What's this bulletin about?
Microsoft Security Bulletin MS00-072 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows 95, 98, 98 Second Edition, and Windows Me. Through a special utility, the vulnerability could allow a malicious user to connect to a password protected file share on any of the products listed above without knowing the entire password. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a privacy compromise vulnerability. The vulnerability could potentially allow unauthorized access to a user's password protected file share through the use of a malicious client utility without requiring a user to know the complete password for the share.
For customers using File and Print Sharing within a corporate environment, care should be taken when enabling this service. Microsoft recommends that user-level access permissions be granted to shares rather than share level permissions based on passwords. A still more robust solution is to use a Windows NT or Windows 2000 system as a file server.
What causes the vulnerability?
There is a flaw in the way the File and Print Sharing service implements password protection for a directory when that directory is shared over a network using share level access. The flaw could allow a malicious program to gain access to that share without knowing the complete password.
What is the File and Print Sharing Service?
The Microsoft Windows 9x and Windows Me family of products incorporate peer to peer networking capabilities that enable share level security on a file share. In other words a client can act like a server and vice versa in any Windows networking environment. Windows 9x and Windows Me offers share level access control to file shares and user-level access control when the Windows 9x or Windows Me system is part of a Windows NT domain.
Only share level security suffers from this vulnerability since only share level security uses passwords as the security mechanism for protecting the share.
I understand about sharing files, but what's the difference between share level and user-level access?
Share level security provides a password controlled gate to protected resources. The advantage of this security paradigm is that it allows granting access to a large number of people with very little effort. However, it is not very secure, since the password is widely distributed and there is no notion of personal accountability. Windows NT's security paradigm is based on granting access to individuals each of whom has an account. This paradigm allows fine-grained control over per-user access and allows individual accountability. The disadvantage is that you must create a user account for each user you want to grant access to and you must grant that user the access (either directly or by adding the user to an appropriate group).
Note: User-level access permissions are only available on Windows 9x and Windows Me machines when they are part of a Windows NT domain.
What would this vulnerability allow a malicious user to do?
If a malicious user could exploit this vulnerability, they would be able to retrieve, modify, or delete any file within that share.
What protection does a password provide?
A password is like a lock on your door. It provides protection against unauthorized entry while still allowing you access. However the vulnerability that affects the password protection on a Windows 9x or Windows Me file share would allow unauthorized access, by a user who exploits a malicious client utility, without requiring that the user know the password for that share.
Who should use the patch?
Microsoft recommends that anyone with File and Print sharing enabled and using share level access on a Windows 9x or Windows Me system consider installing the patch.
What does the patch do?
The patch eliminates the vulnerability by eliminating the flaw in the password mechanism.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
