Microsoft Security Bulletin (MS00-017): Frequently Asked Questions

What's this bulletin about?
Microsoft Security Bulletin MS00-017 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows® 95, Windows 98, and Windows 98 Second Edition. Under certain circumstances, the vulnerability could cause affected systems to crash. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a denial of service vulnerability. If a malicious user were able to entice another user into attempting to access a file whose path contains certain reserved words, it would cause the machine to crash.
The vulnerability does not provide any way for the malicious user to usurp control of the machine or to read, add or modify data on it. The machine could be restored to normal operation by restarting it, but any work that hadn't been saved when the attack occurred would be lost.

What causes the vulnerability?
The vulnerability results from a flaw in the way Windows 95 and 98 (including Windows 98 Second Edition) parse file path names. Device names such as COM1, CON or LPT1 are reserved words, and they can't be used as folder or file names. When parsing a reference to a path, Windows 95 and 98 check for the presence of a single DOS device name in the path. If one is found, the path is correctly treated as invalid and an error is returned. However, neither Windows 95 nor 98 checks for multiple DOS device names. This is the source of the vulnerability.
If a read or write operation is attempted to a path whose name contains multiple DOS device names, it will cause Windows 95 and 98 to attempt to access invalid resources. In some cases, the effect of this invalid access would be to cause the application that supplied the path to hang, but the more likely effect is that the machine would present a blue debug screen and crash.

What names could cause this problem?
It's not possible to compile an exhaustive list of all DOS device names, because third-party application developers can create their own device drivers and add their names to the reserved list. However, Microsoft Knowledge Base article 256015 (available soon) provides a list of all standard DOS device names.

What would need to happen for me to be affected by this vulnerability?
You would need to try to reference a path that contains more than one DOS device name. The operations by which this could happen are familiar file and folder access operations - reading a file, listing a folder's contents, etc. Under normal conditions, this problem is unlikely to occur. Users cannot create files and folders whose names are reserved words like DOS device names. Because of this, it would be very unusual for a user to try to access such a file or folder. For example, it would be very unlikely that a user would try to list the contents of C:\COM1\COM1, since it is impossible for him to have created such a folder. However, a malicious user might use this vulnerability to try to cause other users' systems to crash.

How could a malicious user do this?
He would need to entice the user into doing something that resulted in an attempt to access a file whose path contained reserved words. For example, if he hosted a web site, he could include a link on a web page that displayed a file located in C:\COM1\COM1. Normally, it's safe to allow a web site to do this - the site can't read or change the file, only display it in the owner's browser. However, when Windows tried to locate the file, it would cause the system to crash. It wouldn't matter that the file doesn't even exist on the user's machine, because the very act of trying to find it is what would cause the crash.
There also are scenarios in which it would not be necessary for the user to click on a link to be affected by the vulnerability. For example, web pages can specify that an image file on the user's computer should be used as the page background. If this were done, simply displaying the page would cause the user's computer to crash. HTML mails could be used in a similar manner.

Are customers who have Preview Mode enabled on their mail viewers at any greater risk from this vulnerability?
Yes. HTML mail renders in Preview Mode, so if a malicious user sent an HTML mail to someone who had Preview Mode enabled, the vulnerability would be exploited as soon as the mail was previewed.

I have preview mode enabled in Outlook. If I received such a mail, what should I do?
Start Outlook from a command prompt, and use the /safe and /nopreview options to turn off preview mode. Microsoft Knowledge Base articles 197180 and 182112 provide information on how to do this. Once you're able to get into Outlook, you can simply delete the offending mail. Obviously, you should do this without opening the mail.

What would I need to do to put my machine back in service after a crash?
You would just need to restart the machine. There's no lasting harm from the crash, although any work that was in progress would be lost during the crash.

Could this vulnerability be exploited accidentally?
No. As discussed above, it is not possible to create a file or folder name that contains one of the reserved words at issue here. Thus, a web site that attempts to reference such a file could not do so with any realistic expectation that it would succeed.

Does this vulnerability affect Windows NT 4.0 or Windows 2000?
No.

Who should install the patch?
Customers using Windows 95, Windows 98 or Windows 98 Second Edition should install the patch.

What does the patch do?
The patch causes paths containing more than one DOS device name to be treated as invalid paths. This is correct behavior.
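
The check described above can also be applied before content reaches an unpatched machine, for example at a mail or web gateway. The following is an added example, not Microsoft's code: it splits a path into components, reports those that are reserved device names, and flags HTML that references a local path naming two or more of them. The device-name set, the function names and the sample HTML are assumptions constructed for illustration; the page itself names only COM1, CON and LPT1 and notes that third-party drivers can add more.

```python
import re

# Assumed standard DOS device names; the page names only COM1, CON and LPT1
# and notes third-party drivers can register more, so the set is extensible.
DEVICE_NAMES = ({"CON", "PRN", "AUX", "NUL", "CLOCK$"}
                | {f"COM{i}" for i in range(1, 10)}
                | {f"LPT{i}" for i in range(1, 10)})

def device_components(path, extra_names=()):
    """Return the path components that are reserved DOS device names."""
    names = DEVICE_NAMES | {n.upper() for n in extra_names}
    hits = []
    for part in re.split(r"[\\/]+", path):
        # Assumption: a device name followed by an extension or trailing
        # spaces (e.g. "con.txt") still resolves to the device.
        base = part.split(".", 1)[0].rstrip(" ").upper()
        if base in names:
            hits.append(part)
    return hits

def is_valid_path(path, extra_names=()):
    """Behaviour the patch aims for: any device-name component is invalid."""
    return not device_components(path, extra_names)

# Attributes through which HTML can reference a file (link, image, background).
_ATTR = re.compile(r'(?:src|href|background)\s*=\s*["\']([^"\']+)["\']', re.I)

def flag_html(html, extra_names=()):
    """Return local-path references in the HTML that name two or more devices."""
    flagged = []
    for ref in _ATTR.findall(html):
        local = re.sub(r"^file:/+", "", ref, flags=re.I)
        if (re.match(r"^[A-Za-z]:[\\/]", local)
                and len(device_components(local, extra_names)) >= 2):
            flagged.append(ref)
    return flagged

# Constructed sample input for the gateway check.
SAMPLE_HTML = '''<body background="file:///C:/COM1/COM1">
<img src="C:\\Windows\\logo.bmp"><a href="http://example.com/con/con">x</a>'''

if __name__ == "__main__":
    for p in (r"C:\COM1\COM1", r"C:\COM1\report.txt", r"C:\Docs\report.txt"):
        print(p, device_components(p), is_valid_path(p))
    print(flag_html(SAMPLE_HTML))
```

Pass driver-specific names through `extra_names` where a site knows of additional reserved devices.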

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.

How can I tell if I installed the patch correctly?
Knowledge Base article 256015 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

Microsoft has developed a patch that eliminates the vulnerability.

Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.

Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.

Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

