Why has Microsoft issued a new security update for Windows 2000 Service Pack 2?
Subsequent to the original release of this bulletin Microsoft extended the support of Windows NT Workstation 4.0 and Windows 2000 Service Pack 2. A security update is now available from Microsoft Product Support Services for customers running Windows 2000 Service Pack 2. Contact Microsoft Product Support Services to obtain this additional security update.
What's the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could gain unwarranted privileges on a system. In this case, the attacker could gain full administrative privileges, thereby gaining the ability to take any action they want on the machine, such as adding, deleting, or modifying data on the system, creating or deleting user accounts, and adding accounts to the local administrators group. The vulnerability could only be exploited by an attacker who had credentials to log on to the computer interactively. Best practices suggest that unprivileged users not be allowed to interactively log on to business-critical servers; if this guidance has been followed, such servers would not be at risk from this vulnerability. Instead, the systems primarily at risk would be workstations and terminal servers.
What causes the vulnerability?
The vulnerability results because it is possible for an unprivileged user to cause code to be executed by a highly privileged process on the interactive desktop using Utility Manager in combination with a specially crafted Windows message.
What are Accessibility utilities?
Microsoft recognizes its responsibility to develop technology that is accessible and usable to everyone, including those with disabilities. Therefore all Microsoft products are designed with functionality and utilities to assist in enabling those with disabilities to use the features of the products. These utilities are known as Accessibility utilities. Windows 2000 contains several utilities and technologies to provide accessibility within the product. A detailed list of these utilities can be found at:
http://www.microsoft.com/enable/products/windows2000/features.aspx
Where does Microsoft document the available Accessibility options in its products?
More information on accessibility options within Microsoft Products can be found at the Microsoft Accessibility Web site at:
http://www.microsoft.com/enable/
What is the Utility Manager?
Utility Manager is an accessibility utility that allows users to check the status of accessibility programs (Microsoft Magnifier, Narrator, On-Screen Keyboard) and to start or stop them.
What do you mean by a "desktop"?
Normally, when we refer to a "desktop" we mean the Windows desktop created by Explorer that you see on your screen during a Windows session. However, in the Windows security architecture, the term "desktop" actually has a different meaning. Desktops are used to encapsulate windows and related objects in Windows in order to ensure that a process is properly restricted to only authorized activities. It's easier to explain what a desktop is and how it works if we start with the layer of granularity above the desktop, the windowstation.
What's a windowstation?
A windowstation is a container that contains a clipboard, some global information, and a set of one or more desktops. The interactive windowstation assigned to the logon session of the interactive user also contains the keyboard, mouse, and display device. The interactive windowstation is visible to the user and can receive input from the user. All other windowstations are noninteractive, which means that they can't be made visible to the user and can't receive user input. A process can be associated with only one desktop at a time.
What's an interactive desktop?
A desktop is a container object that is contained within a window station. There may be many desktops contained within a windowstation.
A desktop has a logical display surface and contains windows, menus, and hooks. Only the desktops of the interactive window station can be visible and receive user input. On the interactive windowstation, only one desktop at a time is active. This active desktop, also referred to as the interactive desktop or input desktop, is the one that is currently visible to the user and that receives user input.
What are Windows messages?
Processes running on Windows interact with the system and other processes using messages. For instance, each time the user hits a key on the keyboard, moves the mouse, or clicks a control such as a scroll bar, Windows generates a message, the purpose of which is to alert the program that a user event has occurred, and deliver the data from that event to the program. Similarly, a program can generate messages as a way of allowing the various windows it controls to communicate with and task each other.
What's wrong with the way Windows messages are handled by the Windows 2000 Utility Manager?
The flaw actually lies in the way Utility Manager handles messages when presenting the list of available accessibility functions to the user. Utility Manager does not properly validate Windows messages sent to it. If Utility Manager is running on the system, it's possible for another process running on the system to send a specially crafted message to the Utility Manager process in the interactive desktop. The first process could set the address of the callback function, with the result being that the second process would execute the callback function specified by the first.
Why does this pose a security vulnerability?
Essentially, the flaw in Utility Manager would provide a way for one process on the interactive desktop to cause the Utility Manager to do its bidding. If the second process had higher privileges, this would provide a way for the first to exercise them.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited the vulnerability could first start Utility Manager, then could create a process that would levy requests upon the Utility Manager once it was running. In default configurations of Windows 2000, Utility Manager is installed but not running. Exploiting the vulnerability in such a case would enable the attacker to gain complete control over the system.
Who could exploit the vulnerability?
To exploit the vulnerability, the attacker would need the ability to log on to the system, start Utility Manager, load a program of his or her choice (one that sent a message to Utility Manager and specified a callback function that would perform some desired task), and run it.
What versions of the Utility Manager are vulnerable to this attack?
Only the Windows 2000 version of Utility Manager contains the vulnerability. Windows NT Workstation 4.0, Windows NT Server 4.0, Windows NT Server 4.0 Terminal Server Edition, Windows XP, and Windows Server 2003 are not affected.
What systems are primarily at risk from the vulnerability?
In general, workstations and terminal servers would be mainly at risk. Servers would only be at risk if unprivileged users had been given the ability to log on to them and run programs, but best practices strongly discourage allowing this.
Could the vulnerability be exploited from the Internet?
No. The attacker would need the ability to log on to the specific system he or she wished to attack. There is no capability to load and run a program in the interactive desktop remotely.
What does the patch do?
The patch addresses the vulnerability by changing the handling of Windows messages by the Utility Manager so that messages are properly validated and an unregistered callback function cannot be called.
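As an added illustration (not Microsoft's code and not the Utility Manager source), the following C model contrasts the pre-patch pattern the bulletin describes, a message handler that jumps to a code address carried in the message, with the patched pattern, a handler that only ever calls callbacks it registered itself. The message struct, the message id and the callback names are constructed assumptions; the Win32 API is not used so the model runs anywhere.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a window message: an id plus the two parameter
 * words a Windows message carries (wParam/lParam). Not the Win32 MSG type. */
typedef struct { uint32_t msg; uintptr_t wparam; uintptr_t lparam; } message_t;

#define MSG_RUN_CALLBACK 0x0401u  /* hypothetical application-defined message id */

typedef void (*callback_fn)(void);
static int counter;  /* observable side effect: records which callback ran */
static void cb_start_magnifier(void) { counter += 1; }
static void cb_stop_magnifier(void)  { counter += 10; }
static void cb_foreign(void)         { counter += 1000; }  /* code the handler never registered */

/* Pre-patch pattern: the message carries a code address and the handler
 * jumps to it, so whoever can post the message chooses what runs. */
static bool dispatch_unvalidated(const message_t *m) {
    if (m->msg != MSG_RUN_CALLBACK) return false;
    ((callback_fn)m->lparam)();
    return true;
}

/* Patched pattern: the message carries an index into a table the handler
 * owns; the index is bounds-checked and any address in lParam is ignored. */
static const callback_fn registered[] = { cb_start_magnifier, cb_stop_magnifier };
#define N_REGISTERED (sizeof registered / sizeof registered[0])

static bool dispatch_validated(const message_t *m) {
    if (m->msg != MSG_RUN_CALLBACK) return false;
    if (m->wparam >= N_REGISTERED) return false;  /* unregistered callback: dropped */
    registered[m->wparam]();
    return true;
}

/* Run one message through a dispatcher; returns the work observed, or -1
 * if the dispatcher rejected the message. */
static int run_and_count(bool (*dispatch)(const message_t *), const message_t *m) {
    counter = 0;
    return dispatch(m) ? counter : -1;
}

int main(void) {
    message_t foreign = { MSG_RUN_CALLBACK, 7, (uintptr_t)cb_foreign };  /* unregistered target */
    printf("unvalidated: %d\n", run_and_count(dispatch_unvalidated, &foreign));  /* 1000 */
    printf("validated:   %d\n", run_and_count(dispatch_validated, &foreign));    /* -1 */
    return 0;
}
```

The validated dispatcher treats the message purely as a request selector, which is the property the patch restores: a sender can ask for a registered action but cannot supply the code that performs it.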