Microsoft Security Bulletin (MS99-052): Frequently Asked Questions
What's this bulletin about?
This bulletin announces the availability of a patch that eliminates a security vulnerability in Microsoft® Windows® 95 and 98. The vulnerability could allow someone to retrieve a previous user's Windows NT® network credentials from a machine under certain circumstances. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerabilities?
The vulnerability affects Windows 95 and 98 machines that are used to access Windows NT networks; it does not affect Windows 98 Second Edition. When a user logs onto a Windows NT network using a Windows 95 or 98 workstation, his or her network credentials are stored on the local machine for use during the network session. This vulnerability could allow a malicious user to subsequently retrieve the credentials, potentially allowing him or her to access the previous user's network information.
It would be difficult, but not impossible, for a malicious user to target a specific user's credentials via this vulnerability. The vulnerability cannot be exploited remotely, so the malicious user would need physical access to the other user's workstation. They could only recover the most recent user's credentials, and even then only if the machine had not been rebooted. This vulnerability cannot be exploited accidentally; it requires deliberate action on the part of the attacker.
What's the cause of the vulnerability?
The vulnerability results because of a legacy caching mechanism that was developed in Microsoft Windows for Workgroups® 3.11. In Windows for Workgroups, networking commands were performed via command-line utilities like the "NET" command. The first time a networking command was used, the user was prompted for his or her network password, and it was stored in RAM in plaintext. Subsequent networking commands would check to see if the password was available and, if so, use the RAM-based one rather than re-prompting the user for it.
Windows 95 and 98 implemented a far stronger caching mechanism that stores only hashed passwords, never plaintext ones. However, a partial implementation of the Windows for Workgroups legacy mechanism was separately carried forward into the design of Windows 95 and 98. This alternate, less secure mechanism is what causes the vulnerability. It is possible to use certain function calls to query the legacy cache in Windows 95 and 98 and thereby obtain the plaintext password.
The presence of the legacy mechanism was discovered before Windows 98 Second Edition shipped, and it was removed from the product. As a result, Windows 98 Second Edition is not affected by the vulnerability.
Will logging off the workstation purge the cache?
No. The cache is not purged by logging off. The user would need to reboot the machine to purge the cache.
What does the patch do?
The patch removes the vulnerability by eliminating the legacy caching mechanism. Because the legacy mechanism was not fully implemented in Windows 95 and 98, it is not a useful implementation for legitimate purposes, and Microsoft is not aware of any applications that make use of it. The legacy caching mechanism is not present in Windows 98 Second Edition.
Where can I get the patch?
The download location for the tool is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
Knowledge Base article 168115 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
| • | Microsoft has developed a patch that eliminates the vulnerability. |
| • | Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch. |
| • | Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins. |
| • | Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail. |
Where can I learn more about best practices for security?
The Microsoft Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
