Microsoft Security Bulletin MS00-026 - Critical
Patch Available for "Mixed Object Access" Vulnerability
Published: April 20, 2000
Originally Posted: April 20, 2000
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows® 2000 that could, under very specific conditions, allow a malicious user to change information in the Active Directory that he should not be able to change.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-026.mspx
Active Directory allows for access control of directory objects on a per-attribute basis. However, the vulnerability at issue here could allow a malicious user to modify object attributes that he does not have permission to modify, as long as he combined the operation in a particular way with ones involving attributes that he does have permission to modify.
The vulnerability does not afford the malicious user an opportunity to modify all objects in a class - only the specific class objects for which he has permission to modify at least one attribute. Further, the vulnerability provides no capability to bypass normal authentication or Windows 2000 auditing, so administrators could determine if this vulnerability were being exploited, and by whom.
Affected Software Versions
- Windows 2000 Server
- Windows 2000 Advanced Server
Note The vulnerability only affects the above products when they are used as domain controllers.
Vulnerability Identifier: CVE-2000-0311
Note Additional security patches are available at the Microsoft Download Center
Please see the following references for more information related to this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-026, http://www.microsoft.com/technet/security/bulletin/fq00-026.mspx
- Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.mspx
Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
- April 20, 2000: Bulletin Created.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Built at 2014-04-18T13:49:36Z-07:00