Microsoft Security Bulletin MS03-043
Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
Issued: October 15, 2003
Updated: December 2, 2003
Version Number: 2.3
See all Windows bulletins released October, 2003
Summary
Who Should Read This Document:
Customers using Microsoft® Windows®
Impact of Vulnerability:
Remote Code Execution
Maximum Severity Rating:
Critical
Recommendation:
Customers should disable the Messenger Service immediately and evaluate their need to deploy the patch
Patch Replacement:
None
Caveats:
Windows NT 4.0 Client Computers may have network-related problems after installing this security update. Microsoft encourages customers to review the details of Microsoft Knowledge Base Article http://support.microsoft.com/?kbid=831579
Tested Software and Patch Download Locations:
Affected Software:
- Microsoft Windows NT Workstation 4.0, Service Pack 6a - Download the patch
- Microsoft Windows NT Server 4.0, Service Pack 6a - Download the patch
- Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 - Download the patch
- Microsoft Windows 2000, Service Pack 2, Service Pack 3, Service Pack 4 - Download the patch
- Microsoft Windows XP Gold, Service Pack 1 - Download the patch
- Microsoft Windows XP 64-bit Edition - Download the patch
- Microsoft Windows XP 64-bit Edition Version 2003 - Download the patch
- Microsoft Windows Server 2003 - Download the patch
- Microsoft Windows Server 2003 64-bit Edition - Download the patch
Non Affected Software:
- Microsoft Windows Millennium Edition
The software listed above has been tested to determine if the versions are affected. Other versions are no longer supported, and may or may not be affected.
General Information
Technical Details
Technical Description:
Subsequent to the release of this bulletin, it was determined that the update for Windows XP did not properly place the updated file wkssvc.dll into the %systemroot%\system32\dllcache. This problem is unrelated to the security vulnerability discussed in this bulletin. Microsoft recommends that customers who have previously applied the security update reinstall the latest version to insure that their system remains protected in the event that the wkssvc.dll is ever deleted or becomes corrupt. More information on this is available in the FAQ section of this bulletin.
Microsoft re-issued this bulletin on October 29, 2003 to advise on the availability of an updated Windows 2000, Windows XP, and Windows Server 2003 patch. This revised patch corrects the Debug Programs (SeDebugPrivilege) user right issue that some customers experienced with the original patch that is discussed in Knowledge Base Article 830846. This problem is unrelated to the security vulnerability discussed in this bulletin. If you have previously applied this security patch, this update does not need to be installed.
A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer.
An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. The attacker could then take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.
Mitigating factors:
- Messages are delivered to the Messenger service via NetBIOS or RPC. If users have blocked the NetBIOS ports (ports 137-139) - and UDP broadcast packets using a firewall, others will not be able to send messages to them on those ports. Most firewalls, including Internet Connection Firewall in Windows XP, block NetBIOS by default.
- Disabling the Messenger Service will prevent the possibility of attack.
- On Windows Server 2003 systems, the Messenger Service is disabled by default.
Severity Rating:
| Windows NT | Critical |
| Windows Server NT 4.0 Terminal Server Edition | Critical |
| Windows 2000 | Critical |
| Windows XP | Critical |
| Windows Server 2003 | Moderate |
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2003-0717
Workarounds
Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability however they help block known attack vectors. Workarounds may cause a reduction in functionality in some cases - in such situations this is identified below.
- Use a personal firewall such as Internet Connection Firewall (only available on XP and Windows Server 2003).
If you are using the Internet Connection Firewall in Windows XP or Windows Server 2003 to protect your Internet connection, it will by default block inbound RPC traffic from the Internet.
To enable Internet Connection Firewall feature using the Network Setup Wizard:
- Run the Network Setup Wizard. To access this wizard, point to Control Panel, double-click Network and Internet Connections, and then click Setup or change your home or small office network.
- The Internet Connection Firewall is enabled when you choose a configuration in the wizard that indicates that your computer is connected directly to the Internet.
To configure Internet Connection Firewall manually for a connection:
- In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
- Right-click the connection on which you would like to enable ICF, and then click Properties.
- On the Advanced tab, click the box to select the option to Protect my computer or network.
- If you want to enable the use of some applications and services through the firewall, you need to enable them by clicking the Settings button, and then selecting the programs, protocols, and services to be enabled for the ICF configuration.
- Disable the Messenger Service
Disabling the messenger service will prevent the possibility of an attack. You can disable the messenger service by performing the following:
- Click Start, and then click Control Panel (or point to Settings, and then click Control Panel).
- Double-click Administrative Tools.
- Double-click Services.
- Double-click Messenger.
- In the Startup type list, click Disabled.
- Click Stop, and then click OK.
Impact of Workaround: If the Messenger service is disabled, messages from the Alerter service (for example notifications from your backup software or Uninterruptible Power Supply) are not transmitted. If the Messenger service is disabled, any services that explicitly depend on the Messenger service do not start, and an error message is logged in the System event log.
Frequently Asked Questions
Why is Microsoft reissuing this security update?
Subsequent to the release of this bulletin, it was determined that the update for Windows XP did not properly place the updated file wkssvc.dll into the %systemroot%\system32\dllcache. This problem is unrelated to the security vulnerability discussed in this bulletin. Microsoft recommends that customers who have previously applied the security update reinstall the latest version to insure that their system remains protected in the event that the wkssvc.dll is ever deleted or becomes corrupt.
What version of Windows does this update apply to?
The only version of Windows affected by this specific issue is Windows XP.
What is the %systemroot%\system32\dllcache?
The %systemroot%\system32\dllcache or "dll cache", is used by the Windows File Protection Feature which prevents programs from replacing critical Windows system files. If a critical Windows system file is deleted or becomes corrupt, the system replaces the file with a correct version from the "dll cache".
What is the Windows File Protection Feature?
Windows File Protection (WFP) prevents programs from replacing critical Windows system files. Programs must not overwrite these files because they are used by the operating system and by other programs. Protecting these files prevents problems with programs and the operating system.
WFP protects critical system files that are installed as part of Windows (for example, files with a .dll, .exe, .ocx, and .sys extension and some True Type fonts). WFP uses the file signatures and catalog files that are generated by code signing to verify if protected system files are the correct Microsoft versions. For more information on WFP and how it works, see Microsoft Knowledge Base article http://support.microsoft.com?kbid=222193
What are the ramifications of not having the updated version of wkssvc.dll copied to the dll cache?
If the updated version of the file wkssvc.dll (or any critical Windows system files) is not copied into the dll cache at the same time as the security update is applied to the system, the system is still protected from the vulnerability.
However, if that file is ever deleted or becomes corrupt, WFP will seek to replace the deleted or corrupt file with the version currently available in the dll cache. In this case, the version of wkssvc.dll available would be older than the version which corrects the security vulnerability described in this bulletin. The effect of this would be that the system is returned to an insecure state, and the security update would need to be reinstalled.
If the wkssvc.dll file is inadvertently reverted to the version available prior to this update, will Windows Update notice that my system is no longer protected, and prompt me to install this critical update again?
Yes. Windows Update will recognize that the file version now residing on the system is not the most current version, and you will be prompted to reinstall the security update.
I don't use Windows Update. If the wkssvc.dll file was inadvertently reverted to the version available prior to this update, would I be able to manually reinstall the update?
Yes. The installer technology used by Microsoft will detect that the file version now residing on the system is not the most current version, and you will be able to successfully reinstall the security update.
Even with the original version of the wkssvc.dll-- .1301--, am I still secure?
Yes, the original version of wkssvc.dll will protect you unless it gets corrupted and is replaced with an unpatched version of the file from the dll cache, as described above.
Will the Microsoft Baseline Security Analyzer (MBSA) detect that I have the older version of wkssvc.dll installed on my Windows XP system?
Yes. The Microsoft Baseline Security Analyzer (MBSA) will detect that the version of the wkssvc.dll file on the system is not the most current version, and prompt you to reinstall the updated version.
MBSA is showing me as insecure even though the older version of the wkssvc.dll does protect me. How can I make MBSA stop showing me as unpatched?
The only way to prevent MBSA from showing the system as unprotected is to reinstall MS03-043.
I'm not sure which version of the wkssvc.dll I need to have installed on my Windows XP system in order to receive the security update, and be confident that the wkssvc.dll file also was copied into the dll cache. Which version do I need?
If you are running Windows XP, the correct version of the wkssvc.dll file which is also copied into the dll cache is 5.1.2600.1309. If you still have the version ending in .1301, you should reinstall the security update.
Why has Microsoft reissued this bulletin?
Subsequent to the release of this bulletin and the associated patches, a problem was identified with the Windows 2000, Windows XP, and Windows Server 2003 versions of the patch. This problem is unrelated to the security vulnerability discussed in this bulletin. If you have previously applied this security patch, this update does not need to be installed.
Microsoft has corrected this problem and re-issued this bulletin on October 29th, 2003 to advise on the availability of an updated Windows 2000, Windows XP, and Windows Server 2003 patch. This revised patch corrects the Debug Programs (SeDebugPrivilege) user right issue that some customers experienced with the original patch that is discussed in Knowledge Base Article 830846. If you have previously applied this security patch, this update does not need to be installed.
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.
What is the Windows Messenger Service?
The Messenger service is a Windows service that transmits net send messages and messages that are sent through the Alerter service between client computers and servers. For example, the Messenger service can be used by network administrators to send administrative alerts to network users. The Messenger service can also be used by Windows and other software programs. For example, Windows may use it to inform you when a print job is completed or when you lose power to your computer and switch to a Uninterruptible Power Supply (UPS). The Messenger service is not related to your Web browser, e-mail program, Windows Messenger, or MSN Messenger.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the Messenger Service. If exploited, an attacker could gain Local System privileges on an affected system, or cause the service to fail.
Is the Messenger Service the same thing as Windows Messenger or MSN Messenger?
No. It's important to note that the Messenger Service is not the same thing as Windows Messenger or MSN Messenger. Windows Messenger (http://messenger.microsoft.com) and MSN Messenger (http://messenger.msn.com) are instant messaging services that allow users to converse, share pictures, video, etc. In contrast, the Messenger service (http://support.microsoft.com/default.aspx?scid=KB;EN-US;168893&) is a simple text-only broadcast service that's typically used by administrators to send alerts to users, and warn them of pending outages, server maintenance, etc.
What's wrong with the Messenger Service?
The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer.
What could this vulnerability enable an attacker to do?
An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. The attacker could then take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating a specially crafted message and sending it to the Messenger Service on an affected system.
What does the patch do?
The patch eliminates the vulnerability by insuring that the Messenger Service properly validates the length of a message before passing it to the allocated buffer.
Security Patch Information
Installation platforms and Prerequisites:
For information about the specific security patch for your platform, click the appropriate link:
Windows Server 2003 (all versions)
Prerequisites
This security patch requires a released version of Windows Server 2003.
Inclusion in future service packs:
The fix for this issue will be included in Windows Server 2003 Service Pack 1.
Installation Information:
This security patch supports the following Setup switches:
/help Displays the command line options
Setup Modes
/quiet Quiet mode (no user interaction or display)
/passive Unattended mode (progress bar only)
/uninstall Uninstalls the package
Restart Options
/norestart Do not restart when installation is complete
/forcerestart Restart after installation
Special Options
/l Lists installed Windows hotfixes or update packages
/o Overwrite OEM files without prompting
/n Do not backup files needed for uninstall
/f Force other programs to close when the computer shuts down
Note: For backward compatibility, the security patch also supports the setup switches used by the previous version of the setup utility, however usage of the previous switches should be discontinued as this support may be removed in future security patches.
Deployment Information
To install the patch without any user intervention, use the following command line:
Windowsserver2003-kb828035-x86-enu /passive /quiet
To install the patch without forcing the computer to restart, use the following command line:
Windowsserver2003-kb828035-x86-enu /norestart
Note: These switches can be combined in one command line.
For information about how to deploy this security patch with Microsoft Software Update Services, visit the following Microsoft Web site:
http://www.microsoft.com/windowsserversystem/updateservices/evaluation/previous/susoverview.mspx
Restart Requirement:
You must restart your computer after you apply this security patch.
Removal Information:
To remove this patch, use the Add or Remove Programs tool in Control Panel.
System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB828035$\Spuninst folder, and it supports the following Setup switches:
/?: Show the list of installation switches.
/u: Use unattended mode.
/f: Force other programs to quit when the computer shuts down.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
File Information:
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows Server 2003, Enterprise Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Web Edition; and Windows Server 2003, Datacenter Edition:
| Date | Time | Version | Size | File Name | Folder |
|---|---|---|---|---|---|
| 02-Oct-2003 | 22:00 | 5.2.3790.90 | 32,768 | Msgsvc.dll | RTMGDR |
| 02-Oct-2003 | 22:00 | 5.2.3790.90 | 128,000 | Wkssvc.dll | RTMGDR |
| 02-Oct-2003 | 21:53 | 5.2.3790.90 | 33,792 | Msgsvc.dll | RTMQFE |
| 02-Oct-2003 | 21:53 | 5.2.3790.90 | 126,976 | Wkssvc.dll | RTMQFE |
Windows Server 2003, 64-Bit Enterprise Edition and Windows Server 2003, 64-Bit Datacenter Edition:
| Date | Time | Version | Size | File Name | Platform | Folder |
|---|---|---|---|---|---|---|
| 02-Oct-2003 | 22:02 | 5.2.3790.90 | 87,040 | Msgsvc.dll | IA64 | RTMGDR |
| 02-Oct-2003 | 22:02 | 5.2.3790.90 | 311,296 | Wkssvc.dll | IA64 | RTMGDR |
| 02-Oct-2003 | 21:53 | 5.2.3790.90 | 90,112 | Msgsvc.dll | IA64 | RTMQFE |
| 02-Oct-2003 | 21:53 | 5.2.3790.90 | 309,760 | Wkssvc.dll | IA64 | RTMQFE |
Note When you install this security patch on a Windows Server 2003-based computer or on a Windows XP 64-Bit Edition Version 2003-based computer, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer. Otherwise, the installer copies the RTMGDR files to your computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
824994 Description of the Contents of a Windows Server 2003 Product Update Package
Verifying patch installation:
To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:
320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available
You may also be able to verify the files that this security patch installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB828035\Filelist
Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 828035 security patch into the Windows installation source files.
Windows XP (all versions)
Note For Windows XP 64-Bit Edition, Version 2003, this security patch is the same as the security patch for 64-bit versions of Windows Server 2003.
Prerequisites:
This security patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to Obtain the Latest Windows XP Service Pack
Inclusion in future service packs:
The fix for this issue will be included in Windows XP Service Pack 2.
Installation Information:
This security patch supports the following Setup switches:
/help Displays the command line options
Setup Modes
/quiet Quiet mode (no user interaction or display)
/passive Unattended mode (progress bar only)
/uninstall Uninstalls the package
Restart Options
/norestart Do not restart when installation is complete
/forcerestart Restart after installation
Special Options
/l Lists installed Windows hotfixes or update packages
/o Overwrite OEM files without prompting
/n Do not backup files needed for uninstall
/f Force other programs to close when the computer shuts down
Note: For backward compatibility, the security patch also supports the setup switches used by the previous version of the setup utility, however usage of the previous switches should be discontinued as this support may be removed in future security patches.
Deployment Information
To install the patch without any user intervention, use the following command line:
Windowsxp-kb828035-x86-enu /passive /quiet
To install the patch without forcing the computer to restart, use the following command line:
Windowsxp-kb828035-x86-enu /norestart
Note: These switches can be combined in one command line.
For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:
http://www.microsoft.com/windowsserversystem/updateservices/evaluation/previous/susoverview.mspx
Restart Requirement:
You must restart your computer after you apply this security patch.
Removal Information:
To remove this patch, use the Add or Remove Programs tool in Control Panel.
System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB828035$\Spuninst folder, and it supports the following Setup switches:
/?: Show the list of installation switches.
/u: Use unattended mode.
/f: Force other programs to quit when the computer shuts down.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
File Information:
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows XP Home Edition, Windows XP Professional, Windows XP Tablet PC Edition, and Windows XP Media Center Edition
| Date | Time | Version | Size | File Name |
|---|---|---|---|---|
| 21-Oct-2003 | 14:42 | 5.1.2600.121 | 32,256 | Msgsvc.dll (pre-SP1) |
| 21-Oct-2003 | 14:42 | 5.1.2600.121 | 120,320 | Wkssvc.dll (pre-SP1) |
| 21-Oct-2003 | 15:06 | 5.1.2600.1309 | 32,256 | Msgsvc.dll (with SP1) |
| 21-Oct-2003 | 15:06 | 5.1.2600.1309 | 119,808 | Wkssvc.dll (with SP1) |
Windows XP 64-Bit Edition Version 2002
| Date | Time | Version | Size | File Name | Platform |
|---|---|---|---|---|---|
| 21-Oct-2003 | 15:43 | 5.1.2600.121 | 93,184 | Msgsvc.dll | IA64 (pre-SP1) |
| 21-Oct-2003 | 15:43 | 5.1.2600.121 | 327,168 | Wkssvc.dll | IA64 (pre-SP1) |
| 21-Oct-2003 | 15:57 | 5.1.2600.1309 | 94,720 | Msgsvc.dll | IA64 (with SP1) |
| 21-Oct-2003 | 15:57 | 5.1.2600.1309 | 325,120 | Wkssvc.dll | IA64 (with SP1) |
Windows XP 64-Bit Edition Version 2003
| Date | Time | Version | Size | File Name | Platform | Folder |
|---|---|---|---|---|---|---|
| 02-Oct-2003 | 22:02 | 5.2.3790.90 | 87,040 | Msgsvc.dll | IA64 | RTMGDR |
| 02-Oct-2003 | 22:02 | 5.2.3790.90 | 311,296 | Wkssvc.dll | IA64 | RTMGDR |
| 02-Oct-2003 | 21:53 | 5.2.3790.90 | 90,112 | Msgsvc.dll | IA64 | RTMQFE |
| 02-Oct-2003 | 21:53 | 5.2.3790.90 | 309,760 | Wkssvc.dll | IA64 | RTMQFE |
Notes
- When you install the Windows XP 64-Bit Edition Version 2003 security patch, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer. Otherwise, the installer copies the RTMGDR files to your computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
824994 Description of the Contents of a Windows Server 2003 Product Update Package
- The Windows XP and Windows XP 64-Bit Edition Version 2002 versions of this security patch are packaged as dual-mode packages. Dual-mode packages contain files for both the original version of Windows XP and Windows XP Service Pack 1 (SP1). For additional information about dual-mode packages, click the following article number to view the article in the Microsoft Knowledge Base:
328848 Description of Dual-Mode Hotfix Packages for Windows XP
Verifying patch installation:
To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:
320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available
You may also be able to verify the files that this security patch installed by reviewing the following registry key:
For Windows XP Home Edition SP1; Windows XP Professional SP1; Windows XP 64-Bit Edition, Version 2002 SP1; Windows XP Tablet PC Edition; Windows XP Media Center Edition:
HHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB828035\Filelist
For Windows XP Home Edition; Windows XP Professional; Windows XP 64-Bit Edition, Version 2002:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB828035\Filelist
For Windows XP 64-Bit Edition, Version 2003:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB828035\Filelist
Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 828035 security patch into the Windows installation source files.
Windows 2000
Prerequisites:
For Windows 2000 this security patch requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack 5.
Installation Information:
This security patch supports the following Setup switches:
/help Displays the command line options
Setup Modes
/quiet Quiet mode (no user interaction or display)
/passive Unattended mode (progress bar only)
/uninstall Uninstalls the package
Restart Options
/norestart Do not restart when installation is complete
/forcerestart Restart after installation
Special Options
/l Lists installed Windows hotfixes or update packages
/o Overwrite OEM files without prompting
/n Do not backup files needed for uninstall
/f Force other programs to close when the computer shuts down
Note: For backward compatibility, the security patch also supports the setup switches used by the previous version of the setup utility, however usage of the previous switches should be discontinued as this support may be removed in future security patches.
Deployment Information
To install the patch without any user intervention, use the following command line:
For Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:
Windows2000-kb828035-x86-enu /passive /quiet
To install the security patch without forcing the computer to restart, use the following command line:
For Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:
Windows2000-kb828035-x86-enu /norestart
Note: You can combine these switches into one command line.
For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:
http://www.microsoft.com/windowsserversystem/updateservices/evaluation/previous/susoverview.mspx
Restart Requirement:
You must restart your computer after you apply this security patch.
Removal Information:
To remove this security patch, use the Add or Remove Programs tool in Control Panel.
System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB828035$\Spuninst folder, and it supports the following Setup switches:
/?: Show the list of installation switches.
/u: Use unattended mode.
/f: Force other programs to quit when the computer shuts down.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
File Information:
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
| Date | Time | Version | Size | File Name |
|---|---|---|---|---|
| 02-Oct-2003 | 21:17 | 5.00.2195.6861 | 34,064 | Msgsvc.dll |
| 02-Oct-2003 | 21:17 | 5.00.2195.6861 | 96,528 | Wkssvc.dll |
Verifying patch installation:
To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:
320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available
You may also be able to verify the files that this security patch installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB828035\Filelist
Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 828035 security patch into the Windows installation source files.
Windows NT 4.0 (all versions)
Prerequisites:
This security patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 (SP6).
For information about the Windows desktop product life cycle, visit the following Microsoft Web site:
http://www.microsoft.com/lifecycle/
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack
Installation Information:
This security patch supports the following Setup switches:
/y: Perform removal (only with /m or /q).
/f: Force other programs to quit during the shutdown process.
/n: Do not create an Uninstall folder.
/z: Do not restart when update completes.
/q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m).
/m: Use Unattended mode with a user interface.
/l: List the installed hotfixes.
/x: Extract the files without running Setup.
Deployment Information
To install the security patch without any user intervention, use the following command line:
Windowsnt4server-kb828035-x86-enu /q
To install the security patch without forcing the computer to restart, use the following command line:
Windowsnt4server-kb828035-x86-enu /z
Note: You can combine these switches into one command line.
For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:
http://www.microsoft.com/windowsserversystem/updateservices/evaluation/previous/susoverview.mspx
Restart Requirement:
You must restart your computer after you apply this security patch.
Removal Information:
To remove this security patch, use the Add or Remove Programs tool in Control Panel.
System administrators can use the Hotfix.exe utility to remove this security patch. The Hotfix.exe utility is located in the %Windir%\$NTUninstallKB828035$ folder. The utility supports the following Setup switches:
/y: Perform removal (only with /m or /q).
/f: Force programs to quit during the shutdown process.
/n: Do not create an Uninstall folder.
/z: Do not restart when update completes.
/q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m).
/m: Use Unattended mode with a user interface.
/l: List the installed hotfixes.
File Information:
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows NT 4.0:
| Date | Time | Version | Size | File Name |
|---|---|---|---|---|
| 02-Oct-2003 | 13:28 | 4.0.1381.7236 | 39,184 | Msgsvc.dll |
| 14-Apr-2003 | 15:45 | 4.0.1381.7215 | 80,784 | Mup.sys |
| 10-Jun-2003 | 13:41 | 4.0.1381.7220 | 256,272 | Netapi32.dll |
| 02-Oct-2003 | 13:28 | 4.0.1381.7236 | 60,688 | Wkssvc.dll |
Windows NT Server 4.0, Terminal Server Edition:
| Date | Time | Version | Size | File Name |
|---|---|---|---|---|
| 02-Oct-2003 | 13:45 | 4.0.1381.33553 | 44,816 | Msgsvc.dll |
| 22-Jan-2002 | 23:50 | 4.0.1381.33522 | 82,224 | Mup.sys |
| 28-Aug-2001 | 01:57 | 4.0.1381.33478 | 255,760 | Netapi32.dll |
| 02-Oct-2003 | 13:44 | 4.0.1381.33553 | 60,688 | Wkssvc.dll |
Verifying patch installation:
To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:
320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available
You may also be able to verify the files that this security patch installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB828035\File 1
Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 828035 security patch into the Windows installation source files.
Other Information
Acknowledgments
Microsoft thanks the following for working with us to protect customers:
- The Last Stage of Delirium Research Group for reporting the issue in MS03-043.
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the Windows Update web site
Support:
- Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls associated with security patches.
Security Resources:
- The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
- Microsoft Software Update Services: http://www.microsoft.com/sus/
- Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa. Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of security patches that have detection limitations with MBSA tool.
- Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166
- Windows Update: http://windowsupdate.microsoft.com
- Office Update: http://office.microsoft.com/officeupdate/
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- V1.0 October 15, 2003: Bulletin published.
- V1.1 October 22, 2003: Updated the security patch supports in the "Security Patch Information" section for Windows Server 2003, Windows XP, and Windows 2000.
- V2.0 October 29, 2003: A revised version of the security patch for Windows 2000, Windows XP, and Windows Server 2003 has been released to correct the issue documented by Knowledge Base Article 830846.
- V2.1 November 13, 2003: Bulletin updated to reflect correct file versions for Windows XP update.
- V2.2 November 14, 2003: Subsequent to the release of this bulletin, it was determined that the update for Windows XP did not properly place the updated file wkssvc.dll into the %systemroot%\system32\dllcache. This problem is unrelated to the security vulnerability discussed in this bulletin. Microsoft recommends that customers who have previously applied the security update reinstall the latest version to insure that their system remains protected in the event that the wkssvc.dll is ever deleted or becomes corrupt. More information on this is available in the FAQ section of this bulletin. Caveats section has been updated to include new information relevant to NT 4.0 clients.
- V2.3 December 2, 2003: Bulletin updated to reflect correct file versions and date/time stamp for Windows XP update.