Microsoft Security Bulletin (MS00-020): Frequently Asked Questions
What's this bulletin about?
Microsoft Security Bulletin MS00-020 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows 2000. The vulnerability could allow a user to gain unauthorized privileges on a machine that he could log onto via the keyboard. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a privilege elevation vulnerability. A user who could log on interactively to a Windows 2000 machine could exploit this vulnerability to take unauthorized actions on that machine.
The machines primarily affected by this vulnerability would be Windows 2000 workstations. If normal security precautions are followed, security-critical servers such as print and file server, domain controllers, ERP servers, and others will not allow normal users to interactively log onto them. Windows 2000 Terminal Servers are not affected by this vulnerability.
What causes the vulnerability?
The vulnerability results because Windows 2000 does not properly constrain applications to the appropriate desktop. An application created by an unprivileged user could access the desktop of another, more privileged user, and take action there that he could not normally take.
What do you mean by a "desktop"?
Normally, when we refer to a "desktop", we mean the Windows desktop that you see on your screen during a Windows session. However, in the Windows 2000 security architecture, the term desktop actually has a different meaning. Desktops are used to encapsulate processes in Windows 2000, in order to ensure that a process is properly restricted to only authorized activities. It's easier to explain what a desktop is and how it works if we start with the layer of granularity above the desktop, the windows station.
What's a windows station?
A windows station is a secure container that contains a clipboard, some global information, and a set of one or more desktops. A Windows 2000 session will have several windows stations, one assigned to the logon session of the interactive user, and others assigned to the Winlogon process, the secure screen saver process, and any service that runs in a security context other than that of the interactive user.
The interactive window station assigned to the logon session of the interactive user also contains the keyboard, mouse, and display device. The interactive window station is visible to the user and can receive input from the user. All other window stations are noninteractive, which means that they cannot be made visible to the user, and cannot receive user input.
What's a desktop?
A desktop is a secure container object that is contained within a window station. There may be many desktops contained within a windows station.
A desktop has a logical display surface and contains windows, menus, and hooks. Only the desktops of the interactive window station can be visible and receive user input. On the interactive window station, only one desktop at a time is active. This active desktop, also known as the input desktop, is the one that is currently visible to the user and that receives user input.
What's the problem with desktop security in Windows 2000?
Windows 2000 does not properly implement the desktop security model. This makes it possible for a user to create a process that will run in a different desktop. Specifically, it enables processes to access other desktops within the same windows station, or within other windows stations in the same session.
If a malicious user created a process in a desktop belonging to a higher-privilege process, what could it do?
The more interesting case is what it could not do. Running a process in a higher-privilege desktop would not automatically confer elevated privileges upon the process. For example, even if a malicious user succeeding in getting a process to run in a desktop owned by, say, System, it would not allow the process to simply add the user to the Administrator's group.
What it would let the process do is access the display and the input devices owned by the higher-privilege desktop. So, for instance, if a malicious user succeeded in placing a process into the desktop owned by the Winlogon process, it could watch and record the passwords that users entered as they logged onto the machine.
How easy would it be to launch a process in the wrong desktop?
It would not be as simple as just launching a process and letting it run. There are several steps that the malicious user would need to take, in order to launch the process at the right time. Fortunately, most of these are precluded by other standard security precautions.
Could a malicious user take action on a different machine via this vulnerability?
No. The vulnerability only affects the local machine. There is no capability via this vulnerability to cause a process to run in a desktop that resides on a different machine.
What machines are primarily affected by this vulnerability?
Because the vulnerability only allows the user to gain additional privileges on the local machine, Windows 2000 workstations would be primarily affected. If normal security recommendations have been followed, servers will not allow normal users to interactively log onto them. As discussed below, Windows 2000 Terminal Servers are not affected by this vulnerability under any conditions.
Why aren't Terminal Servers affected by the vulnerability?
The vulnerability does not span session boundaries. That is, it allows a process to access other desktops within the same session. However, every Terminal Server user runs within his own session, so there is no capability for one user's processes to interfere with those of another.
Would this vulnerability allow a malicious user to take over a network?
It would depend on the specific machine that was attacked. If a malicious user compromised a workstation, the vulnerability would not give him any means of extending his control to other machines. If he compromised a domain controller, it would provide de facto control over the domain. However, he could only compromise a domain controller if he already had the ability to log onto it interactively. The importance of security-critical servers like these is one reason why, as a matter of course, only administrators should be given the ability to interactively log onto them.
Could this vulnerability be exploited accidentally?
No. The steps that would need to be taken to interfere with another desktop could not happen accidentally.
Will this vulnerability affect Windows 2000, Datacenter Server?
No. Windows 2000 Datacenter Server has not yet been released, and this issue will be corrected prior to release.
What does the patch do?
The patch restores the desktop security model so that it appropriately separates processes in different desktops.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin
How can I tell if I installed the patch correctly?
The KB article 260197 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that the file is present on your computer, and has the same size and creation date as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has developed a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article 260197 explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.