What's this bulletin about?
Microsoft Security Bulletin MS99-021 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows NT® that could be used to create a denial of service condition on a machine that allows interactive logons. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a denial of service vulnerability only. It does not provide the opportunity to compromise data or obtain any additional privileges on the machine.
The machines chiefly at risk are ones that allow users to interactively log onto them and either run programs or install services. This is because the situation that creates the denial of service condition must be initiated on the target machine itself, and cannot be directly caused from a remote machine.
Are all Windows NT machines equally likely to be affected?
No. The machines chiefly at risk are Windows NT servers, and only if they allow normal users to interactively log onto them. To understand why this is so, you need to understand what causes the vulnerability. You should also understand that normal recommended security practices militate against allowing anyone but administrators to interactively log onto servers, so domain controllers, ERP servers, file servers and other servers are unlikely to be affected by this vulnerability.
What causes the vulnerability?
The vulnerability affects CSRSS.EXE, the Win32 subsystem. CSRSS provides Windows NT services to client processes running on the local machine; when a client process requests a Win32 service, CSRSS generates a worker thread to service the request. If all worker threads are occupied, the request waits in a queue until one of the threads completes its work and becomes available.
The underlying cause of the vulnerability is the way in which CSRSS handles requests that require user input. A worker thread that needs user input will display a message box and wait for the user to provide the needed information, and will remain occupied until it receives the input. If all of the worker threads in CSRSS are waiting for user input, they can't service any other requests, which effectively causes the machine to hang until the user input is provided. Once user input is received, processing returns to normal.
OK, now tell me why all Windows NT machines aren't equally likely to be affected?
Windows NT workstations are unlikely to be affected, because the user can always provide the information that's requested, and so can prevent the supply of worker threads from being exhausted. Windows NT terminal servers are also unlikely to be affected, because each user session has its own pool of worker threads; a user who exhausted the worker thread supply would affect only himself or herself and, as in the case of a workstation, the user could always provide the information that's requested and resume normal processing.
However, all processes on a Windows NT Server share a common copy of CSRSS, so if one user exhausted the worker threads and did not provide the needed input, all processes on the server would hang, including those of other users. It's worth reiterating, though, that there is rarely a good reason to allow normal users to interactively log onto servers.
How does the patch eliminate the vulnerability?
The patch changes how worker threads are allocated by CSRSS. If CSRSS is down to its last worker thread, it will not use it to service a request that requires user input; instead, it will service the first queued request that doesn't require it.
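The worker-pool behaviour described in the two answers above can be illustrated with a small scheduling model. This is an added example, not code from the bulletin or from Microsoft; the pool size, request names and the request list are constructed, and the only point it demonstrates is the difference between handing every free worker to the next queued request and reserving the last worker for requests that do not need user input.

```python
from collections import deque

# Constructed model of the CSRSS worker-pool policy the bulletin describes.
# A request is (name, needs_input). A request that needs input parks its
# worker on a message box until a user answers; all other requests complete
# immediately. No real Win32 calls are involved.

def schedule(requests, pool_size, reserve_last_thread):
    """Dispatch queued requests onto pool_size workers.

    reserve_last_thread=False models the unpatched behaviour: any free worker
    takes the next queued request, so once every worker is parked on a message
    box nothing else is serviced.  reserve_last_thread=True models the patched
    policy: when only one worker is free it skips requests that need input and
    services the first queued request that does not.
    Returns (serviced, blocked, still_queued) as lists of request names.
    """
    queue = deque(requests)
    busy = 0                       # workers currently waiting for user input
    serviced, blocked = [], []
    while queue and busy < pool_size:
        free = pool_size - busy
        if reserve_last_thread and free == 1:
            # Last free worker: find the first request that will not block it.
            idx = next((i for i, (_, needs) in enumerate(queue) if not needs), None)
            if idx is None:
                break              # everything queued needs input; keep it free
            name, _ = queue[idx]
            del queue[idx]
            serviced.append(name)
            continue
        name, needs_input = queue.popleft()
        if needs_input:
            busy += 1              # this worker is now parked on a message box
            blocked.append(name)
        else:
            serviced.append(name)
    return serviced, blocked, [name for name, _ in queue]

# Constructed workload: four requests that need input, two that do not.
WORKLOAD = [("msgbox-1", True), ("msgbox-2", True), ("msgbox-3", True),
            ("open-file", False), ("msgbox-4", True), ("draw-window", False)]

if __name__ == "__main__":
    for reserve in (False, True):
        print("reserve_last_thread=%s:" % reserve, schedule(WORKLOAD, 3, reserve))
```

With the unpatched policy the three workers are all parked on message boxes and the two requests that need no input never run; with the patched policy those two complete while two message-box requests wait in the queue.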
What should customers do?
Microsoft recommends that customers assess the risk that this vulnerability poses to their safe computing and determine whether or not to apply the patch. The download location for the patch is provided in the security bulletin.
What is Microsoft doing about this issue?
• Microsoft has developed a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for my network?
The Microsoft Security web site is the best place to get information about Microsoft security. A particularly helpful reference regarding best practices for servers is Securing Windows NT Server Installation, which details recommended settings for Windows NT servers.
How do I get technical support on this issue?
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.