TechNet Home > TechNet Security > Bulletins

Microsoft Security Bulletin (MS00-026)

Patch Available for "Mixed Object Access" Vulnerability

Originally Posted: April 20, 2000

Summary

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows® 2000 that could, under very specific conditions, allow a malicious user to change information in the Active Directory that he should not be able to change.

Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-026.mspx

Top of section

General Information

Issue

Active Directory allows for access control of directory objects on a per-attribute basis. However, the vulnerability at issue here could allow a malicious user to modify object attributes that he does not have permission to modify, as long as he combined the operation in a particular way with ones involving attributes that he does have permission to modify.

The vulnerability does not afford the malicious user an opportunity to modify all objects in a class - only the specific class objects for which he has permission to modify at least one attribute. Further, the vulnerability provides no capability to bypass normal authentication or Windows 2000 auditing, so administrators could determine if this vulnerability were being exploited, and by whom.

Affected Software Versions

•

Windows 2000 Server

•

Windows 2000 Advanced Server

Note The vulnerability only affects the above products when they are used as domain controllers.

Vulnerability Identifier: CVE-2000-0311

Top of section

Patch Availability

•	http://www.microsoft.com/downloads/details.aspx?FamilyId=7237F230-A28B-447B-9034-6654DD7CD05E&displaylang=en Note Additional security patches are available at the Microsoft Download Center

Top of section

More Information

Please see the following references for more information related to this issue.

•	Frequently Asked Questions: Microsoft Security Bulletin MS00-026, http://www.microsoft.com/technet/security/bulletin/fq00-026.mspx
•	Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.mspx

Obtaining Support on this Issue

This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.

Acknowledgments

Microsoft thanks Sebastien Malbois of Bouygues Construction for reporting this issue to us and working with us to protect customers.

Revisions

•	April 20, 2000: Bulletin Created.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Top of section

Top of page