Microsoft Security Bulletin MS00-074

Patch Available for 'WebTV for Windows Denial of Service' Vulnerability

Originally posted: October 11, 2000

Summary

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® WebTV for Windows. The vulnerability could allow a malicious user to remotely crash systems running WebTV for Windows.

Affected Software:

Microsoft WebTV for Windows on Windows 98, Windows 98SE, and Windows Me
Note: This vulnerability is not related to the WebTV(tm) service provided by WebTV Networks.

Vulnerability Identifier: CVE-2000-0830

General Information

Technical details

Frequently asked questions

What's this bulletin about?
Microsoft Security Bulletin MS00-074 announces the availability of a patch that eliminates a vulnerability in Microsoft® WebTV for Windows. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a Denial of Service vulnerability. A malicious user could use the vulnerability to crash either the operating system or the WebTV for Windows application.
By default, WebTV for Windows is not automatically installed on Windows 98, 98Se, or Windows Me operating systems, and only customers who have installed it would be at risk from this vulnerability. The vulnerability could be used to crash the WebTV for Windows application and/or the host operating system, but could not be used for any broader attack - that is, it could not be used to compromise data on an affected system or usurp administrative control.
The WebTV for Windows application could be restored on an affected machine by restarting the application.

What causes the vulnerability?
A flaw in the WebTV for Windows application may cause either the application or the operating system to fail when provided with a particular malformed input string from a malicious client machine.

What is WebTV for Windows?
WebTV for Windows is an add-in application that ships with Windows 98, 98SE and Windows Me Operating Systems. The application works in conjunction with a TV tuner card to display TV programming on the computer.

What's the problem with the WebTV for Windows application?
The WebTV for Windows application does not correctly handle a particular kind of malformed input string that could be sent to it from a client. If such a string were received by an affected system, it would cause the application and/or operating system to fail.

Who could exploit this vulnerability?
Any malicious user who could send data to an affected machine could exploit the vulnerability. If an affected machine were directly connected to the Internet, the vulnerability could be exploited by a malicious user on the Internet.

Does this have anything to do with WebTV?
No. WebTV (www.webtv.com) is a service that provides Internet services to users via their television. WebTV for Windows is an unrelated product that enables users to view TV programs on their computer.

Who should use the patch?
Microsoft recommends that users who have installed WebTV for Windows consider installing the patch.

What does the patch do?
The patch eliminates the vulnerability by causing the WebTV for Windows application to process the string at issue correctly.

How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .

How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

Microsoft has delivered a patch that eliminates the vulnerability.
Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.

Patch availability

Other information:

Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

October 11, 2000: Bulletin Created.