Microsoft Security Bulletin (MS01-003): Frequently Asked Questions

What's this bulletin about?
Microsoft Security Bulletin MS01-003 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows NT 4.0. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who could log onto a machine interactively could use this vulnerability to make it stop responding to network traffic. This would not cause the machine to fail, but it would prevent it from communicating with other machines.
Security best practices strongly recommend against ever allowing unprivileged users to interactively log onto critical servers like domain controllers, print and file servers, ERP servers, database servers, and so forth. If these recommendations have been followed, this vulnerability would pose a risk only to workstations and terminal servers.

What causes the vulnerability?
The vulnerability results because a networking mutex has inappropriate permissions. An attacker could write a program that could gain control of the mutex and deny access to it. This would prevent any other processes from being able to perform networking operations, essentially isolating the machine from the network.

What is a mutex?
A mutex is a synchronization object used to prevent more than one process from accessing certain resources at the same time. Multiprocessing operating systems like Windows NT 4.0 allow multiple programs to run at the same time. Even so, certain resources can only be used by one program at a time. Mutexes are used to help control access to resources like these.

What's the problem with mutexes in Windows NT 4.0?
There's no problem with mutexes in general. However, mutexes, like all objects in Windows NT 4.0, have permissions that regulate how and by whom they can be accessed. The mutex involved in this vulnerability has inappropriate permissions. By design, this mutex should only be accessible by programs with administrator or system privileges; however, in reality, everyone can access it. As a result, an attacker could write a program that waits its turn for the mutex and then changes its permissions to allow no access. If this happened, no other program could use the resource.
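
The following Python example, added here and not part of the original bulletin or Microsoft's code, models how an ordered DACL is evaluated for a caller and audits a mutex DACL for trustees other than Administrators and SYSTEM that hold the right to change its permissions or owner. The two ACLs, the user SID and the function names are constructed for illustration, since the bulletin does not publish the affected mutex's name or security descriptor; the model omits owner-implied rights and privileges.

```python
# Added example: simplified DACL evaluation for a mutex (all data constructed).
WRITE_DAC        = 0x00040000   # right to rewrite the object's DACL
WRITE_OWNER      = 0x00080000   # right to take ownership of the object
MUTEX_ALL_ACCESS = 0x001F0001   # every standard and mutex-specific right
GENERIC_ALL      = 0x10000000
EVERYONE, SYSTEM, ADMINS = "S-1-1-0", "S-1-5-18", "S-1-5-32-544"
PRIVILEGED = {SYSTEM, ADMINS}   # the only trustees the design intends

def map_generic(mask):
    """Expand GENERIC_ALL into the mutex-specific full-access mask."""
    return (mask & ~GENERIC_ALL) | MUTEX_ALL_ACCESS if mask & GENERIC_ALL else mask

def access_granted(dacl, token_sids, desired):
    """Walk ACEs in order: a matching deny refuses, allows accumulate."""
    if dacl is None:                 # NULL DACL: object is unprotected
        return True
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue
        mask = map_generic(mask)
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False                     # empty DACL, or bits never granted

def audit(dacl):
    """List non-privileged trustees that can rewrite the DACL or owner."""
    if dacl is None:
        return ["NULL DACL: every caller has full control"]
    findings = []
    for ace_type, sid, mask in dacl:
        mask = map_generic(mask)
        risky = mask & (WRITE_DAC | WRITE_OWNER)
        if ace_type == "allow" and sid not in PRIVILEGED and risky:
            findings.append(f"{sid} may rewrite DACL/owner (mask {mask:#010x})")
    return findings

# Constructed samples: an Everyone-accessible DACL and the admin/SYSTEM-only intent.
PERMISSIVE = [("allow", EVERYONE, MUTEX_ALL_ACCESS)]
RESTRICTED = [("allow", SYSTEM, MUTEX_ALL_ACCESS), ("allow", ADMINS, MUTEX_ALL_ACCESS)]
USER_TOKEN = {"S-1-5-21-0-0-0-1001", EVERYONE}   # constructed unprivileged user

if __name__ == "__main__":
    for name, dacl in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, access_granted(dacl, USER_TOKEN, WRITE_DAC), audit(dacl))
```

With the permissive DACL the unprivileged token is granted WRITE_DAC and the audit reports the Everyone ACE; with the restricted DACL the same request is refused and the audit returns no findings.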

What's the resource that the mutex governs?
The particular mutex in this case regulates access to a networking resource. By denying access to the mutex, the attacker's program could prevent any other programs from using the networking functions in Windows NT 4.0.

What would be the result?
The machine would stop communicating with other machines on the network, because no other programs would be able to use the networking resources. The operator would need to reboot the machine to restore normal operation.

Could this vulnerability be exploited remotely?
No. The attacker's program would need to run locally on the machine. This means that the attacker would need the ability to log onto the machine interactively and start his program. This is an important point, because, if normal security restrictions are observed, unprivileged users will not be able to log onto critical machines such as servers, and would as a result be unable to attack them.

What machines are at greatest risk from this vulnerability?
Typically, unprivileged users are only allowed to log onto workstations and terminal servers interactively. It would do little good for an attacker to attack a workstation via this vulnerability, because he would only succeed in denying service to himself. However, if he attacked a terminal server via this vulnerability, he could render the server useless until it was rebooted.

Who should use the patch?
Microsoft recommends that customers consider installing this patch on all Windows NT 4.0 Terminal Servers.

What does the patch do?
The patch eliminates the vulnerability by correcting the permissions on the affected mutex.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.

How do I use the patch?
Knowledge Base article 279336 (available soon) contains detailed instructions for applying the patch to your site.

How can I tell if I installed the patch correctly?
The Knowledge Base article 279336 (available soon) provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

Microsoft has delivered a patch that eliminates the vulnerability.

Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.

Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.

Microsoft has issued a Knowledge Base article Q27933 (available soon) explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.

