What's this bulletin about?
Microsoft Security Bulletin MS00-027 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows NT® 4.0 and Windows® 2000. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a denial of service vulnerability. If a Windows NT 4.0 or Windows 2000 server provides scripts for its customers' use, it could be possible for a malicious user to use this vulnerability to consume memory on the server, thereby slowing its response or preventing it from providing useful service altogether. The most commonly affected servers would be web servers that are remotely administered in a so-called "headless" configuration.
This vulnerability could not be used to compromise data, run arbitrary code on the server, or to usurp administrative control of it. It would only be exposed under very specific conditions that are not present on all servers. Moreover, coding practices in batch and script files can prevent this vulnerability from manifesting itself on an otherwise-affected server.
What is the vulnerability?
The Windows NT 4.0 and Windows 2000 command processor (CMD.EXE) does not correctly constrain the length of environment strings that it receives. If CMD.EXE received an excessively-long environment string, it would crash. Under certain conditions, this could cause the memory allocated to the process to become temporarily unavailable.
Why is this a security vulnerability?
If a malicious user were able to exploit this vulnerability repeatedly against a machine, he could eventually deplete the available memory to the point where the machine could be slowed or stopped altogether.
How would someone pass such an environment string to CMD.EXE?
The most likely means of doing this would be via a batch file. If a machine offered a publicly-accessible .BAT or .CMD file that used one of the inputs as an environment variable, it would offer a malicious user the opportunity to exploit the vulnerability.
What are the conditions under which the memory allocated to CMD.EXE could become unavailable?
When the CMD.EXE process aborts, it displays an error message on the console. When this dialogue is cleared, the memory is freed and made available to other processes. However, if the dialogue is not cleared, the memory remains allocated to the now-dead process.
This is an important point, and goes to the heart of understanding what servers are most affected by the vulnerability. If there is an administrator present at the console of an affected machine, he can simply clear the dialogue, at which point all of the memory allocated to the process will be returned for use by other processes. It's only in the case of a "headless" server - one where there is no administrator present - that this vulnerability would allow denial of service attacks against the machine.
Could the malicious user cause code to run via this vulnerability?
There is an unchecked buffer involved in this vulnerability, but Microsoft has thoroughly researched it and believes that code could not be made to run on the machine via this vulnerability. The overrun occurs on the heap, rather than the stack. In general, heap overruns do not offer the prospect of running arbitrary code.
Could the author of the batch file prevent malicious users from exploiting this vulnerability?
Yes. Standard defensive coding practices could prevent malicious users from exploiting this vulnerability, even on an otherwise affected machine. If the batch file or script validates its inputs before using them, it almost certainly would reject the long environment string that causes the problem.
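The bulletin leaves the validation step abstract. The following is an added example, not code from the bulletin or from Microsoft, showing the shape of that check in the script that launches a batch file: each untrusted input is length-bounded and character-restricted before it is placed in the environment of the spawned CMD.EXE, so an excessively long string is rejected rather than passed on. The 255-character cap, the variable-name pattern and the C:\WINNT default are assumptions, and actually spawning cmd.exe only works on Windows.

```python
"""Added example: validate untrusted inputs before they become
environment strings for a batch file run under CMD.EXE."""
import os
import re
import subprocess

# Constructed policy values; the bulletin gives no numeric limit, so the cap
# below is an assumption chosen well below any plausible overrun length.
MAX_ENV_VALUE_LEN = 255
ALLOWED_VALUE = re.compile(r"^[A-Za-z0-9 _.@-]*$")
ALLOWED_NAME = re.compile(r"^[A-Z][A-Z0-9_]{0,31}$")


class RejectedInput(ValueError):
    """Raised when an input must not reach CMD.EXE as an environment string."""


def build_env(untrusted: dict) -> dict:
    """Return a bounded child environment, or raise RejectedInput.

    Every value is length-checked and restricted to a conservative character
    set, so a long string is refused here and never handed to CMD.EXE.
    """
    env = {}
    for name, value in untrusted.items():
        if not ALLOWED_NAME.match(name):
            raise RejectedInput(f"bad variable name: {name!r}")
        if not isinstance(value, str) or len(value) > MAX_ENV_VALUE_LEN:
            raise RejectedInput(f"{name}: value too long or not a string")
        if not ALLOWED_VALUE.match(value):
            raise RejectedInput(f"{name}: disallowed characters")
        env[name] = value
    return env


def is_acceptable(untrusted: dict) -> bool:
    """True if every input passes the checks above, False otherwise."""
    try:
        build_env(untrusted)
        return True
    except RejectedInput:
        return False


def run_batch(batch_path: str, untrusted: dict) -> int:
    """Spawn the batch file with a minimal, validated environment (Windows only)."""
    env = build_env(untrusted)  # raises before anything is spawned
    # Hypothetical default install path; the real value comes from the host.
    env["SystemRoot"] = os.environ.get("SystemRoot", r"C:\WINNT")
    cmd = [os.path.join(env["SystemRoot"], "system32", "cmd.exe"), "/c", batch_path]
    return subprocess.run(cmd, env=env, timeout=30).returncode
```

Because the rejection happens in the launcher, the batch file itself never sees the oversized value, which is the only place this check is effective.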
If CMD.EXE is the command processor, why doesn't crashing it cause the entire machine to fail?
There can be multiple command environments on the machine at the same time, each working independently. This vulnerability, under the conditions described above, provides a way for a malicious user to cause a new command environment to be spawned, and then to fail. However, it does not allow him to affect any other processes running on the machine, including other processes' environments. What it does allow him to do is "starve" the other processes by denying them memory.
What machines would primarily be at risk?
The machines most likely to be affected would be ones that have the following characteristics:
• They are publicly accessible.
• They provide .BAT, .CMD or other scripting files that enable a user to spawn a new copy of CMD.EXE on the machine.
• They are running in a "headless" configuration, and do not have an administrator present at the console to clear the error dialogue.
By and large, web servers are more likely to fit this description than other types of servers.
Will Windows 2000 Datacenter Server be affected by the vulnerability?
No.
What does the patch do?
The patch checks the length of all environment strings passed to CMD.EXE, and ensures that they cannot overrun the buffer.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
The KB article provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
• Microsoft has developed a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.