Microsoft Security Bulletin MS00-077

Technical description:

A remote denial of service vulnerability has been discovered in a component of NetMeeting. The denial of service can occur when a malicious client sends a particular malformed string to a port which the NetMeeting service is listening on and with Remote Desktop Sharing enabled.

Although the NetMeeting application is provided as part of Windows 2000 products, the application and affected component is not enabled by default, and customers who have not enabled it would not be at risk from this vulnerability.

What's this bulletin about?
Microsoft Security Bulletin MS00-077 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows 2000 and also the latest version that is available for Windows NT 4.0. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

Why was the bulletin re-released on June 20, 2001? 
The bulletin was re-released to announce the availability of a new patch that addresses a newly-discovered variant of the vulnerability as well as the original vulnerability. The scope of the new variant is exactly the same as that of the original, and customers who applied the original patch should apply the new one to ensure that they are fully protected against all known variants of the vulnerability.

What's the scope of the vulnerability?
This is a Denial of Service vulnerability. A malicious user could use the vulnerability to temporarily cause the NetMeeting application on an affected machine to stop responding to client during an attack. NetMeeting services will return to normal once an attack has terminated or by terminating the NetMeeting application.
By default, NetMeeting or Remote Desktop Sharing is not enabled on Windows 2000, is an extra download for Windows NT 4.0, and only customers who have enabled it would be at risk from this vulnerability. The vulnerability could be used to deny NetMeeting services, but could not be used for any broader attack - that is, it could not be used to compromise data on an affected server or usurp administrative control.

What causes the vulnerability?
There is a flaw in a NetMeeting feature which drives CPU utilization to 100% and also causes the application to hang when sent a particular malformed input string from a malicious client machine.

What is NetMeeting?
NetMeeting is an application included with Windows 2000 (or can be downloaded from http://www.microsoft.com/netmeeting for Windows NT 4.0) that enables real-time audio, video, and data communication over the Internet.
The feature of NetMeeting at issue in this vulnerability is Remote Desktop Sharing.

What's the problem with the NetMeeting Application?
The affected version of NetMeeting, with Remote Desktop Sharing enabled, does not correctly handle a particular kind of malformed input string sent to it from a client. If such data were received by an affected system, it could temporarily cause the NetMeeting application to hang and also temporarily drive CPU utilization to 100%.

What would be the effect of the NetMeeting application failing?
If the NetMeeting application temporarily failed, it would cause any existing NetMeeting sessions to fail, with the loss of any work that was in progress at the time. It could also hinder the affected machine from performing other tasks due to 100% CPU utilization during an attack.

Is NetMeeting running by default in Windows 2000 or Windows NT 4.0?
The NetMeeting application is not enabled by default on a standard Windows 2000 installation and needs to be downloaded for Windows NT 4.0.

Who could exploit this vulnerability?
Any malicious user who could send data to an affected machine could exploit the vulnerability. If an affected machine were directly connected to the Internet, the vulnerability could be exploited by a malicious user; on the other hand, an affected machine that provided NetMeeting services only within an intranet could only be attacked by an intranet user.

Note: NetMeeting listens on port 1720 -- if that were blocked on Corporate firewalls intranet user's would not be affected by this vulnerability from an external attack.

What is the scope of the new variant?
The scope of the new variant is identical to the original vulnerability. The exploit used was a little different than the original and the fix was completed to take into account the symptom of the new exploit.

Who should use the patch?
Microsoft recommends that anyone who enables the NetMeeting application with the Remote Desktop Sharing service should install the patch.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .

How do I use the patch?
Knowledge Base article 273854 contains detailed instructions for applying the patch to your machine.

How can I tell if I installed the patch correctly?
If the NetMeeting application temporarily failed, it would cause any existing NetMeeting sessions to fail, with the loss of any work that was in progress at the time. It could also hinder the affected machine from performing other tasks due to 100% CPU utilization during an attack.

What is Microsoft doing about this issue?

• Microsoft has delivered a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base articles 273854 and 299796 explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.

Download locations for this patch

• Windows NT 4.0:

  http://www.microsoft.com/downloads/details.aspx?FamilyID=26c9da7c-f778-4422-a6f4-efb8abba021e&DisplayLang=en

• Windows 2000:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=DD418CE9-699F-4D62-8282-5C4337BE5785&displaylang=en