Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-033)

What's this bulletin about?
Microsoft Security Bulletin MS99-033 announces the availability of a patch that eliminates a vulnerability in the Telnet client that ships as part of Microsoft® Windows® 95 and 98. The vulnerability could allow a web page to run arbitrary code on the computer of a user who visited it. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
The vulnerability could allow a web page to take unauthorized action on the computer of a user who visited the page. Specifically, it could do anything on the computer that the user could do. This generally would include creating, deleting or modifying files, reformatting the hard drive, sending data to or from a web page, and other actions.
The vulnerability is limited by the fact that the malformed arguments must be passed via a web browser. Some web browsers, such as the version of Internet Explorer that ships with Windows 98 Second Edition, prevent the malformed argument from being passed to the Telnet client, and users would not be vulnerable to this attack even if they had an otherwise-affected Telnet client.

What's the vulnerability?
The Telnet client has an unchecked buffer in part of the code that processes program arguments. If a specially-malformed argument were provided, it could overflow the buffer and be used to execute arbitrary code via a classic buffer overrun technique. The malformed argument would need to be carefully constructed, and this attack could not happen by accident.
Exploiting a buffer overrun in general is not a simple task, and exploiting this one would be harder than usual because of the way that the overrun occurs. With that said, however, a single malicious user could develop a program that exploits this vulnerability and then share it with other malicious users.
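The unchecked-buffer pattern described above, next to a length-checked version, as an added illustration. This is not Microsoft's Telnet code; the function names, the `HOST_MAX` size and the sample arguments are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size for illustration; the FAQ does not give the real one. */
#define HOST_MAX 64

/* Unchecked pattern, for contrast: nothing compares the argument's
   length with the destination, so a long argument overruns host[]. */
void parse_host_unchecked(const char *arg, char *host)
{
    strcpy(host, arg);
}

/* Checked version: find the terminator within the space available,
   reject anything that does not fit, and never store a partial value.
   Returns 0 on success, -1 on rejection. */
int parse_host_checked(const char *arg, char *host, size_t host_len)
{
    const char *end;
    size_t n;

    if (arg == NULL || host == NULL || host_len == 0)
        return -1;
    host[0] = '\0';
    end = memchr(arg, '\0', host_len);   /* scan at most host_len bytes */
    if (end == NULL || end == arg)       /* too long, or empty */
        return -1;
    n = (size_t)(end - arg);
    memcpy(host, arg, n + 1);            /* n + 1 <= host_len, includes NUL */
    return 0;
}

int main(void)
{
    char host[HOST_MAX];
    char oversized[512];                 /* constructed sample input */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("short arg:     %d\n", parse_host_checked("host.example", host, sizeof host));
    printf("oversized arg: %d\n", parse_host_checked(oversized, host, sizeof host));
    return 0;
}
```

Rejecting the oversized argument outright, rather than truncating it, keeps the program from acting on a value the caller never supplied.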

If the vulnerability is in the Telnet client, why did Microsoft recommend applying a previous patch for IE as a workaround?
As discussed above, the version of Internet Explorer that ships with Windows 98 Second Edition prevents the malformed argument from being passed to the Telnet client. The IE patch that we recommended installing, the "Malformed Favorites Icon" patch, includes a similar change. The unchecked buffer in Telnet still remains, but is no longer exploitable via a web page.
Note: The "Malformed Favorites Icon" patch is a temporary workaround for Internet Explorer 5 only. Although a version of the patch is available for Internet Explorer 4.0, it does not protect against the "Malformed Telnet Argument" vulnerability.

Can this vulnerability only be exploited via a web browser?
No. The effect of a web browser is to make it possible to exploit this vulnerability remotely. It also would be possible to exploit the vulnerability locally. For instance, a malicious user might create a batch file that calls the Telnet client and causes the buffer overrun. However, it's worth keeping in mind that the larger issue in such an attack is the fact that the attacker could trick the user into running an untrusted batch file at all. The same attack could be carried out much more easily by simply putting the desired commands into the batch file and not bothering with the buffer overrun at all.

Unchecked buffers usually also provide an opportunity to crash the program. Is that the case here as well?
Yes. A web site operator could use this vulnerability to crash a user's web browser. However, there aren't any security ramifications from being able to do this. Simply crashing the web browser wouldn't endanger the user's data, nor would it allow the attacker to usurp any control over the machine. The user could simply restart the browser with no ill effects.

I have Windows 98 Second Edition. Do I still need to apply the patch?
Yes. The version of Internet Explorer included in Windows 98 Second Edition prevents malformed arguments from being passed to the Telnet client, but doesn't eliminate the underlying vulnerability in Telnet.

I applied the "Malformed Favorites Icon" patch to IE5. Do I still need to apply the patch?
Yes. The patch prevents malformed arguments from being passed to the Telnet client, but doesn't eliminate the underlying vulnerability in Telnet.

I use Windows NT®. Do I need the patch?
No. Windows NT is not affected by the vulnerability. The affected Telnet client only ships with Windows 95 and 98.

What does the patch do?
The patch loads a corrected version of the Telnet client.

Where can I get the patch?
The download location for the patch is provided in the security bulletin. Microsoft recommends that customers assess the risk that this vulnerability poses to their safe computing and determine whether or not to apply it.

How can I tell if I installed the patch correctly?
Click "Start", then "Find", then "Files or folders". Search for Telnet.exe. When it's found, right-click on the icon and select the "Version" tab. If the version is 5.0.1755.2, the patch has been installed correctly.

I keep hearing about buffer overruns in software. How widespread a problem is it?
Buffer overruns are an industry-wide problem. It's been estimated that over half of the security vulnerabilities reported in software products involve an unchecked buffer in some way.

What should customers do?
Microsoft recommends that customers assess the risk that this vulnerability poses to their safe computing and determine whether or not to apply the patch. The download location for the patch is provided in the security bulletin.

What is Microsoft doing about this issue?

Microsoft has developed a patch that eliminates the vulnerability.

Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.

Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.

Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.

Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.
The Internet Explorer Security web page contains information about IE security.

How do I get technical support on this issue?
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

