SECURITYVULNS:DOC:5252
Oct 16, 2003 - 12:00 a.m.

Microsoft Security Bulletin MS03-045


Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)
Issued: October 15, 2003
Version Number: 1.0

Summary
Who Should Read This Document: Customers using Microsoft® Windows®

Impact of Vulnerability: Local Elevation of Privilege

Maximum Severity Rating: Important

Recommendation: Customers should install this security patch at the earliest opportunity

Patch Replacement: None

Caveats: None

Tested Software and Patch Download Locations:

Affected Software:
Microsoft Windows NT Workstation 4.0, Service Pack 6a – Download the patch
Microsoft Windows NT Server 4.0, Service Pack 6a – Download the patch
Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 – Download the patch
Microsoft Windows 2000, Service Pack 2 – Download the patch
Microsoft Windows 2000 Service Pack 3, Service Pack 4 – Download the patch
Microsoft Windows XP Gold, Service Pack 1 – Download the patch
Microsoft Windows XP 64 bit Edition – Download the patch
Microsoft Windows XP 64 bit Edition Version 2003 – Download the patch
Microsoft Windows Server 2003 – Download the patch
Microsoft Windows Server 2003 64 bit Edition – Download the Patch
Non Affected Software:
Microsoft Windows Millennium Edition
The software listed above has been tested to determine if the versions are affected. Other versions are no longer supported, and may or may not be affected.

Technical Details
Technical Description:

A vulnerability exists because the ListBox control and the ComboBox control both call a function, which is located in the User32.dll file, that contains a buffer overrun. The function does not correctly validate the parameters that are sent from a specially-crafted Windows message. Windows messages provide a way for interactive processes to react to user events (for example, keystrokes or mouse movements) and to communicate with other interactive processes. A security vulnerability exists because the function that provides the list of accessibility options to the user does not correctly validate Windows messages that are sent to it. One process in the interactive desktop could use a specific Windows message to cause the ListBox control or the ComboBox control to execute arbitrary code. Any program that implements the ListBox control or the ComboBox control could allow code to be executed at an elevated level of administrative credentials, as long as the program is running at an elevated level of privileges (for example, Utility Manager in Windows 2000). This could include third-party applications.

An attacker who had the ability to log on to a system interactively could run a program that could send a specially-crafted Windows message to any applications that have implemented the ListBox control or the ComboBox control, causing the application to take any action an attacker specified. This could give an attacker complete control over the system by using Utility Manager in Windows 2000.

Mitigating factors:

An attacker must have valid logon credentials to exploit the vulnerability. The vulnerability could not be exploited remotely.
Properly-secured systems are at little risk from this vulnerability. Standard best practices recommend only allowing trusted users to log on to systems interactively.
Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 are affected by this vulnerability in the ListBox control and in the ComboBox control. However, in Windows XP and in Windows Server 2003, Utility Manager runs under the context of the logged-on user and does not allow for elevation of privileges. Windows NT 4.0 does not implement Utility Manager.

Severity Rating:

Microsoft Windows NT 4.0 Low
Microsoft Windows NT Server 4.0, Terminal Server Edition Low
Microsoft Windows 2000 Important
Microsoft Windows XP Low
Microsoft Windows Server 2003 Low

The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0659

Workarounds
Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability; however, they help block known attack vectors. Workarounds may cause a reduction in functionality in some cases; in such situations this is identified below.

Disable the Utility Manager on all affected systems that do not need this feature through software policies
Since the Utility Manager Service is a possible attack vector, it can be disabled by using software restriction policies within Active Directory or within the Local Security Policy. The Utility Manager process name is utilman.exe. You may use the following software restriction policy guides to help prevent users from accessing this file:

Using Software Restriction Policies to Protect Against Unauthorized Software
HOW TO: Use Software Restriction Policies in Windows Server 2003 (324036)
Protect Your System from Viruses (Using Software Restriction Policies)
To create new software restriction policies
Impact of Vulnerability:
The Utility Manager Service provides many of the accessibility features of the operating system. These would be unavailable until the restrictions are removed.

Frequently Asked Questions
What is the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability on Windows 2000 could gain complete control over a system. This would give the attacker the ability to take any action that they want on a system such as adding, deleting, or modifying data. It could also give the attacker the ability to create or to delete user accounts, or to add accounts to the local administrators group.

The vulnerability could only be exploited by an attacker who has credentials to log on to the computer interactively. Since restricted users are not normally permitted to log on to mission-critical servers, this vulnerability is primarily of concern on workstations and terminal servers.

Any application that has implemented the ListBox control or the ComboBox control, which is in the User32.dll file, could allow code to be executed at an elevated level of privileges, as long as the program is running at an elevated level of privileges (for example, the Utility Manager utility in Windows 2000). This could include third-party applications.

What causes the vulnerability?
A vulnerability results because the ListBox control and the ComboBox control both call a function, which is located in the User32.dll file, that contains a buffer overrun. The function does not correctly validate the parameters that are sent from a specially-crafted Windows message.

What is Utility Manager?
Utility Manager is an accessibility utility that allows users to check the status of accessibility programs (for example, Microsoft Magnifier, Narrator, or On-Screen Keyboard) and to start or to stop them.

What are Windows messages?
Processes that run on Windows interact with the system and other processes by using messages. For example, each time the user presses a key on the keyboard, moves the mouse, or clicks a control such as a scroll bar, Windows generates a message. The purpose of this message is to alert the program that a user event has occurred and to deliver the data from that event to the program. Similarly, a program can generate messages to allow the various windows that it controls to communicate with each other.

What is wrong with the way that Windows messages are handled by the List Box control?
The vulnerability lies in the function that both the ListBox control and the ComboBox control use to handle messages when the controls present the list of available accessibility functions to the user. The function that is called does not correctly validate Windows messages that are sent to it. When Utility Manager is running on Windows 2000, another process could run on the system and could send a specially-crafted message to Utility Manager. In Windows 2000, Utility Manager runs under the context of the Local System. This context has a higher level of administrative credentials than a logged-on user and could allow arbitrary code to be executed.

Why does this pose a security vulnerability?
The vulnerability in the ListBox control and in the ComboBox control could provide a way for a process to cause Utility Manager to run arbitrary code on Windows 2000. Although it is against best practice guidelines, a third-party application could use the ListBox control or the ComboBox control under the context of the Local System.

What might an attacker use the vulnerability to do?
To exploit this vulnerability, an attacker would first have to start Utility Manager on Windows 2000 and then could run a specially-designed application that could exploit the vulnerability in the ListBox control and the ComboBox control. In default configurations of Windows 2000, Utility Manager is installed but is not running. This vulnerability could allow an attacker to gain complete control over the system on Windows 2000.

Who could exploit the vulnerability?
To exploit the vulnerability, an attacker must be able to log on to the system, start Utility Manager, and execute a program that sends a specially-crafted message to Utility Manager that exploits the vulnerability.

What versions of the ListBox control or of the ComboBox control are vulnerable to this attack?
Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 are affected by this vulnerability. However, the Windows XP and Windows Server 2003 versions of Utility Manager do not allow elevation of permissions because Utility Manager runs under the context of the logged-on user. Windows NT 4.0 does not implement Utility Manager; however, the vulnerable function is still present within User32.dll.

I'm using Windows 2000, but I'm not using Utility Manager or any of the accessibility features, am I still vulnerable?
Yes - Utility Manager is installed and enabled by default.

Which systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers are only at risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.

Could the vulnerability be exploited over the Internet?
No. The attacker must be able to log on to the specific system that they want to attack. The attacker cannot load and run a program remotely.

What does the patch do?
The patch addresses the vulnerability by changing the way that the function used by the ListBox control and the ComboBox control handles Windows messages, so that the parameters that are passed are correctly validated.

Security Patch Information
Installation platforms and Prerequisites:

For information about the specific security patch for your platform, click the appropriate link:

Windows Server 2003 (all versions)
Prerequisites:

This security patch requires a released version of Windows Server 2003.

Installation Information:

This security patch supports the following Setup switches:

/?: Display the list of installation switches.
/u: Use Unattended mode.
/f: Force other programs to quit when the computer shuts down.
/n: Do not back up files for removal.
/o: Overwrite OEM files without prompting.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
/l: List the installed hotfixes.
/x: Extract the files without running Setup.

Deployment Information

To install the patch without any user intervention, use the following command line:

Windowsserver2003-kb824141-x86-enu /u /q
To install the patch without forcing the computer to restart, use the following command line:

Windowsserver2003-kb824141-x86-enu /z
Note: These switches can be combined in one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

http://www.microsoft.com/sus/
Restart Requirement:

You must restart your computer after you apply this security patch.

Removal Information:

To remove this patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB824141$\Spuninst folder, and it supports the following Setup switches:

/?: Display the list of installation switches.
/u: Use unattended mode.
/f: Force other programs to quit when the computer shuts down.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Server 2003, Enterprise Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Web Edition; and Windows Server 2003, Datacenter Edition

Date         Time   Version      Size     File Name   Folder
06-Aug-2003  21:44  5.2.3790.73  575,488  User32.dll  RTMGDR
06-Aug-2003  21:41  5.2.3790.73  575,488  User32.dll  RTMQFE

Windows Server 2003, 64-Bit Enterprise Edition and Windows Server 2003, 64-Bit Datacenter Edition:

Date         Time   Version      Size       File Name    Platform  Folder
06-Aug-2003  21:44  5.2.3790.73  1,372,672  User32.dll   IA64      RTMGDR
06-Aug-2003  21:44  5.2.3790.73  567,296    Wuser32.dll  x86       RTMGDR\WOW
06-Aug-2003  21:43  5.2.3790.73  1,372,672  User32.dll   IA64      RTMQFE
06-Aug-2003  21:41  5.2.3790.73  567,296    Wuser32.dll  x86       RTMQFE\WOW

Note: When you install this security patch on a Windows Server 2003-based computer or on a Windows XP 64-Bit Edition Version 2003-based computer, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer. Otherwise, the installer copies the RTMGDR files to your computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

824994 Description of the Contents of a Windows Server 2003 Product Update Package
Verifying patch installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available
You may also be able to verify the files that this security patch installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB824141\Filelist
Note: This registry key may not be created properly when an administrator or an OEM integrates or slipstreams the 824141 security patch into the Windows installation source files.

Windows XP (all versions)
Note For Windows XP 64-Bit Edition, Version 2003, this security patch is the same as the security patch for 64-bit versions of Windows Server 2003.

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites:

This security patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to Obtain the Latest Windows XP Service Pack
Installation Information:

This security patch supports the following Setup switches:

/?: Display the list of installation switches.
/u: Use Unattended mode.
/f: Force other programs to quit when the computer shuts down.
/n: Do not back up files for removal.
/o: Overwrite OEM files without prompting.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
/l: List the installed hotfixes.
/x: Extract the files without running Setup.

Deployment Information

To install the patch without any user intervention, use the following command line:

Windowsxp-kb824141-x86-enu /u /q
To install the patch without forcing the computer to restart, use the following command line:

Windowsxp-kb824141-x86-enu /z
Note: These switches can be combined in one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

http://www.microsoft.com/sus/
Restart Requirement:

You must restart your computer after you apply this security patch.

Removal Information:

To remove this patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB824141$\Spuninst folder, and it supports the following Setup switches:

/?: Display the list of installation switches.
/u: Use unattended mode.
/f: Force other programs to quit when the computer shuts down.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP Home Edition, Windows XP Professional, Windows XP Tablet PC Edition, and Windows XP Media Center Edition:

Date         Time   Version        Size     File Name   Folder
02-Oct-2003  21:59  5.1.2600.120   32,256   Msgsvc.dll  (pre-SP1)
02-Oct-2003  21:59  5.1.2600.120   120,320  Wkssvc.dll  (pre-SP1)
03-Oct-2003  23:18  5.1.2600.1301  32,256   Msgsvc.dll  (with SP1)
03-Oct-2003  23:18  5.1.2600.1301  119,808  Wkssvc.dll  (with SP1)

Windows XP 64-Bit Edition Version 2002:

Date         Time   Version        Size     File Name   Platform
02-Oct-2003  21:59  5.1.2600.120   93,184   Msgsvc.dll  IA64 (pre-SP1)
02-Oct-2003  21:59  5.1.2600.120   327,168  Wkssvc.dll  IA64 (pre-SP1)
03-Oct-2003  23:21  5.1.2600.1301  94,720   Msgsvc.dll  IA64 (with SP1)
03-Oct-2003  23:21  5.1.2600.1301  325,120  Wkssvc.dll  IA64 (with SP1)

Windows XP 64-Bit Edition Version 2003:

Date         Time   Version      Size       File Name    Platform  Folder
06-Aug-2003  21:44  5.2.3790.73  1,372,672  User32.dll   IA64      RTMGDR
06-Aug-2003  21:44  5.2.3790.73  567,296    Wuser32.dll  x86       RTMGDR\WOW
06-Aug-2003  21:43  5.2.3790.73  1,372,672  User32.dll   IA64      RTMQFE
06-Aug-2003  21:41  5.2.3790.73  567,296    Wuser32.dll  x86       RTMQFE\WOW

Notes

When you install the Windows XP 64-Bit Edition Version 2003 security patch, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer. Otherwise, the installer copies the RTMGDR files to your computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

824994 Description of the Contents of a Windows Server 2003 Product Update Package

The Windows XP and Windows XP 64-Bit Edition Version 2002 versions of this security patch are packaged as dual-mode packages. Dual-mode packages contain files for both the original version of Windows XP and Windows XP Service Pack 1 (SP1). For additional information about dual-mode packages, click the following article number to view the article in the Microsoft Knowledge Base:

328848 Description of Dual-Mode Hotfix Packages for Windows XP

Verifying patch installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

For Windows XP Home Edition SP1; Windows XP Professional SP1; Windows XP 64-Bit Edition, Version 2002 SP1; Windows XP Tablet PC Edition; Windows XP Media Center Edition:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB824141\Filelist
For Windows XP Home Edition; Windows XP Professional; Windows XP 64-Bit Edition, Version 2002:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB824141\Filelist
For Windows XP 64-Bit Edition, Version 2003:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB824141\Filelist
Note: This registry key may not be created properly when an administrator or an OEM integrates or slipstreams the 824141 security patch into the Windows installation source files.

Windows 2000 (all versions)
Prerequisites:

For Windows 2000 this security patch requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).

For information about the Windows desktop product life cycle, visit the following Microsoft Web site:

http://microsoft.com/windows/lifecycle/desktop/consumer/components.mspx

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

Installation Information:

This security patch supports the following Setup switches:

/?: Display the list of installation switches.
/u: Use Unattended mode.
/f: Force other programs to quit when the computer shuts down.
/n: Do not back up files for removal.
/o: Overwrite OEM files without prompting.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
/l: List the installed hotfixes.
/x: Extract the files without running Setup.

Deployment Information

To install the patch without any user intervention, use the following command line:

For Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:

Windows2000-kb824141-x86-enu /u /q
For Windows 2000 Service Pack 2:

Windows2000-kb824141-x86-enu-customservicepacksupport /u /q
To install the security patch without forcing the computer to restart, use the following command line:

For Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:

Windows2000-kb824141-x86-enu /z
For Windows 2000 Service Pack 2:

Windows2000-kb824141-x86-enu-customservicepacksupport /z
Note: These switches can be combined in one command line.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

http://www.microsoft.com/sus/
Restart Requirement:

You must restart your computer after you apply this security patch.

Removal Information:

To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Hotfix.exe utility to remove this security patch. The Hotfix.exe utility is located in the %Windir%\$NTUninstallKB824141$ folder. The utility supports the following Setup switches:

/?: Display the list of installation switches.
/u: Use unattended mode.
/f: Force other programs to quit when the computer shuts down.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:

Date         Time   Version         Size       File Name
05-Aug-2003  22:14  5.00.2195.6738  42,256     Basesrv.dll
17-Jan-2003  16:06  5.00.2195.6656  236,304    Cmd.exe
05-Aug-2003  22:14  5.00.2195.6762  222,992    Gdi32.dll
05-Aug-2003  22:14  5.00.2195.6794  711,440    Kernel32.dll
05-Aug-2003  22:14  5.00.2195.6789  333,072    Msgina.dll
08-Apr-2003  05:54  5.00.2195.6701  90,232     Rdpwd.sys
15-Jul-2003  22:08  5.00.2195.6776  4,858,368  Sp3res.dll
05-Aug-2003  22:14  5.00.2195.6799  380,176    User32.dll
05-Aug-2003  22:14  5.00.2195.6794  385,808    Userenv.dll
22-Jul-2003  23:32  5.00.2195.6790  1,628,912  Win32k.sys
17-Jul-2003  17:20  5.00.2195.6785  182,032    Winlogon.exe
05-Aug-2003  22:14  5.00.2195.6775  243,984    Winsrv.dll

Verifying patch installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB824141\Filelist
Note: This registry key may not be created properly when an administrator or an OEM integrates or slipstreams the 824141 security patch into the Windows installation source files.

Windows NT 4.0 (all versions)
Prerequisites:

This security patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 (SP6).

For information about the Windows desktop product life cycle, visit the following Microsoft Web site:

http://microsoft.com/windows/lifecycle/desktop/consumer/components.mspx
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

152734 How to Obtain the Latest Windows NT 4.0 Service Pack
Installation Information:

This security patch supports the following Setup switches:

/y: Perform removal (only with /m or /q).
/f: Force programs to quit during the shutdown process.
/n: Do not create an Uninstall folder.
/z: Do not restart when update completes.
/q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m).
/m: Use Unattended mode with a user interface.
/l: List the installed hotfixes.
/x: Extract the files without running Setup.

Deployment Information

To install the security patch without any user intervention, use the following command line:

For Windows NT Server 4.0, Windows NT Server 4.0, Terminal Server Edition:

Windowsnt4server-kb824141-x86-enu /q
For Windows NT Workstation 4.0:

Windowsnt4workstation-kb824141-x86-enu /q
To install the security patch without forcing the computer to restart, use the following command line:

For Windows NT Server 4.0, Windows NT Server 4.0, Terminal Server Edition:

Windowsnt4server-kb824141-x86-enu /z
For Windows NT 4.0 Workstation:

Windowsnt4workstation-kb824141-x86-enu /z
Note: These switches can be combined in one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

http://www.microsoft.com/sus/
Restart Requirement:

You must restart your computer after you apply this security patch.

Removal Information:

To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Hotfix.exe utility to remove this security patch. The Hotfix.exe utility is located in the %Windir%\$NTUninstallKB824141$ folder. The utility supports the following Setup switches:

/y: Perform removal (only with /m or /q).
/f: Force programs to quit during the shutdown process.
/n: Do not create an Uninstall folder.
/z: Do not restart when update completes.
/q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m).
/m: Use Unattended mode with a user interface.
/l: List the installed hotfixes.
/x: Extract the files without running Setup.

Security Patch Replacement Information:

This patch does not replace any other patches.

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows NT Workstation 4.0, Windows NT Server 4.0:

Date         Time   Version  Size       File Name
06-Aug-2003  09:04  4.00     169,744    Gdi32.dll
06-Aug-2003  09:04  4.00     326,928    User32.dll
21-Jul-2003  13:50  4.00     1,255,152  Win32k.sys
06-Aug-2003  09:04  4.00     175,888    Winsrv.dll

Windows NT Server 4.0, Terminal Server Edition:

Date         Time   Version  Size       File Name
06-Apr-2002  01:38  4.00     170,256    Gdi32.dll
06-Aug-2003  10:19  4.00     332,048    User32.dll
01-Jul-2003  13:45  4.00     1,280,432  Win32k.sys
12-Nov-2002  00:09  4.00     196,368    Winsrv.dll

Verifying patch installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB824141\File 1
Note: This registry key may not be created properly when an administrator or an OEM integrates or slipstreams the 824141 security patch into the Windows installation source files.
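
An offline check built from the File Information tables above, as an added example that is not part of the bulletin: it classifies User32.dll versions gathered by an inventory tool against the fixed versions listed for Windows 2000 and Windows Server 2003, and marks the platforms whose tables give no comparable User32.dll version. The host names, the inventory format, the status labels and the sample versions are constructed assumptions.

```python
# Added example (not Microsoft's code): classify reported User32.dll versions
# against the File Information tables in this bulletin.

# Fixed User32.dll versions copied from the bulletin, keyed by the file
# version's (major, minor, build), which identifies the Windows branch.
FIXED_USER32 = {
    (5, 0, 2195): (5, 0, 2195, 6799),  # Windows 2000 SP2/SP3/SP4: 5.00.2195.6799
    (5, 2, 3790): (5, 2, 3790, 73),    # Server 2003, XP 64-Bit Edition Version 2003
}

# Affected branches whose tables give no User32.dll version to compare against.
NO_BASELINE = {
    (4, 0): "NT 4.0 tables list only version 4.00; use MBSA or the Hotfix registry key",
    (5, 1): "Windows XP tables list no User32.dll row; use MBSA or the Filelist registry key",
}


def parse_version(text):
    """Turn '5.00.2195.6799' into (5, 0, 2195, 6799); short versions are zero-padded."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"not a dotted file version: {text!r}")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted file version: {text!r}")
    nums = [int(p) for p in parts]  # int('00') == 0, so 5.00 and 5.0 compare equal
    return tuple(nums + [0] * (4 - len(nums)))


def assess(version_text):
    """Return 'patched', 'missing-patch', 'indeterminate' or 'not-listed'."""
    version = parse_version(version_text)
    if version[:2] in NO_BASELINE:
        return "indeterminate"
    fixed = FIXED_USER32.get(version[:3])
    if fixed is None:
        return "not-listed"  # branch does not appear in the bulletin's tables
    # The bulletin lists the fixed file attributes "or later".
    return "patched" if version >= fixed else "missing-patch"


def audit(inventory):
    """Group hosts by status; inventory is an iterable of (host, version) pairs."""
    report = {}
    for host, version_text in inventory:
        try:
            status = assess(version_text)
        except ValueError:
            status = "unparseable"
        report.setdefault(status, []).append(host)
    return report


# Constructed sample inventory (hypothetical hosts and pre-patch versions).
SAMPLE_INVENTORY = [
    ("w2k-ws-01", "5.00.2195.6799"),
    ("w2k-ws-02", "5.0.2195.6688"),
    ("w2k3-srv-01", "5.2.3790.0"),
    ("w2k3-srv-02", "5.2.3790.73"),
    ("nt4-srv-01", "4.00"),
    ("xp-ws-01", "5.1.2600.0"),
    ("me-ws-01", "4.90.3000.0"),
    ("kiosk-01", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as missing-patch on the Windows 2000 branch are the ones the bulletin rates Important, because Utility Manager runs under the Local System context there.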

Acknowledgments

Microsoft thanks the following for working with us to protect customers:

Brett Moore of Security-Assessment.com for reporting the issue in MS03-045.
Obtaining other security patches:

Patches for other security issues are available from the following locations:

Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site
Support:

Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls associated with security patches.
Security Resources:

The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Microsoft Software Update Services: http://www.microsoft.com/sus/
Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa. Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of security patches that have detection limitations with MBSA tool.
Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166
Windows Update: http://windowsupdate.microsoft.com
Office Update: http://office.microsoft.com/officeupdate/
Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:

V1.0 (October 15, 2003): Bulletin published.
