Microsoft Security Bulletin (MS99-057): Frequently Asked Questions
What's this bulletin about?
Microsoft Security Bulletin MS99-057 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows NT 4.0. The vulnerability could allow a malicious user to cause a Windows NT machine to crash. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
Why was the patch for this vulnerability included in the "Syskey Keystream Reuse" patch?
Both vulnerabilities affect the same operating system component, the Local Security Authority (LSA). We combined the two patches so that customers could eliminate both vulnerabilities with a single patch.
If the patches are combined, why did you release two bulletins?
Normally, if a patch corrects multiple vulnerabilities, we issue a single security bulletin that discusses all of them. However, the "Syskey Keystream Reuse" vulnerability and the "Malformed Security Identifier Request" vulnerability are both relatively complicated, and we decided to discuss them separately for clarity.
What's the scope of the vulnerability?
This is a denial of service vulnerability. A malicious user could use this vulnerability to cause a Windows NT machine to crash, but it would not allow him or her to compromise any data on the machine or usurp administrative control over it. It's extremely unlikely that the specific invalid request would be made accidentally. An affected machine could be put back into service by rebooting it.
What causes the vulnerability?
The vulnerability results because a function in the LSA does not correctly handle a particular type of invalid argument. This function, LsaLookupSids(), will cause the LSA to crash when it receives such an argument.
What is the LSA, and what does it do?
The LSA provides security services for Windows NT. Among other tasks, it authenticates all logon requests, adjudicates users' privileges and determines whether they can access requested resources, and oversees the security auditing functions. The loss of the LSA through this vulnerability essentially renders the machine unable to perform any useful work, because all requests for services are denied by default.
What is LsaLookupSids()?
LsaLookupSids() is a function provided by the LSA. Using this function, a user with sufficient privileges can provide the names of users or security groups, and receive the Security Identifier (SID) associated with them. (The SID is a number that uniquely identifies every user or group on the machine).
When a user calls LsaLookupSids(), Windows NT verifies that he or she has sufficient privileges before fulfilling the request. This vulnerability does not change this in any way; there is no capability through this vulnerability to bypass the security check. However, the crash occurs before the check is made, so any user, regardless of privilege, could levy the request and cause the LSA to crash.
Could this vulnerability by exploited remotely?
It's possible to call LSA functions remotely. However, doing so requires NetBios; if normal recommended security practices are followed, NetBios will be filtered at the firewall, preventing the request from reaching the machine.
Does this vulnerability affect Windows 2000?
No.
What does the patch do?
The patch provides logic to LsaLookupSids() that allows it to correctly handle the invalid argument at issue here.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
Knowledge Base article 248185 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
| • | Microsoft has developed a patch that eliminates the vulnerability. |
| • | Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch. |
| • | Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins. |
| • | Microsoft has issued Knowledge Base article explaining the vulnerability and patch in more detail. |
Where can I learn more about best practices for security?
The Microsoft Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
