What's this bulletin about?
This bulletin announces the availability of a patch that eliminates a vulnerability in the Windows 95 and Windows 98 networking software. The vulnerability could cause the Windows machine to crash or to run arbitrary code.
What's the scope of the vulnerability?
The vulnerability could enable a malicious web site operator or the malicious sender of an e-mail message to exploit a buffer overrun on a user's Windows machine. The buffer overrun could crash the Windows machine, or cause arbitrary code to run on the machine. The primary danger in this vulnerability is that the buffer overrun would occur if a user simply browsed a malicious web page or displayed an e-mail message that was configured to exploit the vulnerability.
This vulnerability can affect a user even if the user follows what would normally be safe computing practices such as avoiding opening attachments from unknown senders and disabling macros unless they come from known and expected sources.
What is the vulnerability?
The vulnerability involves a buffer overrun in the Windows networking software that supports access to local and remote files. If this software is provided with a very long Universal Naming Convention (UNC) string, the UNC string will overrun the buffer provided. If the UNC string is random, it may cause the machine to crash. If the UNC string is specially formed, it can cause the machine to execute arbitrary code that could disclose, modify, or destroy data on the machine.
What is a UNC string?
A UNC string is a string such as \\machine\directory\file.dat that is used to specify the location of a file on the local machine or on a remote machine in a network.
Why is this called the "File Access URL" vulnerability?
While a user can cause the buffer overrun to occur by entering a long file name, the user does not normally pose a threat to his or her machine. The remote exploitation that poses a danger to users involves embedding a File:// URL or a UNC string in a web page or HTML e-mail message. If the user browses the page containing the File:// URL or UNC string or displays the e-mail message either in its own window or in the Preview Pane in Outlook Express, the buffer overrun will occur and the vulnerability will be triggered.
What is a file:// URL?
A file:// URL is a URL that is used to specify that a web browser or e-mail client is to open a specific file in its host machine's local or remote file system.
Why can't a user simply avoid web pages and e-mail messages that contain a file:// URL or UNC string?
URLs (and UNC strings which are treated similarly) are not normally visible in web pages or e-mail messages as they are displayed to a user.
Doesn't the vulnerability require the user to click on the file:// URL or UNC string in the malicious web page?
No. Simply displaying the web page or e-mail message is sufficient to cause the buffer overrun to occur.
Could the vulnerability be exploited no matter what e-mail reader the recipient uses?
No. It would only be effective if the e-mail reader allows HTML e-mails to be displayed. Outlook and Outlook Express are two e-mail readers that support HTML e-mail.
Why is this a patch to the Windows operating systems rather than to Internet Explorer and the e-mail readers?
Although an attack exploiting the vulnerability would appear through the browser or e-mail reader, the underlying vulnerability results from a buffer overrun in the Windows 95 and Windows 98 operating systems. We have corrected the buffer overrun at its source.
What does the patch do?
The patch changes the Windows networking software to eliminate the buffer overrun. The modified software simply returns an error when presented with a file name longer than the length of the buffer.
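The difference between the unchecked copy and the behavior described for the patch, shown as an added C example that is not Microsoft's code. The buffer size, function names, and error codes are assumptions; the bulletin does not state them.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF_LEN 260          /* assumed size; not given in the bulletin */
#define ERR_OK 0                  /* hypothetical error codes */
#define ERR_NAME_TOO_LONG (-1)
#define ERR_BAD_ARG (-2)

/* Unpatched pattern: copies until the terminator, whatever the length. */
void copy_path_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);             /* overruns dst when src needs > PATH_BUF_LEN bytes */
}

/* Patched pattern: measure first, return an error instead of truncating. */
int copy_path_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n;

    if (dst == NULL || src == NULL || dst_len == 0)
        return ERR_BAD_ARG;
    /* Bounded scan: never examine more than dst_len bytes of src. */
    for (n = 0; n < dst_len && src[n] != '\0'; n++)
        ;
    if (n == dst_len) {           /* no terminator within the buffer size */
        dst[0] = '\0';            /* leave the destination as an empty string */
        return ERR_NAME_TOO_LONG;
    }
    memcpy(dst, src, n + 1);      /* n + 1 <= dst_len, terminator included */
    return ERR_OK;
}

int main(void)
{
    char buf[PATH_BUF_LEN];
    char longname[1024];          /* constructed over-long UNC string */

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    memcpy(longname, "\\\\", 2);
    printf("short: %d\n",
           copy_path_checked(buf, sizeof buf, "\\\\machine\\directory\\file.dat"));
    printf("long:  %d\n", copy_path_checked(buf, sizeof buf, longname));
    return 0;
}
```

Rejecting the over-long name outright, rather than silently truncating it, also avoids opening a different file than the one the caller named.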
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
Knowledge Base article 245729 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
How common are buffer overrun vulnerabilities?
It's been estimated that anywhere from two-thirds to three-quarters of all computer security vulnerabilities involve a buffer overrun. They occur in all vendors' products, and are an industry problem. Microsoft is working hard to develop coding and testing methods that will reduce or eliminate buffer overrun vulnerabilities in its software.
What is Microsoft doing about this issue?
• Microsoft has developed a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.