What's this bulletin about?
This bulletin announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows NT. The vulnerability could be used to cause a Windows NT machine to stop responding to requests for service. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability poses a threat in two ways. The most straightforward use of this vulnerability would be in a denial of service attack. A malicious user could use this vulnerability to cause a Windows NT machine to become unresponsive to requests for various services, effectively removing it from service.
The vulnerability also could be used as one step in a more advanced attack. For example, there are scenarios in which a malicious user with sufficient access to a machine could configure diagnostic services to run selected software in the event of a crash, then use this vulnerability to induce such a crash. One such scenario has been publicized and will be the subject of an upcoming security bulletin.
Customers who already are following recommended security practices are much less likely to be affected by this vulnerability. Remote attacks via this vulnerability can be prevented by blocking NetBIOS at the firewall. Local attacks can be significantly reduced by disabling the ability of null sessions to submit enumeration requests.
What causes the vulnerability?
The Windows NT Service Control Manager (services.exe) does not handle a particular type of malformed request correctly, and such a request would cause the SCM to fail. This would have a broad impact on other services as well, because the SCM provides the ability for processes to communicate with each other through so-called named pipes. The loss of named pipes would cause many other services on the machine to stop responding to service requests.
What are named pipes?
Pipes allow processes to communicate with each other. A pipe is an area of memory that two or more processes share. When Process A wants to communicate with Process B, it puts data into the shared memory and sets a semaphore telling Process B to read it. There are two types of pipes:
• Anonymous pipes, which allow one-way communication from a parent process to a child process. They can only exist locally.
• Named pipes, which allow bi-directional communication between multiple processes. The processes can reside on different machines.
Because this vulnerability causes the SCM to fail, and with it named pipes, an attack via this vulnerability would prevent processes from communicating with each other, and thus prevent the affected machine from receiving and servicing requests.
Could an attack via this vulnerability be mounted remotely?
It's possible for the enumeration request to be made remotely. However, the request must be made via NetBIOS. As a general security practice, we recommend that NetBIOS be blocked at the firewall; if this has been done, an attack could not be mounted remotely.
How else can I prevent attacks via this vulnerability?
If you allow anonymous logons to your system, you can prevent them from mounting attacks via this vulnerability by removing their ability to submit enumeration requests. Microsoft Knowledge Base article 143474 discusses how to do this.
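The two mitigations above (NetBIOS blocked at the firewall, null sessions barred from enumeration) can be audited with the following script, which is an added example and not part of the bulletin. It assumes an administrator PowerShell session on a current Windows host for the registry check, that the RestrictAnonymous value is the control KB 143474 describes, that the external probe is run from a host outside the firewall, and that the host name is a placeholder.

```powershell
# Added audit script, not from the bulletin or from Microsoft.
# Assumptions: PowerShell 5+ (Test-NetConnection), run as administrator for the
# registry read; 'fileserver.example.test' is a placeholder for your own host.

# KB 143474's control: RestrictAnonymous = 1 stops anonymous (null-session) logons
# from submitting enumeration requests, the request path this bulletin relies on.
function Get-NullSessionRestriction {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $lsa -Name RestrictAnonymous `
                  -ErrorAction SilentlyContinue).RestrictAnonymous
    if ($null -eq $value) { $value = 0 }   # an absent value behaves as 0 (no restriction)
    [pscustomobject]@{
        RestrictAnonymous = $value
        NullSessionEnumerationBlocked = ($value -ge 1)
    }
}

# Perimeter check: run from OUTSIDE the firewall. The enumeration request must
# travel over NetBIOS, so the NetBIOS session service (TCP 139) should not be
# reachable from untrusted networks. A probe that fails is the desired result.
function Test-NetBiosBlocked {
    param([Parameter(Mandatory)][string]$ComputerName)
    $probe = Test-NetConnection -ComputerName $ComputerName -Port 139 `
                 -WarningAction SilentlyContinue
    [pscustomobject]@{
        ComputerName   = $ComputerName
        Port           = 139
        ReachableFromHere = $probe.TcpTestSucceeded
        BlockedAtFirewall = -not $probe.TcpTestSucceeded
    }
}

# Usage: local registry check, then the external NetBIOS probe.
Get-NullSessionRestriction | Format-List
Test-NetBiosBlocked -ComputerName 'fileserver.example.test' | Format-List
```

A result of BlockedAtFirewall = True together with NullSessionEnumerationBlocked = True means both mitigations the bulletin recommends are in place.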
Could an affected machine be put back into service?
Yes. The machine could be rebooted and put back into service. However, any work that was in progress when the attack occurred would be lost.
How could I tell that the machine had been attacked?
Because the vulnerability wouldn't cause the machine to crash, it might not be obvious that it was no longer providing any services. From the console, the machine would appear to be running normally. The only indication that the machine was not providing service would come from external sources.
Will Windows 2000 be affected by this vulnerability?
No.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
Knowledge Base article 246045 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
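The file check just described, as an added example that is not part of the bulletin or of KB 246045. The manifest entries below are placeholders; the real file names, sizes and creation dates must be taken from the KB article, and the directory is assumed to be the system directory where the patched files are installed.

```powershell
# Added example, not Microsoft's manifest. Replace the placeholder entries with
# the names, sizes (bytes) and creation dates listed in KB 246045.
$PatchManifest = @(
    @{ Name = 'PLACEHOLDER-FILE-1.dll'; Size = 0; Created = '1999-01-01' }
    @{ Name = 'PLACEHOLDER-FILE-2.exe'; Size = 0; Created = '1999-01-01' }
)

function Test-PatchManifest {
    param(
        [Parameter(Mandatory)][hashtable[]]$Manifest,
        [string]$Directory = "$env:SystemRoot\System32"   # assumed install location
    )
    foreach ($entry in $Manifest) {
        $path = Join-Path $Directory $entry.Name
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        $expectedDate = [datetime]::Parse($entry.Created).Date
        if ($null -eq $file) {
            $status = 'MISSING'
        } elseif ($file.Length -ne $entry.Size) {
            $status = 'SIZE MISMATCH'
        } elseif ($file.CreationTime.Date -ne $expectedDate) {
            $status = 'DATE MISMATCH'
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{
            File         = $entry.Name
            ExpectedSize = $entry.Size
            ActualSize   = if ($file) { $file.Length } else { $null }
            ExpectedDate = $expectedDate.ToShortDateString()
            ActualDate   = if ($file) { $file.CreationTime.ToShortDateString() } else { $null }
            Status       = $status
        }
    }
}

# Any row whose Status is not OK means the patch is not installed correctly.
Test-PatchManifest -Manifest $PatchManifest | Format-Table -AutoSize
```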
What is Microsoft doing about this issue?
• Microsoft has developed a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.