What's this bulletin about?
Microsoft Security Bulletin MS00-091 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows NT 4.0 and a recommended workaround for Windows® 95, 98, 98 Second Edition and Windows Me. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a Denial of Service vulnerability that could be exploited to achieve either of two effects. In the most likely scenario, a malicious user could use the vulnerability to temporarily cause the networking services on an affected machine to stop responding to client requests during an attack. Networking services would return to normal once an attack has terminated. In a very small percentage of cases, the attack could cause the system to hang, requiring that it be rebooted.
The vulnerability does not affect Windows 2000. Even in affected systems, the vulnerability only occurs if the Server service or File/Printer Sharing are enabled.
What causes the vulnerability?
A flaw exists in the implementation of the NetBIOS over TCP/IP (NBT) protocol in Windows NT 4.0, Windows 95, 98, 98 Second Edition, and Windows Me. If a malicious user sent a large number of network packets with a specific type of malformation, it could cause an affected system to temporarily stop responding to all network requests, or possibly hang altogether.
What is NetBIOS, and what is NBT?
NetBIOS is a set of networking services for PC networking. NetBIOS can be implemented atop a number of different networking protocols, and there is a standard that describes how the services will be implemented for each case. NBT is the protocol standard that describes how NetBIOS services are provided on a TCP/IP network.
For more information on NetBIOS over TCP/IP please see RFC 1001.
Is this a flaw in the NBT protocol?
No. The vulnerability results from an implementation error in certain systems. Other systems, such as Windows 2000, provide implementations of the protocol that are not affected by the vulnerability.
What is the problem with the NBT implementation in the affected systems?
There is a flaw in the way the NBT implementation handles a particular type of invalid data packet. If a series of such packets were directed at an affected system, it could prevent it from providing useful service.
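The bulletin does not disclose which malformation triggers the flaw, so the following is an added illustration and not the patched code: a strict parser for the NBT session-service header defined in RFC 1002 (the companion to RFC 1001 cited above) that rejects frames violating the framing rules instead of trying to interpret them. The message-type constants and the sample bytes are constructed from the RFC, not taken from this page.

```python
import struct

# RFC 1002 section 4.3.1 session service message types (from the RFC, assumed here)
SESSION_MESSAGE = 0x00
SESSION_REQUEST = 0x81
POSITIVE_SESSION_RESPONSE = 0x82
NEGATIVE_SESSION_RESPONSE = 0x83
RETARGET_SESSION_RESPONSE = 0x84
SESSION_KEEP_ALIVE = 0x85
KNOWN_TYPES = {SESSION_MESSAGE, SESSION_REQUEST, POSITIVE_SESSION_RESPONSE,
               NEGATIVE_SESSION_RESPONSE, RETARGET_SESSION_RESPONSE, SESSION_KEEP_ALIVE}
HEADER_LEN = 4  # TYPE(1) FLAGS(1) LENGTH(2), all big-endian


class NbtFramingError(ValueError):
    """Raised for any frame that does not follow RFC 1002 session framing."""


def parse_session_frame(data: bytes):
    """Parse one NBT session-service frame (header plus trailer) strictly.

    Returns (msg_type, trailer, bytes_consumed). Every check fails closed:
    a frame that is inconsistent with the RFC is rejected, never guessed at.
    """
    if len(data) < HEADER_LEN:
        raise NbtFramingError("truncated header")
    msg_type, flags, length = struct.unpack("!BBH", data[:HEADER_LEN])
    if msg_type not in KNOWN_TYPES:
        raise NbtFramingError(f"unknown message type 0x{msg_type:02x}")
    if flags & 0xFE:
        raise NbtFramingError("reserved flag bits set")
    if flags & 0x01:
        length += 0x10000  # length-extension bit adds 65536 to LENGTH
    # Fixed-size trailers per the RFC: none, one error byte, or IP+port
    if msg_type in (POSITIVE_SESSION_RESPONSE, SESSION_KEEP_ALIVE) and length != 0:
        raise NbtFramingError("unexpected trailer on zero-length message type")
    if msg_type == NEGATIVE_SESSION_RESPONSE and length != 1:
        raise NbtFramingError("negative response must carry exactly one error byte")
    if msg_type == RETARGET_SESSION_RESPONSE and length != 6:
        raise NbtFramingError("retarget response must carry IP address and port")
    end = HEADER_LEN + length
    if len(data) < end:
        raise NbtFramingError("declared length exceeds available data")
    return msg_type, data[HEADER_LEN:end], end


def is_well_formed(data: bytes) -> bool:
    """Convenience predicate for filtering or logging: True only if the frame parses."""
    try:
        parse_session_frame(data)
        return True
    except NbtFramingError:
        return False
```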
What would be the effect of sending the malformed packets to the server?
There are primarily two effects of this vulnerability once a machine is affected. The most likely scenario is that the machine will stop responding to any client network requests. The less likely scenario is a complete resource drain that would necessitate rebooting the machine to resume normal operation.
You said that the attacker has to send a series of malformed packets. Is this a flooding attack?
No. In a flooding attack, there's a rough correlation between the resources the attacker must use and the resources he consumes on the target machine. For instance, in a flooding attack against a web server, the attacker might have to dedicate one machine for every server he wanted to attack. In contrast, denial of service attacks usually involve a multiplier effect of some kind - the attacker must dedicate far fewer resources than he consumes on the target machine.
In this case, there is a multiplier effect, but it's not particularly large. The attacker would need to continually send malformed packets to the server, but not at a particularly high rate. In addition, as discussed above, in some cases the packets can cause the server to fail altogether.
Who could exploit this vulnerability?
Any malicious user who has access to the NBT port on a victim machine could exploit this vulnerability. If an affected machine were directly connected to the Internet, the vulnerability could be exploited by a malicious user located on the Internet. If a machine on a corporate intranet were protected by a properly configured firewall that blocked the NBT ports, the machine could only be attacked by an intranet user.
Note: If File and Printer sharing were disabled on a Windows 9x or Windows Me computer, it would not be affected by this vulnerability. Though it is enabled by default under certain configurations, Microsoft recommends that File and Printer sharing be disabled on Windows 9x or Windows Me machines that are directly connected to the Internet.
Could this vulnerability be exploited accidentally?
No. The malicious user would need to construct the specific type of invalid packet at issue here. To the best of our knowledge, no legitimate client creates such data.
Why isn't there a patch for Windows 95, 98, 98 Second Edition, or Windows Me?
The vulnerability only affects computers with File and Printer sharing enabled. Microsoft recommends disabling the use of File and Printer sharing services on any Windows 9x or Windows Me machine directly connected to the Internet. Customers who need a robust file server solution should use either Windows NT 4.0 or Windows 2000. The risk is slightly lower for customers on an internal LAN, with a properly-configured firewall that blocks incoming NBT ports, since only an attacker internal to the company's network could exploit the vulnerability.
File and Printer sharing on Windows 9x and Windows Me is best suited for controlled network environments. Home PCs or small businesses whose internal networks are not connected to the Internet or are protected by a firewall can safely use this service with minimal risk.
Who should use the patch?
Microsoft recommends that anyone running Windows NT 4.0 should install this patch.
What does the patch do?
The patch eliminates the flaw in NBT and modifies how it handles the malformed packets that can be sent by a malicious client tool.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How do I use the patch?
Knowledge Base article Q275567 contains detailed instructions for applying the patch.
How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
• Microsoft has delivered a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article Q275567 explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.