What's this bulletin about?
Microsoft Security Bulletin MS01-005 announces the availability of a tool and patch that customers can use to diagnose and eliminate the effects of anomalies in the packaging of some hotfixes for English language versions of Microsoft® Windows® 2000. Under certain circumstances, these anomalies could cause the removal of hotfixes, which could include some security patches, from a Windows 2000 system. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the potential problem and what they can do about it.
What's the scope of the problem?
This problem could potentially cause previously-applied hotfixes, which could include security patches, to be removed from a Windows 2000 system. This could result in a situation in which a system that was believed to be up to date on all security patches actually was still susceptible to known vulnerabilities.
There are significant limitations to the scope of the problem:
• It only affects English-language post-Service Pack 1 hotfixes made available through December 18, 2000.
• It could only occur if the administrator installed multiple hotfixes in an order other than the order in which they were packaged, and then ran System File Checker.
What causes the problem?
The catalogs associated with all Windows 2000 post-Service Pack 1 hotfixes, including security patches, made available through December 18, 2000, were assigned the same version number. Under some conditions, this could cause Windows File Protection to treat some hotfixes as invalid and remove them.
What is Windows File Protection?
Windows File Protection is a Windows 2000 feature that ensures that operating system files cannot be modified or replaced by older versions. On versions of Windows before Windows 2000, installing software in addition to the operating system could overwrite shared system files such as dynamic link libraries (.dll files) and executable files (.exe files). When system files are overwritten in error, system performance can become unpredictable, programs can behave erratically, and the operating system can fail. In Windows 2000, Windows File Protection prevents the replacement of protected system files such as .sys, .dll, .ocx, .ttf, .fon, and .exe files. If a user or program attempts to replace a protected system file, Windows File Protection restores the correct version from the backup store located in the Dllcache folder or the Windows 2000 CD. Windows File Protection only allows protected system files to be replaced when installing Windows 2000 Service Packs, Windows 2000 hotfixes, new operating system versions, or downloads from Windows Update. Knowledge base article 222193, Description of the Windows 2000 Windows File Protection Feature, provides additional information on Windows File Protection.
What files are protected by Windows File Protection?
Windows File Protection applies to almost all system files associated with any component of Windows 2000. These components include Internet Explorer, Internet Information Server, Index Server, and the Microsoft Virtual Machine as well as other operating system components.
How does Windows File Protection determine if a protected system file is valid?
Microsoft computes the cryptographic hash for each protected file it releases at the time of release. When Windows File Protection is invoked to determine whether a file is valid, it attempts to verify that the hash for the file is identical to the hash for that particular file as recorded in the "system catalog". If the hash for a file on the system fails to match the hash in the catalog for the version that Microsoft distributed, Windows File Protection replaces the file with a valid version from the Dllcache folder or the Windows 2000 CD.
What is the system catalog?
The "system catalog" on a Windows 2000 system lists the names and cryptographic hashes of all protected system files. Microsoft digitally signs the catalog file with a Microsoft private key before it is released.
Doesn't that mean that the system catalog has to change every time Microsoft issues a hotfix for a protected system file?
That's correct. When Microsoft packages a Service Pack or hotfix that changes protected system files, the package includes not only the protected system files but also a new signed supplemental system catalog file. The hotfix or Service Pack installation procedure verifies the signature on the supplemental catalog file, installs the new supplemental catalog file in parallel to the old system catalog file, and then verifies the hashes of any new protected system files that are included with the hotfix or Service Pack.
What's the problem with the system catalog?
The system catalogs packaged with all post Service Pack 1 Windows 2000 hotfixes made available through December 18, 2000, were built with the same version number. As a result, it was possible for an older version of the system catalog to replace a newer one.
What is a post Service Pack 1 hotfix?
Post Service Pack 1 hotfixes are those that were built after the cutoff date for inclusion in Windows 2000 Service Pack 1. Knowledge Base Article 281767 includes a list of the post Service Pack 1 hotfixes that were issued with Microsoft security bulletins.
Why is it a problem for an older version of the system catalog to replace a newer one?
If an older version of the system catalog replaces a newer one, some of the hashes in the catalog no longer correspond to the protected system files that later hotfixes installed on the system. If Windows File Protection were then triggered and detected files whose hashes did not match the entries in the catalog, it would replace them from the Dllcache folder or the Windows CD. This sequence of events could have the effect of "uninstalling" a patch that a hotfix had installed.
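To make the mechanism in the preceding answers concrete, here is a small Python model of a signed catalog, a protected-file scan, and the version collision. It is an added illustration, not Microsoft code: the catalog layout, the use of SHA-256 as the file hash, the HMAC standing in for Microsoft's catalog signature, and the file names and contents are all assumptions. Installing two cumulative hotfixes out of order and then scanning rolls the later hotfix's file back, because its catalog lost to an older catalog carrying the same version number; with distinct version numbers the same sequence is harmless.

```python
"""Toy model of Windows File Protection catalogs and the catalog version collision
this bulletin describes. Constructed illustration added here, not Microsoft code:
the catalog layout, SHA-256 as the file hash, the HMAC stand-in for Microsoft's
catalog signature, and the file names and contents are all assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass

SIGNING_KEY = b"example-vendor-signing-key"  # stand-in for the vendor's private key


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Catalog:
    version: int
    hashes: dict       # protected file name -> hash the catalog certifies
    signature: str = ""

    def payload(self) -> bytes:
        body = {"version": self.version, "hashes": self.hashes}
        return json.dumps(body, sort_keys=True).encode()


def sign_catalog(version: int, hashes: dict) -> Catalog:
    cat = Catalog(version, dict(hashes))
    cat.signature = hmac.new(SIGNING_KEY, cat.payload(), "sha256").hexdigest()
    return cat


def verify_catalog(cat: Catalog) -> bool:
    expected = hmac.new(SIGNING_KEY, cat.payload(), "sha256").hexdigest()
    return hmac.compare_digest(expected, cat.signature)


@dataclass
class System:
    files: dict        # protected files on disk: name -> bytes
    dllcache: dict     # backup store, content-addressed here: hash -> bytes
    catalog: Catalog


@dataclass
class Hotfix:
    files: dict        # files this hotfix replaces: name -> bytes
    catalog: Catalog   # cumulative: lists every protected file as of this hotfix


def install_hotfix(system: System, hotfix: Hotfix) -> None:
    """A hotfix installer is allowed to replace protected files. Its catalog is
    taken over when it is not older than the installed one, so with equal version
    numbers (the packaging error) an older catalog displaces a newer one."""
    if not verify_catalog(hotfix.catalog):
        raise ValueError("catalog signature does not verify")
    for name, data in hotfix.files.items():
        system.files[name] = data
        system.dllcache[sha256(data)] = data
    if hotfix.catalog.version >= system.catalog.version:
        system.catalog = hotfix.catalog


def sfc_scan(system: System) -> list:
    """Model of 'sfc /scannow': a protected file whose hash differs from the
    catalog entry is replaced from the backup store. Returns files rolled back."""
    restored = []
    for name, data in list(system.files.items()):
        want = system.catalog.hashes.get(name)
        if want is not None and sha256(data) != want:
            system.files[name] = system.dllcache[want]
            restored.append(name)
    return restored


BASE = {"a.dll": b"a.dll base build", "b.dll": b"b.dll base build"}  # constructed


def fresh_system() -> System:
    cat = sign_catalog(0, {n: sha256(d) for n, d in BASE.items()})
    return System(dict(BASE), {sha256(d): d for d in BASE.values()}, cat)


def build_hotfixes(distinct_versions: bool) -> dict:
    """Two cumulative hotfixes. With distinct_versions=False both catalogs carry
    the same version number, as the affected Windows 2000 hotfixes did."""
    a1, b2 = b"a.dll from hotfix 1", b"b.dll from hotfix 2"
    v1, v2 = (1, 2) if distinct_versions else (1, 1)
    cat1 = sign_catalog(v1, {"a.dll": sha256(a1), "b.dll": sha256(BASE["b.dll"])})
    cat2 = sign_catalog(v2, {"a.dll": sha256(a1), "b.dll": sha256(b2)})
    return {1: Hotfix({"a.dll": a1}, cat1), 2: Hotfix({"b.dll": b2}, cat2)}


def simulate(order: tuple, distinct_versions: bool) -> list:
    """Install the hotfixes in `order`, then scan; return the files rolled back."""
    system = fresh_system()
    hotfixes = build_hotfixes(distinct_versions)
    for n in order:
        install_hotfix(system, hotfixes[n])
    return sfc_scan(system)


if __name__ == "__main__":
    print(simulate((1, 2), False))  # []        in-order install: nothing rolled back
    print(simulate((2, 1), False))  # ['b.dll'] hotfix 2's file silently undone
    print(simulate((2, 1), True))   # []        distinct catalog versions: safe in any order
```

The out-of-order install by itself changes nothing on disk; the rollback happens only when `sfc_scan` runs, which is the bulletin's point that hotfixes stay in place unless System File Checker is invoked. The signature check still passes on the stale catalog, because the catalog is a genuine vendor-signed file; the defect is in which signed catalog the installer keeps, not in the signature.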
When is Windows File Protection triggered?
Windows File Protection can be triggered in either of two cases:
• when System File Checker (SFC.EXE) is run from the command line, or
• when a user or software installation process attempts to modify or delete a protected system file.
The latter occurrence is uncommon, and will only result in Windows File Protection restoring the version of the protected file that is specified in the catalog.
Windows File Protection is triggered when SFC.EXE is run with any of the following options:
• /scannow (do a Windows File Protection scan immediately)
• /scanboot (do a scan each time the system boots)
• /scanonce (do a scan the next time the system boots).
SFC.EXE can also be run periodically on machines in a domain by an administrator-specified group policy. Knowledge Base article 222471, Description of the Windows 2000 System File Checker Tool, provides additional information about SFC.EXE.
Is Windows File Protection enabled by default?
Windows File Protection scanning is not enabled by default. If you have not run SFC.EXE, and Windows File Protection is not invoked by a group policy, Windows File Protection will not scan your system, the hashes on protected system files will not be compared with those in the catalog, and there is essentially no danger of newly installed (security or other) hotfixes being replaced with older versions.
How can I tell whether Windows File Protection scanning has been enabled on my system?
If you have set your system to scan for invalid files at every boot (by running "sfc /scanboot"), you will find that the registry value
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan
is set to 1.
How do I know if I've installed hotfixes that are affected by the problem?
Any post Service Pack 1 hotfix that was available prior to December 19, 2000 is potentially affected by this problem. Knowledge Base article 281767 includes a list of affected hotfixes that were issued with Microsoft security bulletins. Microsoft has released a tool, QFECHECK.EXE, designed to help customers manage operating system updates in their environment. One of the benefits of this tool is that it will detect any anomalies with hotfix installation and will allow customers to determine if their systems have been affected by this issue.
If I've installed affected hotfixes, does that mean that I have a problem?
Probably not. In order to be affected, you must have installed hotfixes in a different order from the order in which they were produced. If you installed the hotfixes in order, then you always replaced an older catalog file with a newer one, and all of the hotfixes that you've installed will be listed correctly in the catalog file on your system. Even if you installed hotfixes out of order, the hotfixes won't have been removed from your system unless you ran SFC.EXE at some point after installing them.
You said that this problem affects post Service Pack 1 hotfixes. Would it matter whether I've installed Windows 2000 Service Pack 1?
No. The catalog files at issue postdate Service Pack 1, but this issue can arise whether you've installed Service Pack 1 or not.
I'm using Windows NT 4.0 or 3.51, or Windows Me, 98, or 95. Does this issue affect me?
No. Windows File Protection was introduced as a part of Windows 2000. This issue does not affect users of Windows NT 4.0 or earlier versions of Windows NT, nor does it affect users of Windows 95, 98, or Me.
I've installed several hotfixes and don't remember the exact order, but I do know that the last hotfix I installed was for a Microsoft security bulletin issued in mid-December. Am I at risk of having earlier hotfixes removed?
Probably not. Even though the version numbers of the catalog files were not incremented, each new hotfix issued included a catalog file that listed all of the previous hotfixes. So when you installed a hotfix in response to a mid-December security bulletin, it installed on your system a catalog file that listed all of the previous hotfixes. Unless you ran SFC.EXE between the time when you installed the earlier hotfixes and the time when you installed that last hotfix, all of your hotfixes are almost certainly still in place and the catalog will protect them from being removed from your system.
You've said a lot about the different risk scenarios. How likely is it that I've actually had hotfixes removed from my system because of this issue?
To the best of our knowledge, it's very unlikely. Microsoft has tested systems internal to Microsoft and at customer locations to see whether this issue has caused the removal of hotfixes. We've found very few cases in which hotfixes have been removed from operational systems. However, because there is a potential for the problem to arise, we do encourage you to run QFECHECK.EXE and follow its recommendations as discussed below.
Is there still a risk to my system from downloading and installing hotfixes?
No. As soon as Microsoft discovered this problem, we began to evaluate its scope and take corrective action. As of December 19, 2000, Microsoft updated all of the Windows 2000 post Service Pack 1 hotfixes on its web sites to include valid catalogs. Installing any of those hotfixes will not expose you to new occurrences of this problem. However, if Windows File Protection was triggered while an incorrect catalog was present on your system, some of the hotfixes that you installed previously may have been removed.
I've not installed any hotfixes on my system yet. What impact does this issue have on me?
If you did not install any hotfixes on your system before December 19, 2000, this issue has no effect on you at all. However, we would encourage you to review the other Microsoft Security Bulletins at http://www.microsoft.com/technet/security/current.mspx and to follow their guidance and install patches as appropriate to your environment and your concerns about the security of your system.
How can I tell whether I've actually had hotfixes removed from my system as a result of this issue?
Microsoft has released a tool, QFECHECK.EXE designed to help customers manage operating system updates in their environment. One of the benefits of this tool is that it will detect any anomalies with hotfix installation and will allow customers to determine if their systems have been affected by this issue.
If I am affected, what should I do?
QFECHECK.EXE will advise you of the actions you should take if you are affected. The tool may tell you to reapply one or more specific hotfixes, that your catalog file is not consistent with the set of hotfixes on your system, or that your system is in a consistent state and no action is required. Knowledge Base article 282784 provides details on the installation and use of QFECHECK.EXE.
QFECHECK.EXE produces information about hotfixes in the form of a Q number. How do I tell whether a Q number corresponds to a security bulletin?
Knowledge base article 281767 includes a table that lists the Q numbers for hotfixes that were associated with security bulletins. The table tells you which security bulletin is associated with each Q number.
How do I keep this problem from affecting my system in the future?
If QFECHECK.EXE tells you to reinstall a hotfix and you download a new copy of that hotfix, the catalog file packaged with the hotfix will correct the problem and prevent it from reoccurring. If you are not required to reinstall a hotfix, QFECHECK.EXE may tell you that the catalog file on your system is inconsistent with the set of installed hotfixes. In this case, you should install the "catalog-only hotfix" listed in the security bulletin. This hotfix updates the catalog file on your system to a current one that will prevent the problem from occurring in the future.
If QFECHECK.EXE tells me to reapply hotfixes, must I reapply them in a specific order?
No. The hotfixes that are now available for download can be applied in any order. No matter what order they are applied in, they will not make your system subject to having hotfixes removed inappropriately.
Is this issue a result of a flaw in the Windows File Protection technology?
No, this issue resulted from a human error in the packaging of hotfixes. The Windows File Protection technology is sound and functioning as it is supposed to. It's also important to point out that this issue does not provide a hostile party with a capability to change the configuration of your Windows 2000 system.
Does this issue only affect security hotfixes?
No, this issue affects all hotfixes. However, we are communicating it through our security bulletin process because many customers have installed security hotfixes and because we want to ensure that customers have complete and timely information about any issue that might affect their security hotfix configurations.
I have installed security hotfixes. How do I ensure that my system is protected from any potential security problems?
You should run QFECHECK.EXE and follow the guidance it provides. The tool will tell you whether your system is safe as it is, or whether you need to reinstall one or more hotfixes, or whether you should install the catalog-only hotfix that is listed in the security bulletin. Once you have run QFECHECK.EXE and followed the guidance it provides, you needn't worry further about this issue.
Who should use QFECHECK.EXE?
Microsoft recommends that Windows 2000 (English language version) customers who downloaded and installed one or more post Service Pack 1 hotfixes (whether security or not) through December 18, 2000 download and run QFECHECK.EXE.
QFECHECK.EXE has been built to help customers quickly identify and validate the hotfixes that have been applied to their systems. Microsoft also encourages customers to run this tool as needed to identify the hotfixes that are present in their environments.
What does QFECHECK.EXE do?
QFECHECK.EXE compares the current hotfix catalog on your system, the record in the registry of hotfixes that have been installed on your system, and the actual set of protected system files on your system. It notes any inconsistencies and provides you with guidance on how to return your system to the intended (latest) hotfix configuration.
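The consistency check the bulletin attributes to QFECHECK.EXE (compare the registry record of installed hotfixes, the current catalog and the protected files on disk, then recommend reapplying specific hotfixes, installing the catalog-only hotfix, or doing nothing) can be sketched as follows. This is an added Python example, not Microsoft's tool; the record layout, the placeholder Q numbers and the file contents are constructed for the illustration.

```python
"""Three-way reconciliation in the spirit of what this bulletin says QFECHECK.EXE
does. Constructed example added here, not Microsoft's tool: the record layout,
the placeholder Q numbers and the file contents are assumptions."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def intended_state(record: list) -> dict:
    """record: installed hotfixes in build order, each (qnumber, {file: hash}).
    A file should carry the hash from the last hotfix that shipped it, so later
    hotfixes supersede earlier ones. Returns file -> (hash, qnumber)."""
    intended = {}
    for qnumber, files in record:
        for name, digest in files.items():
            intended[name] = (digest, qnumber)
    return intended


def check(record: list, catalog: dict, disk: dict) -> tuple:
    """Verdicts, in the order the bulletin lists them:
      ('reapply', [qnumbers])   a hotfix's file is missing or rolled back on disk;
                                the re-downloaded package also brings a good catalog
      ('catalog_only', [files]) every file is intact but the catalog certifies a
                                different hash, so only the catalog needs updating
      ('consistent', [])        nothing to do"""
    reapply, stale = [], []
    for name, (digest, qnumber) in intended_state(record).items():
        on_disk = sha256(disk[name]) if name in disk else None
        if on_disk != digest:
            if qnumber not in reapply:
                reapply.append(qnumber)
        elif catalog.get(name) != digest:
            stale.append(name)
    if reapply:
        return ("reapply", reapply)
    if stale:
        return ("catalog_only", stale)
    return ("consistent", [])


# Constructed sample data; the Q numbers are placeholders, not real KB articles.
BASE_B = b"b.dll base build"
Q1_A = b"a.dll from first hotfix"
Q2_A, Q2_B = b"a.dll from second hotfix", b"b.dll from second hotfix"
RECORD = [
    ("Q000001", {"a.dll": sha256(Q1_A)}),
    ("Q000002", {"a.dll": sha256(Q2_A), "b.dll": sha256(Q2_B)}),  # supersedes a.dll
]


def scenario_rolled_back() -> tuple:
    """An older catalog displaced the newer one and SFC ran: a.dll is back to the
    first hotfix's build and b.dll is back to the base build."""
    catalog = {"a.dll": sha256(Q1_A), "b.dll": sha256(BASE_B)}
    disk = {"a.dll": Q1_A, "b.dll": BASE_B}
    return check(RECORD, catalog, disk)


def scenario_stale_catalog() -> tuple:
    """Same stale catalog, but SFC has not run, so the files are still intact."""
    catalog = {"a.dll": sha256(Q1_A), "b.dll": sha256(BASE_B)}
    disk = {"a.dll": Q2_A, "b.dll": Q2_B}
    return check(RECORD, catalog, disk)


def scenario_consistent() -> tuple:
    catalog = {"a.dll": sha256(Q2_A), "b.dll": sha256(Q2_B)}
    return check(RECORD, catalog, {"a.dll": Q2_A, "b.dll": Q2_B})


if __name__ == "__main__":
    for fn in (scenario_rolled_back, scenario_stale_catalog, scenario_consistent):
        print(fn.__name__, "->", fn())
```

The supersession rule in `intended_state` matters: a file shipped by two hotfixes must be checked against the later one, otherwise a correctly updated system would be flagged for the earlier hotfix. The "reapply" verdict takes precedence over "catalog only" because, as the bulletin notes, a re-downloaded hotfix carries a corrected catalog of its own.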
It sounds like QFECHECK.EXE is not restricted to checking for this issue. Does it have more general applicability?
QFECHECK.EXE is a general-purpose tool that system administrators can use to manage the hotfix status of the Windows 2000 machines they are responsible for. It will identify and validate any set of updates that have previously been applied to a system and report the current Service Pack level, and the status of each additional update that has been applied. You can use the tool to ensure that you have installed the appropriate set of hotfixes or that you've applied the same set of hotfixes across a set of similar machines. Microsoft encourages administrators to use QFECHECK.EXE to help manage the hotfix configurations of their systems.
How do I use QFECHECK.EXE?
Knowledge Base article 282784 contains detailed instructions for using QFECHECK.EXE.
Where can I get QFECHECK.EXE?
The download location for QFECHECK.EXE is provided in the "Tool and Patch Availability" section of the security bulletin.
Where can I get the catalog-only hotfix?
The download location for the catalog-only hotfix is provided in the "Tool and Patch Availability" section of the security bulletin.
Who should install the catalog-only hotfix?
Microsoft recommends that Windows 2000 (English language version) customers who downloaded and installed one or more post Service Pack 1 hotfixes (whether security or not) through December 18, 2000, and who were advised by QFECHECK.EXE that their catalog files were inconsistent with the set of hotfixes on the system, should download and install the catalog-only hotfix.
How can I tell if I installed QFECHECK.EXE correctly?
Knowledge Base article 282784 provides a manifest that lists the size and creation date of the files in the QFECHECK.EXE package. The easiest way to verify that you've installed the tool correctly is to verify that these files are present on your computer and have the same size and creation date as shown in the KB article.
How can I tell if I installed the catalog-only hotfix correctly?
Knowledge Base articles 281767 and 285083 provide manifests that list the size and creation date of the files in the catalog-only hotfix packages for Windows 2000 SP1 and Windows 2000 Gold systems. The easiest way to verify that you've installed the hotfix correctly is to verify that the correct file is present on your computer, and has the same size and creation date as shown in the appropriate KB article.
What is Microsoft doing about this issue?
• Microsoft has updated the catalog files so as to correct the problem in all of the hotfixes it distributes - whether through Windows Update, the Download Center, or Microsoft Product Support Services.
• Microsoft has developed a tool that advises users on steps to eliminate any potential vulnerability.
• Microsoft has provided a catalog-only hotfix that updates the catalog on a Windows 2000 system to prevent the problem from arising in the future.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued Knowledge Base articles 281767, 285083, and 282784 explaining the issue and procedure in more detail.
• Microsoft has significantly improved our hotfix creation process and internal testing to avoid the risk of this and similar problems in the future.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.