What's this bulletin about?
Microsoft Security Bulletin MS99-024 announces the availability of a patch that eliminates a vulnerability that could allow denial of service attacks against a Microsoft® Windows NT® machine by disabling the keyboard or mouse. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
The vulnerability could allow denial of service attacks against a Windows NT machine by enabling a malicious user to disable the mouse and keyboard. The machine would need to be rebooted to restore the mouse and keyboard. This vulnerability does not allow any data to be compromised, nor does it allow any elevation of privileges.
Why is this vulnerability called the "Unprotected IOCTL" vulnerability?
First, let's explain what an IOCTL is. Windows NT provides the ability for applications to directly request services of device drivers. The interface through which this is done is called an Input/Output Control, or IOCTL. Like all operating system services, some IOCTLs are appropriate for normal users to use and others should be reserved for privileged users only. The root problem in this vulnerability is that the IOCTLs for the mouse and keyboard are unprotected (that is, available for use by normal users) when they should not be.
This doesn't sound so bad. Why is this a security vulnerability?
For workstations and servers, this poses a denial of service threat because the mouse and keyboard are not returned to service when the user logs off. For example, if a kiosk workstation allowed users to run arbitrary programs, or if a server allowed normal users to log on interactively and run arbitrary programs, a malicious user could disable the machine's keyboard and mouse, thereby preventing the machine's use until it had been rebooted. It's worth noting that normal security practices recommend against allowing either of these situations - kiosk workstations should restrict users to running only approved applications, and servers should generally allow only administrators to log on interactively.
For terminal servers, a malicious user could use this vulnerability to disable not only the keyboard and mouse on the local machine, but also those on the console. This would not interfere with any of the ongoing terminal server sessions, but the server would need to be rebooted in order to restore the console's mouse and keyboard.
How does the patch eliminate the vulnerability?
The patch prevents normal user-level applications from being able to access certain IOCTLs.
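The root cause described above (a device-control request that any user can issue) and the approach the patch takes (refusing it to normal user-level callers) can be modelled in user-mode C; this is an added illustration, not Microsoft's patch or driver code, and the bulletin does not describe how the patch itself gates access. It assumes the standard Windows CTL_CODE encoding, under which the I/O manager rejects a device-control request from a handle that lacks the access bits the control code requires; the control codes and the device and handle structures are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constants as defined in the Windows SDK (winioctl.h / ntddk.h). */
#define METHOD_BUFFERED      0
#define FILE_ANY_ACCESS      0
#define FILE_READ_ACCESS     0x0001
#define FILE_WRITE_ACCESS    0x0002
#define FILE_DEVICE_KEYBOARD 0x0000000b
/* CTL_CODE stores the access a caller's handle must hold in bits 14..15. */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))
#define IOCTL_REQUIRED_ACCESS(code) (((code) >> 14) & 0x3u)
#define IOCTL_FUNCTION(code)        (((code) >> 2) & 0xfffu)

/* Hypothetical control codes for this illustration (0x800 is the first
 * vendor-defined function number); they are not the real driver's codes. */
#define IOCTL_DISABLE_UNPROTECTED CTL_CODE(FILE_DEVICE_KEYBOARD, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_DISABLE_PROTECTED   CTL_CODE(FILE_DEVICE_KEYBOARD, 0x800, METHOD_BUFFERED, FILE_WRITE_ACCESS)

typedef struct { bool keyboard_enabled; } device_t;   /* modelled device state */
typedef struct { uint32_t granted_access; } handle_t; /* access the handle was opened with */

/* Models the I/O manager's check on a device-control request: the handle must hold
 * every access bit the code demands, or the request never reaches the driver.
 * With FILE_ANY_ACCESS the required mask is 0, so the check always passes. */
static int simulated_device_io_control(const handle_t *h, uint32_t code, device_t *dev)
{
    uint32_t required = IOCTL_REQUIRED_ACCESS(code);
    if ((h->granted_access & required) != required)
        return -1; /* stands in for STATUS_ACCESS_DENIED */
    if (IOCTL_FUNCTION(code) == 0x800)
        dev->keyboard_enabled = false; /* the driver's privileged action */
    return 0;
}

/* Scenario: a normal user opened the device read-only (what a restrictive device
 * DACL would grant) and sends the disable request through each control code. */
bool unprotected_request_disables_keyboard(void)
{
    device_t dev = { true }; handle_t h = { FILE_READ_ACCESS };
    return simulated_device_io_control(&h, IOCTL_DISABLE_UNPROTECTED, &dev) == 0 && !dev.keyboard_enabled;
}

bool protected_request_is_rejected(void)
{
    device_t dev = { true }; handle_t h = { FILE_READ_ACCESS };
    return simulated_device_io_control(&h, IOCTL_DISABLE_PROTECTED, &dev) == -1 && dev.keyboard_enabled;
}

int main(void) { return unprotected_request_disables_keyboard() && protected_request_is_rejected() ? 0 : 1; }
```

Whether a normal user can obtain a handle with write access is decided by the device object's DACL, so the access bits in the control code only help when that DACL denies write access to unprivileged users.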
What should customers do?
Microsoft recommends that customers assess the risk that this vulnerability poses to their safe computing and determine whether or not to apply the patch. The download location for the patch is provided in the security bulletin.
What is Microsoft doing about this issue?
• Microsoft has developed a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
• Microsoft will provide technical details about the vulnerability to the International Computer Security Association's Intrusion Detection Consortium, to ensure that security vendors can incorporate this information into their products.
Where can I learn more about best practices for my network?
The Microsoft Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.