What's this bulletin about?
Microsoft Security Bulletin MS99-034 announces the availability of a patch that eliminates a vulnerability in the TCP/IP stack implementations of Microsoft® Windows® 95, 98 and Windows NT® 4.0. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability could allow denial of service attacks against an affected machine. The effect of an attack using this vulnerability varies widely depending upon system loading and other factors, but could range from minor slowdowns in system performance, to loss of some networking functionality, to a crash of the affected machine.
The machines chiefly at risk from this vulnerability are Windows 95 and 98 machines that are networked via TCP/IP. The vulnerability exists in Windows NT 4.0 as well, but other system mechanisms in Windows NT 4.0 make a successful attack much more difficult.
An attacker could mount a remote attack via this vulnerability. However, the success of such an attack would depend on a number of factors. For example, some firewalls, and some desktop security packages as well, will detect and drop the malformed data packets that exploit this vulnerability. Likewise, a slow network connection could give an affected machine time to recover from such an attack.
What causes the vulnerability?
The vulnerability lies in the implementation of the TCP/IP stack. A series of fragmented IGMP packets causes an affected system to access invalid memory, which can cause system services to fail or can cause the machine to crash altogether.
What are IGMP packets?
IGMP (Internet Group Management Protocol) is one of the protocols in the TCP/IP protocol suite. It's used to allow IP multicasting, wherein data is sent to an IP address which may reach multiple hosts. Typically, a single IGMP packet is sent to set up a multicast, and the multicast data itself is carried by UDP packets.
Various other protocols also use the IGMP protocol number for their own messages. These include the Distance Vector Multicast Routing Protocol (DVMRP), version 1 of the Protocol Independent Multicast (PIM) routing protocol, and the MRInfo and multicast traceroute (Mtrace) protocols. Because they use the IGMP protocol number, fragmented packets sent via these protocols could cause the same problems as fragmented IGMP packets.
The vulnerability is unrelated to the IGMP functionality. Instead, it results from the specific way that Windows 95, 98 and Windows NT handle fragmented packets. There is no inherent security risk associated with using IGMP.
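The filtering that firewalls and desktop security packages perform keys on two IPv4 header fields: the protocol number (2, shared by IGMP, DVMRP, PIM version 1, MRInfo and Mtrace) and the fragmentation flags and offset. The following is an added detection example, not code from Microsoft or from the bulletin; the sample packets and addresses are constructed for illustration.

```python
import socket
import struct
from collections import Counter

IPPROTO_IGMP = 2      # also carried by DVMRP, PIMv1, MRInfo and Mtrace
MF_FLAG = 0x2000      # "more fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units

def parse_ipv4(pkt):
    """Return (proto, more_frags, offset_bytes, src, dst) or None if not IPv4."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        return None
    return (proto, bool(flags_frag & MF_FLAG), (flags_frag & OFFSET_MASK) * 8,
            socket.inet_ntoa(src), socket.inet_ntoa(dst))

def fragmented_igmp_sources(packets):
    """Count protocol-2 fragments per (src, dst) pair."""
    hits = Counter()
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue
        proto, more_frags, offset, src, dst = parsed
        # A fragment is any datagram with MF set or a non-zero offset.
        if proto == IPPROTO_IGMP and (more_frags or offset):
            hits[(src, dst)] += 1
    return hits

def make_header(proto, flags_frag, src, dst, payload_len=8):
    """Constructed test data: a bare IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       flags_frag, 64, proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + bytes(payload_len)

SAMPLE = [  # constructed traffic using documentation addresses
    make_header(2, 0x0000, "192.0.2.10", "224.0.0.1"),     # unfragmented IGMP
    make_header(2, MF_FLAG, "192.0.2.66", "192.0.2.20"),   # first fragment
    make_header(2, 0x0001, "192.0.2.66", "192.0.2.20"),    # last fragment
    make_header(17, MF_FLAG, "192.0.2.10", "192.0.2.20"),  # fragmented UDP
    b"\x60" + bytes(39),                                   # IPv6, skipped
]

if __name__ == "__main__":
    for (src, dst), n in fragmented_igmp_sources(SAMPLE).items():
        print(f"{src} -> {dst}: {n} fragmented protocol-2 packets")
```

Because the match is on the protocol number rather than on IGMP message types, it also covers the other protocols that share that number.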
Could a legitimate multicast program cause my machine to crash?
Yes. In particular, several legitimate debugging utilities use fragmented IGMP packets and could cause your machine to crash unless the patch is applied. In addition, there are several malicious programs that send fragmented IGMP packets, solely for the purpose of crashing an affected machine.
The patch will protect systems against attack, and also ensure that Windows 95, 98 and Windows NT 4.0 will operate correctly with any legitimate programs that may need to send fragmented IGMP packets.
Are all machines equally affected?
No. Windows 95 and 98 machines are the machines primarily affected by this vulnerability. The stack implementation in Windows NT 4.0 contains the vulnerability, but other system mechanisms decrease the likelihood of adverse effects. During exhaustive testing, we were never able to successfully attack a Windows NT 4.0 machine using this vulnerability.
If Windows NT 4.0 isn't likely to be affected, why did you make a patch for it?
We developed the patch because, even though it is very difficult to successfully attack a Windows NT machine using this vulnerability, Windows NT does not correctly process fragmented IGMP packets. This means that any legitimate programs that send fragmented IGMP packets would not work correctly with Windows NT unless we developed a patch.
I'm running Windows NT. Should I apply the patch?
Windows NT contains the same vulnerability, but other system mechanisms decrease the likelihood of experiencing adverse effects. We recommend that customers consider applying the patch, for two reasons. First, as long as the vulnerability is present, it is conceivable that it could be exploited. Second, legitimate programs may need the ability to send fragmented IGMP packets, and applying the patch would ensure that Windows NT 4.0 works correctly with them.
Have any users been affected by this vulnerability?
There are several malicious programs available that target a particular machine and send the malformed packets to it. However, to the best of our knowledge, no Windows NT machines have been affected by this vulnerability.
What should customers do?
Microsoft recommends that customers assess the risk that this vulnerability poses to their safe computing and determine whether or not to apply the patch. The download location for the patch is provided in the security bulletin.
How can I tell if I installed the patch correctly?
Knowledge Base article 238329 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
1. Microsoft has developed a patch that eliminates the vulnerability.
2. Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
3. Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
4. Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
5. Microsoft will provide technical details about the vulnerability to the International Computer Security Association's Intrusion Detection Consortium, to ensure that security vendors can incorporate this information into their products.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.
"Securing Windows NT Installation" provides security best practices for Windows NT. ("Securing Windows NT Installation" can be found in the Security section of TechNet.)
How do I get technical support on this issue?
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.