Microsoft Security Bulletin MS00-072 - Critical
Patch Available for 'Share Level Password' Vulnerability
Published: October 10, 2000 | Updated: February 16, 2001
Originally posted: October 10, 2000
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows 95, 98, 98 Second Edition, and Windows Me. The vulnerability could allow a malicious user to programmatically access a Windows 9x/Me file share without knowing the entire password assigned to that share.
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition
- Microsoft Windows Me
Vulnerability Identifier: CVE-2000-0979
Microsoft Windows 9x/Me provides a password protection feature referred to as (share level access) for the File and Print Sharing service. However, due to the way the password feature is currently implemented, a file share could be compromised, by a malicious user who used a special client utility, without that user knowing the entire password required to access that share.
Only share level access permissions are vulnerable. If a Windows 9x or Windows Me machine were part of a Windows NT domain, user-level access controls could be enforced on file shares and passwords would not be needed to allow access to those shares. Windows NT and Windows 2000 machines can only be setup with user-level file share access controls and are not susceptible to this vulnerability.
What's this bulletin about?
Microsoft Security Bulletin MS00-072 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows 95, 98, 98 Second Edition, and Windows Me. Through a special utility, the vulnerability could allow a malicious user to connect to a password protected file share on any of the products listed above without knowing the entire password. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a privacy compromise vulnerability. The vulnerability could potentially allow unauthorized access to a user's password protected file share through the use of a malicious client utility without requiring a user to know the complete password for the share.
For customers using File and Print Sharing within a corporate environment, care should be taken when enabling this service. Microsoft recommends that user-level access permissions be granted to shares rather than share level permissions based on passwords. A still more robust solution is to use a Windows NT or Windows 2000 system as a file server.
What causes the vulnerability?
There is a flaw in the way the File and Print Sharing service implements password protection for a directory when that directory is shared over a network using share level access. The flaw could allow a malicious program to gain access to that share without knowing the complete password.
What is the File and Print Sharing Service?
The Microsoft Windows 9x and Windows Me family of products incorporate peer to peer networking capabilities that enable share level security on a file share. In other words a client can act like a server and vice versa in any Windows networking environment. Windows 9x and Windows Me offers share level access control to file shares and user-level access control when the Windows 9x or Windows Me system is part of a Windows NT domain.
Only share level security suffers from this vulnerability since only share level security uses passwords as the security mechanism for protecting the share.
I understand about sharing files, but what's the difference between share level and user-level access?
Share level security provides a password controlled gate to protected resources. The advantage of this security paradigm is that it allows granting access to a large number of people with very little effort. However, it is not very secure, since the password is widely distributed and there is no notion of personal accountability. Windows NT's security paradigm is based on granting access to individuals each of whom has an account. This paradigm allows fine-grained control over per-user access and allows individual accountability. The disadvantage is that you must create a user account for each user you want to grant access to and you must grant that user the access (either directly or by adding the user to an appropriate group).
Note: User-level access permissions are only available on Windows 9x and Windows Me machines when they are part of a Windows NT domain.
What would this vulnerability allow a malicious user to do?
If a malicious user could exploit this vulnerability, they would be able to retrieve, modify, or delete any file within that share.
What protection does a password provide?
A password is like a lock on your door. It provides protection against unauthorized entry while still allowing you access. However the vulnerability that affects the password protection on a Windows 9x or Windows Me file share would allow unauthorized access, by a user who exploits a malicious client utility, without requiring that the user know the password for that share.
Who should use the patch?
Microsoft recommends that anyone with File and Print sharing enabled and using share level access on a Windows 9x or Windows Me system consider installing the patch.
What does the patch do?
The patch eliminates the vulnerability by eliminating the flaw in the password mechanism.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
Download locations for this patch
- Microsoft Windows 95
- Microsoft Windows 98 and 98 Second Edition
- Microsoft Windows Me
Additional information about this patch
Installation platforms: Please see the following references for more information related to this issue.
- Microsoft Knowledge Base (KB) article Q273991, http://support.microsoft.com/default.aspx?scid=kb;en-us;273991&sd=tech
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- October 10, 2000: Bulletin Created.
- February 16, 2001: Windows 98 Patch section updated.
Built at 2014-04-18T13:49:36Z-07:00