SMS 2.0 Remote Control feature on your site.
What does the patch do?
The patch does two things. It resets the permissions on existing deployments to the appropriate values, and it ensures that permissions are set appropriately on all future deployments.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin
How can I tell if I run the patch correctly?
You can verify that the patch has run correctly by checking the permissions on the folder in which Remote Agent is installed on remote machines. After applying the patch, the permissions on the folder %SMS_LOCAL_DIR%\MS\SMS\CLICOMP\REMCTRL\ should be:
- Administrators: Full Access
- Everyone: Read, Execute
What is Microsoft doing about this issue?
Microsoft has developed a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.