Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-038)

What's this bulletin about?
Microsoft Security Bulletin MS99-038 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows® 95, 98 and Windows NT® 4.0. The vulnerability could allow an attacker to perform source routing via a Windows 95, 98 or Windows NT machine even if the administrator had configured the system to prevent it. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it. In addition to eliminating the vulnerability, the patch provides additional functionality that extends the ability to control source routing.

What's the scope of the vulnerability?
When classified by the usual taxonomy of security vulnerabilities, source routing doesn't appear at first to be a significant vulnerability. It doesn't allow an attacker to alter any data on a network, or to usurp any administrative control. At best, it could be classified as a denial of service attack, since it would force the targeted routers and network infrastructure to expend resources that might otherwise not be used.
However, source routing does have the potential to pose a serious threat to safe computing, because of its role in allowing other vulnerabilities to be exploited. Malicious users find source routing to be an invaluable way to discover information about a network that can be used in future attacks. When mounting certain attacks, source routing allows an attacker to control the flow of information in a way that makes the attack possible.

What's the vulnerability?
Windows NT 4.0 Service Pack 5 introduced the ability to disable source routing through a multi-homed Windows NT machine. However, even when Service Pack 5 is installed and source routing is disabled, it is possible to include valid but incorrect information in the packet's route pointer in order to cause source routing to happen anyway.
Windows 95 and 98 also provide the ability to act as a router, and Windows 98 Second Edition provides the ability for multiple machines to share a single Internet connection via its Internet Connection Sharing technology, and these implementations also are affected by the vulnerability. However, Windows NT is chiefly affected by the vulnerability, as Windows NT machines are far more likely to be used as routers or Internet gateways in large networks than Windows 95 or 98 machines.

What's source routing?
Under normal conditions, the sender of a TCP/IP data packet exercises no control over how the packet gets to its destination. The sender simply sends the packet and relies on intermediate routers to dynamically select the best route, as determined by network traffic, router availability and other factors. It's entirely possible that every packet going between Point A and Point B could take a different route.
Source routing allows the sender of the packet to specify the route that a packet must take in traveling to the destination. If the selected route is not available for any reason, the packet would not be delivered. If the recipient replied to the packets, the response would follow the same route.

Why is source routing a security problem?
Source routing is a legitimate activity in some cases. For instance, it can be used to discover the IP addresses of routers within a network. However, it also has the potential for misuse. A malicious user could use source routing to learn more about a network that he or she is targeting for attack. Data packets contain information about where they have been and what machines they have transited. A malicious user might send data into a network in order to collect information about the network's topology. If he or she can perform source routing, he or she can probe the network more effectively by forcing packets into specific parts of the network.
Source routing also enables certain types of attacks. For example, suppose an attacker is unable to attack Company A because it has a well-configured firewall, but learns that Company B, which has no firewall, is allowed to directly connect to Company A behind its firewall. Source routing would allow the attacker to direct packets to Company A via Company B and circumvent the firewall.

What is a route pointer, and how is it involved in this vulnerability?
The route pointer is one of the fields in a TCP/IP data packet. It keeps track of which hops in the route list the packet already has visited. By manipulating this information to provide incorrect information to the router, a malicious user can bypass the anti-source routing controls in the affected products.
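The packet-level view of source routing and the route pointer described above, as an added example that is not Microsoft's code or part of the bulletin: a Python filter that parses the IPv4 loose and strict source route options (LSRR/SSRR), reports the pointer state the way RFC 791 defines it, and models the FAQ's two controls (block forwarding of source-routed packets; block receiving them) as separate switches. The direction test (destination is one of our own addresses means "receive", otherwise "forward"), the packet builder and the sample packets using documentation addresses are assumptions constructed for the example. The defensive point it demonstrates is that the drop decision keys on the presence of the option, never on the sender-controlled pointer.

```python
"""Detect IPv4 source-route options (LSRR/SSRR) and apply a drop policy.

Added example, not Microsoft's code. The receive/forward split and the
sample packets are constructed assumptions for illustration.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# IPv4 option type values (RFC 791).
IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137   # loose / strict source and record route


@dataclass
class SourceRoute:
    kind: str          # "loose" or "strict"
    length: int        # option length byte (type + length + pointer + addresses)
    pointer: int       # 1-based offset of the next hop from option start; minimum legal value 4
    hops: List[str]    # route list as dotted quads


def _dotted(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_source_route(packet: bytes) -> Optional[SourceRoute]:
    """Walk the IPv4 options area; return the first LSRR/SSRR option, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    i = 20
    while i < ihl:
        t = packet[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl or packet[i + 1] < 2 or i + packet[i + 1] > ihl:
            raise ValueError("malformed option length")
        n = packet[i + 1]
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            if n < 3:
                raise ValueError("source route option too short")
            addrs = packet[i + 3 : i + n]
            hops = [_dotted(addrs[j:j + 4]) for j in range(0, len(addrs) - len(addrs) % 4, 4)]
            return SourceRoute("loose" if t == IPOPT_LSRR else "strict", n, packet[i + 2], hops)
        i += n
    return None


def pointer_state(route: SourceRoute) -> str:
    """Interpret the pointer as RFC 791 does. Every state here is chosen by the sender,
    so a filter must not rely on it to decide whether the packet is source routed."""
    if route.pointer < 4 or (route.pointer - 4) % 4:
        return "malformed"
    if route.pointer + 3 <= route.length:
        return "hops-remaining"      # next hop is route.hops[(pointer - 4) // 4]
    return "past-end"                # pointer claims the route is already exhausted


def source_route_filter(packet: bytes, local_addrs, *,
                        block_forward: bool = True, block_receive: bool = True) -> str:
    """Verdict for one packet. 'receive' = destination is one of our own addresses,
    'forward' = passing through us as a router (simplified model; an assumption)."""
    route = parse_source_route(packet)
    if route is None:
        return "accept"
    direction = "receive" if _dotted(packet[16:20]) in local_addrs else "forward"
    blocked = block_receive if direction == "receive" else block_forward
    verdict = "drop" if blocked else "accept"
    return f"{verdict} {direction} {route.kind}-source-route pointer={pointer_state(route)}"


# --- constructed sample packets (documentation addresses, not real hosts) ---
def _aton(a: str) -> bytes:
    return bytes(int(o) for o in a.split("."))


def ipv4_checksum(h: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    options += b"\x00" * (-len(options) % 4)          # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    h = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 1, 0, 64, 6, 0,
                    _aton(src), _aton(dst)) + options
    return h[:10] + struct.pack("!H", ipv4_checksum(h)) + h[12:]


def source_route_option(hops: List[str], pointer: int = 4, strict: bool = False) -> bytes:
    data = b"".join(_aton(h) for h in hops)
    return bytes([IPOPT_SSRR if strict else IPOPT_LSRR, 3 + len(data), pointer]) + data


if __name__ == "__main__":
    me = {"198.51.100.5"}
    plain = build_ipv4("192.0.2.10", "198.51.100.5")
    routed = build_ipv4("192.0.2.10", "198.51.100.5",
                        source_route_option(["203.0.113.1", "203.0.113.2"]))
    exhausted = build_ipv4("192.0.2.10", "198.51.100.5",
                           source_route_option(["203.0.113.1"], pointer=12))
    for p in (plain, routed, exhausted):
        print(source_route_filter(p, me))
```

With both switches left at their defaults the filter drops every packet that carries a source route option, whichever direction it is travelling and whatever the pointer says; setting block_receive to False reproduces the narrower forward-only control, which is the gap the FAQ's additional functionality closes.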

What does the patch do?
The patch restores correct functioning to the anti-source routing features. It prevents packets with spoofed route pointers from being able to perform source routing. It also provides additional functionality that improves customers' ability to control source routing.

What is the additional functionality?
The original functionality provided the ability to prevent a Windows 95, 98 or Windows NT machine from forwarding source routed packets. The patch adds the capability to prevent them from receiving source routed packets as well.

What's the difference, and why is it important?
The original functionality allowed administrators to prevent source routing attacks via machines that are used as routers. If source routing is disabled, a multi-homed machine that acts as a router will not forward any packets that request source routing. The additional functionality extends this protection to non-routing machines, whether single- or multi-homed. Source routing attacks can be mounted against these machines as well, and the new functionality can be used to defend against such attacks.

How could a source routing attack be mounted against a non-routing machine?
Source routing attacks sometimes "bounce" packets off a non-routing machine in order to spoof the packets as having come from that machine. For example, if a single-homed machine is outside of a firewall, an attacker might send source-routed packets to that machine, which would then forward them onward to an address inside the firewall. Depending on the specific firewall configuration, packets from the target machine might be allowed to pass through the firewall, thereby providing the attacker with a way to penetrate it.

What machines require the patch?
The patch only needs to be applied to multi-homed Windows 95, 98 or Windows NT machines that are used as routers. However, customers who want to take advantage of the additional functionality it provides may also choose to download the patch and apply it to non-routing machines as appropriate.

Can I add anti-source routing to a Windows NT 4.0 SP4 machine by applying this patch?
No. The patch extends the anti-source routing features that were delivered in SP5, but it cannot be used to add the features if they don't already exist. If you are running Windows NT 4.0 SP4 and need anti-source routing features, the best course is to install Windows NT 4.0 SP5 and then apply the patch.

Where can I get the patch?
The download location for the patch is provided in the security bulletin: http://www.microsoft.com/technet/security/bulletin/ms99-038.mspx

Why are you releasing the Windows NT patch before the Windows 95 and 98 patch?
The machines primarily at risk from the vulnerability are multi-homed machines that serve as routers. Windows NT machines are used far more frequently in this role than Windows 95 or 98 machines are, particularly in large networks. Microsoft is releasing the Windows NT patch immediately in order to protect as many customers as possible, as quickly as possible.

Is Windows NT 4.0 Server, Terminal Server Edition, affected by this vulnerability?
No. Originally, this bulletin reported that Terminal Server was affected, but this is no longer true. As noted above, anti-source routing features were provided for Windows NT 4.0 as part of Service Pack 5. Terminal Server Service Pack 5 has not yet been released, and Microsoft will make the necessary changes to ensure that anti-source routing features in Terminal Server do not contain the vulnerability.

How can I tell if I installed the patch correctly?
Knowledge Base article 238453 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?
Microsoft has developed a patch that eliminates the vulnerability.
Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.

Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.
Specific information on how to disable source routing in Windows NT 4.0 Service Pack 5 can be found in Microsoft Knowledge Base Article 217336.

How do I get technical support on this issue?
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
