Microsoft Security Bulletin MS00-091 - Important
Patch Available for 'Incomplete TCP/IP Packet' Vulnerability
Published: November 30, 2000
Originally posted: November 30, 2000
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows NT 4.0 and a recommended workaround for Windows 95, 98, 98 Second Edition, and Windows Me. The vulnerability could allow a malicious user to temporarily prevent an affected machine from providing any networking services or cause it to stop responding entirely.
- Windows NT 4.0
- Windows 95, 98, 98 Second Edition, and Windows Me
Note: Windows 2000 is not affected by this vulnerability.
Vulnerability Identifier: CAN-2000-1039
There is a denial of service vulnerability that affects Windows NT 4.0, Windows 95, 98, 98 Second Edition and Windows Me. By sending a flood of specially malformed TCP/IP packets to a victim's machine, a malicious user could cause either of two effects. In the most likely case, the flood would temporarily prevent any networking resources on an affected computer from responding to client requests; as soon as the packets stopped arriving, the machine would resume normal operation. In a less likely case, the system could hang, and remain unresponsive until it was rebooted.
This vulnerability could only be exploited if TCP port 139 was open on the target machine. If the Server service or File/Print sharing were disabled on a computer, it would not be susceptible to this vulnerability.
What's this bulletin about?
Microsoft Security Bulletin MS00-091 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows NT 4.0 and a recommended workaround for Windows® 95, 98, 98 Second Edition and Windows Me. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a Denial of Service vulnerability that could be exploited to achieve either of two effects. In the most likely scenario, a malicious user could use the vulnerability to temporarily cause the networking services on an affected machine to stop responding to client requests during an attack. Networking services would return to normal once an attack has terminated. In a very small percentage of cases, the attack could cause the system to hang, requiring that it be rebooted.
The vulnerability does not affect Windows 2000. Even in affected systems, the vulnerability only occurs if the Server service or File/Printer Sharing is enabled.
What causes the vulnerability?
A flaw exists in the implementation of the NetBIOS over TCP/IP (NBT) protocol in Windows NT 4.0, Windows 95, 98, 98 Second Edition, and Windows Me. If a malicious user sent a large number of network packets with a specific type of malformation, it could cause an affected system to temporarily stop responding to all network requests, or possibly hang altogether.
What is NetBIOS, and what is NBT?
NetBIOS is a set of networking services for PC networking. NetBIOS can be implemented atop a number of different networking protocols, and there is a standard that describes how the services will be implemented for each case. NBT is the protocol standard that describes how NetBIOS services are provided on a TCP/IP network.
For more information on NetBIOS over TCP/IP please see RFC 1001.
Is this a flaw in the NBT protocol?
No. The vulnerability results from an implementation error in certain systems. Other systems, such as Windows 2000, provide implementations of the protocol that are not affected by the vulnerability.
What is the problem with the NBT implementation in the affected systems?
There is a flaw in the way the NBT implementation handles a particular type of invalid data packet. If a series of such packets were directed at an affected system, it could prevent it from providing useful service.
What would be the effect of sending the malformed packets to the server?
There are primarily two effects of this vulnerability once a machine is affected. The most likely scenario is the machine will stop responding to any client network requests. The less likely scenario is a complete resource drain that would necessitate rebooting the machine to resume normal operation.
You said that the attacker has to send a series of malformed packets. Is this a flooding attack?
No. In a flooding attack, there's a rough correlation between the resources the attacker must use and the resources he consumes on the target machine. For instance, in a flooding attack against a web server, the attacker might have to dedicate one machine for every server he wanted to attack. In contrast, denial of service attacks usually involve a multiplier effect of some kind - the attacker must dedicate far fewer resources than he consumes on the target machine.
In this case, there is a multiplier effect, but it's not particularly large. The attacker would need to continually send malformed packets to the server, but not at a particularly high rate. In addition, as discussed above, in some cases the packets can cause the server to fail altogether.
Who could exploit this vulnerability?
Any malicious user who has access to the NBT port on a victim machine could exploit this vulnerability. If an affected machine were directly connected to the Internet, the vulnerability could be exploited by a malicious user located on the Internet. If a machine on a corporate intranet were protected by a properly configured firewall that blocked the NBT ports, the machine could only be attacked by an intranet user.
Note: If File and Printer sharing were disabled on a Windows 9x or Windows Me computer, it would not be affected by this vulnerability. Though enabled by default under certain configurations, Microsoft recommends that File and Printer sharing be disabled on Windows 9x or Windows Me machines that are directly connected to the Internet.
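An added example, not part of the original bulletin: a small exposure check that tries a TCP connection to port 139 on each host in an inventory and reports which ones accept it. Run it from the network position you are concerned about (for example, outside the firewall); the host list below is constructed from documentation addresses and the function names are illustrative.

```python
import socket

NBT_SESSION_PORT = 139  # TCP port the bulletin names as the precondition


def probe(host, port=NBT_SESSION_PORT, timeout=2.0):
    """Classify one TCP connect attempt as open, closed, filtered or unresolved."""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror:
        return "unresolved"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((addr, port))
        return "open"          # a listener answered: sharing is reachable from here
    except ConnectionRefusedError:
        return "closed"        # host answered with a reset: nothing listening
    except OSError:
        return "filtered"      # timeout or unreachable: likely blocked in transit
    finally:
        s.close()


def audit(hosts, port=NBT_SESSION_PORT, timeout=2.0):
    """Probe every host; return (per-host results, sorted list of exposed hosts)."""
    results = {h: probe(h, port, timeout) for h in hosts}
    exposed = sorted(h for h, state in results.items() if state == "open")
    return results, exposed


if __name__ == "__main__":
    # Constructed inventory (TEST-NET-1 documentation addresses); replace with your own.
    inventory = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    results, exposed = audit(inventory)
    for host, state in results.items():
        print(f"{host:15} tcp/{NBT_SESSION_PORT} {state}")
    print("Reachable on TCP 139 (patch or disable sharing):", exposed or "none")
```

A "filtered" result from outside the firewall and "open" from inside matches the bulletin's intranet-only exposure case.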
Could this vulnerability be exploited accidentally?
No. The malicious user would need to construct the specific type of invalid packet at issue here. To the best of our knowledge, no legitimate client creates such data.
Why isn't there a patch for Windows 95, 98, 98 Second Edition, or Windows Me?
The vulnerability only affects computers with File and Printer sharing enabled. Microsoft recommends disabling the use of File and Printer sharing services on any Windows 9x or Windows Me machine directly connected to the Internet. Customers who need a robust file server solution should use either Windows NT 4.0 or Windows 2000. The risk is slightly lower for customers on an internal LAN, with a properly-configured firewall that blocks incoming NBT ports, since only an attacker internal to the company's network could exploit the vulnerability.
File and Printer sharing on Windows 9x and Windows Me are best suited for controlled network environments. Home PCs or small businesses whose internal networks are not connected to the Internet or protected by a firewall can safely use this service with minimal risk.
Who should use the patch?
Microsoft recommends that anyone running Windows NT 4.0 should install this patch.
What does the patch do?
The patch eliminates the flaw in NBT and modifies how it handles the malformed packets that can be sent by a malicious client tool.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How do I use the patch?
Knowledge Base article Q275567 contains detailed instructions for applying the patch.
How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued Knowledge Base article Q275567 explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
Download locations for this patch
- Microsoft Windows NT 4.0 (Intel):
Note: The patch has been tested on a Windows NT 4.0 computer with Service Pack 6a. Customers needing the Alpha version should contact PSS under the "Obtaining Support on this Issue" section below.
- Windows 95, 98, 98 Second Edition, and Windows Me:
As discussed in the FAQ, Microsoft recommends a workaround for computers running Windows 95, 98 and 98 Second Edition. Please see KB article Q199346 for more details.
Additional information about this patch
Installation platforms: Please see the following references for more information related to this issue.
- Microsoft Knowledge Base article Q275567
Microsoft thanks BindView's Razor Team for reporting these issues to us and helping us protect our customers.
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at:
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- November 30, 2000: Bulletin Created.