What's this bulletin about?
Microsoft Security Bulletin MS01-008 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows NT 4.0. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a privilege elevation vulnerability. If an attacker successfully exploited this vulnerability, she would gain complete control over the machine. This would allow her to take any desired action on the machine, such as adding, deleting, or modifying data on the system, creating or deleting user accounts, and adding accounts to the local administrators group.
In order to exploit this vulnerability, the attacker would need to already have the ability to execute code on the local system. This means the attacker would need the ability to log onto the machine interactively and run code on the system. By default, unprivileged users cannot interactively log onto NT4 Domain Controllers, and these machines would therefore be at less risk from this vulnerability.
What causes the vulnerability?
The NTLM Security Support Provider (NTLMSSP) service (present on every NT 4.0 system) contains a flaw that could enable a local user account to initiate a specially formed request to the NTLMSSP service that would execute arbitrary code with LocalSystem security privileges.
Commands executed with LocalSystem privileges are run with privileges equal to or greater than a local administrator account. With these privileges, the specified commands could take any action on the machine, including adding the locally logged-on user to the local administrators group.
What is NTLMSSP?
The NTLMSSP service handles authentication requests associated with the NTLM protocol. This service operates as part of the NT4 operating system and is enabled by default.
How could an attacker exploit this vulnerability?
She would first need the ability to log on to the machine interactively with valid user credentials. Once logged on, she would need to copy custom code to the machine, or run it from a floppy disk or CD-ROM on the local machine. The custom code would need to contain specifically formatted requests that initiate communication with the NTLMSSP service and cause it to execute the arbitrary code of her choice.
What could the attacker do if she exploited this vulnerability?
An attacker could use this vulnerability to run any code she wanted in the LocalSystem context - that is, as the operating system itself. This would allow her to take any desired action on the machine.
Could this vulnerability be exploited remotely?
No. The attacker's program would need to run locally on the machine. This means that the attacker would need the ability to log onto the machine interactively and start her program. This is an important point, because, if normal security restrictions are observed, unprivileged users will not be able to log onto critical machines such as servers, and would as a result be unable to attack them.
Is this vulnerability present in Windows 2000? What about Windows NT 4.0 systems that were upgraded to Windows 2000?
The NTLMSSP service in Windows 2000 is not vulnerable to this flaw. Systems that were upgraded from NT 4.0 to Windows 2000 are also not susceptible to this flaw.
Who should use the patch?
Microsoft recommends that Windows NT 4.0 users consider installing the patch.
What does the patch do?
The patch eliminates the vulnerability by properly handling requests made to the NTLMSSP service.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How do I use the patch?
Knowledge Base article 280119 (available soon) contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
The Knowledge Base article 280119 (available soon) provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
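The check described above (every file in the patch manifest present, with the listed size and creation date) is easy to script. The following is an added illustration, not Microsoft's code and not the contents of KB article 280119: the file names, sizes and dates in EXAMPLE_MANIFEST are constructed placeholders, and the real manifest must be copied from the KB article once it is available.

```python
"""Compare a patch file manifest against the files actually installed.

Added example for the "How can I tell if I installed the patch correctly?"
question. The manifest below is CONSTRUCTED for demonstration; it is not
the manifest from KB 280119.
"""
import os
import tempfile
from datetime import date, datetime

# Constructed placeholder manifest: file name -> (expected size in bytes,
# expected creation date). Replace with the entries from the KB article.
EXAMPLE_MANIFEST = {
    "example_a.dll": (1024, date(2001, 2, 1)),
    "example_b.dll": (2048, date(2001, 2, 1)),
}


def check_manifest(system_dir, manifest, check_dates=True):
    """Return {file name: problem} for every manifest entry that does not
    match the installed file. An empty dict means the patch verified."""
    problems = {}
    for name, (expected_size, expected_date) in manifest.items():
        path = os.path.join(system_dir, name)
        if not os.path.isfile(path):
            problems[name] = "missing"
            continue
        st = os.stat(path)
        if st.st_size != expected_size:
            problems[name] = "size %d != %d" % (st.st_size, expected_size)
            continue
        if check_dates:
            # On Windows st_ctime is the file creation time, which is what
            # a KB manifest lists. On Unix it is the inode change time, so
            # the date comparison is only meaningful on Windows.
            actual = datetime.fromtimestamp(st.st_ctime).date()
            if actual != expected_date:
                problems[name] = "date %s != %s" % (actual, expected_date)
    return problems


def make_demo_dir(contents):
    """Create a temporary directory with constructed files of the given
    sizes (name -> size) to stand in for the system directory."""
    d = tempfile.mkdtemp()
    for name, size in contents.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"\0" * size)
    return d


if __name__ == "__main__":
    # Demonstration against constructed files, e.g. in place of
    # C:\WINNT\system32 on a real NT 4.0 machine.
    good = make_demo_dir({"example_a.dll": 1024, "example_b.dll": 2048})
    print("good install:", check_manifest(good, EXAMPLE_MANIFEST, check_dates=False))
    bad = make_demo_dir({"example_a.dll": 1000})
    print("bad install:", check_manifest(bad, EXAMPLE_MANIFEST, check_dates=False))
```

Run it with the real manifest against the system directory; a non-empty result lists exactly which files are missing or have the wrong size or date, which is what you would need to re-apply the patch for.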
What is Microsoft doing about this issue?
• Microsoft has delivered a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article (available soon) explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.