What's this bulletin about?
Microsoft Security Bulletin MS00-073 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows 95, 98, 98 Second Edition and Windows Me Edition. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a denial of service attack. A malicious user could use this vulnerability to cause an affected machine to fail and possibly cause a broadcast storm on the network.
The chief limitation on this vulnerability is that the affected system component is not installed by default on Windows 98 and later versions. Even if it was installed, the vulnerability could only be exploited in restricted circumstances. In a corporate setting, the vulnerability could only be exploited by a user who could log onto the network. In a home setting, the vulnerability could only be exploited if the machine was connected to the Internet via a cable modem or DSL connection, and the malicious user was on the same network segment as the affected machine. Neither Windows NT 4.0 nor Windows 2000 are affected by the vulnerability.
What causes the vulnerability?
The IPX NMPI (Netbios Name Management Port Interface) implementation in the affected systems will accept and process a specially-malformed packet sent to it, with potential consequences that could cause that machine to fail or possibly cause a broadcast storm.
What's IPX?
IPX (Internetworked Packet Exchange, or, more properly, IPX/SPX - Internetworked Packet Exchange/Sequenced Packet Exchange) is a networking protocol popularized by Novell Netware. Windows platforms implement IPX through the NWLink feature, which allows Windows and Netware computers to communicate.
IPX is primarily used in small- to medium-sized networks, because it's routable and relatively efficient. It's typically not used in large networks because, under IPX, machines periodically send broadcast messages to announce their continued presence on the network. In large networks these messages can cause network congestion.
What is NMPI?
NMPI (Name Management Protocol on IPX) is a protocol that allows computers on a network to determine the names of other computers, in order to allow them to communicate with each other. Normally, Windows machines use a protocol called NetBIOS to perform name management. However, when using IPX, it's possible to improve the efficiency of data sharing through a technique known as direct hosting. In direct hosting, NMPI rather than NetBIOS is used for name management. Although NMPI isn't part of the IPX protocol, NMPI support is automatically enabled whenever IPX is installed on the machine, and can't be enabled except through IPX. That is, the only customers who could be affected by this vulnerability would be those who have IPX installed on their machines, and all customers with IPX installed would be affected.
Is this a problem in either the IPX or NMPI protocols?
No. The vulnerability has nothing to do with either protocol per se. It results because of an error in the NMPI implementation that causes it to mishandle a particular type of malformed request.
Is IPX installed by default?
In general, no. Windows 98, Windows 98 Second Edition, and Windows Me Edition do not install IPX by default. Windows 95 does install IPX by default if there is a plug-and-play network card present in the machine when the system is installed - however, at the time when most Windows 95 systems were installed, there were very few plug-and-play network cards available, so it is likely that IPX is not installed on most Windows 95 systems.
What's wrong with the malformed packet at issue here?
The vulnerability causes the affected systems to handle a received NMPI packet inappropriately if the source network address in the packet equals the destination address.
What do you mean by a network address?
Like most networking protocols, IPX provides the ability to send a packet to specific machines in the network by addressing it with the appropriate network address. In this vulnerability, however, the malicious user wouldn't send a malformed packet to the broadcast address - instead, he would provide the broadcast address as the source address.
What do you mean when you say that an affected system would handle such a packet inappropriately?
The broadcast address is clearly an invalid source address, and NWLink should simply drop such a packet when it receives it. Instead, it processes the packet, and, because of the malformation, responds to the entire network rather than to the requester.
What's the effect of responding to the entire network?
It would have two effects. First, it would cause the machine to respond to the "sender" of the NMPI packet - the broadcast address. That is, it would cause the machine to send a NMPI response to the entire network. This would require every machine that received it to process it. If a single machine sent a NMPI reply to the entire network, it might not have a significant effect on the overall network. However, the malicious user might not send the packet to a single machine. He might set the destination address, as well as the source address, to broadcast, in order to cause every affected machine within broadcast range to respond to the entire network. Depending on the number of affected machines on the network, this could create a "broadcast storm" that could significantly impede network operations.
To see why, consider a case in which there are ten machines on the network. The malicious user would initiate the attack by sending a single malformed NMPI packet to the broadcast address. Upon receiving the request, all ten machines would process it and reply to the broadcast address. Thus, by sending a single request, the malicious user would have succeeded in causing ten times as much traffic to be sent in response, and would have caused all ten machines to process the other machines' responses. Now consider the case where a thousand affected machines are on the network. In this case, a single malformed NMPI packet would cause a thousand responses. If the number of affected machines were sufficiently high, the attack could cause the network to be swamped with responses.
How long would the broadcast storm last?
It would be brief - first of all, because the responses wouldn't trigger any additional responses, and second because each affected machine would crash after seeing its response.
Who is at risk from this vulnerability?
Let's start with who's not at risk. If IPX isn't installed on the machine, the vulnerability can't affect it. Even if IPX were installed, a malicious user couldn't attack the machine via this vulnerability unless he could deliver a malformed NMPI packet to it.
Are Windows NT 4.0 and Windows 2000 affected by the vulnerability?
No.
Who should use the patch?
Microsoft recommends that customers who have IPX enabled consider installing the patch.
What does the patch do?
The patch eliminates the vulnerability by causing NWLink to ignore NMPI requests containing the specific malformation at issue here.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
How do I use the patch?
Knowledge Base article Q273727 contains detailed instructions for applying the patch.
How can I tell if I installed the patch correctly?
Knowledge Base article Q273727 provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article Q273727 explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
