Microsoft Security Bulletin MS03-045
Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)
Issued: October 15, 2003
Updated: March 9, 2004
Version Number: 4.1
See all Windows bulletins released October, 2003
Summary
Who Should Read This Document:
Customers using Microsoft® Windows®
Impact of Vulnerability:
Local Elevation of Privilege
Maximum Severity Rating:
Important
Recommendation:
Customers should install this security patch at the earliest opportunity
Patch Replacement: This patch replacesMS02-071 on Windows NT 4.0, Windows 2000, and Windows Server 2003. This patch does not replace MS02-071on Windows XP.
Caveats:
None
Tested Software and Patch Download Locations:
Affected Software:
- Microsoft Windows NT Workstation 4.0, Service Pack 6a - Download the patch
- Microsoft Windows NT Server 4.0, Service Pack 6a - Download the patch
- Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 - Download the patch
- Microsoft Windows 2000, Service Pack 2 - Download the patch
- Microsoft Windows 2000 Service Pack 3, Service Pack 4 - Download the patch
- Microsoft Windows XP Gold, Service Pack 1 - Download the patch
- Microsoft Windows XP 64 bit Edition - Download the patch
- Microsoft Windows XP 64 bit Edition Version 2003 - Download the patch
- Microsoft Windows Server 2003 - Download the patch
- Microsoft Windows Server 2003 64 bit Edition - Download the Patch
Non Affected Software:
- Microsoft Windows Millennium Edition
The software listed above has been tested to determine if the versions are affected. Other versions are no longer supported, and may or may not be affected.
General Information
Technical Details
Technical Description:
Microsoft re-issued this bulletin on Janurary 13, 2004 to advise on the availability of an updated Windows NT 4.0 Workstation and Server patch for the Arabic, Hebrew, and Thai languages.
This revised patch corrects an installation issue that some customers experienced with the original patch. This problem is unrelated to the security vulnerability discussed in this bulletin, however the problem has caused some customers difficulty installing the patch. If you have previously applied this security patch, this update does not need to be installed. This issue only affects the language versions of the patch listed (Arabric, Hebrew, and Thai) and only those versions of the patch are being re-released. Other language versions of this patch are not affected and are not being re-released.
Microsoft re-issued this bulletin on October 29, 2003 to advise on the availability of an updated Windows XP patch. This revised patch corrects the Debug Programs (SeDebugPrivilege) user right issue that some customers experienced with the original patch that is discussed in Knowledge Base Article 830846. This problem is unrelated to the security vulnerability discussed in this bulletin, however the problem has caused some customers difficulty installing the patch. If you have previously applied this security patch, this update does not need to be installed.
Microsoft has also investigated reports of application compatibilty problems with some third party applications. Many of the affected applications have released updated versions to address these issues. For more information on these issues please view Knowledge Base Article 831739.
Microsoft re-issued this bulletin on October 22, 2003 to advise of a compatibility problem with some third party software that has been identified with a set of language specific versions of the Windows 2000 Service Pack 4 patch. This problem is unrelated to the security vulnerability discussed in this bulletin. Customers who have applied the patch are protected against the vulnerability discussed in this bulletin. Subsequent to the release of this bulletin and the associated patches, a compatibility problem with some third party software has been identified with a set of language specific versions of the Windows 2000 Service Pack 4 patch. This problem is unrelated to the security vulnerability discussed in this bulletin. Customers who have applied the patch are protected against the vulnerability discussed in this bulletin.
Microsoft has developed a fix for this issue and is re-releasing this bulletin to reflect the new updated patches. The compatibility problems only affect the language versions of the patch listed below and only those versions of the patch are being re-released. Other language versions of this patch are not affected and are not being re-released. Please note that the new security patches support both the Setup switches originally documented in this bulletin as well as a set of new Setup switches that are document in the Installation Information Section of this bulletin. Additionally, the updated language versions support Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4 in a single security patch.
Brazilian
Czech
Danish
Finnish
Hungarian
Italian
Norwegian
Polish
Portuguese
Russian
Spanish
Swedish
Turkish
Not Affected versions:
Arabic
Dutch
English
French
German
Greek
Hebrew
Hong Kong
Japanese
Korean
Simplified Chinese
Traditional Chinese
A vulnerability exists because the ListBox control and the ComboBox control both call a function, which is located in the User32.dll file, that contains a buffer overrun. The function does not correctly validate the parameters that are sent from a specially-crafted Windows message. Windows messages provide a way for interactive processes to react to user events (for example, keystrokes or mouse movements) and to communicate with other interactive processes. A security vulnerability exists because the function that provides the list of accessibility options to the user does not correctly validate Windows messages that are sent to it. One process in the interactive desktop could use a specific Windows message to cause the ListBox control or the ComboBox control to execute arbitrary code. Any program that implements the ListBox control or the ComboBox control could allow code to be executed at an elevated level of administrative credentials, as long as the program is running at an elevated level of privileges (for example, Utility Manager in Windows 2000). This could include third-party applications.
An attacker who had the ability to log on to a system interactively could run a program that could send a specially-crafted Windows message to any applications that have implemented the ListBox control or the ComboBox control, causing the application to take any action an attacker specified. This could give an attacker complete control over the system by using Utility Manager in Windows 2000.
Mitigating factors:
- An attacker must have valid logon credentials to exploit the vulnerability. The vulnerability could not be exploited remotely.
- Properly-secured systems are at little risk from this vulnerability. Standard best practices recommend only allowing trusted users to log on to systems interactively.
- Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 are affected by this vulnerability in the ListBox control and in the ComboBox control. However, in Windows XP and in Windows Server 2003, Utility Manager runs under the context of the logged-on user and does not allow for elevation of privileges. Windows NT 4.0 does not implement Utility Manager.
Severity Rating:
| Microsoft Windows NT 4.0 | Low |
| Microsoft Windows NT Server 4.0, Terminal Server Edition | Low |
| Microsoft Windows 2000 | Important |
| Microsoft Windows XP | Low |
| Microsoft Windows Server 2003 | Low |
The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2003-0659
Workarounds
Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability however they help block known attack vectors. Workarounds may cause a reduction in functionality in some cases - in such situations this is identified below.
- Disable the Utility Manager on all affected systems that do not need this feature through software polices
Since the Utility Manager Service is a possible attack vector this can be disabled using software restriction polices within Active Directory or within the Local Security Policy. The Utility Manager process name is utilman.exe. You may use the following software restriction policy guides to help prevent users from accessing this file:
- Using Software Restriction Policies to Protect Against Unauthorized Software
- HOW TO: Use Software Restriction Policies in Windows Server 2003 (324036)
- Protect Your System from Viruses (Using Software Restriction Polices)
- To create new software restriction policies
Impact of Vulnerability:
The Utility Manager Service provides many of the accessibility features of the operating system. These would be unavailable until the restrictions are removed.
Frequently Asked Questions
Why has Microsoft reissued this bulletin?
Microsoft re-issued this bulletin on Janurary 13, 2004 to advise on the availability of an updated Windows NT 4.0 Workstation and Server patch for the Arabic, Hebrew, and Thai languages.
This revised patch corrects an installation issue that some customers experienced with the original patch. This problem is unrelated to the security vulnerability discussed in this bulletin, however the problem has caused some customers difficulty installing the patch. If you have previously applied this security patch, this update does not need to be installed. This issue only affects the language versions of the patch listed (Arabric, Hebrew, and Thai) and only those versions of the patch are being re-released. Other language versions of this patch are not affected and are not being re-released.
Microsoft re-issued this bulletin on October 29, 2003 to advise on the availability of an updated Windows XP patch. This revised patch corrects the Debug Programs (SeDebugPrivilege) user right issue that some customers experienced with the original patch that is discussed in Knowledge Base Article 830846. If you have previously applied this security patch, this update does not need to be installed.
Microsoft has also investigated reports of application compatibilty problems with some third party applications. Many of the affected applications have released updated versions to address these issues. For more information on these issues please view Knowledge Base Article 831739.
Microsoft re-issued this bulletin on October 22, 2003 to advise of a compatibility problem with some third party software that has been identified with a set of language specific versions of the Windows 2000 Service Pack 4 patch. This problem is unrelated to the security vulnerability discussed in this bulletin. Customers who have applied the patch are protected against the vulnerability discussed in this bulletin. Subsequent to the release of this bulletin and the associated patches, a compatibility problem with some third party software has been identified with a set of language specific versions of the Windows 2000 Service Pack 4 patch. This problem is unrelated to the security vulnerability discussed in this bulletin. Customers who have applied the patch are protected against the vulnerability discussed in this bulletin.
Microsoft developed a fix for this issue and re-released this bulletin on October 22, 2003 to reflect the new updated patches. The compatibility problems only affect the language versions of the patch listed below and only those versions of the patch are being re-released. Other language versions of this patch are not affected and are not being re-released. Please note that the new security patches support both the Setup switches originally documented in this bulletin as well as a set of new Setup switches that are document in the Installation Information Section of this bulletin. Additionally, the updated language versions support Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4 in a single security patch.
Brazilian
Czech
Danish
Finnish
Hungarian
Italian
Norwegian
Polish
Portuguese
Russia
Spanish
Swedish
Turkish
Not Affected versions:
Arabic
Dutch
English
French
German
Greek
Hebrew
Hong Kong
Japanese
Korean
Simplified Chinese
Traditional Chinese
I have Windows NT, Windows XP, Windows Server 2003 am I affected by the compatibility problems which only affect certain language versions of the patch?
No - Windows 2000 Service Pack 4 is the only affected platform.
I have Windows 2000 Service Pack 4 but a language in the 'not affected versions' am I affected by the compatibility problems which only affect certain language versions of the patch?
No - You are only affected if you have Windows 2000 Service Pack 4 and one of the languages mentioned in the 'affected languages' section.
Can I uninstall this patch?
Yes - See the removal section for more information on how to uninstall this patch.
What is the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability on Windows 2000 could gain complete control over a system. This would give the attacker the ability to take any action that they want on a system such as adding, deleting, or modifying data. It could also give the attacker the ability to create or to delete user accounts, or to add accounts to the local administrators group.
The vulnerability could only be exploited by an attacker who has credentials to log on to the computer interactively. Since restricted users are not normally permitted to logon to mission critical server this vulnerability primarily of concern on workstations and terminal servers.
Any application that has implemented the ListBox control or the ComboBox control, which is in the User32.dll file, could allow code to be executed at an elevated level of privileges, as long as the program is running at an elevated level of privileges (for example, the Utility Manager utility in Windows 2000). This could include third-party applications.
What causes the vulnerability?
A vulnerability results because the ListBox control and the ComboBox control both call a function, which is located in the User32.dll file, that contains a buffer overrun. The function does not correctly validate the parameters that are sent from a specially-crafted Windows message.
What is Utility Manager?
Utility Manager is an accessibility utility that allows users to check the status of accessibility programs (for example, Microsoft Magnifier, Narrator, or On-Screen Keyboard) and to start or to stop them.
What are Windows messages?
Processes that run on Windows interact with the system and other processes by using messages. For example, each time the user presses a key on the keyboard, moves the mouse, or clicks a control such as a scroll bar, Windows generates a message. The purpose of this message is to alert the program that a user event has occurred and to deliver the data from that event to the program. Similarly, a program can generate messages to allow the various windows that it controls to communicate with each other.
What is wrong with the way that Windows messages are handled by the List Box control?
The vulnerability lies in the way that the function that both the ListBox control and the ComboBox control use to handle messages when the controls present the list of available accessibility functions to the user. The function that is called does not correctly validate Windows messages that are sent to it. When Utility Manager is running on Windows 2000, another process could run on the system and could send a specially-crafted message to Utility Manager. In Windows 2000, Utility Manager runs under the context of the Local System. This context has a higher level of administrative credentials than a logged-on user and could allow arbitrary code to be executed.
Why does this pose a security vulnerability?
The vulnerability in the ListBox control and in the ComboBox control could provide a way for a process to cause Utility Manager to run arbitrary code on Windows 2000. Although it is against best practice guidelines, a third-party application could use the ListBox control or in the ComboBox control under the context of the Local System.
What might an attacker use the vulnerability to do?
To exploit this vulnerability an attacker would first have to start Utility Manager on Windows 2000 and then could run a specially-designed application that could exploit the vulnerability in the ListBox control and the ComboBox control. In default configurations of Window 2000, Utility Manager is installed but is not running. This vulnerability could allow an attacker to gain complete control over the system on Windows 2000.
Who could exploit the vulnerability?
To exploit the vulnerability, an attacker must be able to log on to the system, start Utility Manager, and execute a program that sends a specially-crafted message to Utility Manager that exploits the vulnerability.
What versions of the ListBox control or of the ComboBox control are vulnerable to this attack?
Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 are affected by this vulnerability. However, the Windows XP and Windows Server 2003 versions of Utility Manager do not allow elevation of permissions because Utility Manager runs under the context of the logged-on user. Windows NT 4.0 does not implement Utility Manager however the vulnerable function is still present within User32.dll.
I'm using Windows 2000, but I'm not using Utility Manager or any of the accessibility features, am I still vulnerable?
Yes - Utility Manager is installed and enabled by default.
Which systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers are only at risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.
Could the vulnerability be exploited over the Internet?
No. The attacker must be able to log on to the specific system that they want to attack. The attacker cannot load and run a program remotely.
What does the patch do?
The patch addresses the vulnerability by changing way that the function used by the ListBox control and the ComboBox control use to handle Windows messages so that the parameters that are passed are correctly validated.
Security Patch Information
Installation platforms and Prerequisites:
For information about the specific security patch for your platform, click the appropriate link:
Windows Server 2003 (all versions)
Prerequisites:
This security patch requires a released version of Windows Server 2003.
Inclusion in future service packs:
The fix for this issue will be included in Windows Server 2003 Service Pack 1.
Installation Information:
This security patch supports the following Setup switches:
/?: Display the list of installation switches.
/u: Use Unattended mode.
/f: Force other programs to quit when the computer shuts down.
/n: Do not back up files for removal.
/o: Overwrite OEM files without prompting.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
/l: List the installed hotfixes.
/x: Extract the files without running Setup.
Deployment Information
To install the patch without any user intervention, use the following command line:
Windowsserver2003-kb824141-x86-enu /u /q
To install the patch without forcing the computer to restart, use the following command line:
Windowsserver2003-kb824141-x86-enu /z
Note: These switches can be combined in one command line.
For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:
Restart Requirement:
You must restart your computer after you apply this security patch.
Removal Information:
To remove this patch, use the Add or Remove Programs tool in Control Panel.
System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB824141$\Spuninst folder, and it supports the following Setup switches:
/?: Display the list of installation switches.
/u: Use unattended mode.
/f: Force other programs to quit when the computer shuts down.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
File Information:
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows Server 2003, Enterprise Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Web Edition; and Windows Server 2003, Datacenter Edition
| Date | Time | Version | Size | File Name | Folder |
| 06-Aug-2003 | 21:44 | 5.2.3790.73 | 575,488 | User32.dll | RTMGDR |
| 06-Aug-2003 | 21:41 | 5.2.3790.73 | 575,488 | User32.dll | RTMQFE |
Windows Server 2003, 64-Bit Enterprise Edition and Windows Server 2003, 64-Bit Datacenter Edition:
| Date | Time | Version | Size | File Name | Platform | Folder |
| 06-Aug-2003 | 21:44 | 5.2.3790.73 | 1,372,672 | User32.dll | IA64 | RTMGDR |
| 06-Aug-2003 | 21:44 | 5.2.3790.73 | 567,296 | Wuser32.dll | x86 | RTMGDR\WOW |
| 06-Aug-2003 | 21:43 | 5.2.3790.73 | 1,372,672 | User32.dll | IA64 | RTMQFE |
| 06-Aug-2003 | 21:41 | 5.2.3790.73 | 567,296 | Wuser32.dll | x86 | RTMQFE\WOW |
Note: When you install this security patch on a Windows Server 2003-based computer or on a Windows XP 64-Bit Edition Version 2003-based computer, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer. Otherwise, the installer copies the RTMGDR files to your computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
824994 Description of the Contents of a Windows Server 2003 Product Update Package
Verifying patch installation:
To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:
320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available
You may also be able to verify the files that this security patch installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB824141\Filelist
Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 824141 security patch into the Windows installation source files.
Windows XP (all versions)
Note For Windows XP 64-Bit Edition, Version 2003, this security patch is the same as the security patch for 64-bit versions of Windows Server 2003.
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Prerequisites:
This security patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to Obtain the Latest Windows XP Service Pack
Inclusion in future service packs:
The fix for this issue will be included in Windows XP Service Pack 2.
Installation Information:
This security patch supports the following Setup switches:
/?: Display the list of installation switches.
/u: Use Unattended mode.
/f: Force other programs to quit when the computer shuts down.
/n: Do not back up files for removal.
/o: Overwrite OEM files without prompting.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
/l: List the installed hotfixes.
/x: Extract the files without running Setup.
Deployment Information
To install the patch without any user intervention, use the following command line:
Windowsxp-kb824141-x86-enu /u /q
To install the patch without forcing the computer to restart, use the following command line:
Windowsxp-kb824141-x86-enu /z
Note: These switches can be combined in one command line.
For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:
Restart Requirement:
You must restart your computer after you apply this security patch.
Removal Information:
To remove this patch, use the Add or Remove Programs tool in Control Panel.
System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB824141$\Spuninst folder, and it supports the following Setup switches:
/?: Display the list of installation switches.
/u: Use unattended mode.
/f: Force other programs to quit when the computer shuts down.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
File Information:
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows XP Home Edition, Windows XP Professional, Windows XP Tablet PC Edition, and Windows XP Media Center Edition:
| Date | Time | Version | Size | File Name | Folder |
| 26-Sep-2003 | 18:51 | 5.1.2600.118 | 528,896 | User32.dll | (pre-SP1) |
| 19-May-2003 | 17:28 | 5.1.2600.115 | 1,671,296 | Win32k.sys | (pre-SP1) |
| 25-Sep-2003 | 16:49 | 5.1.2600.1255 | 560,128 | User32.dll | (with SP1) |
| 25-Sep-2003 | 16:35 | 5.1.2600.1275 | 1,796,864 | Win32k.sys | (with SP1) |
Windows XP 64-Bit Edition Version 2002:
| Date | Time | Version | Size | File Name | Platform |
| 29-Sep-2003 | 23:03 | 5.1.2600.118 | 1,480,704 | User32.dll | IA64 (pre-SP1) |
| 19-May-2003 | 17:28 | 5.1.2600.115 | 5,534,848 | Win32k.sys | IA64 (pre-SP1) |
| 19-May-2003 | 17:30 | 5.1.2600.115 | 889,344 | Wow64win.dll | IA64 (pre-SP1) |
| 28-Aug-2003 | 23:03 | 5.1.2600.118 | 555,520 | Wuser32.dll | X86 (pre-SP1) |
| 06-Oct-2003 | 18:43 | 5.1.2600.1255 | 1,482,752 | User32.dll | IA64 (with SP1) |
| 22-Sep-2003 | 21:34 | 5.1.2600.1275 | 5,622,528 | Win32k.sys | IA64 (with SP1) |
| 05-Aug-2003 | 22:28 | 5.1.2600.1255 | 556,544 | Wuser32.dll | X86 (with SP1) |
Windows XP 64-Bit Edition Version 2003:
| Date | Time | Version | Size | File Name | Platform | Folder |
| 06-Aug-2003 | 21:44 | 5.2.3790.73 | 1,372,672 | User32.dll | IA64 | RTMGDR |
| 06-Aug-2003 | 21:44 | 5.2.3790.73 | 567,296 | Wuser32.dll | x86 | RTMGDR\WOW |
| 06-Aug-2003 | 21:43 | 5.2.3790.73 | 1,372,672 | User32.dll | IA64 | RTMQFE |
| 06-Aug-2003 | 21:41 | 5.2.3790.73 | 567,296 | Wuser32.dll | x86 | RTMQFE\WOW |
Notes
- When you install the Windows XP 64-Bit Edition Version 2003 security patch, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer. Otherwise, the installer copies the RTMGDR files to your computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
824994 Description of the Contents of a Windows Server 2003 Product Update Package
- The Windows XP and Windows XP 64-Bit Edition Version 2002 versions of this security patch are packaged as dual-mode packages. Dual-mode packages contain files for both the original version of Windows XP and Windows XP Service Pack 1 (SP1). For additional information about dual-mode packages, click the following article number to view the article in the Microsoft Knowledge Base:
328848 Description of Dual-Mode Hotfix Packages for Windows XP
Verifying patch installation:
To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:
320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available
You may also be able to verify the files that this security patch installed by reviewing the following registry key:
For Windows XP Home Edition SP1; Windows XP Professional SP1; Windows XP 64-Bit Edition, Version 2002 SP1; Windows XP Tablet PC Edition; Windows XP Media Center Edition:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB824141\Filelist
For Windows XP Home Edition; Windows XP Professional; Windows XP 64-Bit Edition, Version 2002:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB824141\Filelist
For Windows XP 64-Bit Edition, Version 2003:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB824141\Filelist
Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 824141 security patch into the Windows installation source files.
Windows 2000 (all versions)
Prerequisites:
For Windows 2000 this security patch requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).
For information about the Windows desktop product life cycle, visit the following Microsoft Web site:
http://www.microsoft.com/lifecycle/
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack 5.
Installation Information:
This security patch supports the following Setup switches:
/?: Display the list of installation switches.
/u: Use Unattended mode.
/f: Force other programs to quit when the computer shuts down.
/n: Do not back up files for removal.
/o: Overwrite OEM files without prompting.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
/l: List the installed hotfixes.
/x: Extract the files without running Setup.
Note: Microsoft has begun releasing security patches that support an improved set of Setup switches. For backward compatibility, these new security patches also support the Setup switches used by the previous version of the setup utility as documented above. Not all new security patches have been updated at this time. The supported setup switches for a security patch can be verified by using the '/?' Setup switch. These updated security patches provide support for the following Setup switches:
/help Displays the command line options
Setup Modes
/quiet Quiet mode (no user interaction or display)
/passive Unattended mode (progress bar only)
/uninstall Uninstalls the package
Restart Options
/norestart Do not restart when installation is complete
/forcerestart Restart after installation
Special Options
/l Lists installed Windows hotfixes or update packages
/o Overwrite OEM files without prompting
/n Do not backup files needed for uninstall
/f Force other programs to close when the computer shuts down
Deployment Information
To install the patch without any user intervention, use the following command line:
For Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:
Windows2000-kb824141-x86-enu /u /q
For Windows 2000 Service Pack 2:
Windows2000-kb824141-x86-enu-customservicepacksupport /u /q
To install the security patch without forcing the computer to restart, use the following command line:
For Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:
Windows2000-kb824141-x86-enu /z
For Windows 2000 Service Pack 2:
Windows2000-kb824141-x86-enu-customservicepacksupport /z
Note: These switches can be combined in one command line.
For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:
Note: Due the recent changes in Windows 2000 Service Pack 2 support, Microsoft released this security patch using two files for Windows 2000 on October 15th on the Download Center, one security patch that only supported Windows 2000 Service Pack 3 and Windows 2000 Service Pack 4, and a separate file that supported Windows 2000 Service Pack 2 as shown above. Microsoft has now released an updated version of this security patch through Windows Update on October 22nd. The only change with the newer version of the security patch is that it now supports Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4 in a single security patch. The file name will be based on the first of the two file names shown directly above. This updated security patch also supports the new Setup switches documented in the Installation Information section.
Additionally, the updated language versions of the security patches that are being re-released as documented in the Technical Details section support Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4 in a single security patch. These updated language versions of the security patch also support the new Setup switches documented in the Installation Information section.
Restart Requirement:
You must restart your computer after you apply this security patch.
Removal Information:
To remove this security update, use the Add/Remove Programs tool in Control Panel.
System administrators can use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB824141$\Spuninst folder, and it supports the following Setup switches:
/?: Show the list of installation switches.
/u: Use unattended mode.
/f: Force other programs to quit when the computer shuts down.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
File Information:
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:
| Date | Time | Version | Size | File Name |
| 05-Aug-2003 | 22:14 | 5.00.2195.6738 | 42,256 | Basesrv.dll |
| 17-Jan-2003 | 16:06 | 5.00.2195.6656 | 236,304 | Cmd.exe |
| 05-Aug-2003 | 22:14 | 5.00.2195.6762 | 222,992 | Gdi32.dll |
| 05-Aug-2003 | 22:14 | 5.00.2195.6794 | 711,440 | Kernel32.dll |
| 05-Aug-2003 | 22:14 | 5.00.2195.6789 | 333,072 | Msgina.dll |
| 08-Apr-2003 | 05:54 | 5.00.2195.6701 | 90,232 | Rdpwd.sys |
| 15-Jul-2003 | 22:08 | 5.00.2195.6776 | 4,858,368 | Sp3res.dll |
| 05-Aug-2003 | 22:14 | 5.00.2195.6799 | 380,176 | User32.dll |
| 05-Aug-2003 | 22:14 | 5.00.2195.6794 | 385,808 | Userenv.dll |
| 22-Jul-2003 | 23:32 | 5.00.2195.6790 | 1,628,912 | Win32k.sys |
| 17-Jul-2003 | 17:20 | 5.00.2195.6785 | 182,032 | Winlogon.exe |
| 05-Aug-2003 | 22:14 | 5.00.2195.6775 | 243,984 | Winsrv.dll |
Verifying patch installation:
To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:
320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available
You may also be able to verify the files that this security patch installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB824141\Filelist
Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 824141 security patch into the Windows installation source files.
Windows NT 4.0 (All Versions)
Prerequisites:
This security patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 (SP6).
For information about the Windows desktop product life cycle, visit the following Microsoft Web site:
http://www.microsoft.com/lifecycle/
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack
Installation Information:
This security patch supports the following Setup switches:
/y: Perform removal (only with /m or /q).
/f: Force programs to quit during the shutdown process.
/n: Do not create an Uninstall folder.
/z: Do not restart when update completes.
/q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m).
/m: Use Unattended mode with a user interface.
/l: List the installed hotfixes.
/x: Extract the files without running Setup.
Deployment Information
To install the security patch without any user intervention, use the following command line:
For Windows NT Server 4.0, Windows NT Server 4.0, Terminal Server Edition:
Windowsnt4server-kb824141-x86-enu /q
For Windows NT Workstation 4.0:
Windowsnt4workstation-kb824141-x86-enu /q
To install the security patch without forcing the computer to restart, use the following command line:
For Windows NT Server 4.0, Windows NT Server 4.0, Terminal Server Edition:
Windowsnt4server-kb824141-x86-enu /z
For Windows NT 4.0 Workstation:
Windowsnt4workstation-kb824141-x86-enu /z
Note: These switches can be combined in one command line.
For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:
Restart Requirement:
You must restart your computer after you apply this security patch.
Removal Information:
To remove this security patch, use the Add or Remove Programs tool in Control Panel.
System administrators can use the Hotfix.exe utility to remove this security patch. The Hotfix.exe utility is located in the %Windir%\$NTUninstallKB824141$ folder. The utility supports the following Setup switches:
- /y: Perform removal (only with /m or /q).
- /f: Force programs to quit during the shutdown process.
- /n: Do not create an Uninstall folder.
- /z: Do not restart when update completes.
- /q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m).
- /m: Use Unattended mode with a user interface.
- /l: List the installed hotfixes.
- /x: Extract the files without running Setup.
File Information:
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows NT Workstation 4.0, Windows NT Server 4.0:
| Date | Time | Version | Size | File Name |
| 06-Aug-2003 | 09:04 | 4.0.1381.7177 | 169,744 | Gdi32.dll |
| 06-Aug-2003 | 09:04 | 4.0.1381.7229 | 326,928 | User32.dll |
| 21-Jul-2003 | 13:50 | 4.0.1381.7224 | 1,255,152 | Win32k.sys |
| 06-Aug-2003 | 09:04 | 4.0.1381.7202 | 175,888 | Winsrv.dll |
Windows NT Server 4.0, Terminal Server Edition:
| Date | Time | Version | Size | File Name |
| 06-Apr-2002 | 01:38 | 4.0.1381.33535 | 170,256 | Gdi32.dll |
| 06-Aug-2003 | 10:19 | 4.0.1381.33550 | 332,048 | User32.dll |
| 01-Jul-2003 | 13:45 | 4.0.1381.33549 | 1,280,432 | Win32k.sys |
| 12-Nov-2002 | 00:09 | 4.0.1381.33544 | 196,368 | Winsrv.dll |
Verifying patch installation:
To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:
320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available
You may also be able to verify the files that this security patch installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB824141\File 1
Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 824141 security patch into the Windows installation source files.
Other Information
Acknowledgments
Microsoft thanks the following for working with us to protect customers:
- Brett Moore of Security-Assessment.com for reporting the issue in MS03-045.
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the Windows Update web site
Support:
- Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls associated with security patches.
Security Resources:
- The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
- Microsoft Software Update Services: http://www.microsoft.com/sus/
- Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa. Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of security patches that have detection limitations with MBSA tool.
- Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166
- Windows Update: http://windowsupdate.microsoft.com
- Office Update: http://office.microsoft.com/officeupdate/
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- V1.0 October 15, 2003: First Published.
- V1.1 October 17, 2003: Re-issued to advise of a language specific compatibility issue with some third-party software.
- V2.0 October 22, 2003: Version changed to reflect the availability of updated patch for specific languages.
- V3.0 October 29, 2003: A revised version of the security patch for Windows XP has been released to correct the issue documented by Knowledge Base Article 830846.
- V3.1 November 3, 2003: Updated Patch Replacement section. This patch replaces the patch provided by Security Bulletin MS02-071.
- V3.2 November 5, 2003: Updated Technical Details and Frequently Asked Questions sections. This update documents the availability of Knowledge Base Article 831739 which addresses reports of application compatibilty problems with some third party applications.
- V3.3 November 13, 2003: Bulletin updated to reflect correct file versions for Windows NT 4.0 update.
- V4.0 January 13, 2004: Bulletin updated to reflect the release of updated Windows NT 4.0 Workstation and Server updates for Arabic, Hebrew, and Thai languages only.
- V4.1 March 9, 2004: Bulletin updated to reflect updated information on Patch Replacement. This patch replaces MS02-071 on Windows NT 4.0, Windows 2000, and Windows Server 2003. This patch does not replace MS02-071on Windows XP.