Microsoft Security Bulletin MS00-069
Patch Available for 'Simplified Chinese IME State Recognition' Vulnerability
Originally posted: September 29, 2000
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows® 2000. The vulnerability could allow a malicious user to gain complete control over an affected machine.
Affected Software:
- Microsoft Windows 2000
Note: Only the Simplified Chinese version of Windows 2000 is affected by default. Customers running any other language version of Windows 2000 only need to take action if they installed a Simplified Chinese IME during system setup.
Vulnerability Identifier: CVE-2000-0933
Input Method Editors (IMEs) enable character-based languages such as Chinese to be entered via a standard 101-key keyboard. When an IME is installed as part of the system setup, it is available by default as part of the logon screen. In such a case, the IME should recognize that it is running in the context of the LocalSystem and not in the context of a user, and restrict certain functions. However, the IME for Simplified Chinese does not correctly recognize the machine state, and exposes inappropriate functions as part of the logon screen. As a result, a malicious user who had access to either a physical keyboard or a terminal server session on an affected machine could gain LocalSystem privilege even without logging onto the machine.
This vulnerability only affects the Simplified Chinese version of Windows 2000 by default - customers using any other version of Windows 2000 are not affected. Even if the Simplified Chinese IME was installed after setup as part of a language pack, it would not be present as part of the logon screen and therefore would not pose a security threat. The vulnerability allows only the local machine to be compromised, and does not grant any domain privileges (unless, of course, the local machine happens to be a domain controller). Because the vulnerability is exposed as part of the logon screen, it could only be exploited by a user who had physical access to a keyboard, or who could start a terminal server session on an affected machine. If best practices - which strongly recommend against giving normal users physical access to critical servers, or allowing terminal server sessions on such servers - have been followed, this vulnerability would affect only workstations and terminal servers.
What's this bulletin about?
Microsoft Security Bulletin MS00-069 announces the availability of a patch that eliminates a vulnerability in the Simplified Chinese version of Microsoft® Windows 2000. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a privilege elevation vulnerability. In the Simplified Chinese version of Windows 2000, a system component that allows Chinese characters to be entered via a keyboard could enable a malicious user to gain full control of a Windows 2000 system without needing to log on. The user could then take any desired action on the computer: he could add users to the machine, install or remove system components, add or remove software, compromise data, or take any other action on the machine.
There are a number of significant restrictions associated with the vulnerability:
- The system component at issue here is only installed by default on the Simplified Chinese version of Windows 2000.
- The vulnerability could only be used to gain control of the local machine.
- To exploit the vulnerability, the malicious user would need physical access to the machine's keyboard, or would need the ability to start a Terminal Server connection to the machine. If best practices are followed, this restriction would tend to minimize the risk to servers and other critical systems.
What causes the vulnerability?
Under certain conditions, the Input Method Editor (IME) for Simplified Chinese inappropriately exposes functionality that runs in LocalSystem context. A malicious user who could access the logon screen on an affected system could use this functionality to run code of his choice and take any desired action on the machine.
What's an IME?
IMEs help solve a problem associated with entering information in certain languages via a keyboard. Languages like Chinese and Japanese contain thousands of different characters, and it isn't feasible to build a keyboard that includes all of them. IMEs allow the characters to be built using a standard 101-key keyboard, by specifying the strokes that compose each character.
An IME consists of an engine that converts keystrokes into phonetic and ideographic characters and a dictionary of commonly-used ideographic words. As the user enters keystrokes via the keyboard, the IME identifies the keystrokes and converts them into characters.
What's wrong with the Simplified Chinese IMEs?
When an IME is installed on a system, it needs to recognize what state the machine is in, and either expose or hide certain functions as appropriate. Specifically, an IME may need to be present as part of the logon screen, in order to allow users to log onto the system using a character-based userid and password, but in such cases it should restrict the functionality available to the user. However, the Simplified Chinese IMEs in Windows 2000 don't correctly recognize when they are running as part of the logon screen, and as a result don't restrict the functionality the way they should.
Why should the IME hide some of its functionality when running as part of the logon screen?
Normally, an IME runs under the user's security context, and has only the rights and privileges that the user has. The IME provides features that let the user take certain actions, but under normal conditions it's safe to let the user use all of them - after all, if the IME is running in the user's own security context, it can only take actions that the user himself can take.
However, when an IME runs as part of the logon screen, there isn't a user yet. As a result, the IME must run as part of the operating system, in the so-called LocalSystem context. This is a highly-privileged security context, and it's no longer appropriate to let users access all of the IME's features. The Simplified Chinese IME exposes all of its normal functionality regardless of whether it's running in the user's context or the LocalSystem context.
What IMEs are affected by the vulnerability?
Only the Simplified Chinese IMEs are affected. All other languages' IMEs correctly identify when they're running as part of the logon screen and only expose the appropriate functions.
What versions of Windows 2000 ship with the Simplified Chinese IME installed?
The Simplified Chinese IME is only installed by default on the Simplified Chinese version of Windows 2000. It is not installed by default on any other version of Windows 2000.
Is the IME enabled at logon time by default on Simplified Chinese Windows 2000 systems?
Yes. Because the IME is installed as part of system setup on the Simplified Chinese version of Windows 2000, it is available by default as part of the logon screen.
Can the Simplified Chinese IME be installed on other language versions of Windows 2000?
Yes, although the Simplified Chinese IME doesn't ship with any version other than the Simplified Chinese version of Windows 2000. If this IME is installed on a different version of Windows 2000, the critical factor with respect to this vulnerability is whether the IME is installed as part of system setup or at some time after setup.
When an IME is installed as part of system setup, it becomes available as part of the logon screen. Thus, if the Simplified Chinese IME is installed as part of system setup, the system would be vulnerable. However, if the IME is installed at any time after system setup, it won't be available as part of logon, and the system wouldn't be vulnerable.
Does the Simplified Chinese IME pose any threat if it's not exposed as part of the logon screen?
No. The IME operates correctly in all other cases.
Who could exploit the vulnerability?
A malicious user could exploit the vulnerability if he had either of two types of access to an affected machine:
- Access to a physical keyboard. That is, the malicious user could exploit the vulnerability if he could lay his hands on the keyboard attached to an affected machine.
- Access to a virtual keyboard. That is, the malicious user could exploit the vulnerability if he could start a terminal server session with an affected machine.
What could a user do if he exploited this vulnerability?
If a malicious user exploited this vulnerability, he could gain complete control of the machine. He could run code of his choice, change the system configuration, create new users, add or remove system services, add, change or delete data, or take any other action he desired.
What machines are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk, because they typically allow untrusted users to access either a physical or virtual keyboard.
Are servers vulnerable to this issue?
There is no capability to exploit this vulnerability via a file share, printer share, web server session, database session, or any other type of network sharing. Unless the user can physically touch the keyboard, or can start a terminal server session with an affected machine, the vulnerability cannot be exploited.
Best practices strongly recommend against ever allowing normal users to have either type of access to critical machines. Servers such as print/file servers, database servers, domain controllers, ERP servers, web servers, and others should be physically protected and should not serve as terminal servers. If these recommendations have been followed, this vulnerability would pose no threat to machines like these.
Would this vulnerability enable the malicious user to take control of a network?
It would depend on the particular machine on which the user exploited the vulnerability. The vulnerability only enables the user to gain control of the local machine, so if the user exploited it on a workstation or a terminal server, he would gain control only of that particular machine. On the other hand, if he exploited it on a domain controller, control of the local machine would also give him control over the entire network. This is but one reason why best practices militate against ever allowing physical or remote access to critical servers like domain controllers.
Could a malicious user who had the ability to log onto a machine install an IME, and then exploit the vulnerability?
No. Only administrators can install IMEs.
Does this vulnerability affect Windows NT 4.0 systems?
No. It only affects Windows 2000 systems, and only if they are running the Simplified Chinese version of Windows 2000.
Who should use the patch?
Microsoft strongly recommends that all customers using the Simplified Chinese version of Windows 2000 install the patch on their system.
What does the patch do?
The patch eliminates the vulnerability by causing the Simplified Chinese IME to recognize the machine state and only expose the appropriate functions at logon time.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
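As an added audit example (not part of the bulletin, and not Microsoft's own tooling), the PowerShell function below checks the two conditions the bulletin describes: whether a Simplified Chinese IME is preloaded on the logon screen (the "installed during setup" case above), and whether the Q270676 patch, or Service Pack 2 which incorporates it, is present. It assumes that the logon-screen layouts are the values under HKEY_USERS\.DEFAULT\Keyboard Layout\Preload, that Simplified Chinese IME layout IDs match the pattern E0xx0804, and that the hotfix is registered as Q270676 in Win32_QuickFixEngineering; the OS language (2052 = Chinese PRC) and service-pack level are read from Win32_OperatingSystem.

```powershell
# Added audit script; assumptions are listed in the lead-in above.
# Run from an elevated PowerShell session on the machine being audited.

function Test-Ms00069Exposure {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # 2052 (0x0804) is the Chinese (PRC) OS language, i.e. Simplified Chinese Windows
    $isSimplifiedChineseOs = ([int]$os.OSLanguage -eq 2052)

    # Layouts preloaded for the default profile are the ones offered on the logon screen
    # (assumed key; IME layout IDs are assumed to look like E0xx0804 for Chinese PRC)
    $preloadKey = 'Registry::HKEY_USERS\.DEFAULT\Keyboard Layout\Preload'
    $logonIme = @()
    if (Test-Path $preloadKey) {
        $props = Get-ItemProperty -Path $preloadKey
        foreach ($p in $props.PSObject.Properties) {
            # Preload values are named "1", "2", ... ; skip the PS* metadata properties
            if ($p.Name -match '^\d+$' -and $p.Value -match '^E0[0-9A-F]{2}0804$') {
                $logonIme += $p.Value
            }
        }
    }

    # Patched if hotfix Q270676 is registered, or SP2 or later (which includes it) is installed
    $hotfix = Get-WmiObject -Class Win32_QuickFixEngineering |
              Where-Object { $_.HotFixID -match '270676' }
    $patched = ([bool]$hotfix) -or ([int]$os.ServicePackMajorVersion -ge 2)

    New-Object -TypeName PSObject -Property @{
        SimplifiedChineseOS             = $isSimplifiedChineseOs
        LogonScreenSimplifiedChineseIME = $logonIme
        Patched                         = $patched
        # Exposed only when a Simplified Chinese IME sits on the logon screen and no fix is present
        Exposed                         = (($logonIme.Count -gt 0) -and -not $patched)
    }
}

Test-Ms00069Exposure | Format-List
```

Windows 2000 predates PowerShell, so the WMI queries would normally be pointed at the audited host with Get-WmiObject -ComputerName, while the registry check has to run locally or through another remote-registry method.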
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
Download locations for this patch
- Microsoft Windows 2000, Simplified Chinese version: http://www.microsoft.com/downloads/details.aspx?FamilyId=6CD4A747-9DE4-4F2F-817F-92BB597B8F5B&displaylang=en
- Microsoft Windows 2000, English version: http://www.microsoft.com/downloads/details.aspx?FamilyId=6CD4A747-9DE4-4F2F-817F-92BB597B8F5B&displaylang=en
Note: This patch can be installed on systems running Windows 2000, either with or without Service Pack 1. The patch will be incorporated into Service Pack 2.
Installation platforms: Please see the following references for more information related to this issue.
- Microsoft Knowledge Base (KB) article Q270676, http://support.microsoft.com/default.aspx?scid=kb;en-us;270676&sd=tech
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- September 29, 2000: Bulletin Created.