What's this bulletin about?
Microsoft Security Bulletin MS99-023 announces the availability of a patch that eliminates a denial of service vulnerability in Microsoft® Windows NT®. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a denial of service vulnerability. By running a program that has a specific type of invalid data in the so-called image header, a Windows NT machine could be made to crash. The vulnerability does not destroy any data on the machine (although any work in progress on the machine at the time that it crashed would be lost), nor does it allow users to gain elevated privileges.
The security bulletin says this patch was delivered as part of Windows NT 4.0 Service Pack 5. Why are you providing it as a stand-alone patch as well?
Some customers have locked down their systems in preparation for Y2K and may have chosen not to upgrade to Service Pack 5. Microsoft is therefore delivering a standalone version of every patch, which can be applied to Service Pack 4.
I've already applied Service Pack 5. What do I need to do?
Nothing. This patch was included in Windows NT 4.0 Service Pack 5. If you've applied the service pack, you've already got the patch.
What's an Image Header?
Every executable file contains an image header that is produced as part of the link process and describes how the program will use system resources: where it will reside in memory, how big the stack is, and so on. If the data in the image header is malformed in a particular way, it will cause the machine on which the program is run to crash. The machine can be put back into service by rebooting.
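As an added illustration (not part of the bulletin and not Microsoft code), this sketch reads the image-header fields the answer mentions, where the image resides in memory and how big the stack is, from a PE32 file and runs generic structural consistency checks. The bulletin does not describe the specific malformation, so these checks are not a detector for it; `build_sample` and `inspect_image_header` are hypothetical names, and the sample header is constructed.

```python
import struct

PE32_MAGIC = 0x10B

def build_sample(sections=1):
    """Constructed minimal PE32 header for the demo (sample data, not a runnable program)."""
    lfanew = 0x80
    buf = bytearray(lfanew + 24 + 224 + 40 * sections)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, lfanew)                 # e_lfanew
    buf[lfanew:lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", buf, lfanew + 4, 0x14C, sections)  # Machine, NumberOfSections
    struct.pack_into("<H", buf, lfanew + 20, 224)              # SizeOfOptionalHeader
    opt = lfanew + 24
    struct.pack_into("<H", buf, opt, PE32_MAGIC)
    struct.pack_into("<III", buf, opt + 28, 0x400000, 0x1000, 0x200)  # ImageBase, alignments
    struct.pack_into("<II", buf, opt + 72, 0x100000, 0x1000)   # stack reserve, commit
    return bytes(buf)

def inspect_image_header(data):
    """Return (fields, problems); generic checks only, not the MS99-023 malformation."""
    fields, problems = {}, []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return fields, ["missing MZ header"]
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):
        return fields, ["e_lfanew points outside the file"]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return fields, ["missing PE signature"]
    (nsect,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    if opt_size < 96 or opt + opt_size > len(data):
        return fields, ["optional header truncated"]
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != PE32_MAGIC:
        return fields, ["not a PE32 optional header"]
    fields["image_base"], sect_align, file_align = struct.unpack_from("<III", data, opt + 28)
    fields["stack_reserve"], fields["stack_commit"] = struct.unpack_from("<II", data, opt + 72)
    fields["sections"] = nsect
    if opt + opt_size + 40 * nsect > len(data):
        problems.append("section table runs past end of file")
    if file_align == 0 or sect_align < file_align:
        problems.append("inconsistent alignment values")
    if fields["stack_commit"] > fields["stack_reserve"]:
        problems.append("stack commit exceeds stack reserve")
    if fields["image_base"] % 0x10000:
        problems.append("image base not 64 KB aligned")
    return fields, problems
```
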
What causes the Image Header to be malformed?
The particular malformation that causes this vulnerability is not produced accidentally. A person must edit an executable file and take deliberate steps to malform its image header in a particular way.
What's the threat from this vulnerability?
The vulnerability poses two threats to safe computing. First, a program with a malformed image header could be sent to an unsuspecting user as part of a mail bomb or similar attack. If the user ran the program, it would crash their machine. Second, a malicious user who had been given the ability to run programs on a server could run a program with a malformed image header in order to crash the machine and prevent other users from being able to use it.
What machines are at risk from this vulnerability?
The vulnerability affects all Windows NT machines. However, the actual threat depends largely on which of the two scenarios (discussed above) an attacker chose to use. If the executable were simply sent to users, then any machine could be affected - it would simply be a matter of the attacker getting the executable into the hands of the victim and convincing them to run it.
Fewer machines would be affected by the second scenario, because it would require that the attacker be able to log onto the target machine interactively. Terminal Servers typically do allow normal users to log on and run programs, and so would be at risk. However, servers such as domain controllers, print and file servers, ERP servers and the like are unlikely to be affected if normal security practices are observed, because recommended security practices militate against allowing users to log on interactively to servers like these. It's unlikely that workstations would be affected by this scenario, as the attacker would only deny service to himself or herself.
What should customers do?
Microsoft recommends that customers assess the risk that this vulnerability poses to their safe computing and determine whether or not to apply the patch. The download location for the patch is provided in the security bulletin.
What is Microsoft doing about this issue?
• Microsoft has developed a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
• Microsoft will provide technical details about the vulnerability to the International Computer Security Association's Intrusion Detection Consortium, to ensure that security vendors can incorporate this information into their products.
Where can I learn more about best practices for my network?
The Microsoft Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.