Microsoft Security Bulletin MS00-077
Patch Available for 'NetMeeting Desktop Sharing' Vulnerability
Originally posted: October 13, 2000
Updated: June 20, 2001
On October 13, 2000, Microsoft released the original version of this bulletin, to discuss the availability of a patch that eliminates a security vulnerability in NetMeeting, an application that ships with Microsoft® Windows 2000 and is also available as a separate download for Windows NT® 4.0. The vulnerability could allow a malicious user to temporarily prevent an affected machine from providing any NetMeeting services and possibly consume 100% CPU utilization during an attack.
On June 20, 2001, the bulletin was updated to advise that a patch is available, to address a new variant of the vulnerability. The effect of the new variant is exactly the same as that of the original one. Customers who applied the original patch should apply the updated patch, which contains fixes to both issues.
- NetMeeting Version 3.01 (4.4.3385) on Windows 2000 or Windows NT 4.0.
Microsoft thanks the following people for working with us to protect customers:
- Kirk Corey of Diversified Software Industries, Inc. (www.dsi-inc.net) for reporting the original issue.
- Peter Grundl for reporting the new variant.
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support .
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- October 13, 2000: Bulletin Created.
- November 14, 2000: Updated to add new Windows 2000 patch
- June 20, 2001: Bulletin re-released to advise that both the original vulnerability and a new variant could be remediated via a new patch.