Security Bulletin

Microsoft Security Bulletin MS03-041 - Critical

Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)

Published: October 15, 2003 | Updated: November 17, 2003

Version: 1.2

Issued: October 15, 2003
Updated: November 17, 2003
Version Number: 1.2

See all Windows bulletins released October, 2003

Summary

Who Should Read This Document: Customers using Microsoft® Windows®

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the patch immediately

Patch Replacement: None

Caveats: None

Tested Software and Patch Download Locations:

Affected Software:

Non Affected Software:

  • Microsoft Windows Millennium Edition

The software listed above has been tested to determine if the versions are affected. Other versions are no longer supported, and may or may not be affected.

General Information

Technical Details

Technical Description:

There is a vulnerability in Authenticode that, under certain low memory conditions, could allow an ActiveX control to download and install without presenting the user with an approval dialog.

To exploit this vulnerability, an attacker could host a malicious Web Site designed to exploit this vulnerability. If an attacker then persuaded a user to visit that site an ActiveX control could be installed and executed on the user's system. Alternatively, an attacker could create a specially formed HTML e-mail and send it to the user. If the user viewed the HTML e-mail an unauthorized ActiveX control could be installed and executed on the user's system. In both scenarios the vulnerability in Authenticode could allow an unauthorized ActiveX control to be installed and executed on the user's system, with the same permissions as the user, without prompting the user for approval.

The risk of attack from the HTML email vector can be significantly reduced if the following conditions are met:

  • You have applied the patch included with Microsoft Security bulletin MS03-040
  • You are using Internet Explorer 6 or later
  • You are using the Microsoft Outlook Email Security Update or Microsoft Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher in their default configuration.

Mitigating factors:

  • By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks automatic exploitation of this attack. If Internet Explorer Enhanced Security Configuration has been disabled, the protections put in place that prevent this vulnerability from being automatically exploited would be removed.
  • In the Web-based attack scenario, the attacker would have to host a Web site that contained a Web page used to exploit this vulnerability. An attacker would have no way to force a user to visit a malicious Web Site. Instead, the attacker would need to lure them there, typically by getting them to click a link that would take them to the attacker's site.
  • By default, Outlook Express 6.0 and Outlook 2002 open HTML mail in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mail in the Restricted Sites Zone if the Outlook Email Security Update has been installed. Customers who use any of these products would be at a reduced risk from an e-mail borne attack that attempted to exploit this vulnerability unless the user clicked a malicious link in the email.
  • Exploiting the vulnerability would allow the attacker only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than ones who operate with administrative privileges.

Severity Rating:

Windows NT 4.0 Critical
Windows Server NT 4.0 Terminal Server Edition Critical
Windows 2000 Critical
Windows XP Critical
Windows Server 2003 Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0660

Workarounds

Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability however they help block known attack vectors. Workarounds may cause a reduction in functionality in some cases - in such situations this is identified below.

  • Disable downloading of ActiveX controls in the Internet zone:

    You can help protect against this vulnerability by changing your settings for the Internet security zone to disable the downloading of ActiveX components. To do this, perform the following steps:

    1. In Internet Explorer, select Tools, Internet Options
    2. Click on the Security tab
    3. Highlight the Internet icon and click on the Custom Level button
    4. Scroll through the list to the ActiveX controls and plugins section
    5. Under Download signed ActiveX controls click Disable
    6. Click OK, then click OK again to return to Internet Explorer

    Impact of Workaround:

    Many Web sites on the Internet use ActiveX to provide additional functionality. For instance, an online e-commerce site or banking site might use ActiveX controls to provide menus, ordering forms, or even account statements.

    Disabling the downloading of ActiveX controls is a global setting for all Internet sites. If you feel that there are sites on the Internet where you require the page to download ActiveX components, you can instead use the "Restrict Web sites to only your trusted Web sites" workaround.

  • Restrict Web sites to only your trusted Web sites

    After disabling the downloading of ActiveX in the Internet zone, you can add sites that you trust into Internet Explorer's Trusted sites. This will allow you to continue using trusted Web sites exactly as you do today, while helping protect you from this attack on untrusted sites. When you are able to deploy the patch, you can safely re-enable the downloading of ActiveX in the Internet zone.

    To do this, perform the following steps:

    1. In Internet Explorer, select Tools, then Internet Options. Click the Security tab.
    2. In the box labeled Select a Web content zone to specify its current security settings, click Trusted Sites, then click Sites
    3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
    4. In the box labeled Add this Web Site to the zone, type the URL of a site that you trust, then click the Add button. Repeat for each site that you want to add to the zone.
    5. Click OK twice to accept the changes and return to Internet Explorer.

    Add any sites that you trust not to take malicious action on your computer. One in particular that you may want to add is https://*.windowsupdate.microsoft.com. This is the site that hosts the patch, and it requires the use of an ActiveX control to install the patch.

    Note that there is generally a trade-off between ease-of-use and security; by selecting a high-security configuration, you could make it extremely unlikely that a malicious Web site could take action against you, but at the cost of missing a lot of rich functionality. The appropriate balance between security and ease-of-use is different for everyone, and you should pick a configuration that fits your needs.

    Impact of Workaround:

    For those sites you have not configured to be in your Trusted sites zone, their functionality will be impaired if they require ActiveX controls to function properly. Adding sites to your Trusted sites zone will allow them to be able to download the ActiveX control required to function correctly. However you should only add Web sites you trust to the Trusted sites zone.

  • Install Outlook Email Security Update if you are using Outlook 2000 SP1 or Earlier.

    The Outlook Email Security Update causes Outlook 98 and 2000 to open HTML mail in the Restricted Sites Zone by default. Outlook Express 6.0 and Outlook 2002 by default open HTML mail in the Restricted Sites Zone. Customers who use any of these products would be at reduced risk from an e-mail borne attack that attempts to exploit this vulnerability unless the user clicks a malicious link in the email.

  • If you are using Outlook 2002 or Outlook Express 6.0 or higher, to help protect yourself from the HTML email attack vector, read email in plain text format.

    Users of Microsoft Outlook 2002 and Outlook Express 6.0 who have applied Service Pack 1 and or higher can enable a feature to view all nondigitally-signed e-mail or nonencrypted e-mail messages in plain text only. Digitally signed e-mail or encrypted e-mail messages are not affected by the setting and may be read in their original formats. Information on enabling this setting in Outlook 2002 can be found in the following Knowledge Base article:

    https:

    Information on enabling this setting in Outlook Express 6.0 can be found in the following Knowledge Base article:

    </https:>https:

    Impact of Workaround:

    E-mail viewed in plain text format cannot contain pictures, specialized fonts, animations, or other rich content. In addition:

  • The changes are applied to the preview pane and open messages.

  • Pictures become attachments to avoid loss.

  • Since the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly because the message is still in Rich Text or HTML format in the mail store.

Frequently Asked Questions

What's the scope of the vulnerability?
This is a remote attack vulnerability. If an attacker were to successfully exploit this vulnerability then the attacker could execute arbitrary code in the context of the logged on user.

What causes the vulnerability?
The vulnerability results because of the method in which Authenticode checks for authorization when prompting a user to install an ActiveX control.

What is Authenticode?
Authenticode is a technology which allows users to verify the publisher of an ActiveX control. Through its code signing mechanisms, Authenticode identifies the publisher of the signed software and verifies that it hasn't been tampered with, before users download the software to their systems. Based on this knowledge the end user can then make a decision on whether or not to download and install the code.

What is ActiveX?
ActiveX is a technology that allows programmers to develop self-contained software modules called controls, that perform a single task or a collection of related tasks. An ActiveX control can be called by programs or web sites that need the functionality it provides.

What's wrong with Authenticode?
By default, Authenticode prompts a user prior to the installation of an ActiveX control. Authenticode prevents ActiveX controls from installing automatically on a user's system by presenting the user with a dialog requiring the user to confirm that they trust the publisher of a control and that they want to install the control on their system. Only when the user clicks "Yes" is the ActiveX control downloaded and installed on the user's system. There is a vulnerability in Authenticode that, under certain low memory conditions, could allow an ActiveX control to download and install without presenting the user with the dialog discussed above.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to install and execute an unauthorized ActiveX control on the user's system. This could allow an attacker to take any action on a user's system in the security context of the currently logged in user.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability in one of two ways:

  • By hosting a specially constructed Web Page. If the attacker lured a user to this Web Page, the Authenticode checks could fail and could allow arbitrary code to execute in the context of the user.
  • By sending a user a specially crafted HTML email. If a user viewed this E-mail, the Authenticode checks could fail and could allow arbitrary code to execute in the context of the user.

Does this mean the vulnerability is in Internet Explorer?
No - the vulnerability is in the underlying Authenticode technology in Microsoft Windows. Internet Explorer is one product that uses this underlying Authenticode technology

I'm not using Internet Explorer as my web browser, do I need the patch?
Yes - the vulnerability is in the underlying Authenticode technology in Microsoft Windows. Any application that uses Authenticode technology could be vulnerable.

I am running Internet Explorer on Windows Server 2003. Does this mitigate this vulnerability?
Yes. By default, Internet Explorer on Windows Server 2003 runs in a restricted mode known as Enhanced Security Configuration.

What is Internet Explorer Enhanced Security Configuration?
Internet Explorer Enhanced Security Configuration is a group of preconfigured Internet Explorer settings that reduce the likelihood of a user or administrator downloading and running malicious Web content on a server. Internet Explorer Enhanced Security Configuration reduces this risk by modifying numerous security-related settings, including Security and Advanced tab settings in Internet Options. Some of the key modifications include:

  • Security level for the Internet zone is set to High. This setting disables scripts, ActiveX Controls, Microsoft Java Virtual Machine (MSJVM) HTML content, and file downloads.
  • Automatic detection of intranet sites is disabled. This setting assigns all intranet Web sites and all Universal Naming Convention (UNC) paths that are not explicitly listed in the Local intranet zone to the Internet zone.
  • Install On Demand and non-Microsoft browser extensions are disabled. This setting prevents Web pages from automatically installing components and prevents non-Microsoft extensions from running.
  • Multimedia content is disabled. This setting prevents music, animations, and video clips from running.

Disabling Internet Explorer Enhanced Security Configuration would remove the protections put in place that help prevent these vulnerabilities from being exploited. For more information regarding Internet Explorer Enhanced Security Configuration, please consult the Managing Internet Explorer Enhanced Security Configuration guide, which can be found at the following location: https://www.microsoft.com/download/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang;=en

Is there any configuration of Windows Server 2003 that is likely to have Internet Explorer Enhanced Security Configuration Disabled?
Yes. Systems Administrators who have deployed Windows Server 2003 as a Terminal Server would likely disable Internet Explorer Enhanced Security Configuration to allow users of the Terminal Server to use Internet Explorer in an unrestricted mode.

Is there anything that helps mitigate the risk of an HTML email attack?
The risk of attack from the HTML email vector can be significantly reduced if the following conditions are met:

  • You have applied the patch included with Microsoft Security bulletin MS03-040
  • You are using Internet Explorer 6 or later
  • You are using the Microsoft Outlook Email Security Update or Microsoft Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher in their default configuration.

What does the patch do?
The patch addresses the vulnerability by ensuring Authenticode always correctly prompts the user prior to the installation of an ActiveX control.

Security Patch Information

For information about the specific security patch for your platform, click the appropriate link:

Windows Server 2003 (all versions)

Prerequisites:

This security patch requires a released version of Windows Server 2003.

Inclusion in future service packs:

The fix for this issue will be included in Windows Server 2003 Service Pack 1.

Installation Information:

This security patch supports the following Setup switches:

/?: Display the list of installation switches.

/u: Use Unattended mode.

/f: Force other programs to quit when the computer shuts down.

/n: Do not back up files for removal.

/o: Overwrite OEM files without prompting.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

/l: List the installed hotfixes.

/x: Extract the files without running Setup.

Deployment Information

To install the patch without any user intervention, use the following command line:

WindowsServer2003-KB823182-x86-ENU /u /q

To install the patch without forcing the computer to restart, use the following command line:

WindowsServer2003-KB823182-x86-ENU /z

Note: These switches can be combined in one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

</https:>https:

Restart Requirement:

You must restart your computer after you apply this security patch.

Removal Information:

To remove this patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallKB823182$\Spuninst folder, and it supports the following Setup switches:

/?: Display the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Server 2003, Enterprise Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Web Edition; and Windows Server 2003, Datacenter Edition

Date Time Version Size File Name Platform Folder
10-Jul-2003 22:05 5.131.3790.67 503,296 Cryptui.dll X86 RTMGDR
10-Jul-2003 22:05 2,560 Cryptui.hp.dll X86 RTMGDR
10-Jul-2003 21:56 5.131.3790.67 484,864 Cryptui.dll X86 RTMQFE

Windows Server 2003, 64-Bit Enterprise Edition and Windows Server 2003, 64-Bit Datacenter Edition:

Date Time Version Size File Name Platform Folder
10-Jul-2003 22:09 5.131.3790.67 1,093,632 Cryptui.dll IA64 RTMGDR
10-Jul-2003 22:04 5.131.3790.67 484,864 Wcryptui.dll X86 RTMGDR
10-Jul-2003 21:55 5.131.3790.67 1,093,632 Cryptui.dll IA64 RTMQFE
10-Jul-2003 21:56 5.131.3790.67 484,864 Wcryptui.dll X86 RTMQFE

Verifying patch installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB823182\Filelist

Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 823182 security patch into the Windows installation source files.

Windows XP (all versions)

Note For Windows XP 64-Bit Edition, Version 2003, this security patch is the same as the security patch for 64-bit versions of Windows Server 2003.

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites:

This security patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to Obtain the Latest Windows XP Service Pack

Inclusion in future service packs:

The fix for this issue will be included in Windows XP Service Pack 2.

Installation Information:

This security patch supports the following Setup switches:

/?: Display the list of installation switches.

/u: Use Unattended mode.

/f: Force other programs to quit when the computer shuts down.

/n: Do not back up files for removal.

/o: Overwrite OEM files without prompting.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

/l: List the installed hotfixes.

/x: Extract the files without running Setup.

Deployment Information

To install the patch without any user intervention, use the following command line:

WindowsXP-KB823182-x86-ENU /u /q

To install the patch without forcing the computer to restart, use the following command line:

WindowsXP-KB823182-x86-ENU /z

Note: These switches can be combined in one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

</https:>https:

Restart Requirement:

You must restart your computer after you apply this security patch.

Removal Information:

To remove this patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallKB823182$\Spuninst folder, and it supports the following Setup switches:

/?: Display the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

Security Patch Replacement Information:

This patch does not replace any other patches.

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP Home Edition, Windows XP Professional, Windows XP Tablet PC Edition, and Windows XP Media Center Edition

Date Time Version Size File Name
25-Jul-2003 00:43 5.131.2600.117 476,160 Cryptui.dll  X86 (pre-SP1)
25-Jul-2003 00:40 5.131.2600.1243 477,696 Cryptui.dll  X86 (with SP1)

Windows XP 64-Bit Edition Version 2002

Date Time Version Size File Name
25-Jul-2003 00:43 5.131.2600.117 1,181,184 Cryptui.dll  IA64  (pre-SP1)
24-Jul-2003 22:25 5.131.2600.117 476,160 Wcryptui.dll  X86  (pre-SP1)
25-Jul-2003 00:40 5.131.2600.1243 1,185,792 Cryptui.dll  IA64  (with SP1)
08-Jul-2003 18:38 5.131.2600.1243 477,696 Wcryptui.dll  X86  (with SP1)

Windows XP 64-Bit Edition Version 2003

Date Time Version Size File Name Platform Folder
10-Jul-2003 22:09 5.131.3790.67 1,093,632 Cryptui.dll IA64 RTMGDR
10-Jul-2003 22:04 5.131.3790.67 484,864 Wcryptui.dll X86 RTMGDR
10-Jul-2003 21:55 5.131.3790.67 1,093,632 Cryptui.dll IA64 RTMQFE
10-Jul-2003 21:56 5.131.3790.67 484,864 Wcryptui.dll X86 RTMQFE

Notes

  • When you install the Windows XP 64-Bit Edition Version 2003 security patch, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer. Otherwise, the installer copies the RTMGDR files to your computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

    824994 Description of the Contents of a Windows Server 2003 Product Update Package

  • The Windows XP and Windows XP 64-Bit Edition Version 2002 versions of this security patch are packaged as dual-mode packages. Dual-mode packages contain files for both the original version of Windows XP and Windows XP Service Pack 1 (SP1). For additional information about dual-mode packages, click the following article number to view the article in the Microsoft Knowledge Base:

    328848 Description of Dual-Mode Hotfix Packages for Windows XP

Verifying patch installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

For Windows XP Home Edition SP1; Windows XP Professional SP1; Windows XP 64-Bit Edition, Version 2002 SP1; Windows XP Tablet PC Edition; Windows XP Media Center Edition:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823182\Filelist

For Windows XP Home Edition; Windows XP Professional; Windows XP 64-Bit Edition, Version 2002:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB823182\Filelist

For Windows XP 64-Bit Edition, Version 2003:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB823182\Filelist

Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 823182 security patch into the Windows installation source files.

Windows 2000

Prerequisites:

For Windows 2000 this security patch requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).

For information about the Windows desktop product life cycle, visit the following Microsoft Web site:

</https:>https:

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 5.

Installation Information:

This security patch supports the following Setup switches:

/?: Display the list of installation switches.

/u: Use Unattended mode.

/f: Force other programs to quit when the computer shuts down.

/n: Do not back up files for removal.

/o: Overwrite OEM files without prompting.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

/l: List the installed hotfixes.

/x: Extract the files without running Setup.

Deployment Information

To install the patch without any user intervention, use the following command line:

For Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:

Windows2000-KB823182-x86-ENU /u /q

For Windows 2000 Service Pack 2:

Windows2000-KB823182-x86-ENU-CustomServicePackSupport.EXE /u /q

To install the security patch without forcing the computer to restart, use the following command line:

For Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:

Windows2000-KB823182-x86-ENU /z

For Windows 2000 Service Pack 2:

Windows2000-KB823182-x86-ENU-CustomServicePackSupport.EXE /z

Note: You can combine these switches into one command line.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

</https:>https:

Restart Requirement:

You must restart your computer after you apply this security patch.

Removal Information:

To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallKB823182$\Spuninst folder, and it supports the following Setup switches:

/?: Display the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

Security Patch Replacement Information:

This patch does not replace any other patches.

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

For Windows 2000 Service Pack 2, Service Pack 3 and Service Pack 4:

Date Time Version Size File Name
18-Jun-2003 20:13 5.131.2195.6758 443,664 Cryptui.dll

Verifying patch installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823182\Filelist

Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 823182 security patch into the Windows installation source files.

Windows NT 4.0 (all versions)

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites:

This security patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 (SP6).

For information about the Windows desktop product life cycle, visit the following Microsoft Web site:

</https:>https:

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

152734 How to Obtain the Latest Windows NT 4.0 Service Pack

Installation Information:

This security patch supports the following Setup switches:

/y: Perform removal (only with /m or /q).

/f: Force other programs to be closed at shutdown.

/n: Do not create an Uninstall folder.

/z: Do not restart when update completes.

/q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m).

/l: List the installed hotfixes.

/x: Extract the files without running Setup.

Deployment Information

To install the security patch without any user intervention, use the following command line:

For Windows NT 4.0 Server (all versions):

WindowsNT4Server-KB823182-x86-ENU /q

For Windows NT 4.0 Workstation:

WindowsNT4Workstation-KB823182-x86-ENU /q

To install the security patch without forcing the computer to restart, use the following command line:

For Windows NT 4.0 Server (all versions):

WindowsNT4Server-KB823182-x86-ENU /z

For Windows NT 4.0 Workstation:

WindowsNT4Workstation-KB823182-x86-ENU /z

Note: You can combine these switches into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

</https:>https:

Restart Requirement:

You must restart your computer after you apply this security patch.

Removal Information:

To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallKB823182$\Spuninst folder, and it supports the following Setup switches:

/y: Perform removal (only with /m or /q).

/f: Force other programs to be closed at shutdown.

/n: Do not create an Uninstall folder.

/z: Do not restart when update completes.

/q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m).

/l: List the installed hotfixes.

Security Patch Replacement Information:

This patch does not replace any other patches.

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows NT 4.0 Workstation:

Date Time Version Size File Name
24-Jan-2003 03:24 5.131.1878.13 465,680 Crypt32.dll   X86
09-Aug-2003 00:37 5.131.1878.14 440,080 Cryptui.dll   X86
25-Jul-2003 19:07 5.00.2195.6792 53,520 Msasn1.dll    X86
22-Feb-2001 23:34 5.131.1877.9 6,928 Softpub.dll    X86
22-Feb-2001 23:27 5.131.1877.9 165,648 Wintrust.dll   X86

Windows NT Server 4.0:

Date Time Version Size File Name
24-Jan-2003 03:24 5.131.1878.13 465,680 Crypt32.dll   X86
09-Aug-2003 00:37 5.131.1878.14 440,080 Cryptui.dll   X86
25-Jul-2003 19:07 5.00.2195.6792 53,520 Msasn1.dll    X86
22-Feb-2001 23:34 5.131.1877.9 6,928 Softpub.dll    X86
22-Feb-2001 23:27 5.131.1877.9 165,648 Wintrust.dll   X86

Windows NT Server 4.0, Terminal Server Edition:

Date Time Version Size File Name
24-Jan-2003 03:24 5.131.1878.13 465,680 Crypt32.dll X86
09-Aug-2003 00:37 5.131.1878.14 440,080 Cryptui.dll   X86
25-Jul-2003 19:07 5.00.2195.6792 53,520 Msasn1.dll    X86
22-Feb-2001 23:34 5.131.1877.9 6,928 Softpub.dll    X86
22-Feb-2001 23:27 5.131.1877.9 165,648 Wintrust.dll   X86

Verifying patch installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB823182\File1

Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 823182 security patch into the Windows installation source files.

Other Information

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the Windows Update web site

Support:

Security Resources:

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 October 15, 2003: Bulletin published.
  • V1.1 October 22, 2003: Updated "File Information" in the "Windows 2000" section of "Security Patch Information."
  • V1.2 November 17, 2003: Updated "File Information" for all platforms in the "Security Patch Information" sections.

Built at 2014-04-18T13:49:36Z-07:00 </https:>