What's this bulletin about?
Microsoft Security Bulletin MS00-004 announces the availability of a patch that eliminates a vulnerability in a utility that ships as part of Microsoft® Windows NT 4.0. Under certain circumstances, the vulnerability could allow users on the server to read administrative information that should be denied to them. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability could cause administrative information on a Windows NT 4.0 system to be divulged to unprivileged users. A tool that allows administrators to recover from catastrophic system errors creates a temporary file containing the names and values of registry entries, but assigns it permissions that allow normal users to read it while the tool is creating it.
The tool erases the file upon successful completion, so the window of vulnerability is narrow. The vulnerability provides the ability to read the values, but not to change or delete them. Also, the information is only available by default to users who can interactively log onto the server; it is not shared by default, so other network users would not be able to access it.
What causes the vulnerability?
The vulnerability results because RDISK, the utility used to create an Emergency Repair Disk (ERD), creates a temporary file that enumerates the registry, with permissions that make it readable by any user on the machine. RDISK erases the file when it completes, but a malicious user could read the file while RDISK was creating it.
What is RDISK?
RDISK is an administrative utility that saves the current configuration of a Windows NT machine. It saves the values of registry keys and other machine settings so that, in the event of a problem that renders the machine unusable, the administrator will be able to restore the machine to a known working state. The machine state is saved on a disk called the Emergency Repair Disk.
What is the problem with RDISK?
As it runs, RDISK creates a temporary file that contains registry names and values. The problem is that the file's permissions are not appropriately set, and allow any user who can interactively log onto the machine to read it.
What's the problem with users reading the file?
The registry can contain security-sensitive information that it may not be appropriate for users to read. Administrators can set read, write and change permissions individually for every registry value; however, by reading this file, a malicious user could learn information that would otherwise be denied to them.
Who could read the file?
By default, any user who can interactively log onto the machine can read the file. However, the file is not shared by default, so other network users would not be able to read it.
What about the ERD itself? Doesn't it also contain sensitive information?
The ERD does contain sensitive information, and it's very important that it be protected. We recommend that administrators always store the ERDs for their machines in a safe or other physically protected location.
How often do administrators run RDISK?
RDISK is usually run fairly infrequently, either before or after making large configuration changes to the machine.
How would the malicious user know that RDISK was being run?
This would be a social engineering problem. There are no outward signs that would alert the user to the fact that RDISK was being run. Instead, the user would need to know, for instance, the administrator's typical routine.
What machines would primarily be at risk from this vulnerability?
Terminal Servers would be primarily affected. The reason is that the scenario requires the malicious user to be interactively logged onto the machine while RDISK is running on it.
On servers and workstations, the only way RDISK could run while a normal user was interactively logged on would be as part of a scheduled job. However, on a Terminal Server, an administrator could run RDISK directly as well. This means that the risk scenario for a Terminal Server is somewhat broader than for servers and workstations.
Who should apply the patch?
Administrators should apply this patch to all machines on which RDISK is used.
Does this vulnerability affect Windows 2000?
No.
What does the patch do?
The patch eliminates the vulnerability by applying permissions to the file that protect it against being read by normal users.
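The temp-file weakness described under "What is the problem with RDISK?" and the fix described here, shown in PowerShell as an added example that is not Microsoft's code or part of the bulletin: a temporary file meant to hold sensitive data gets a DACL limited to SYSTEM and Administrators before anything is written to it, and a check reports whether any other principal was granted read access. It assumes an elevated session on a current Windows host; the function names, path and sample content are constructed for the illustration.

```powershell
# Added example (not from the bulletin or Microsoft): the safe pattern for a temp file that
# will hold sensitive data, plus a check for the weak state the unpatched RDISK left its file in.
# Function names, the path and the sample content are constructed for this illustration.

$PrivilegedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function New-RestrictedTempFile {
    param([string]$Path)
    # Create the file empty, lock its DACL down, and only then let the caller write to it,
    # so nothing sensitive is ever on disk under the default (inherited) permissions.
    New-Item -ItemType File -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent directory and discard the inherited ACEs;
    # an inherited "Users: Read" entry is what lets any interactive user read the file.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in $PrivilegedPrincipals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-ReadableByNonAdmins {
    param([string]$Path)
    # Returns $true if any Allow ACE grants ReadData to a principal outside the privileged set.
    # Caveat: ACEs expressed in generic rights (shown as negative numbers) are not decoded here.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($PrivilegedPrincipals -contains $ace.IdentityReference.Value) { continue }
        $readBit = [System.Security.AccessControl.FileSystemRights]::ReadData
        if (($ace.FileSystemRights -band $readBit) -ne 0) { return $true }
    }
    return $false
}

# Usage: a constructed stand-in for RDISK's registry enumeration file.
$tmp = Join-Path $env:TEMP 'registry-dump.tmp'
New-RestrictedTempFile -Path $tmp
'HKLM\SOFTWARE\Example\Key = value' | Set-Content -Path $tmp   # constructed sample content
if (Test-ReadableByNonAdmins -Path $tmp) {
    Write-Warning "$tmp can be read by non-administrators"
} else {
    Write-Output "$tmp is restricted to SYSTEM and Administrators"
}
Remove-Item -Path $tmp   # as RDISK does: delete the file once it is no longer needed
```

Running Test-ReadableByNonAdmins against a file created with plain New-Item in a directory that grants Users read access returns $true, which is the condition the patch removes.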
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
Knowledge Base article 249108 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
• Microsoft has developed a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.