Microsoft Security Bulletin MS01-005 - Critical

Packaging Anomaly Could Cause Hotfixes to be Removed

Published: January 30, 2001 | Updated: July 10, 2003

Version: 1.2

Originally posted: January 30, 2001
Updated: July 10, 2003

Summary

Who should read this bulletin:
System administrators using Microsoft® Windows® 2000

Impact of vulnerability:
Previously installed hotfixes, including security patches, could be removed.

Recommendation:
System administrators who have installed hotfixes issued after Windows 2000 Service Pack 1 and have run System File Checker should use apply the patch and use the diagnostic tool.

Affected Software:

• Microsoft Windows 2000 Professional
• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server

General Information

Technical details

Technical description:

Microsoft packages all Windows 2000 hotfixes (including security patches) with a catalog file that lists all of the valid hotfixes that have been issued to date. The catalog is digitally signed to ensure its integrity, and Windows File Protection uses the signed catalog to determine which hotfixes are valid. An error in the production of the catalog files for English language Windows 2000 Post Service Pack 1 hotfixes made available through December 18, 2000 could, under very unlikely circumstances, cause Windows File Protection to remove a valid hotfix from a system. The removal of a hotfix could cause a customer's system to revert to a version of a Windows 2000 module that contained a security vulnerability.

A tool is available that will determine whether any hotfixes have been removed from a system and should be re-installed. A patch is available that installs an updated system catalog, thereby ensuring that any hotfixes already on the machine will not be affected by the anomaly. All of the affected hotfixes on the Microsoft web site have been repackaged to correct the anomaly.

Mitigating factors:

• The hotfixes would only be removed if (a) they had been applied in an order other than that in which Microsoft produced and packaged them and (b) System File Checker had been run explicitly (by running sfc/scannow for instance) or triggered by some administrator action (such as specifying that it be invoked under a group policy).
• Only hotfixes for Windows 2000, and produced after Service Pack 1, are affected by this problem

Vulnerability identifier: None.

Frequently asked questions

What's the scope of the vulnerability?
This problem could potentially cause previously-applied hotfixes, which could include security patches, to be removed from a Windows 2000 system. This could result in a situation in which a system that was believed to be up to date on all security patches actually was still susceptible to known vulnerabilities. There are significant limitations to the scope of the problem:

• It only affects English-language post-Service Pack 1 hotfixes made available through December 18, 2000.
• It could only occur if the administrator installed multiple hotfixes in an order other than the order in which they were packaged, and then ran System File Checker.

What causes the problem?
The catalogs associated with all Windows 2000 post-Service Pack 1 hotfixes, including security patches, made available through December 18, 2000, were assigned the same version number. Under some conditions, this could cause Windows File Protection to treat some hotfixes as invalid and remove them.

What is Windows File Protection?
Windows File Protection is a Windows 2000 feature that ensures that operating system files cannot be modified or replaced by older versions. On versions of Windows before Windows 2000, installing software in addition to the operating system could overwrite shared system files such as dynamic link libraries (.dll files) and executable files (.exe files). When system files are overwritten in error, system performance can become unpredictable, programs can behave erratically, and the operating system can fail. In Windows 2000, Windows File Protection prevents the replacement of protected system files such as .sys, .dll, .ocx, .ttf, .fon, and .exe files. If a user or program attempts to replace a protected system file, Windows File Protection restores the correct version from the backup store located in the Dllcache folder or the Windows 2000 CD. Windows File Protection only allows protected system files to be replaced when installing Windows 2000 Service Packs, Windows 2000 hotfixes, new operating system versions, or downloads from Windows Update. Knowledge base article Q222193, Description of the Windows 2000 Windows File Protection Feature, provides additional information on Windows File Protection.

What files are protected by Windows File Protection?
Windows File Protection applies to almost all system files associated with any component of Windows 2000. These components include Internet Explorer, Internet Information Server, Index Server, and the Microsoft Virtual Machine as well as other operating system components.

How does Windows File Protection determine if a protected system file is valid?
Microsoft computes the cryptographic hash for each protected file it releases at the time of release. When Windows File Protection is invoked to determine whether a file is valid, it attempts to verify that the hash for the file is identical to the hash for that particular file as recorded in the "system catalog". If the hash for a file on the system fails to match the hash in the catalog for the version that Microsoft distributed, Windows File Protection replaces the file with a valid version from the Dllcache folder or the Windows 2000 CD.

What is the system catalog?
The "system catalog" on a Windows 2000 system lists the names and cryptographic hashes of all protected system files. Microsoft digitally signs the catalog file with a Microsoft private key before it is released.

Doesn't that mean that the system catalog has to change every time Microsoft issues a hotfix for a protected system file?
That's correct. When Microsoft packages a Service Pack or hotfix that changes protected system files, the package includes not only the protected system files but also a new signed supplemental system catalog file. The hotfix or Service Pack installation procedure verifies the signature on the supplemental catalog file, installs the new supplemental catalog file in parallel to the old system catalog file, and then verifies the hashes of any new protected system files that are included with the hotfix or Service Pack.

What's the problem with the system catalog?
The system catalogs packaged with all post Service Pack 1 Windows 2000 hotfixes made available through December 18, 2000, were built with the same version number. As a result, it was possible for an older version of the system catalog to replace a newer one.

What is a post Service Pack 1 hotfix?
Post Service Pack 1 hotfixes are those that were built after the cutoff date for inclusion in Windows 2000 Service Pack 1. Knowledge Base Article Q281767 includes a list of the post Service Pack 1 hotfixes that were issued with Microsoft security bulletins.

Why is it a problem for an older version of the system catalog to replace a newer one?
If an older version of the system catalog can replace a newer one, some of the hashes in the catalog may not correspond to protected system files that have been installed on the system by hotfixes. If Windows File Protection were triggered and detected the files whose hashes were not in the catalog, it would attempt to replace them from the Dllcache folder or the Windows CD. This sequence of events might have the effect of "uninstalling" a patch that had been installed by a hotfix.

When is Windows File Protection triggered?
Windows File Protection can be triggered in either of two cases:

• when System File Checker (SFC.EXE) is run from the command line, or
• when a user or software installation process attempts to modify or delete a protected system file.

The latter occurrence is uncommon, and will only result in Windows File Protection restoring the version of the protected file that is specified in the catalog. Windows File Protection is triggered when SFC.EXE is run with any of the following options:

• /scannow (do a Windows File Protection scan immediately)
• /scanboot (do a scan each time the system boots)
• /scanonce (do a scan the next time the system boots).

SFC.EXE can also be run periodically on machines in a domain by an administrator-specified group policy. Knowledge Base article Q222471, Description of the Windows 2000 System File Checker Tool, provides additional information about SFC.EXE.

Is Windows File Protection enabled by default?
Windows File Protection scanning is not enabled by default. If you have not run SFC.EXE, and Windows File Protection is not invoked by a group policy, Windows File Protection will not scan your system, the hashes on protected system files will not be compared with those in the catalog, and there is essentially no danger of newly installed (security or other) hotfixes being replaced with older versions.

How can I tell whether Windows File Protection scanning has been enabled on my system?
If you have set your system to scan for invalid files at every boot (by running "sfc /scanboot"), you will find that registry key HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon\SFCScan will be set to 1.

How do I know if I've installed hotfixes that are affected by the problem?
Any post Service Pack 1 hotfix that was available prior to December 19, 2000 is potentially affected by this problem. Knowledge Base article Q281767 includes a list of affected hotfixes that were issued with Microsoft security bulletins. Microsoft has released a tool, QFECHECK.EXE, designed to help customers manage operating system updates in their environment. One of the benefits of this tool is that it will detect any anomalies with hotfix installation and will allow customers to determine if their systems have been affected by this issue.

If I've installed affected hotfixes, does that mean that I have a problem?
Probably not. In order to be affected, you must have installed hotfixes in a different order from the order in which they were produced. If you installed the hotfixes in order, then you always replaced an older catalog file with a newer one, and all of the hotfixes that you've installed will be listed correctly in the catalog file on your system. Even if you installed hotfixes out of order, the hotfixes won't have been removed from your system unless you ran SFC.EXE at some point after installing them.

You said that this problem affects post Service Pack 1 hotfixes. Would it matter whether I've installed Windows 2000 Service Pack 1?
No. The catalog files at issue postdate Service Pack 1 but this issue can arise whether you've installed Service Pack 1 or not.

I'm using Windows NT 4.0 or 3.51, or Windows Me, 98, or 95. Does this issue affect me?
No. Windows File Protection was introduced as a part of Windows 2000. This issue does not affect users of Windows NT 4.0 or earlier versions of Windows NT, nor does it affect users of Windows 95, 98, or Me.

I've installed several hotfixes and don't remember the exact order, but I do know that the last hotfix I installed was for a Microsoft security bulletin issued in mid-December. Am I at risk of having earlier hotfixes removed?
Probably not. Even though the versions numbers of catalog files were not incremented, each new hotfix issued included a catalog file that listed all of the previous hotfixes. So when you installed a hotfix in response to a mid-December security bulletin, it installed on your system a catalog file that listed all of the previous hotfixes. Unless you ran SFC.EXE between the time when you installed the earlier hotfixes and the time when you installed that last hotfix, all of your hotfixes are almost certainly still in place and the catalog will protect them from being removed from your system.

You've said a lot about the different risk scenarios. How likely is it that I've actually had hotfixes removed from my system because of this issue?
To the best of our knowledge, it's very unlikely. Microsoft has tested systems internal to Microsoft and at customer locations to see whether this issue has caused the removal of hotfixes. We've found very few cases in which hotfixes have been removed from operational systems. However, because there is a potential for the problem to arise, we do encourage you to run QFECHECK.EXE and follow its recommendations as discussed below.

Is there still a risk to my system from downloading and installing hotfixes?
No. As soon as Microsoft discovered this problem, we began to evaluate its scope and take corrective action. As of December 19, 2000, Microsoft updated all of the Windows 2000 post Service Pack 1 hotfixes on its web sites to include valid catalogs. Installing any of those hotfixes will make you immune from new problems. However, if Windows File Protection was triggered while an incorrect catalog was present on your system, some of the hotfixes that you installed previously may have been removed.

I've not installed any hotfixes on my system yet. What impact does this issue have on me?
If you did not install any hotfixes on your system before December 19, 2000, this issue has no effect on you at all. However, we would encourage you to review the other Microsoft Security Bulletins at https: and to follow their guidance and install patches as appropriate to your environment and your concerns about the security of your system.

How can I tell whether I've actually had hotfixes removed from my system as a result of this issue?
The "system catalog" on a Windows 2000 system lists the names and cryptographic hashes of all protected system files. Microsoft digitally signs the catalog file with a Microsoft private key before it is released.

Does this issue only affect security hotfixes?
No, this issue affects all hotfixes. However, we are communicating it through our security bulletin process because many customers have installed security hotfixes and because we want to ensure that customers have complete and timely information about any issue that might affect their security hotfix configurations.

I have installed security hotfixes. How do I ensure that my system is protected from any potential security problems?
You should run QFECHECK.EXE and follow the guidance it provides. The tool will tell you whether your system is safe as it is, or whether you need to reinstall one or more hotfixes, or whether you should install the catalog-only hotfix that is listed in the security bulletin. Once you have run QFECHECK.EXE and followed the guidance it provides, you needn't worry further about this issue.

Who should use QFECHECK.EXE?
Microsoft recommends that Windows 2000 (English language version) customers who downloaded and installed one or more post Service Pack 1 hotfixes (whether security or not) before December 18, 2000 download and run QFECHECK.EXE. QFECCHECK.EXE has been built to help customers quickly identify and validate the hotfixes that have been applied to their systems. Microsoft also encourages customers to run this tool as needed to identify the hotfixes that are present in their environments.

What does QFECHECK.EXE do?
QFECHECK.EXE compares the current hotfix catalog on your system, the record in the registry of hotfixes that have been installed on your system, and the actual set of protected system files on your system. It notes any inconsistencies and provides you with guidance on how to return your system to the intended (latest) hotfix configuration.

It sounds like QFECHECK.EXE is not restricted to checking for this issue. Does it have more general applicability?
QFECHECK.EXE is a general-purpose tool that system administrators can use to manage the hotfix status of the Windows 2000 machines they are responsible for. It will identify and validate any set of updates that have previously been applied to a system and report the current Service Pack level, and the status of each additional update that has been applied. You can use the tool to ensure that you have installed the appropriate set of hotfixes or that you've applied the same set of hotfixes across a set of similar machines. Microsoft encourages administrators to use QFECHECK.EXE to help manage the hotfix configurations of their systems.

How do I use QFECHECK.EXE?
Knowledge Base article Q282784 contains detailed instructions for using QFECHECK.EXE.

Patch availability

Download locations for this patch

• Diagnostic tool:

  </https:>https:

• Microsoft Windows 2000 Gold:

  https://www.microsoft.com/download/details.aspx?FamilyId=CC8C90A1-628D-499D-A65C-8411BD359847&displaylang;=en

• Microsoft Windows 2000 SP1:

  https://www.microsoft.com/download/details.aspx?FamilyId=BA0CA5EB-E1F9-4A85-A59C-FEEF053CE504&displaylang;=en

Additional information about this patch

Installation platforms:

Patches are available that can be installed on Windows 2000 Gold and Service Pack 1. The tool can be run on any Windows 2000 system.

Inclusion in future service packs:

The packaging anomaly has already been corrected in all previously released hotfixes, and we have taken steps to ensure that future hotfixes will not be affected by it.

Verifying patch installation:

• Windows 2000 Gold

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\Q285083.

  • To verify the individual files, consult the file manifest in Knowledge Base article Q285083.

• Windows 2000 Service Pack 1

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP1\Q281767.

  • To verify the individual files, consult the file manifest in Knowledge Base article Q285083.

Caveats:

None

Localization:

Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

• Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
• Patches for consumer platforms are available from the WindowsUpdate web site

Other information:

Support:

• Microsoft Knowledge Base articles Q281767 and Q282784 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
• Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

• V1.0 January 30, 2001: Bulletin Created.
• V1.1 October 2, 2002: Updated the link for the diagnostic tool.
• V1.2 July 10, 2003: Corrected links to Windows Update in Additional Information.

Built at 2014-04-18T13:49:36Z-07:00 </https:>