What's this bulletin about?
Microsoft Security Bulletin MS00-040 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows NT 4.0. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability could allow denial of service attacks against a Windows NT 4.0 machine. If a malicious user sent an affected machine a particular type of malformed request for remote registry access, it could cause Windows NT 4.0 to fail.
Under default conditions, only authenticated users - users with an account and password on the network -- could exploit this vulnerability. If a machine has been configured to deny all registry access requests, it would not be affected by this vulnerability under any conditions. An affected machine could be put back into service by rebooting.
What causes the vulnerability?
The vulnerability results because, when authenticating a user's request to remotely interrogate the registry, the Winlogon process does not correctly handle a certain type of malformed request. Depending on the circumstances, the Winlogon process itself could fail, and cause the entire system to stop.
What is Winlogon?
Winlogon.exe is the process that manages security-related user interactions in Windows NT. It handles logon and logoff requests, locking or unlocking the machine, changing the password, and other requests. Winlogon on Windows NT 4.0 also contains the remote registry service.
What do you mean by "remotely interrogating" the registry?
By "remotely interrogating" the registry, we mean reading or changing registry entries on a remote machine.
Isn't there a way to configure Windows NT 4.0 to prevent remote access to the registry?
Yes. Windows NT 4.0 Service Pack introduced a new registry key, the so-called Winreg key, which regulates who can remotely access the registry. The Security permissions set on this key define what Users or Groups can connect to the system for remote access to the registry. The default permissions only allow administrators full access to the registry, and deny all other users access. More information on the Winreg key is available in Microsoft Knowledge Base article Q153183.
However, it's important to understand that the Winreg key would not protect against this vulnerability by default. As long as any key can be interrogated, a malicious user could exploit this vulnerability. As discussed in the Knowledge Base article, the default setting of the Winreg key allows a small number of registry keys to be interrogated by authenticated users. The specific list of such keys is specified via the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\ winreg\AllowedPaths key. Machines whose AllowedPaths value prevents authenticated users from accessing any keys would not be at risk from this vulnerability.
What would the effect of an attack via this vulnerability be?
In most cases, the vulnerability causes Winlogon to fail; because winlogon is a critical system process, this would cause Windows NT 4.0 to fail altogether.
Who could exploit this vulnerability?
Under default conditions, only members of the Authenticated Users group - users who have an account and password on the domain - could exploit it. An external user connecting to a server via a null session would not be able to exploit it.
How could an affected machine be put back into service?
An affected machine could be put back into normal service by rebooting it.
Could this vulnerability be exploited accidentally?
It's very unlikely. The specific malformation at issue is not generated as part of any standard registry-editing tool like Regedit or Regedt32. It only occurs when a call is made to the appropriate Win32 API, with a specific (and invalid) malformed parameter.
What machines are primarily at risk from this vulnerability?
Although the vulnerability affects all Windows NT 4.0 machines, the ones most likely to be targeted by this attack would be servers, especially domain controllers. As discussed above, by targeting the domain controllers in a network, a malicious user could prevent users from logging onto the network.
Is Windows 2000 affected by the vulnerability?
No. The Windows 2000 remote registry server correctly handles the malformed packet. In any event, the Windows 2000 remote registry server is not located in the Winlogon process, so even if the same problem had existed in Windows 2000, it would not result in a system failure.
What does the patch do?
The patch causes the Winlogon process to reject the malformed packet at issue here.
How do I use the patch?
Microsoft Knowledge Base article Q264684 contains detailed instructions for applying the patch to your site.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
Microsoft Knowledge Base article Q264684 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has developed a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft Knowledge Base article Q264684 explaining the vulnerability and patch in more detail
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
