Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-047)
What's this bulletin about?
This bulletin announces the availability of a patch that eliminates two security vulnerabilities in Microsoft® Windows NT® 4.0. The net effect of the vulnerabilities is that a malicious user could crash the print spooler service or cause arbitrary code to run on the server. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerabilities?
There are two distinct vulnerabilities at issue here, but their overall effect is that a user could crash the print spooler on a server or run arbitrary code in a privileged state, either on the server or on the local machine.
The first vulnerability is a buffer overrun vulnerability that could be exploited in two ways. In the simplest case, a malicious user could simply crash the spooler service as a denial of service attack. An administrator would need to restart the service, but in most cases would not need to reboot the server. The vulnerability could also be used in more advanced attacks to run arbitrary code on the server. This would constitute a privilege elevation because the print spooler runs in a System context.
The chief limiting factor in this vulnerability is the fact that most of the affected APIs can only be called by a member of the Administrators or Power Users groups. However, at least one can be called by a normal user. The calls can be made remotely if the user is an authenticated domain user or has a user account on the machine.
The second vulnerability results because of incorrect permissions on a print provider, and would allow a malicious user to run arbitrary code in a privileged context. However, this vulnerability would not be as serious as the buffer overrun, because it could only be used to run code on the local machine rather than a server.
What causes the buffer overrun vulnerability?
The print spooler provides a number of APIs that allow users to request or configure printing services. However, several of these APIs have unchecked buffers.
The unchecked buffers could be exploited in two ways. In the simplest case, a malicious user could simply provide random data as an argument to an affected function in order to crash the print spooler service. An administrator would need to restart the spooler service, but in most cases would not need to reboot the machine. A more advanced attack could involve providing a specially-malformed argument to an affected API that could be used to cause arbitrary code to run on the server in a System context.
An important point regarding this vulnerability is the fact that most of the affected APIs can only be called by members of the Administrators and Power Users groups. Only a few can be called by normal users.
Why does it matter who can call these APIs?
It significantly limits the scope of the problem. There would be little gain for an Administrator to exploit a buffer overrun vulnerability, as administrators already have full control over the machine. Likewise, Power Users already have significant privileges on the machine, and the actual privileges gained through this attack would be relatively few. The greatest risk is posed by the APIs that allow normal users to call them, because normal users have the most to gain through exploiting the vulnerability.
What causes the print provider vulnerability?
First, let's define what a print provider is. Print providers are pieces of software that handle particular printing tasks. For instance, there is a print provider that handles print requests that originate from non-Microsoft operating systems. Windows NT comes equipped with a number of standard print providers, but also provides the ability to install custom ones as well.
By design, only administrators should be able to install print providers, because they run in the security context of the local system. However, certain print providers allow normal users to install them as well. A malicious user could install a custom print provider as a way of getting code to run in a higher privilege than he or she has. However, they could only use this vulnerability to run code on the local machine, because print providers can't be added remotely.
What does the patch do?
The patch eliminates both vulnerabilities. It adds code that checks all API arguments to ensure that they will not overrun their buffers, and also ensures that only administrators can add print providers.
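As an added illustration (constructed here; not the Windows NT spooler's own code or the patch), the unchecked-buffer pattern the bulletin describes beside the argument check the patch adds. The function names, the 32-byte buffer size and the error codes are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration: a spooler-style API that receives a
 * caller-supplied printer name and stores it in a fixed-size buffer.
 * Names, sizes and error codes are assumptions, not the real spooler. */
#define PRINTER_NAME_MAX 32

/* Error codes, modelled loosely on Win32 conventions (assumption). */
enum { API_OK = 0, API_INVALID_PARAMETER = 87 };

/* Constructed 40-byte input, longer than the buffer. */
static const char kLongName[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* BEFORE: the argument length is never checked, so a name longer than
 * PRINTER_NAME_MAX-1 bytes overwrites whatever follows 'name' on the stack.
 * Random data crashes the service; crafted data could hijack execution. */
int set_printer_unchecked(const char *caller_name) {
    char name[PRINTER_NAME_MAX];
    strcpy(name, caller_name);  /* unchecked buffer: the bulletin's defect */
    printf("configuring printer %s\n", name);
    return API_OK;
}

/* AFTER: the patch's approach, validate every argument against the buffer
 * it is destined for before copying, and refuse oversized input. */
int set_printer_checked(const char *caller_name) {
    char name[PRINTER_NAME_MAX];
    if (caller_name == NULL)
        return API_INVALID_PARAMETER;
    /* Bounded scan: no terminator within the buffer size means the name
     * cannot fit, so the call is rejected instead of overrunning. */
    const char *nul = memchr(caller_name, '\0', PRINTER_NAME_MAX);
    if (nul == NULL)
        return API_INVALID_PARAMETER;
    memcpy(name, caller_name, (size_t)(nul - caller_name) + 1);
    printf("configuring printer %s\n", name);
    return API_OK;
}

int main(void) {
    printf("short name -> %d\n", set_printer_checked("HPLaserJet"));
    printf("40-byte name -> %d\n", set_printer_checked(kLongName));
    return 0;
}
```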
What machines should I install the patch on?
You should install the patch on any machine that is running the print spooler service. By default, the spooler service is started on all Windows NT machines.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I verify that I installed the patch correctly?
Knowledge Base article 243649 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What are best practices for the Power Users group?
Membership in the Power Users group provides significant administrator-like privileges, and should only be granted to trusted users. If a malicious user is given membership in this group, they can cause significant damage, even without a security vulnerability. Microsoft recommends that customers review the membership of the Power Users group and ensure that it has the minimum possible membership and that all members are trusted.
How common are buffer overrun vulnerabilities?
It's been estimated that anywhere from two-thirds to three-quarters of all computer security vulnerabilities involve a buffer overrun. They occur in all vendors' products, and are an industry problem. Microsoft is working hard to develop coding and testing methods that will reduce or eliminate buffer overrun vulnerabilities in its software.
What is Microsoft doing about this issue?
- Microsoft has developed a patch that eliminates the vulnerabilities.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security. A good reference regarding security best practices for Windows NT is a white paper titled "Securing Windows NT Installation", available at http://www.microsoft.com/technet/security/white.mspx.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.