What's this bulletin about?
Microsoft Security Bulletin MS00-066 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows 2000. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a Denial of Service vulnerability. A malicious user could exploit the vulnerability to cause the RPC (Remote Procedure Call) service on a remote Windows 2000 Server to crash. An affected RPC service will stop responding to client requests.
The computers at greatest risk from this vulnerability are Windows 2000 servers that are directly exposed on the Internet. Computers that are protected by a firewall where the security best practice of blocking incoming and outgoing traffic on ports 135-139 and 445 are protected from attacks that attempt to exploit this vulnerability.
Microsoft Windows NT 4.0 computers are not affected by this vulnerability.
What causes the vulnerability?
A flaw in the RPC service can cause the RPC service to crash when sent a particular kind of malformed RPC client packet. A server that had been subject to a successful attack exploiting this vulnerability would have to be rebooted in order to restore RPC service.
What is the RPC service?
Remote Procedure Call (RPC) is a facility that allows a program on one Windows system (the client) to invoke the services of another program running on a separate Windows system (the server) in a distributed network. RPC is an application level protocol that can use the communications services of any of the Windows networking protocols including TCP/IP.
For example, RPC is used when a Windows NT or Windows 2000 client logs into a domain or when an Outlook client connects to an Exchange server. The client uses RPC to call the server to validate the user login attempt or to connect to the Exchange server.
What would this vulnerability let a malicious user do?
A malicious user could exploit this vulnerability to crash the RPC service on a Windows 2000 server and render it incapable of responding to service requests. This vulnerability would provide no capability for an attacker to gain administrative privileges on the server or to gain unauthorized access to files or other resources on the server. After a successful attack, the server could be restored to operation by rebooting.
How would this vulnerability be exploited?
In order to exploit this vulnerability, a malicious RPC client would have to send a malformed RPC packet to a Windows 2000 server. On receiving the malformed RPC packet, the server would crash, and could be restarted by rebooting.
Could this vulnerability be exploited accidentally?
No. Exploiting this vulnerability would require a very specific series of steps that have no legitimate purpose. Those steps would only be taken by a malicious user attempting to exploit this vulnerability.
Could this vulnerability be exploited remotely?
Yes. This vulnerability is present in the Windows 2000 RPC service, which is as intended to be accessed remotely. However, if best practices were followed and the server were protected by a firewall that blocked ports 135-139 and 445, only systems behind the firewall would have the potential to launch a successful attack.
What machines are at greatest risk from this vulnerability?
The computers at greatest risk are those directly connected to the Internet. If best practices were followed and a server was protected by a firewall that blocked ports 135-139 and 445, it would only be subject to attack by other machines on its local intranet.
Where can I get more information on Port 135-139 and 445?
Please reference http://www.iana.org/assignments/port-numbers for more information.
Would it be possible to prevent the attack by disabling the RPC service?
It is not practical to disable the RPC service on a Windows 2000 server. RPC is an integral part of the Operating System and many services will not function with RPC disabled.
Does this vulnerability affect Windows NT 4.0?
This vulnerability does not affect computers running Windows NT 4.0.
Who should use the patch?
Microsoft recommends that customers with direct Internet exposed Windows 2000 computers should install the patch and other customers consider installing the patch.
What does the patch do?
The patch eliminates the vulnerability by removing the flaw in the RPC service when sent a malformed RPC packet from a client.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
How do I use the patch?
Knowledge Base article Q272303 contains detailed instructions for applying the patch.
Note: This patch will also be included in the next Service Pack for Windows 2000. The patch can be applied to a computer with or without Service Pack 1.
How can I tell if I installed the patch correctly?
The Knowledge Base article Q272303 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article Q272303 explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
