Microsoft Security Bulletin (MS00-021): Frequently Asked Questions

What's this bulletin about?
Microsoft Security Bulletin MS00-021 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows NT® 4.0 and Windows® 2000. The vulnerability could allow denial of service attacks against a network print server. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a denial of service vulnerability. A malicious user could use this vulnerability to prevent a server from providing certain types of network services.
The print service at issue here is the TCP/IP Printing Service, (called Print Services for Unix in Windows 2000), not the native Windows NT print service. The TCP/IP printing service is not installed by default, and systems that have not installed it could not be affected by the vulnerability. If a server were affected by this vulnerability, it could be put back into service by restarting the TCP/IP printing service.

What causes the vulnerability?
The TCP/IP Printing Service does not correctly handle certain types of malformed print requests. If one were received, it would cause the service to fail, as well as potentially causing other services to also fail.

What is the TCP/IP Printing Service?
The TCP/IP Printing Service is a printing service provided for integration into Unix environments. TCP/IP Printing Service is based on the Berkeley remote printing protocols commonly called Line Printer Daemon (LPD) and Line Printer Remote (LPR). These are described in RFC 1179.
TCP/IP Printing Service is not the same thing as the native Windows NT and Windows 2000 printing services (SPOOLSS). Although the native Windows NT and Windows 2000 printing services do operate in a TCP/IP environment, they operate using a different protocol. The native Windows NT and Windows 2000 printing services are not affected by this vulnerability.

Are TCP/IP Printing Services installed by default?
No. They are optional services installed as part of Simple TCP/IP Services.

What would this vulnerability allow a malicious user to do?
By sending a specially-malformed print request, a malicious user could cause TCP/IP Printing Services to stop, thereby preventing them from servicing print requests. Service could be restored by restarting TCP/IP Printing Services. It would not be necessary to reboot the machine.
It's important to note that native Windows NT and Windows 2000 print services are not affected by the vulnerability, and would be unaffected by such an attack.

Would there be any other effects of such an attack?
Yes. The attack would cause the TCPSVC.EXE process to crash; this process provides not only TCP/IP Printing Services, but several other services as well. Here's a full list of the services that would be affected by the crash, and which would need to be restarted (if they are installed on the machine):

Does this mean that a malicious user could use this vulnerability to mount denial of service attacks against DHCP and FTP servers?
Yes, but only if the server had TCP/IP Printing Services installed. Although there is no reason why this could not be the case, it would nevertheless be somewhat unusual for a print server to also serve as the DHCP server or FTP server.

I've installed DHCP but not TCP/IP Printing Services. Could I be affected by the vulnerability?
No. Although the vulnerability affects the process that provides DHCP (as well as the other services listed above), it can only be exploited via TCP/IP Printing Services. If TCP/IP Printing Services are not installed on the machine, there is no risk, even if other services that run in TCPSVC.EXE are installed.

Could this vulnerability be exploited accidentally?
No. The particular malformation is extremely unlikely to be created accidentally.

Could this vulnerability be exploited remotely?
If port 515 is filtered at the firewall, external users would be unable to deliver packets to the service and hence unable to exploit the vulnerability.

Will this vulnerability affect Windows 2000 Datacenter Server?
No. Windows 2000 Datacenter Server has not yet been released, and this issue will be corrected prior to release.

What does the patch do?
The patch causes the specific type of malformed print request to be treated as an error case. This is correct behavior.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin 

How can I tell if I installed the patch correctly?
The KB article provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Top of page