
From:MICROSOFT <secure_(at)_microsoft.com>
Date:14.04.2004
Subject:Microsoft Security Bulletin MS04-011

 Microsoft Security Bulletin MS04-011
 Security Update for Microsoft Windows (835732)
 
 Issued: April 13, 2004
 Version: 1.0
 
 Summary
 Who should read this document: Customers who use Microsoft® Windows®
 
 Impact of vulnerability: Remote Code Execution
 
 Maximum Severity Rating: Critical
 
 Recommendation: Customers should apply the update immediately.
 
 Security Update Replacement: None
 
 Caveats: The security update for Windows NT Server 4.0 Terminal Server Edition Service Pack 6 requires, as a prerequisite, the Windows NT Server 4.0 Terminal Server Edition Security Rollup Package (SRP). To download the SRP, visit the following Web site. You must install the SRP before you install the security update that is provided in this security bulletin. If you are not using Windows NT Server 4.0 Terminal Server Edition Service Pack 6 you do not need to install the SRP.
 
 Tested Software and Security Update Download Locations:
 
 Affected Software:
 
 • Microsoft Windows NT® Workstation 4.0 Service Pack 6a – Download the update
 
 • Microsoft Windows NT Server 4.0 Service Pack 6a – Download the update
 
 • Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 – Download the update
 
 • Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4 – Download the update
 
 • Microsoft Windows XP and Microsoft Windows XP Service Pack 1 – Download the update
 
 • Microsoft Windows XP 64-Bit Edition Service Pack 1 – Download the update
 
 • Microsoft Windows XP 64-Bit Edition Version 2003 – Download the update
 
 • Microsoft Windows Server™ 2003 – Download the update
 
 • Microsoft Windows Server 2003 64-Bit Edition – Download the update
 
 • Microsoft NetMeeting
 
 • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems.
 
 
 The software that is listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.
 
 General Information
  Technical Details
 
 Executive Summary:
 
 This update resolves several newly-discovered vulnerabilities. Each vulnerability is documented in this bulletin in its own section.
 
 An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 Microsoft recommends that customers apply the update immediately.
 
 Severity Ratings and Vulnerability Identifiers:
 
 Vulnerability Identifiers | Impact of Vulnerability | Windows 98, 98 SE, ME | Windows NT 4.0 | Windows 2000 | Windows XP | Windows Server 2003
 --- | --- | --- | --- | --- | --- | ---
 LSASS Vulnerability - CAN-2003-0533 | Remote Code Execution | None | None | Critical | Critical | Low
 LDAP Vulnerability - CAN-2003-0663 | Denial Of Service | None | None | Important | None | None
 PCT Vulnerability - CAN-2003-0719 | Remote Code Execution | None | Critical | Critical | Important | Low
 Winlogon Vulnerability - CAN-2003-0806 | Remote Code Execution | None | Moderate | Moderate | Moderate | None
 Metafile Vulnerability - CAN-2003-0906 | Remote Code Execution | None | Critical | Critical | Critical | None
 Help and Support Center Vulnerability - CAN-2003-0907 | Remote Code Execution | None | None | None | Critical | Critical
 Utility Manager Vulnerability - CAN-2003-0908 | Privilege Elevation | None | None | Important | None | None
 Windows Management Vulnerability - CAN-2003-0909 | Privilege Elevation | None | None | None | Important | None
 Local Descriptor Table Vulnerability - CAN-2003-0910 | Privilege Elevation | None | Important | Important | None | None
 H.323 Vulnerability* - CAN-2004-0117 | Remote Code Execution | Not Critical | None | Important | Important | Important
 Virtual DOS Machine Vulnerability - CAN-2004-0118 | Privilege Elevation | None | Important | Important | None | None
 Negotiate SSP Vulnerability - CAN-2004-0119 | Remote Code Execution | None | None | Critical | Critical | Critical
 SSL Vulnerability - CAN-2004-0120 | Denial Of Service | None | None | Important | Important | Important
 ASN.1 “Double Free” Vulnerability - CAN-2004-0123 | Remote Code Execution | Not Critical | Critical | Critical | Critical | Critical
 Aggregate Severity of All Vulnerabilities | | Not Critical | Critical | Critical | Critical | Critical
 
 
 *Note The severity rating of H.323 Vulnerability - CAN-2004-0117 is Important for the standalone version of NetMeeting. To download an updated version of NetMeeting that addresses this vulnerability, visit the following Web site. This version of NetMeeting can be installed on all systems that are running Windows 98, Windows 98 Second Edition, Windows Millennium Edition, and Windows NT 4.0. The updated version of NetMeeting that addresses this vulnerability is version 3.01 (4.4.3399).
 
 The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
 
  Frequently asked questions (FAQ) related to this security update
 
 Why does this update address several reported security vulnerabilities?
 This update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that contain almost identical files, customers can install only this update.
 
 What updates does this release replace?
 This security update replaces several prior security bulletins. The security bulletin IDs and operating systems that are affected are listed in the table below.
 
 Bulletin ID | Windows NT 4.0 | Windows 2000 | Windows XP | Windows Server 2003
 --- | --- | --- | --- | ---
 MS99-023 | Replaced | Not Applicable | Not Applicable | Not Applicable
 MS00-027 | Not Replaced | Replaced | Not Applicable | Not Applicable
 MS00-032 | Not Applicable | Replaced | Not Applicable | Not Applicable
 MS00-070 | Not Replaced | Replaced | Not Applicable | Not Applicable
 MS02-050 | Replaced | Not Replaced | Not Applicable | Not Applicable
 MS02-051 | Not Applicable | Replaced | Not Replaced | Not Applicable
 MS02-071 | Replaced | Replaced | Not Replaced | Not Applicable
 MS03-007 | Not Replaced | Replaced | Not Replaced | Not Applicable
 MS03-013 | Replaced | Replaced | Not Replaced | Not Applicable
 MS03-025 | Not Applicable | Replaced | Not Applicable | Not Applicable
 MS03-027 | Not Applicable | Not Applicable | Not Replaced | Not Applicable
 MS03-041 | Replaced | Not Replaced | Not Replaced | Not Replaced
 MS03-045 | Replaced | Replaced | Not Replaced | Not Replaced
 MS04-007 | Replaced | Replaced | Replaced | Replaced
 
 
 Is this update a Cumulative Security Update or a Security Update Roll-up?
 Neither. A Cumulative Security Update would typically include support for all prior updates. This update does not include support for all prior updates on all operating systems.
 
 A Security Update Roll-up is typically used to combine previous releases into a single update to allow for easier installation and faster download. Security Update Roll-ups typically do not include modifications to address new vulnerabilities; this update does.
 
 How does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?
 Microsoft will only release security updates for critical security issues. Non-critical security issues are not offered during this support period. For more information about the Microsoft Support Lifecycle policies for these operating systems, visit the following Web site.
 
 For more information about severity ratings, visit the following Web site.
 
 Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?
 No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition.
 
 Does this update contain any other changes to functionality?
 Yes. In addition to the changes that are listed in each of the vulnerability details sections of this bulletin, this update includes the following change in functionality: files that end with the file name extension “.folder” are no longer associated with a directory. Files that have this extension are still supported by the affected operating system. However, those files will no longer appear as a directory in Windows Explorer and in other programs.
 
 Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if this update is required?
 Yes. MBSA will determine if this update is required, except on Windows NT 4.0. For more information about MBSA, visit the MBSA Web site. However, MBSA cannot detect if the updated stand-alone version of NetMeeting is required. See the H.323 Vulnerability - CAN-2004-0117 vulnerability detail section for more information about this update. MBSA does detect if the update for the H.323 Vulnerability - CAN-2004-0117 vulnerability is required for the version of NetMeeting that shipped as part of Windows 2000, Windows XP, or Windows Server 2003. For more information about detection, see Microsoft Knowledge Base Article 306460.
 
 Can I use Systems Management Server (SMS) to determine if this update is required?
 Yes. SMS can help detect and deploy this security update. For information about SMS, visit the SMS Web site. SMS uses MBSA for detection; therefore it has the same limitation, described in the previous FAQ, regarding the stand-alone version of NetMeeting.
 
  Vulnerability Details
 
  LSASS Vulnerability - CAN-2003-0533:
 
 A buffer overrun vulnerability exists in LSASS that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take complete control of the affected system.
 
  Mitigating Factors for LSASS Vulnerability - CAN-2003-0533:
 
 • Only Windows 2000 and Windows XP can be remotely attacked by an anonymous user. While Windows Server 2003 and Windows XP 64-Bit Edition Version 2003 contain the vulnerability, only a local administrator could exploit it.
 
 • Windows NT 4.0 is not affected by this vulnerability.
 
 • Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
 
 
  Workarounds for LSASS Vulnerability - CAN-2003-0533:
 
 Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
 
 • Use a personal firewall such as the Internet Connection Firewall, which is included with Windows XP and Windows Server 2003.
 
 If you use the Internet Connection Firewall feature in Windows XP or in Windows Server 2003 to help protect your Internet connection, it blocks unsolicited inbound traffic by default. Microsoft recommends blocking all unsolicited inbound communication from the Internet.
 
 To enable the Internet Connection Firewall feature by using the Network Setup Wizard, follow these steps:
 
 1. Click Start, and then click Control Panel.
 
 2. In the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your system is connected directly to the Internet.
 
 
 To configure Internet Connection Firewall manually for a connection, follow these steps:
 
 1. Click Start, and then click Control Panel.
 
 2. In the default Category View, click Networking and Internet Connections, and then click Network Connections.
 
 3. Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.
 
 4. Click the Advanced tab.
 
 5. Click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box, and then click OK.
 
 
 Note If you want to enable the use of some programs and services through the firewall, click Settings on the Advanced tab, and then select the programs, protocols, and services needed.
 
 • Block the following at the firewall:
 
 • UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593
 
 • All unsolicited inbound traffic on ports greater than 1024
 
 • Any other specifically configured RPC port
 
 
 These ports are used to initiate a connection with RPC. Blocking them at the firewall will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. Also, make sure that you block any other specifically configured RPC port on the remote system. Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about the ports that RPC uses, visit the following Web site.
 
 • Enable advanced TCP/IP filtering on systems that support this feature.
 
 You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.
 
 • Block the affected ports by using IPSec on the affected systems.
 
 Use Internet Protocol Security (IPSec) to help protect network communications. Detailed information about IPSec and how to apply filters is available in Microsoft Knowledge Base Articles 313190 and 813878.
 
 
  FAQ for LSASS Vulnerability - CAN-2003-0533:
 
 What is the scope of the vulnerability?
 This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 What causes the vulnerability?
 An unchecked buffer in the LSASS service.
 
 What is LSASS?
 Local Security Authority Subsystem Service (LSASS) provides an interface for managing local security, domain authentication, and Active Directory processes. It handles authentication for the client and for the server. It also contains features that are used to support Active Directory utilities.
 
 What might an attacker use the vulnerability to do?
 An attacker who successfully exploited this vulnerability could take complete control of the affected system.
 
 Who could exploit the vulnerability?
 On Windows 2000 and Windows XP, any anonymous user who could deliver a specially crafted message to the affected system could attempt to exploit this vulnerability.
 
 How could an attacker exploit this vulnerability?
 An attacker could exploit the vulnerability by creating a specially crafted message and sending the message to an affected system, which could then cause the affected system to execute code.
 
 An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely).
 
 What systems are primarily at risk from the vulnerability?
 Windows 2000 and Windows XP are primarily at risk from this vulnerability.
 
 Windows Server 2003 and Windows XP 64-Bit Edition Version 2003 provide additional protection that would require an administrator to log on locally to an affected system to exploit this vulnerability.
 
 What does the update do?
 The update removes the vulnerability by modifying the way that LSASS validates the length of a message before it passes the message to the allocated buffer.
 
 This update also removes the vulnerable code from Windows 2000 Professional and from Windows XP because these operating systems do not require the vulnerable interface. This helps protect against possible future vulnerabilities in this service.
 
  LDAP Vulnerability - CAN-2003-0663:
 
 A denial of service vulnerability exists that could allow an attacker to send a specially crafted LDAP message to a Windows 2000 domain controller. An attacker could cause the service responsible for authenticating users in an Active Directory domain to stop responding.
 
  Mitigating Factors for LDAP Vulnerability - CAN-2003-0663:
 
 • To exploit this vulnerability, an attacker would have to send a specially crafted LDAP message to the domain controller. If the LDAP ports are not blocked by a firewall, an attacker would not require any additional privileges to exploit this vulnerability.
 
 • This vulnerability only affects Windows 2000 Server domain controllers; Windows Server 2003 domain controllers are not affected.
 
 • Windows NT 4.0 and Windows XP are not affected by this vulnerability.
 
 • If an attacker successfully exploited this vulnerability, the affected system might display a warning that it would automatically restart after a 60-second countdown. At the end of this 60-second countdown, the affected system would automatically restart. After restart, the affected system would be restored to normal functionality. However, the affected system could be susceptible to a new denial of service attack unless the update is applied.
 
 • Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
 
 
  Workarounds for LDAP Vulnerability - CAN-2003-0663:
 
 Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
 
 • Block LDAP TCP ports 389, 636, 3268, and 3269 at your firewall.
 
 These ports are used to initiate an LDAP connection with a Windows 2000 domain controller. Blocking them at the firewall will help prevent systems that are behind that firewall from attempts to exploit this vulnerability that originate outside the enterprise perimeter. While other ports could be used to exploit this vulnerability, the ports listed are the most common attack vectors. Microsoft recommends blocking all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.
 
 Impact of workaround: Active Directory domain authentication will not be possible over a network connection where these ports are blocked.
 
 
  FAQ for LDAP Vulnerability - CAN-2003-0663:
 
 What’s the scope of the vulnerability?
 
 This is a denial of service vulnerability. An attacker who exploited this vulnerability could cause the server to automatically restart and, during that time, stop the server from responding to authentication requests. This vulnerability exists in Windows 2000 Server systems that perform the role of a domain controller. The only effect on other Windows 2000 systems is that clients may not be able to log on to the domain if their domain controller stops responding.
 
 What causes the vulnerability?
 
 The processing of specially crafted LDAP messages by the Local Security Authority Subsystem Service (LSASS).
 
 What is LDAP?
 
 Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol that enables authorized users to query or modify the data in a metadirectory. For example, in Windows 2000, LDAP is one protocol that is used to access data in Active Directory.
 
 What’s wrong with the way the specially crafted LDAP messages are handled?
 
 An attacker could send a specially crafted LDAP message to the LSASS service and cause it to stop responding.
 
 What is LSASS?
 
 Local Security Authority Subsystem Service (LSASS) provides an interface for managing local security, domain authentication, and Active Directory processes. It handles authentication for the client and for the server. It also contains features that are used to support Active Directory utilities.
 
 What might an attacker use the vulnerability to do?
 
 An attacker who exploited this vulnerability could cause LSASS to stop responding and the affected system to restart. The affected system might display a warning that it would automatically restart after a 60-second countdown. During this 60-second countdown, local authentication at the console of the affected system and user domain authentication with the affected system would not be possible. At the end of this 60-second countdown, the affected system would automatically restart. If users cannot perform domain authentication with the affected system, they might not be able to access domain resources. After restart, the affected system would be restored to normal functionality. However, it could be susceptible to a new denial of service attack unless the update is applied.
 
 Who could exploit the vulnerability?
 
 Any anonymous user who could deliver the specially crafted LDAP message to the affected system could exploit this vulnerability.
 
 How could an attacker exploit the vulnerability?
 
 An attacker could exploit this vulnerability by sending a specially crafted LDAP message to the domain controllers in a single forest or multiple forests, potentially causing a denial of service to domain authentication throughout an enterprise. This could cause LSASS to stop responding and cause the affected system to restart. An attacker does not have to have a valid user account in the domain to send this specially crafted LDAP message. This attack can be performed by using anonymous access.
 
 What systems are primarily at risk from the vulnerability?
 
 Only Windows 2000 domain controllers are vulnerable.
 
 I am running Windows 2000. What systems do I have to update?
 
 The update to address this vulnerability must be installed on systems that are used as Windows 2000 domain controllers. However, the update can be safely installed on Windows 2000 Servers in other roles. Microsoft recommends that you install this update on systems that might be promoted to domain controllers in the future.
 
 What does the update do?
 
 The update removes the vulnerability by modifying the way that LSASS processes the specially crafted LDAP message.
 
  PCT Vulnerability - CAN-2003-0719:
 
 A buffer overrun vulnerability exists in the Private Communications Transport (PCT) protocol, which is part of the Microsoft Secure Sockets Layer (SSL) library. Only systems that have SSL enabled, and in some cases Windows 2000 domain controllers, are vulnerable. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
 
  Mitigating Factors for PCT Vulnerability - CAN-2003-0719:
 
 • Only systems that have enabled SSL are affected, typically only server systems. SSL support is not enabled by default on any of the affected systems. However, SSL is generally used on Web servers to support electronic commerce programs, online banking, and other programs that require secure communications.
 
 • Windows Server 2003 is only vulnerable to this issue if an administrator has manually enabled PCT (even if SSL has been enabled).
 
 • In some situations, the Web Publishing features of ISA Server 2000 or Proxy Server 2.0 can successfully block attempts to exploit this vulnerability. Testing has shown that the Web publishing features of ISA Server 2000, with Packet Filtering enabled and all Packet Filtering options selected can successfully block this attack with no noticeable side effects. Proxy Server 2.0 also successfully blocks this attack. However, until the security update is applied on the Proxy Server 2.0 system, this attack causes Proxy Server 2.0 Web services to stop responding and the system must be restarted.
 
 • Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
 
 
  Workarounds for PCT Vulnerability - CAN-2003-0719:
 
 Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
 
 • Disable PCT support through the registry
 
 This workaround is fully documented in Microsoft Knowledge Base Article 187498. This article is summarized below.
 
 The following steps disable the PCT 1.0 protocol, which prevents the affected system from negotiating its use.
 
 Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
 
 For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
 
 Note It is a good idea to back up the registry before you edit it.
 
 1. Click Start, click Run, type "regedt32" (without the quotation marks), and then click OK.
 
 2. In Registry Editor, locate the following registry key:
 
 HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
 
 3. In the Edit menu, click Add Value to create a new REG_BINARY value called "Enabled" in the Server subkey.
 
 4. In the Data Type list, click REG_BINARY.
 
 5. In the Value Name text box, type "Enabled" (without the quotation marks), and then click OK.
 
 Note If this value is already present, double-click the value to edit its current value, and then go to step 6.
 
 6. In the Binary Editor, set the new key's value to 0 by typing the following string: 00000000.
 
 7. Click OK, and then restart the system.
 
 Note To enable PCT, change the value of the Enabled registry key to 00000001, and then restart the system.
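 As an added example (not part of this bulletin or of Knowledge Base Article 187498), the following PowerShell script audits the SCHANNEL registry value from the steps above and, when run with -Disable, sets it to 00000000 exactly as step 6 does. It assumes an elevated PowerShell session on the affected system; the function names are the example's own.

```powershell
# Added example: audit and optionally disable PCT 1.0 server support through
# the SCHANNEL registry value described in the workaround (KB 187498).
# Run from an elevated session; a restart is required for a change to take effect.
param([switch]$Disable)

# Registry key from step 2 of the workaround, in PowerShell's HKLM: drive notation
$PctServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server'

function Get-PctServerState {
    # Returns 'Disabled', 'Enabled' or 'NotConfigured'.
    # 'NotConfigured' means the platform default applies; the bulletin states that
    # PCT is disabled by default only on Windows Server 2003.
    if (-not (Test-Path -LiteralPath $PctServerKey)) { return 'NotConfigured' }
    $item = Get-ItemProperty -LiteralPath $PctServerKey -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.Enabled) { return 'NotConfigured' }
    # The workaround stores a REG_BINARY value: 00000000 disables, 00000001 enables.
    # Casting also tolerates a scalar (DWORD) value written by other tooling.
    $bytes = [byte[]]$item.Enabled
    if (($bytes | Measure-Object -Sum).Sum -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-PctServer {
    # Creates the key path if absent (steps 2-5) and writes the REG_BINARY value
    # "Enabled" = 00 00 00 00 (step 6); -Force overwrites an existing value.
    if (-not (Test-Path -LiteralPath $PctServerKey)) {
        New-Item -Path $PctServerKey -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $PctServerKey -Name 'Enabled' `
        -PropertyType Binary -Value ([byte[]](0, 0, 0, 0)) -Force | Out-Null
}

$before = Get-PctServerState
Write-Output "PCT 1.0 server state before: $before"
if ($Disable -and $before -ne 'Disabled') {
    Disable-PctServer
    Write-Output ("PCT 1.0 server state after: {0} (restart required)" -f (Get-PctServerState))
}
```

 Running the script without -Disable only reports the current state, which is a convenient way to confirm that the security update (which disables PCT) or the manual workaround has taken effect on a server.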
 
 
 
  FAQ for PCT Vulnerability - CAN-2003-0719:
 
 What’s the scope of the vulnerability?
 
 A buffer overrun vulnerability exists in the Private Communications Transport (PCT) protocol, which is part of the Microsoft Secure Sockets Layer (SSL) library. Only systems that have SSL enabled, and in some cases Windows 2000 domain controllers, are vulnerable.
 
 All programs that use SSL could be affected. Although SSL is generally associated with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely to be vulnerable. This includes, but is not limited to, Microsoft Internet Information Services 4.0, Microsoft Internet Information Services 5.0, Microsoft Internet Information Services 5.1, Microsoft Exchange Server 5.5, Microsoft Exchange Server 2000, Microsoft Exchange Server 2003, Microsoft Analysis Services 2000 (included with SQL Server 2000), and any third-party programs that use PCT. SQL Server 2000 is not vulnerable because it specifically blocks PCT connections.
 
 Windows Server 2003 and Internet Information Services 6.0 are only vulnerable to this issue if an administrator has manually enabled PCT (even if SSL has been enabled).
 
 An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 What causes the vulnerability?
 
 The process used by the SSL Library to check message inputs.
 
 What is the SSL library?
 
 The Microsoft Secure Sockets Layer (SSL) library contains support for a number of secure communication protocols. These include Transport Layer Security 1.0 (TLS 1.0), Secure Sockets Layer 3.0 (SSL 3.0), and the older and seldom-used Secure Sockets Layer 2.0 (SSL 2.0) and Private Communication Technology 1.0 (PCT 1.0) protocols.
 
 These protocols provide an encrypted connection between a server and a client system. SSL can help protect information when transmitted across public networks such as the Internet. SSL support requires an SSL certificate, which must be installed on a server. For more information about SSL, see Microsoft Knowledge Base Article 245152.
 
 What is PCT?
 
 Private Communication Technology (PCT) is a protocol developed by Microsoft and Visa International for encrypted communication on the Internet. It was developed as an alternative to SSL 2.0. It is similar to SSL. The message formats are similar enough that a server can interact with clients that support SSL as well as clients that support PCT.
 
 PCT is an earlier protocol that has been replaced by SSL 3.0 and is no longer generally used. The Microsoft Secure Sockets Layer (SSL) library supports PCT only for backward compatibility. Most modern programs and servers use SSL 3.0, and PCT is no longer required. For more detailed information, visit the MSDN Library Web site.
 
 What might an attacker use the vulnerability to do?
 
 An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 Who could exploit the vulnerability?
 
 Any anonymous attacker who could deliver a specially crafted TCP message to an SSL enabled service on an affected system could attempt to exploit this vulnerability.
 
 How could an attacker exploit this vulnerability?
 
 An attacker could exploit this vulnerability by communicating with an affected system through an SSL enabled service and sending a specially crafted TCP message. Receipt of such a message could cause the affected service on the vulnerable system to fail in such a way that it could execute code.
 
 An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely).
 
 What systems are primarily at risk from the vulnerability?
 
 All programs that use SSL could be affected. Although SSL is generally associated with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely to be vulnerable. This includes, but is not limited to, Internet Information Services 4.0, Internet Information Services 5.0, Internet Information Services 5.1, Exchange Server 5.5, Exchange Server 2000, Exchange Server 2003, Analysis Services 2000 (included with SQL Server 2000), and any third-party programs that use PCT. SQL Server 2000 is not vulnerable because it specifically blocks PCT connections.
 
 Windows Server 2003 and Internet Information Services 6.0 are only vulnerable to this issue if an administrator has manually enabled PCT (even if SSL has been enabled).
 
 Active Directory domains that have an Enterprise Root certification authority installed are also affected by this vulnerability because Windows 2000 domain controllers will automatically listen for SSL connections.
 
 How is Windows Server 2003 affected?
 
 The way that Windows Server 2003 implements PCT contains the same buffer overrun that is found on other platforms. However, PCT is disabled by default. If the PCT protocol were enabled by using a registry key, Windows Server 2003 could then be vulnerable to this issue. Microsoft is therefore releasing a security update for Windows Server 2003 that corrects the buffer overrun while continuing to leave PCT disabled.
 
 What does the update do?
 
 The update removes the vulnerability by altering the way that the PCT implementation validates the information passed to it and also disables the PCT protocol.
 
 Does this update introduce any behavioral changes?
 
 Yes. While the update does address the vulnerability in PCT, it also disables PCT because this protocol is no longer used and has been replaced by SSL 3.0. This behavior is consistent with the default settings of Windows Server 2003. If administrators require the use of PCT, they can enable it by using the registry key that is described in the Workaround section of this bulletin.
 
  Winlogon Vulnerability - CAN-2003-0806:
 
 A buffer overrun vulnerability exists in the Windows logon process (Winlogon). It does not check the size of a value used during the logon process before inserting it into the allocated buffer. The resulting overrun could allow an attacker to remotely execute code on an affected system. Systems that are not members of a domain are not affected by this vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
 
  Mitigating Factors for Winlogon Vulnerability - CAN-2003-0806:
 
 • Only Windows NT 4.0, Windows 2000, and Windows XP systems that are members of a domain are affected by this vulnerability. Windows Server 2003 is not affected by this vulnerability.
 
 • An attacker would require permission to modify user objects in a domain to attempt to exploit this vulnerability. Typically, only members of the Administrators or Account Operators groups would have this permission. However, this permission may have been delegated to other user accounts in the domain.
 
 • Domains typically support auditing of changes to user objects. These audit records could be reviewed to determine which user account may have maliciously modified other user accounts to attempt to exploit this vulnerability.
 
 
  Workarounds for Winlogon Vulnerability - CAN-2003-0806:
 
 Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
 
 • Reduce the number of users that have account modification permissions.
 
 To exploit this vulnerability an attacker requires the ability to modify user objects in the domain. Some organizations add user accounts to the Administrators or Account Operators groups unnecessarily. For example, if a Helpdesk representative only requires the ability to reset user passwords, the administrator should directly delegate that permission without adding the representative to the Account Operator group. Reducing the number of user accounts in administrative groups helps block known attack vectors. Only trusted employees should be members of administrative groups. For more information about domain best practices, visit the following Web site.
 
 
  FAQ for Winlogon Vulnerability - CAN-2003-0806:
 
 What is the scope of the vulnerability?
 
 This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 What causes the vulnerability?
 
 Winlogon reads a value from the domain but does not check the size of this value before inserting it into the allocated buffer.
 
 What is winlogon?
 
 The Windows logon process (Winlogon) is the component of the Windows operating system that provides interactive logon support. Winlogon.exe is the process that manages security-related user interactions in Windows. It handles logon and logoff requests, locking or unlocking the system, changing the password, and other requests. It reads data from the domain during the logon process and uses this data to configure a user’s environment. For more information about Winlogon, visit the MSDN Library Web site.
 
 What is a domain?
 
 A domain can be used to store information about virtually any network object such as printers, file share locations, and personal information. For more information about creating domains using Windows 2000 Server or Windows Server 2003, visit the following Web site.
 
 What could this vulnerability enable an attacker to do?
 
 An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 Who could exploit the vulnerability?
 
 An attacker would require permission to modify user objects in a domain to attempt to exploit this vulnerability. Typically, only members of the Administrators or Account Operators groups would have this permission. However, this permission may have been delegated to other user accounts in the domain. User accounts that do not have this permission or anonymous users could not exploit this vulnerability.
 
 How could an attacker exploit this vulnerability?
 
 An attacker could specially modify a value stored in the domain to include malicious data. When this value is passed to an unchecked buffer in Winlogon during the logon process, Winlogon could allow malicious code to be executed.
 
 What systems are primarily at risk from the vulnerability?
 
 Only Windows NT 4.0, Windows 2000, and Windows XP systems that are members of a domain are affected by this vulnerability.
 
 What does the update do?
 
 This update removes the vulnerability by modifying the way the Winlogon process validates the length of a value before passing it to the allocated buffer.
 
  Metafile Vulnerability - CAN-2003-0906:
 
 A buffer overrun vulnerability exists in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats that could allow remote code execution on an affected system. Any program that renders WMF or EMF images on the affected systems could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
 
  Mitigating Factors for Metafile Vulnerability - CAN-2003-0906:
 
 • The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file or to view a directory that contains the specially crafted image. There is no way for an attacker to force a user to open a malicious file.
 
 • In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
 
 • An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.
 
 • Windows Server 2003 is not affected by this vulnerability.
 
 
  Workarounds for Metafile Vulnerability - CAN-2003-0906:
 
 Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
 
 • Read e-mail messages in plain text format if you are using Outlook 2002 or later, or Outlook Express 6 SP1 or later, to help protect yourself from the HTML e-mail attack vector.
 
 Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or later and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 can enable this setting and view all non-digitally signed e-mail messages or non-encrypted e-mail messages in plain text only.
 
 Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about enabling this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.
 
 For information about this setting in Outlook Express 6, see Microsoft Knowledge Base Article 291387.
 
 Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. In addition:
 
 • The changes are applied to the preview pane and open messages.
 
 • Pictures become attachments so they are not lost.
 
 • Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.
 
 
 
  FAQ for Metafile Vulnerability - CAN-2003-0906:
 
 What is the scope of the vulnerability?
 
 This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 What causes the vulnerability?
 
 An unchecked buffer in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats.
 
 What are Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats?
 
 A WMF image is a 16-bit metafile format that can contain both vector information and bitmap information. It is optimized for the Windows operating system.
 
 An EMF image is a 32-bit format that can contain both vector information and bitmap information. This format is an improvement over the Windows Metafile Format and contains extended features.
 
 For more information about image types and formats, see Microsoft Knowledge Base Article 320314. Additional information about these file formats is also available at the MSDN Library Web Site.
 
 What might an attacker use the vulnerability to do?
 
 An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 How could an attacker exploit this vulnerability?
 
 Any program that renders the affected image types could be vulnerable to this attack. Here are some examples:
 
 • An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer 6 and then persuade a user to view the Web site.
 
 • An attacker could also create an HTML e-mail message that has a specially crafted image attached. The specially crafted image could be designed to exploit this vulnerability through Outlook 2002 or Outlook Express 6. An attacker could persuade the user to view the HTML e-mail message.
 
 • An attacker could embed a specially crafted image in an Office document and then persuade the user to view the document.
 
 • An attacker could add a specially crafted image to the local file system or onto a network share and then persuade the user to preview the directory using Windows Explorer in Windows XP.
 
 
 What systems are primarily at risk from the vulnerability?
 
 The vulnerability could only be exploited on the affected systems by an attacker who persuaded a user to open a specially crafted file or view a directory that contains the specially crafted image. There is no way for an attacker to force a user to open a malicious file.
 
 In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
 
 What does the update do?
 
 The update removes the vulnerability by modifying the way that Windows validates the affected image types.
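The bulletin describes the fix only as "modifying the way that Windows validates the affected image types". The following is an added example, not code from Microsoft or from the bulletin, showing what structural validation of these two containers looks like: a walker that refuses any WMF or EMF record whose self-declared size does not fit the bytes actually supplied. Header and record layouts follow the public WMF/EMF format specifications; the sample files are constructed inline and are not real images.

```python
import struct

# Added example, not code from the bulletin or from Windows: a structural
# walker for WMF and EMF that refuses any record whose self-declared size
# does not fit the data.  Layouts follow the public WMF/EMF format
# specifications; the sample files at the bottom are constructed inline.

WMF_PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte Aldus "placeable" header
EMF_SIGNATURE = 0x464D4520       # " EMF", at offset 40 of the EMR_HEADER record
META_EOF = 0x0000                # last WMF record: RecordSize 3, RecordFunction 0
EMR_HEADER, EMR_EOF = 1, 14


class MetafileError(ValueError):
    """The metafile's own length fields do not fit the bytes provided."""


def walk_wmf(data: bytes):
    """Return [(function, size_in_words), ...] for a WMF or raise MetafileError.

    Every WMF record starts with a 32-bit size in 16-bit words followed by a
    16-bit function code.  Copying a record on the strength of that field
    alone is the unchecked-buffer pattern; here each claim is bounds-checked.
    """
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data)[0] == WMF_PLACEABLE_KEY else 0
    if len(data) - off < 18:
        raise MetafileError("truncated WMF header")
    ftype, hdr_words, _ver, file_words, _nobj, _maxrec, _nmem = struct.unpack_from("<HHHIHIH", data, off)
    if ftype not in (1, 2) or hdr_words != 9:
        raise MetafileError("bad WMF header")
    if file_words * 2 > len(data) - off:
        raise MetafileError("header Size field exceeds the data")
    off += 18
    records = []
    while True:
        if off + 6 > len(data):
            raise MetafileError("record header past end of data (no META_EOF)")
        size_words, func = struct.unpack_from("<IH", data, off)
        # Below 3 words the record is smaller than its own header: a naive
        # loop never advances, or computes a negative payload length.
        if size_words < 3:
            raise MetafileError("record smaller than its own header")
        end = off + size_words * 2       # Python ints cannot wrap; in C use a 64-bit product
        if end > len(data):
            raise MetafileError("record extends past end of data")
        records.append((func, size_words))
        off = end
        if func == META_EOF:
            return records


def walk_emf(data: bytes):
    """Return [(type, size_in_bytes), ...] for an EMF or raise MetafileError."""
    if len(data) < 88:
        raise MetafileError("truncated EMF header")
    rtype, rsize = struct.unpack_from("<II", data, 0)
    sig, _ver, nbytes, _nrec = struct.unpack_from("<IIII", data, 40)
    if rtype != EMR_HEADER or sig != EMF_SIGNATURE or rsize < 88:
        raise MetafileError("bad EMF header")
    if nbytes > len(data) or rsize > nbytes:
        raise MetafileError("EMR_HEADER claims more bytes than were supplied")
    off, records = 0, []
    while off + 8 <= nbytes:
        rtype, rsize = struct.unpack_from("<II", data, off)
        if rsize < 8 or rsize % 4:       # 8-byte record header; sizes are DWORD aligned
            raise MetafileError("bad EMF record size")
        if off + rsize > nbytes:
            raise MetafileError("record extends past the declared file size")
        records.append((rtype, rsize))
        off += rsize
        if rtype == EMR_EOF:
            return records
    raise MetafileError("no EMR_EOF record")


def reject_reason(walker, data: bytes):
    """Return None if the walker accepts the data, else the rejection reason."""
    try:
        walker(data)
        return None
    except MetafileError as exc:
        return str(exc)


# --- constructed samples (not real files) ---------------------------------
def build_wmf(records):
    """Minimal disk WMF: 18-byte header plus (function, params) records."""
    body = b"".join(struct.pack("<IH", 3 + len(p) // 2, f) + p for f, p in records)
    max_rec = max(3 + len(p) // 2 for _, p in records)
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, 9 + len(body) // 2, 0, max_rec, 0) + body


def build_emf(records):
    """Minimal EMF: 88-byte EMR_HEADER plus (type, params) records."""
    body = b"".join(struct.pack("<II", t, 8 + len(p)) + p for t, p in records)
    hdr = struct.pack("<II", EMR_HEADER, 88) + bytes(32)          # type, size, bounds, frame
    hdr += struct.pack("<IIIIHH", EMF_SIGNATURE, 0x00010000, 88 + len(body), 1 + len(records), 0, 0)
    return hdr + bytes(28) + body                                   # description/palette/device fields zeroed


def patch_u32(data: bytes, offset: int, value: int) -> bytes:
    """Overwrite one little-endian DWORD to build a hostile variant of a sample."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, offset, value)
    return bytes(buf)


GOOD_WMF = build_wmf([(0x0103, struct.pack("<H", 8)), (META_EOF, b"")])  # META_SETMAPMODE, then EOF
BAD_WMF = patch_u32(GOOD_WMF, 18, 0x40000000)    # first record claims ~2 GB
LOOP_WMF = patch_u32(GOOD_WMF, 18, 0)            # zero-length record: a naive loop never advances
GOOD_EMF = build_emf([(EMR_EOF, struct.pack("<III", 0, 16, 20))])
BAD_EMF = patch_u32(GOOD_EMF, 48, 0x7FFFFFF0)    # EMR_HEADER.Bytes inflated beyond the data
```

The point of the two walkers is that every length used to advance or copy comes from the attacker, so each is compared against the real buffer before it is trusted; the zero-length WMF record and the inflated EMR_HEADER.Bytes field are the two cheap ways a crafted file breaks a parser that does not.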
 
  Help and Support Center Vulnerability - CAN-2003-0907:
 
 A remote code execution vulnerability exists in the Help and Support Center because of the way that it handles HCP URL validation. An attacker could exploit the vulnerability by constructing a malicious HCP URL that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
 
  Mitigating Factors for Help and Support Center Vulnerability - CAN-2003-0907:
 
 • In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
 
 • By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. The Restricted sites zone helps reduce attacks that could attempt to exploit this vulnerability.
 
 The risk of attack from the HTML e-mail vector can be significantly reduced if you meet all of the following conditions:
 
 • Apply the update that is included with Microsoft Security Bulletin MS03-040 or a later Cumulative Security Update for Internet Explorer.
 
 • Use Internet Explorer 6 or later.
 
 • Use the Microsoft Outlook E-mail Security Update, use Microsoft Outlook Express 6 or later, or use Microsoft Outlook 2000 Service Pack 2 or later in its default configuration.
 
 
 • An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.
 
 • Windows NT 4.0 and Windows 2000 are not affected by this vulnerability.
 
 
  Workarounds for Help and Support Center Vulnerability - CAN-2003-0907:
 
 Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
 
 • Unregister the HCP Protocol.
 
 To help prevent an attack, unregister the HCP Protocol by deleting the following key from the registry: HKEY_CLASSES_ROOT\HCP. To do so, follow these steps:
 
1. Click Start, and then click Run.

2. Type regedit, and then click OK. The registry editor program launches.

3. Expand HKEY_CLASSES_ROOT, and then highlight the HCP key.

4. Right-click on the HCP key, and then click Delete.
 
 
 Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
 
 Impact of Workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work.
 
 • Install Outlook E-mail Security Update if you are using Outlook 2000 SP1 or earlier.
 
 By default, Outlook Express 6, Outlook 2002 and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed.
 
 Customers who use any of these products could be at a reduced risk from an e-mail-borne attack that tries to exploit this vulnerability unless the user clicks a malicious link in the e-mail message.
 
 • Read e-mail messages in plain text format if you are using Outlook 2002 or later, or Outlook Express 6 SP1 or later, to help protect yourself from the HTML e-mail attack vector.
 
 Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or later and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 can enable this setting and view all non-digitally signed e-mail messages or non-encrypted e-mail messages in plain text only.
 
 Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about enabling this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.
 
 For information about this setting in Outlook Express 6, see Microsoft Knowledge Base Article 291387.
 
 Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. In addition:
 
 • The changes are applied to the preview pane and open messages.
 
 • Pictures become attachments so they are not lost.
 
 • Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.
 
 
 
  FAQ for Help and Support Center Vulnerability - CAN-2003-0907:
 
 What is the scope of the vulnerability?
 
 This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could gain complete control over an affected system. An attacker could take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts that have full privileges.
 
 What causes the vulnerability?
 
 The process used by the Help and Support Center to validate data inputs.
 
 What is the Help and Support Center?
 
 Help and Support Center (HSC) is a feature in Windows that provides help on a variety of topics. For example, HSC can teach users about Windows features, how to download and install software updates, how to determine whether a particular hardware device is compatible with Windows, and how to receive help from Microsoft. Users and programs can use URL links to Help and Support Center by using the "hcp://" prefix in a URL link instead of “http://”.
 
 What is the HCP protocol?
 
Similar to the way that the HTTP protocol can execute URL links to open a Web browser, the HCP protocol can execute URL links to open the Help and Support Center feature.
 
 What is wrong with the Help and Support Center?
 
 An error in input validation occurs.
 
 What might an attacker use the vulnerability to do?
 
 An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 How could an attacker exploit this vulnerability?
 
 To exploit this vulnerability, an attacker would have to host a malicious Web site and then persuade a user to view that Web site. An attacker could also create an HTML e-mail message that has a specially crafted link, and then persuade a user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, an Internet Explorer window could open with an HCP URL of the attacker's choice, which could then allow arbitrary code execution.
 
 What systems are primarily at risk from the vulnerability?
 
 Windows XP and Windows Server 2003 contain the affected version of Help and Support Center. Windows NT 4.0 and Windows 2000 are not affected because they do not contain the Help and Support Center.
 
 I am running Internet Explorer on Windows Server 2003. Does Windows Server 2003 mitigate this vulnerability?
 
 No. By default Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as the Internet Explorer Enhanced Security Configuration. However, the HCP protocol is allowed to access the Help and Support Center by default. Therefore, Windows Server 2003 is vulnerable. For more information about Internet Explorer Enhanced Security Configuration, visit the following Web site.
 
 What does the update do?
 
 This update removes the vulnerability by modifying the validation of data passed to the Help and Support Center.
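The attack vectors above are a Web page or an HTML e-mail message carrying a link with the hcp:// prefix. The following is an added example, not code from the bulletin, of a mail-gateway or proxy check that flags such links, decoding HTML entities and percent-encoding first so that an obfuscated scheme is caught as well as a literal one. The sample message and the URL paths in it are constructed for the demonstration.

```python
import html
import re
from urllib.parse import unquote

# Added example, not from the bulletin: a gateway-style check that flags
# hcp:// links in HTML or plain-text content.  The sample message and the
# URL paths in it are constructed for the demonstration.

# Case-insensitive; the scheme may appear with or without the "//".
_HCP_LINK = re.compile(r"(?i)\bhcp:(?://)?([^\s\"'<>]*)")


def find_hcp_links(document: str):
    """Return every hcp:// URL in the document, normalised to a lowercase scheme.

    HTML entities and percent-encoding are decoded first, so a link written
    as "&#104;cp://..." or "hcp%3A//..." is caught as well as a literal one.
    """
    decoded = unquote(html.unescape(document))
    return ["hcp://" + m.group(1) for m in _HCP_LINK.finditer(decoded)]


def should_quarantine(document: str) -> bool:
    """Policy hook: any hcp:// link in inbound mail is enough to hold it."""
    return bool(find_hcp_links(document))


# Constructed sample message (the links and paths are illustrative only).
SAMPLE_MAIL = """<html><body>
<p>Your ticket is ready: <a href="http://example.test/ticket/42">view it</a>.</p>
<p>Need help? <a href="HCP://system/help_topic">Open Help and Support</a></p>
<p><a href="&#104;cp://services/search?query=printer">entity-encoded scheme</a></p>
<p>Or paste hcp://system/topic into the address bar.</p>
</body></html>"""
```

Matching after decoding rather than on the raw text is what makes the check worth having: a literal search for "hcp://" misses the entity-encoded form, which the mail client renders identically.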
 
  Utility Manager Vulnerability - CAN-2003-0908:
 
 A privilege elevation vulnerability exists in the way that Utility Manager launches applications. A logged-on user could force Utility Manager to start an application with system privileges and take complete control of the system.
 
  Mitigating Factors for Utility Manager Vulnerability - CAN-2003-0908:
 
 • An attacker must have valid logon credentials to exploit the vulnerability. The vulnerability could not be exploited by anonymous users.
 
 • Windows NT 4.0, Windows XP, and Windows Server 2003 are not affected by this vulnerability. Windows NT 4.0 does not implement the Utility Manager.
 
• The Windows 2000 Hardening Guide recommends disabling the Utility Manager service. Environments that comply with these guidelines could be at a reduced risk from this vulnerability.
 
 
  Workarounds for Utility Manager Vulnerability - CAN-2003-0908:
 
 Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
 
 • Use software policies to disable the Utility Manager on all affected systems that do not require this feature.
 
 Because the Utility Manager is a possible attack vector, disable it using software restriction policies in Active Directory or in the Local Security Policy. The Utility Manager process name is Utilman.exe. The following guides provide information about how to prevent users from accessing this file:
 
 • Using Software Restriction Policies to Protect Against Unauthorized Software
 
 • Microsoft Knowledge Base Article 324026
 
 • Protect Your System from Viruses (Using Software Restriction Polices)
 
 • To create new software restriction policies
 
 
 Note You may also review the Windows 2000 Hardening Guide. This guide includes information about how to disable the Utility Manager.
 
 Impact of Workaround:
 
 The Utility Manager provides easy access to many of the accessibility features of the operating system. This access would be unavailable until the restrictions are removed. To find information about how to manually start many of the accessibility features, visit this Web site.
 
 
  FAQ for Utility Manager Vulnerability - CAN-2003-0908:
 
 What is the scope of the vulnerability?
 
 This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 What causes the vulnerability?
 
 The process used by Utility Manager to launch applications. It is possible that Utility Manager could launch applications with system privileges.
 
 What is Utility Manager?
 
 Utility Manager is an accessibility utility that allows users to check the status of accessibility programs such as Microsoft Magnifier, Narrator, or On-Screen Keyboard, and to start or stop them.
 
 What might an attacker use the vulnerability to do?
 
 An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 Who could exploit the vulnerability?
 
 An attacker must be able to log on to the system and then, after starting Utility Manager, run a program that sends a specially crafted message to Utility Manager to attempt to exploit the vulnerability.
 
 How could an attacker exploit this vulnerability?
 
To exploit this vulnerability, an attacker would first have to start Utility Manager on Windows 2000 and then run a specially designed application that could exploit the vulnerability. In default configurations of Windows 2000, Utility Manager is installed but is not running. This vulnerability could allow an attacker to gain complete control over a Windows 2000 system.
 
 What systems are primarily at risk from the vulnerability?
 
 Only Windows 2000 is affected by this vulnerability. Workstations and terminal servers that are based on Windows 2000 are primarily at risk. Servers are only at risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.
 
 I am using Windows 2000, but I am not using Utility Manager or any of the accessibility features. Am I still vulnerable?
 
 Yes. By default, Utility Manager is installed and enabled. However, Utility Manager is not running by default.
 
 Could the vulnerability be exploited over the Internet?
 
 No. An attacker must be able to log on to the specific system targeted for attack. An attacker cannot load and run a program remotely using this vulnerability.
 
 What does the update do?
 
 This update removes the vulnerability by modifying the way that Utility Manager launches applications.
 
  Windows Management Vulnerability - CAN-2003-0909
 
 A privilege elevation vulnerability exists in the way that Windows XP allows tasks to be created. Under special conditions, a non-privileged user could create a task that could execute with system permissions and therefore take complete control of the system.
 
  Mitigating Factors for Windows Management Vulnerability - CAN-2003-0909:
 
 • An attacker must have valid logon credentials to exploit the vulnerability. The vulnerability could not be exploited by an anonymous user.
 
 • Windows NT 4.0, Windows 2000, and Windows Server 2003 are not affected by this vulnerability.
 
 
  Workarounds for Windows Management Vulnerability - CAN-2003-0909:
 
 Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
 
Delete the affected Windows Management Instrumentation Provider.

An administrator with local administrative permissions can delete the affected Windows Management Instrumentation (WMI) Provider by inserting the following script into a text file that has a ‘.vbs’ file name extension and then running it.
 
 To delete the affected WMI Provider:
 
' Connect to the local CIM repository and delete the registration of the
' CmdTriggerConsumer provider that event-based triggers depend on.
Set oSvc = GetObject("winmgmts:root\cimv2")
Set oTrigger = oSvc.Get("__Win32Provider='CmdTriggerConsumer'")
oTrigger.Delete_
 
 The installation of the update automatically re-registers the affected WMI Provider that is referenced above. You do not have to take any additional steps to restore the system to typical functionality after the update has been applied.
 
 Impact of Workaround: Tasks that are created as event-based triggers will not function while this provider is not registered. For more information about event-based triggers, visit the following Web site.
 
 Note In rare cases, Windows XP could re-register this WMI Provider. For example, if Windows XP detects that the WMI repository has become corrupted, it could try to re-register the affected WMI Provider.
 
  FAQ for Windows Management Vulnerability - CAN-2003-0909:
 
 What is the scope of the vulnerability?
 
 This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 What causes the vulnerability?
 
 Under special conditions, a non-privileged user of Microsoft Windows XP could create a task that could execute with system permissions.
 
 What might an attacker use the vulnerability to do?
 
 An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 How could an attacker exploit this vulnerability?
 
 To exploit the vulnerability, an attacker must be able to log on to the system and create a task. Because an attacker must have valid logon credentials to exploit the vulnerability, remote systems are not at risk.
 
 What systems are primarily at risk from the vulnerability?
 
 Only Windows XP is affected by this vulnerability.
 
 What does the update do?
 
 The update removes the vulnerability by preventing users from creating tasks at an elevated level of privilege.
 
 Does this update contain any other behavioral changes?
 
 Yes. This update also includes several changes in functionality, documented below:
 
• Before this update, a user could sometimes create event-based triggers by using the Eventtriggers.exe command-line tool without having to supply a user name and password. After this update has been installed, a user may have to supply a valid user name and password to create event-based triggers using Eventtriggers.exe. For detailed information about the Eventtriggers.exe command-line options, visit the following Web site.
 
 • Previously, administrators could create event-based triggers with the Task Scheduler service stopped or disabled. Now, the Task Scheduler service must be running. For more information about Task Scheduler, visit the following Web site.
 
 • A new limit of 1,000 triggers has also been established as part of this update. Existing event-based triggers over this limit will continue to function after the update has been installed. However, no additional event-based triggers may be created.
 
 • Permissions have been strengthened on event-based triggers that are created after the update has been installed.
 
 
  Local Descriptor Table Vulnerability - CAN-2003-0910
 
A privilege elevation vulnerability exists in a programming interface that is used to create entries in the Local Descriptor Table (LDT). These entries contain information about segments of memory. An attacker who is logged on locally could create a malicious entry, thereby gain access to protected memory, and take complete control of the system.
 
  Mitigating Factors for Local Descriptor Table Vulnerability - CAN-2003-0910:
 
 • An attacker must have valid logon credentials and be able to logon locally to exploit this vulnerability. It could not be exploited remotely.
 
 • Windows XP and Windows Server 2003 are not affected by this vulnerability.
 
 
  Workarounds for Local Descriptor Table Vulnerability - CAN-2003-0910:
 
 None.
 
  FAQ for Local Descriptor Table Vulnerability - CAN-2003-0910:
 
 What is the scope of the vulnerability?
 
 This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 What causes the vulnerability?
 
Insufficient validation in the programming interface that is used to create entries in the LDT. These entries contain information about segments of memory. An attacker could create a malicious entry to gain access to protected kernel memory.
 
 What is the Local Descriptor Table?
 
 The Local Descriptor Table (LDT) contains entries called descriptors. These descriptors contain information that defines a particular segment of memory.
 
 What is wrong with the way that a descriptor entry can be created in the LDT?
 
 The programming interface should not allow programs to create descriptor entries in the LDT that point to areas of protected memory.
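As an added illustration, not code from this bulletin or from Windows, the following C program decodes an 8-byte x86 segment descriptor of the kind installed in the LDT and applies the sort of check the text says the interface should make before installing one: reject anything that is not a present, ring-3 code or data segment, and reject any segment whose base plus limit reaches above the user-mode address range. The 2 GB user/kernel split (USER_SPACE_TOP) and the exact rules are assumptions chosen for the example; the page does not describe Microsoft's actual fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed policy: 32-bit Windows with the default 2 GB user / 2 GB kernel split,
 * so a user-installable segment must end at or below 0x7FFFFFFF. */
#define USER_SPACE_TOP 0x7FFFFFFFULL

/* Decoded fields of an x86 segment descriptor. */
typedef struct {
    uint32_t base;
    uint32_t limit;   /* byte limit after applying the G (granularity) bit */
    unsigned type;    /* access byte bits 0-3 */
    unsigned s;       /* 1 = code/data segment, 0 = system descriptor (TSS, LDT, gate) */
    unsigned dpl;     /* descriptor privilege level 0-3 */
    unsigned p;       /* present bit */
    unsigned g;       /* 1 = limit counted in 4 KiB pages */
} seg_desc_t;

/* Pack base, 20-bit limit and access byte into the scattered layout the CPU uses. */
void encode_descriptor(uint32_t base, uint32_t limit20, uint8_t access, bool g, uint8_t out[8])
{
    out[0] = limit20 & 0xFF;
    out[1] = (limit20 >> 8) & 0xFF;
    out[2] = base & 0xFF;
    out[3] = (base >> 8) & 0xFF;
    out[4] = (base >> 16) & 0xFF;
    out[5] = access;                                               /* P | DPL | S | type */
    out[6] = ((limit20 >> 16) & 0x0F) | 0x40 | (g ? 0x80 : 0x00);  /* D/B = 32-bit, G */
    out[7] = (base >> 24) & 0xFF;
}

void decode_descriptor(const uint8_t d[8], seg_desc_t *out)
{
    uint32_t limit20 = d[0] | ((uint32_t)d[1] << 8) | ((uint32_t)(d[6] & 0x0F) << 16);
    out->base  = d[2] | ((uint32_t)d[3] << 8) | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    out->type  = d[5] & 0x0F;
    out->s     = (d[5] >> 4) & 1;
    out->dpl   = (d[5] >> 5) & 3;
    out->p     = (d[5] >> 7) & 1;
    out->g     = (d[6] >> 7) & 1;
    out->limit = out->g ? ((limit20 << 12) | 0xFFF) : limit20;
}

/* The check a user-callable LDT interface should make before installing an entry. */
bool ldt_entry_is_safe(const uint8_t d[8])
{
    seg_desc_t s;
    decode_descriptor(d, &s);
    if (!s.p)
        return true;                  /* a not-present entry addresses no memory */
    if (!s.s)
        return false;                 /* system descriptors are never user-installable */
    if (s.dpl != 3)
        return false;                 /* a ring-3 caller may only install ring-3 segments */
    if (!(s.type & 0x8) && (s.type & 0x4))
        return false;                 /* expand-down data: valid offsets lie above the limit,
                                         so the base+limit test below would be meaningless */
    uint64_t end = (uint64_t)s.base + s.limit;
    return end <= USER_SPACE_TOP;     /* must not reach into kernel space */
}

/* Convenience wrapper: build an entry from its parts and check it. */
bool check_entry(uint32_t base, uint32_t limit20, uint8_t access, bool g)
{
    uint8_t d[8];
    encode_descriptor(base, limit20, access, g, d);
    return ldt_entry_is_safe(d);
}

/* Byte limit an entry ends up with for a given 20-bit limit and G bit. */
uint32_t effective_limit(uint32_t limit20, bool g)
{
    uint8_t d[8];
    seg_desc_t s;
    encode_descriptor(0, limit20, 0xF2, g, d);
    decode_descriptor(d, &s);
    return s.limit;
}

int main(void)
{
    /* 0xF2 = present, DPL 3, read/write data segment; 0x92 = the same at DPL 0. */
    printf("flat 4 GB data segment, DPL 3 : %s\n", check_entry(0x00000000, 0xFFFFF, 0xF2, true)  ? "accepted" : "rejected");
    printf("64 KiB at 0x00400000, DPL 3   : %s\n", check_entry(0x00400000, 0x0FFFF, 0xF2, false) ? "accepted" : "rejected");
    printf("64 KiB at 0x00400000, DPL 0   : %s\n", check_entry(0x00400000, 0x0FFFF, 0x92, false) ? "accepted" : "rejected");
    printf("8 KiB straddling 0x80000000   : %s\n", check_entry(0x7FFFF000, 0x01FFF, 0xF2, false) ? "accepted" : "rejected");
    return 0;
}
```

The flat 4 GB segment is the interesting case: with G set, a 20-bit limit of 0xFFFFF becomes 0xFFFFFFFF, so an entry that looks small in the raw descriptor covers kernel memory once the granularity bit is applied; any check must decode the limit before comparing it.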
 
 What might an attacker use the vulnerability to do?
 
 An attacker who successfully exploited the vulnerability could take complete control of the affected system. An attacker could take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts that have full privileges.
 
 Who could exploit the vulnerability?
 
 An attacker must be able to log on locally to the system and run a program to exploit this vulnerability.
 
 How could an attacker exploit this vulnerability?
 
 To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially designed program that could exploit the vulnerability and potentially gain complete control over the affected system.
 
 What systems are primarily at risk from the vulnerability?
 
 Workstations and terminal servers are primarily at risk. Servers are only at risk if users who do not have sufficient administrative credentials are given the ability to log on and to run programs. However, best practices strongly discourage allowing this.
 
 Could the vulnerability be exploited over the Internet?
 
 No. An attacker must be able to log on to the specific system targeted for attack. An attacker cannot load and run a program remotely using this vulnerability.
 
 What does the update do?
 
The update removes the vulnerability by modifying the way descriptor entries are created in the LDT.
 
  H.323 Vulnerability - CAN-2004-0117
 
 A remote code execution vulnerability exists in the way the Microsoft H.323 protocol implementation handles malformed requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
 
  Mitigating Factors for H.323 Vulnerability - CAN-2004-0117:
 
• In the most common scenarios, NetMeeting (which uses H.323) must be running for a system to be vulnerable.
 
 • In the most common scenarios, systems that use Internet Connection Firewall (ICF) and that do not run any H.323-based applications are not vulnerable.
 
 • Windows NT 4.0 is not affected by this vulnerability unless the stand-alone version of NetMeeting has been manually installed by an administrator.
 
 
  Workarounds for H.323 Vulnerability - CAN-2004-0117:
 
 Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
 
 • Block ports TCP 1720 and TCP 1503 both inbound and outbound at the firewall.
 
 Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. Microsoft recommends blocking all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.
 
 Impact of Workaround:
 
 If inbound and outbound TCP ports 1503 and 1720 are blocked, users will not be able to connect to the Internet Locator Service (ILS) or to other NetMeeting clients.
 
 
  FAQ for H.323 Vulnerability - CAN-2004-0117:
 
 What is the scope of the vulnerability?
 
 This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 What causes the vulnerability?
 
 Unchecked buffers in Microsoft’s H.323 implementation.
 
 What is H.323?
 
 H.323 is an ITU standard that specifies how PCs, equipment, and services for multimedia communicate over networks that do not provide a guaranteed level of service, such as the Internet. H.323 terminals and equipment can carry real-time video, voice, data, or any combination of these elements. Products that use H.323 for audio and video let users connect and communicate with other people over the Internet, just as people using different makes and models of telephones can communicate using the telephone.
 
 What affected applications use the H.323 protocol?
 
 The H.323 protocol is implemented in a number of Microsoft applications and operating system components. This issue may affect systems that have one or more of the following services or applications running:
 
 • Telephony Application Programming Interface (TAPI)-based applications
 
 • NetMeeting
 
 • Internet Connection Firewall (ICF)
 
 • Internet Connection Sharing
 
 • The Microsoft Routing and Remote Access service
 
 
 What is TAPI?
 
 Windows Telephony Applications Programming Interface (TAPI) is a part of the Windows Open System Architecture. By using TAPI, developers can create telephony applications. TAPI is an open industry standard, defined with significant and ongoing input from the worldwide telephony and computing community. Because TAPI is hardware-independent, compatible applications can run on a variety of PC and telephony hardware and can support a variety of network services. TAPI implements the H.323 protocol. Applications that use TAPI could be vulnerable to the issue that is described in this bulletin.
 
 Are any TAPI-based H.323 applications installed by default on any of the affected systems?
 
 Microsoft Phone Dialer is the only H.323 TAPI-based application that is installed by default on Windows 2000 and Windows XP. Third-party applications could enable and use the H.323 functionality in TAPI.
 
 Note Microsoft Phone Dialer is not included in Windows Server 2003.
 
 What is NetMeeting?
 
 NetMeeting delivers a complete Internet and enterprise conferencing solution for all users of Windows, with multipoint data conferencing, text chat, whiteboard, and file transfer, and point-to-point audio and video. NetMeeting implements the H.323 protocol and is installed by default, but is not running by default, on all affected systems.
 
If I am running NetMeeting, but I am not running Internet Connection Sharing, ICF, or the Routing and Remote Access service, am I vulnerable?
 
 Yes. When you are running NetMeeting, you are vulnerable to this issue.
 
 If I am running NetMeeting but I am not connected to an ILS server or in a peer-to-peer NetMeeting session, am I vulnerable?
 
 Yes, unless TCP ports 1720 and 1503 are blocked on the system.
 
 If I have never installed the stand-alone version of NetMeeting, am I vulnerable?
 
 NetMeeting was included as part of Windows 2000, Windows XP, and Windows Server 2003. This update addresses the versions of NetMeeting that were included with these operating systems. NetMeeting is also available as a stand-alone download for other operating systems and as part of other applications, which could also be vulnerable to this issue. If you have installed the stand-alone version of NetMeeting, install an updated version that addresses this vulnerability. To download the updated version, visit the following Web site. The updated version that addresses this vulnerability is Version 3.01 (4.4.3399).
 
 Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by this vulnerability?
 
 No. Although these operating systems may contain NetMeeting, the vulnerability is not critical on these operating systems. As a method of addressing this vulnerability, you can download and install the stand-alone version of NetMeeting for these operating systems from the following Web site. For more information about severity ratings, visit the following Web site.
 
 What is Internet Connection Firewall?
 
 Internet Connection Firewall (ICF) provides basic intrusion-prevention functionality to systems that run either Windows XP or Windows Server 2003. It is designed for systems that are directly connected to a public network or systems that are part of a home network when used with Internet Connection Sharing.
 
 If I am running only Internet Connection Firewall on Windows XP or on Windows Server 2003, am I vulnerable?
 
 No, not automatically. However, if you use NetMeeting, even with ICF running, you could be vulnerable to this issue. NetMeeting opens ports in ICF that could expose this vulnerability.
 
 Manually opening TCP ports 1720 and 1503 could also expose this vulnerability. Third-party applications may also cause ICF to open ports in response to H.323 communication.
 
 What is Internet Connection Sharing?
 
 By using Internet Connection Sharing users can connect one system to the Internet and share Internet service with several other systems on a home or small office network. The Network Setup Wizard in Windows XP automatically provides all the network settings that are necessary to share one Internet connection with all the systems in a network. Each system can use programs such as Internet Explorer and Outlook Express as if the system were directly connected to the Internet.
 
 Internet Connection Sharing is a feature of Windows 2000, Windows XP, and Windows Server 2003 but is not enabled by default on any of the affected systems.
 
 If I have enabled Internet Connection Sharing, but I have not enabled Internet Connection Firewall, am I vulnerable?
 
 Yes, Internet Connection Sharing enables the ports that could allow a system to become vulnerable to this issue.
 
 If ICF and Internet Connection Sharing are running, this attack could not occur unless the user was also using NetMeeting, or had manually opened port 1503 or port 1720.
 
 What is the Microsoft Routing and Remote Access service?
 
 The Microsoft Routing and Remote Access service makes it possible for a system that is running Windows 2000 Server or the Windows Server 2003 to function as a network router. Remote access allows users who have remote systems to create a logical connection to an organization’s network or to the Internet. The Microsoft Routing and Remote Access service supports H.323 requests that are routed either to or from a network.
 
 If I am running the Microsoft Routing and Remote Access service on Windows 2000, am I vulnerable?
 
 Yes. By default, Windows 2000 uses the Microsoft Routing and Remote Access service with Network Address Translation (NAT) functionality, which exposes the vulnerability. However, an administrator can disable the H.323 functionality by using the netsh command. Detailed steps are outlined in Microsoft Knowledge Base Article 838834.
 
 Note If a system is configured to run another Microsoft Routing and Remote Access service without NAT (for example, Virtual Private Network, OSPF, or Routing Information Protocol), it would not be affected by this vulnerability.
 
 If I am running the Microsoft Routing and Remote Access service on Windows Server 2003, am I vulnerable?
 
 No. By default, Windows Server 2003 Routing and Remote Access service does not enable the H.323 functionality. However, an administrator could enable the H.323 functionality and then expose the system to this vulnerability.
 
 What might an attacker use the vulnerability to do?
 
 An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 Who could exploit the vulnerability?
 
 Any anonymous user who could deliver a specially crafted H.323 request to any of the above affected systems.
 
 How could an attacker exploit this vulnerability?
 
 An attacker could attempt to exploit the vulnerability by locating users running NetMeeting, an H.323-based TAPI program, or both.
 
 An attacker could also attempt to exploit the vulnerability through Internet Connection Sharing by remotely executing code on systems that have Internet Connection Sharing enabled. If ICF and Internet Connection sharing are running, this attack would not be possible unless the user was also using NetMeeting.
 
 What systems are primarily at risk from the vulnerability?
 
 Systems that are running NetMeeting or that are running an H.323-based program.
 
 What does the update do?
 
 The update modifies the way that the affected systems process the specially crafted H.323 requests.
 
  Virtual DOS Machine Vulnerability - CAN-2004-0118:
 
 A privilege elevation vulnerability exists in the operating system component that handles the Virtual DOS Machine (VDM) subsystem. This vulnerability could allow a logged on user to take complete control of the system.
 
  Mitigating Factors for Virtual DOS Machine Vulnerability - CAN-2004-0118:
 
• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. It could not be exploited remotely.
 
 • Windows XP and Windows Server 2003 are not affected by this vulnerability.
 
 
  Workarounds for Virtual DOS Machine Vulnerability - CAN-2004-0118:
 
 None.
 
  FAQ for Virtual DOS Machine Vulnerability - CAN-2004-0118:
 
 What is the scope of the vulnerability?
 
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. To exploit the vulnerability, an attacker must be able to log on locally to the system and run a program.
 
 What causes the vulnerability?
 
 The operating system component that handles the VDM subsystem could be used to gain access to protected kernel memory. In certain circumstances, some privileged operating system functions might not validate system structures and could allow an attacker to execute malicious code with system privileges.
 
 What is the Virtual DOS Machine subsystem?
 
A Virtual DOS Machine (VDM) is an environment that emulates MS-DOS and DOS-based Windows in Windows NT-based operating systems. A VDM is created whenever a user starts an MS-DOS application on a Windows NT-based operating system.
 
 What might an attacker use the vulnerability to do?
 
 An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 Who could exploit the vulnerability?
 
 To exploit the vulnerability, an attacker must be able to log on locally to a system and run a program.
 
 How could an attacker exploit this vulnerability?
 
 To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially-designed application that could exploit the vulnerability, and thereby gain complete control over the affected system.
 
 What systems are primarily at risk from the vulnerability?
 
 Workstations and terminal servers are primarily at risk. Servers are only at risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.
 
 Could the vulnerability be exploited over the Internet?
 
 No. An attacker must be able to log on to the specific system targeted for attack. An attacker cannot load and run a program remotely by using this vulnerability.
 
 What does the update do?
 
 This update modifies the way that Windows validates data when referencing memory locations that are allocated to a VDM.
 
  Negotiate SSP Vulnerability - CAN-2004-0119
 
A buffer overrun vulnerability exists in the Negotiate Security Support Provider (SSP) interface that could allow remote code execution. This vulnerability exists because of the way the Negotiate SSP interface validates a value that is used during authentication protocol selection. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
 
  Mitigating Factors for Negotiate SSP Vulnerability - CAN-2004-0119:
 
 • In the most common scenarios, this vulnerability is a denial of service vulnerability.
 
 • The Negotiate SSP interface is also enabled by default in Internet Information Services (IIS). However, only Windows 2000 (IIS 5.0) and Windows Server 2003 Web Server Edition (IIS 6.0) install Internet Information Services (IIS) by default.
 
 • Windows NT 4.0 is not affected by this vulnerability.
 
 
  Workarounds for Negotiate SSP Vulnerability - CAN-2004-0119:
 
 Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
 
 • Workarounds for the Internet Information Services Attack Vector
 
 • Disable Integrated Windows Authentication
 
 Administrators can help reduce the risk of attack through Internet Information Services by disabling Integrated Windows Authentication. Information about how to enable or disable this option is available at the following Web site.
 
 Impact of Workaround: Any IIS-based applications that require Windows NT Challenge/Response authentication (NTLM) or Kerberos authentication will no longer function correctly.
 
 • Disable the Negotiate SSP
 
 Administrators can disable just the Negotiate SSP (which keeps NTLM enabled) by following the instructions in Microsoft Knowledge Base Article 215383, which is summarized below:
 
To disable Negotiate (and therefore prevent Kerberos authentication), use the following command. Notice that "NTLM" must be uppercase to avoid any adverse effects:

 cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
 
 Impact of Workaround: Any IIS-based applications that require Kerberos authentication will no longer function correctly.
 
 
 
  FAQ for Negotiate SSP Vulnerability - CAN-2004-0119:
 
 What is the scope of the vulnerability?
 
 This is a buffer overrun vulnerability. However, it is most likely a denial of service vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 What causes the vulnerability?
 
 An unchecked buffer in the Negotiate SSP interface.
 
What is the Negotiate Security Support Provider Interface?
 
 Because Windows supports many different types of authentication, the authentication method used when a client connects to a server must be negotiated. The Negotiate SSP Interface is the operating system component that provides this functionality. It is based on the Simple and Protected GSS-API Negotiate Mechanism (SPNEGO) that is defined in RFC 2478. For more information about Windows authentication methods, visit the following Web site.
 
 Why is Internet Information Services affected?
 
 The Negotiate SSP Interface is also enabled by default in Internet Information Services (IIS) so that IIS can use authentication protocols such as NTLM or Kerberos to provide secure access to resources. For more information about the methods of authentication supported by IIS, visit the following Web site.
 
 What might an attacker use the vulnerability to do?
 
 Although it is most likely that only a denial of service would result, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. If an attacker caused the affected system to become unresponsive, an administrator could restore normal functionality by restarting the affected system. However, the system could remain susceptible to a new denial of service attack until the update was applied.
 
 Who could exploit the vulnerability?
 
 Any anonymous user who could deliver a specially crafted message to an affected system could attempt to exploit this vulnerability. Because this feature is enabled by default on all affected systems, any user who could establish a connection with an affected system could attempt to exploit this vulnerability.
 
 How could an attacker exploit this vulnerability?
 
 An attacker could exploit this vulnerability by creating a specially crafted network message and sending the message to the affected system.
 
 An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely).
 
 What systems are primarily at risk from the vulnerability?
 
 All affected systems could be vulnerable to this issue by default. Furthermore, by default, systems that are running Internet Information Services 5.0, Internet Information Services 5.1, and Internet Information Services 6.0 are also vulnerable to this issue through any listening port.
 
 What does the update do?
 
 The update removes the vulnerability by modifying the way that the Negotiate SSP Interface validates the length of a message before passing the message to the allocated buffer.
 
  SSL Vulnerability - CAN-2004-0120:
 
 A denial of service vulnerability exists in the Microsoft Secure Sockets Layer (SSL) library. The vulnerability results from the way that the Microsoft SSL library handles malformed SSL messages. This vulnerability could cause the affected system to stop accepting SSL connections on Windows 2000 and Windows XP. On Windows Server 2003, the vulnerability could cause the affected system to automatically restart.
 
  Mitigating Factors for SSL Vulnerability - CAN-2004-0120:
 
 • Only systems that have enabled SSL are affected, typically only server systems. SSL support is not enabled by default on any of the affected systems. However, SSL is generally used on Web servers to support electronic commerce programs, online banking, and other programs that require secure communications.
 
 • Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
 
 • Windows NT 4.0 is not affected by this vulnerability.
 
 
  Workarounds for SSL Vulnerability - CAN-2004-0120:
 
 Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
 
 • Block ports 443 and 636 at the firewall
 
Port 443 is used to receive SSL traffic. Port 636 is used for LDAP SSL connections (LDAPS). Blocking them at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Other ports may be found that could be used to exploit this vulnerability. However, the ports listed here are the most common attack vectors. Microsoft recommends blocking all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.
 
 Impact of Workaround: If ports 443 or 636 are blocked, the affected systems can no longer accept external connections using SSL or LDAPS.
 
 
  FAQ for SSL Vulnerability - CAN-2004-0120:
 
 What is the scope of the vulnerability?
 
 A denial of service vulnerability in the Microsoft Secure Sockets Layer (SSL) library affects how it handles specially crafted SSL messages. This vulnerability could cause the affected system to stop accepting SSL connections in Windows 2000 and in Windows XP. The vulnerability in Windows Server 2003 could cause the affected system to automatically restart.
 
 Note that the denial of service vulnerability would not allow attackers to execute code or elevate their privileges, but it could cause the affected system to stop accepting requests.
 
 What causes the vulnerability?
 
 The process used by the SSL Library to check message inputs.
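As an added example, not code from the bulletin or from the Microsoft SSL library, the following C function shows the kind of input check a record-layer implementation has to make before it touches a message: every length field in an SSL 3.0 / TLS 1.0 record and handshake header is compared against the protocol maximum and against the number of bytes actually received. The sample records are constructed for this example. One simplification is an assumption: the check requires a handshake message to fit inside a single record, whereas a real implementation reassembles fragments and must bound that reassembly buffer as well. SSL 2.0 and PCT use a different framing and are not handled here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Largest record the SSL 3.0 / TLS 1.0 record layer permits: 2^14 bytes of
 * plaintext plus up to 2048 bytes of compression and cipher expansion. */
#define TLS_MAX_RECORD (16384 + 2048)

enum tls_verdict {
    TLS_OK = 0,
    TLS_SHORT_HEADER,        /* fewer than the 5 header bytes arrived */
    TLS_BAD_TYPE,            /* not change_cipher_spec/alert/handshake/application_data */
    TLS_BAD_VERSION,         /* not SSL 3.0 (0x0300) or TLS 1.0 (0x0301) */
    TLS_RECORD_TOO_LONG,     /* length field above the protocol maximum */
    TLS_TRUNCATED,           /* length field claims more bytes than were received */
    TLS_HANDSHAKE_OVERRUN    /* handshake body length exceeds the record payload */
};

/* Validate one record before any of its payload is copied or parsed. */
enum tls_verdict tls_check_record(const uint8_t *buf, size_t len)
{
    if (len < 5)
        return TLS_SHORT_HEADER;
    uint8_t  type    = buf[0];
    uint16_t version = (uint16_t)((buf[1] << 8) | buf[2]);
    uint16_t length  = (uint16_t)((buf[3] << 8) | buf[4]);

    if (type < 20 || type > 23)          /* SSL 2.0 / PCT hello framing would fail here too */
        return TLS_BAD_TYPE;
    if (version != 0x0300 && version != 0x0301)
        return TLS_BAD_VERSION;
    if (length > TLS_MAX_RECORD)
        return TLS_RECORD_TOO_LONG;
    if (length > len - 5)                /* never trust the length field over the byte count */
        return TLS_TRUNCATED;
    if (type == 22) {                    /* handshake: 1-byte msg type, 3-byte body length */
        if (length < 4)
            return TLS_HANDSHAKE_OVERRUN;
        const uint8_t *hs = buf + 5;
        uint32_t body = ((uint32_t)hs[1] << 16) | ((uint32_t)hs[2] << 8) | hs[3];
        if (body > (uint32_t)length - 4) /* assumption: one message per record */
            return TLS_HANDSHAKE_OVERRUN;
    }
    return TLS_OK;
}

/* Constructed samples (not captured traffic). */
const uint8_t good_rec[]   = { 0x16, 0x03, 0x01, 0x00, 0x08,   /* handshake, TLS 1.0, 8 bytes */
                               0x01, 0x00, 0x00, 0x04,          /* ClientHello type, body = 4 */
                               0xAA, 0xBB, 0xCC, 0xDD };
const uint8_t hs_overrun[] = { 0x16, 0x03, 0x01, 0x00, 0x08,
                               0x01, 0x10, 0x00, 0x00,          /* body claims 0x100000 bytes */
                               0xAA, 0xBB, 0xCC, 0xDD };
const uint8_t truncated[]  = { 0x16, 0x03, 0x01, 0x40, 0x00,   /* claims 16384 bytes ... */
                               0x01, 0x00, 0x00, 0x00 };        /* ... only 4 follow */
const uint8_t too_long[]   = { 0x17, 0x03, 0x01, 0xFF, 0xFF }; /* 65535 > protocol maximum */
const uint8_t bad_ver[]    = { 0x16, 0x02, 0x00, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00 };

static const char *verdict_name(enum tls_verdict v)
{
    static const char *names[] = { "ok", "short header", "bad type", "bad version",
                                   "record too long", "truncated", "handshake overrun" };
    return names[v];
}

int main(void)
{
    printf("good record      : %s\n", verdict_name(tls_check_record(good_rec,   sizeof good_rec)));
    printf("handshake overrun: %s\n", verdict_name(tls_check_record(hs_overrun, sizeof hs_overrun)));
    printf("truncated record : %s\n", verdict_name(tls_check_record(truncated,  sizeof truncated)));
    printf("oversized record : %s\n", verdict_name(tls_check_record(too_long,   sizeof too_long)));
    printf("bad version      : %s\n", verdict_name(tls_check_record(bad_ver,    sizeof bad_ver)));
    return 0;
}
```

The order of the checks matters: the protocol maximum is tested before the received byte count, so an oversized length is rejected outright rather than making the implementation wait for, or allocate for, data that will never arrive.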
 
 What is the Microsoft Secure Sockets Layer library?
 
 The Microsoft Secure Sockets Layer library contains support for a number of secure communication protocols. These include Transport Layer Security 1.0 (TLS 1.0), Secure Sockets Layer 3.0 (SSL 3.0), the older and seldom-used Secure Sockets Layer 2.0 (SSL 2.0), and Private Communication Technology 1.0 (PCT 1.0) protocol.
 
 These protocols provide an encrypted connection between a server and a client system. SSL can help protect information when users connect across public networks such as the Internet. SSL support requires an SSL certificate, which must be installed on a server. For more information about SSL, see Microsoft Knowledge Base Article 245152.
 
 What might an attacker use the vulnerability to do?
 
 In Windows 2000 and Windows XP, an attacker who successfully exploited this vulnerability could cause an affected system to stop accepting SSL connections. In Windows Server 2003, an attacker could cause the affected system to automatically restart. During that time, the affected system would not be able to respond to authentication requests. After restart, the affected system would be restored to typical functionality. However, it would still be susceptible to a new denial of service attack unless the update is applied.
 
 If an attacker exploits this vulnerability, a system error event may be recorded. The event ID 5000 may be recorded in the System event log, with the SymbolicName value of "SPMEVENT_PACKAGE_FAULT" and the following description:
 
"The security package NAME generated an exception", where NAME is "Schannel" or "Microsoft Unified Security Protocol Provider".
 
 Who could exploit the vulnerability?
 
 Any anonymous user who could deliver a specially crafted SSL message to an affected system could attempt to exploit this vulnerability.
 
 How could an attacker exploit this vulnerability?
 
 An attacker could exploit this vulnerability by creating a program that could communicate with a vulnerable server through an SSL-enabled service to send a specific kind of specially crafted TCP message. Receipt of such a message could cause the vulnerable system to fail in such a way that it could cause a denial of service.
 
 An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely).
 
 What systems are primarily at risk from the vulnerability?
 
 All systems that have SSL enabled are vulnerable. Although SSL is generally associated with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely to be vulnerable. This includes but is not limited to Internet Information Services 4.0, Internet Information Services 5.0, Internet Information Services 5.1, Exchange Server 5.5, Exchange Server 2000, Exchange Server 2003, Analysis Services 2000 (included with SQL Server 2000), and any third-party programs that use SSL.
 
 Windows 2000 domain controllers that are installed in an Active Directory domain that also has an Enterprise Root certification authority installed are affected by this vulnerability because they automatically listen for secure SSL connections.
 
 What does the update do?
 
 The update removes the vulnerability by modifying the handling of specially crafted SSL messages.
 
  ASN.1 “Double Free” Vulnerability - CAN-2004-0123
 
 A remote code execution vulnerability exists in the Microsoft ASN.1 Library. The vulnerability is caused by a possible "double-free" condition in the Microsoft ASN.1 Library that could lead to memory corruption on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, under the most likely attack scenario this issue is a denial of service vulnerability.
 
  Mitigating Factors for ASN.1 “Double Free” Vulnerability - CAN-2004-0123:
 
 • Because of the unique layout of the memory structures on each affected system, exploiting this vulnerability on a mass scale could potentially be difficult.
 
 
  Workarounds for ASN.1 “Double Free” Vulnerability - CAN-2004-0123:
 
 None.
 
  FAQ for ASN.1 “Double Free” Vulnerability - CAN-2004-0123:
 
 What is the scope of the vulnerability?
 
 While potentially a remote code execution vulnerability, this is most likely a denial of service vulnerability. However, an attacker who successfully exploited this vulnerability to allow code execution could gain complete control over an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 What causes the vulnerability?
 
 A potential "double-free" condition exists that could lead to memory corruption in the Microsoft ASN.1 Library.
 
 What is a “double free” condition?
 
An attacker could cause an affected system, while processing a specially crafted message, to try to release, or "free", the same block of memory more than once. Releasing memory that has already been freed could lead to memory corruption. An attacker could add arbitrary code to memory that is then executed when the corruption occurs. This code could then be executed at a system level of privilege.
 
 Typically, this vulnerability will cause a denial of service to occur. However, on a limited basis, code execution could occur. Because of the unique layout of the memory on each affected system, exploiting this vulnerability on a mass scale could potentially be difficult.
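The following C program is an added example, not the Microsoft ASN.1 Library's code, showing the shape of the bug the text describes and the hardened alternative in a minimal DER tag-length-value decoder. decode_unsafe attaches a heap buffer to the output element and, on a malformed length, frees it but leaves the dangling pointer behind, so a caller that releases the element on every path frees the same block a second time. decode_safe validates the length before allocating and only hands ownership to the caller on success; der_elem_free clears the pointer it frees, so a repeated release is a no-op. The sample messages are constructed; short-form DER lengths only, which is a simplification for the example. The unsafe decoder is run here only on well-formed input, since the malformed path is exactly the double free.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One decoded DER element: tag, length and an owned heap copy of the contents. */
typedef struct {
    uint8_t  tag;
    size_t   len;
    uint8_t *contents;   /* owned by this struct; NULL when nothing is owned */
} der_elem;

static int frees = 0;    /* instrumentation: how many times memory was released */

void der_elem_free(der_elem *e)
{
    if (e->contents) { free(e->contents); frees++; }
    e->contents = NULL;  /* a second call is now harmless */
    e->len = 0;
}

/* Deliberately vulnerable shape: on a bad length the buffer already attached to
 * *out is freed, but the pointer is left in place for the caller to free again. */
int decode_unsafe(const uint8_t *buf, size_t len, der_elem *out)
{
    if (len < 2) return -1;
    out->tag = buf[0];
    out->len = buf[1];
    out->contents = malloc(out->len ? out->len : 1);
    if (!out->contents) return -1;
    if (out->len > len - 2) {            /* length runs past the end of the message */
        free(out->contents); frees++;    /* first free ... */
        return -1;                       /* ... out->contents still dangles */
    }
    memcpy(out->contents, buf + 2, out->len);
    return 0;
}

/* Hardened shape: reject before allocating, and give the caller ownership only
 * of a fully decoded element. */
int decode_safe(const uint8_t *buf, size_t len, der_elem *out)
{
    out->contents = NULL; out->len = 0; out->tag = 0;
    if (len < 2) return -1;
    if (buf[1] & 0x80) return -1;        /* long-form length: unsupported in this example */
    size_t n = buf[1];
    if (n > len - 2) return -1;          /* malformed: nothing allocated, nothing to free */
    uint8_t *copy = malloc(n ? n : 1);
    if (!copy) return -1;
    memcpy(copy, buf + 2, n);
    out->tag = buf[0]; out->len = n; out->contents = copy;   /* single owner, set on success only */
    return 0;
}

/* Constructed samples: INTEGER 65537, and an INTEGER whose length byte (127) exceeds the message. */
const uint8_t good_int[] = { 0x02, 0x03, 0x01, 0x00, 0x01 };
const uint8_t bad_len[]  = { 0x02, 0x7F, 0x01 };

/* Caller pattern from the text (decode, then always free) against the safe decoder,
 * releasing twice on purpose; returns how many frees actually happened. */
int safe_roundtrip_frees(const uint8_t *buf, size_t len)
{
    der_elem e;
    frees = 0;
    (void)decode_safe(buf, len, &e);
    der_elem_free(&e);
    der_elem_free(&e);
    return frees;
}

/* Same caller pattern against the unsafe decoder; only safe for well-formed input. */
int unsafe_roundtrip_frees(const uint8_t *buf, size_t len)
{
    der_elem e = { 0, 0, NULL };
    frees = 0;
    (void)decode_unsafe(buf, len, &e);
    der_elem_free(&e);
    return frees;
}

/* Decoded length via the safe decoder, or (size_t)-1 when the element is rejected. */
size_t safe_decoded_len(const uint8_t *buf, size_t len)
{
    der_elem e;
    if (decode_safe(buf, len, &e) != 0) return (size_t)-1;
    size_t n = e.len;
    der_elem_free(&e);
    return n;
}

int main(void)
{
    printf("safe, well-formed : %d free(s)\n", safe_roundtrip_frees(good_int, sizeof good_int));
    printf("safe, bad length  : %d free(s)\n", safe_roundtrip_frees(bad_len, sizeof bad_len));
    printf("unsafe, well-formed: %d free(s)\n", unsafe_roundtrip_frees(good_int, sizeof good_int));
    /* unsafe_roundtrip_frees(bad_len, ...) would free the same block twice; not run. */
    return 0;
}
```

The property worth keeping from the hardened version is that ownership of a heap block changes hands exactly once: the decoder either returns a fully built element or nothing, and the release routine leaves no pointer behind that could be freed again.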
 
 What is ASN.1?
 
 Abstract Syntax Notation 1 (ASN.1) is a language that is used to define standards. It is used by many applications and devices in the technology industry to allow data exchange across various platforms. ASN.1 has no direct relationship to any specific standard, encoding method, programming language, or hardware platform. For more information about ASN.1, see Microsoft Knowledge Base Article 252648.
 
 What might an attacker use the vulnerability to do?
 
 An attacker who successfully exploited this vulnerability to allow code execution could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
 
 In the most likely scenario, an attacker could cause a denial of service condition. An administrator could restart the affected system to restore typical functionality.
 
 How could an attacker exploit this vulnerability?
 
 Because ASN.1 is a standard for many applications and devices, there are many potential attack vectors. To successfully exploit this vulnerability, an attacker must force a system to decode specially crafted ASN.1 data. For example, by using authentication protocols that are based on ASN.1, an attacker could construct a specially crafted authentication request that could expose this vulnerability.
 
 What systems are primarily at risk from this vulnerability?
 
 Server systems are at greater risk than client systems because they are more likely to have a server process running that decodes ASN.1 data.
 
 Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by this vulnerability?
 
 No. Although Windows Millennium Edition does contain the affected component, the vulnerability is not rated critical on that platform. For more information on severity ratings, visit the following Web site.
 
 What does the update do?
 
 The update removes the vulnerability by modifying the handling of specially crafted data by the ASN.1 Library.
 
 How does this vulnerability relate to the vulnerability corrected by MS04-007?
 
 Both vulnerabilities are in the ASN.1 component, but this update corrects a newly reported vulnerability that MS04-007 did not address. MS04-007 fully protects against the vulnerabilities discussed in that bulletin; this update includes everything provided in MS04-007 and replaces it, so if you install this update you do not need to install MS04-007.
 
  Security Update Information
 
 Installation Platforms and Prerequisites:
 
 For information about the specific security update for your platform, click the appropriate link:
 
  Windows Server 2003 (all versions)
 
 Prerequisites
 This security update requires a released version of Windows Server 2003.
 
 Inclusion in Future Service Packs:
 The update for this issue will be included in Windows Server 2003 Service Pack 1.
 
 Installation Information
 
 This security update supports the following setup switches:
 
  /help Displays the command line options
 
 Setup Modes
 
  /quiet Use Quiet mode (no user interaction or display)
 
  /passive Unattended mode (progress bar only)
 
  /uninstall Uninstalls the package
 
 Restart Options
 
  /norestart Do not restart when installation is complete
 
  /forcerestart Restart after installation
 
 Special Options
 
  /l Lists installed Windows hotfixes or update packages
 
  /o Overwrite OEM files without prompting
 
  /n Do not backup files needed for uninstall
 
  /f Force other programs to close when the computer shuts down
 
 Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that are used by the previous version of the Setup utility. For more information about the supported installation switches, view Microsoft Knowledge Base Article 262841.
 
 Deployment Information
 
 To install the security update without any user intervention, use the following command at a command prompt for Windows Server 2003:
 
 Windowsserver2003-kb835732-x86-enu /passive /quiet
 
 To install the security update without forcing the system to restart, use the following command at a command prompt for Windows Server 2003:
 
 Windowsserver2003-kb835732-x86-enu /norestart
 
 For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.
 
 Restart Requirement
 
 You must restart your system after you apply this security update.
 
 Removal Information
 
 To remove this update, use the Add or Remove Programs tool in Control Panel.
 
 System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB835732$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:
 
 /?: Show the list of installation switches.
 
 /u: Use unattended mode.
 
 /f: Force other programs to quit when the computer shuts down.
 
 /z: Do not restart when the installation is complete.
 
 /q: Use Quiet mode (no user interaction).
 
 File Information
 
 The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
 
 Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, and Windows Server 2003 Datacenter Edition:
 
  Date Time Version Size File name Platform Folder
  -----------------------------------------------------------------------------
  16-Mar-2004 02:00 5.2.3790.132 364,544 Callcont.dll X86 RTMGDR
  16-Mar-2004 02:00 5.2.3790.121 61,440 Eventlog.dll X86 RTMGDR
  16-Mar-2004 02:00 5.2.3790.132 256,000 H323.tsp X86 RTMGDR
  16-Mar-2004 02:00 5.2.3790.132 601,600 H323msp.dll X86 RTMGDR
  16-Mar-2004 02:00 5.2.3790.125 783,360 Helpctr.exe X86 RTMGDR
  16-Mar-2004 02:00 5.2.3790.142 448,512 Ipnathlp.dll X86 RTMGDR
  16-Mar-2004 02:00 5.2.3790.134 799,232 Lsasrv.dll X86 RTMGDR
  16-Mar-2004 02:00 5.2.3790.139 60,928 Msasn1.dll X86 RTMGDR
  16-Mar-2004 02:00 5.2.3790.132 253,952 Mst120.dll X86 RTMGDR
  16-Mar-2004 02:00 5.2.3790.132 73,728 Nmcom.dll X86 RTMGDR
  16-Mar-2004 02:00 5.2.3790.121 565,760 Rtcdll.dll X86 RTMGDR
  16-Mar-2004 02:00 5.2.3790.132 153,088 Schannel.dll X86 RTMGDR
  16-Mar-2004 02:09 5.2.3790.132 364,544 Callcont.dll X86 RTMQFE
  16-Mar-2004 02:09 5.2.3790.121 64,000 Eventlog.dll X86 RTMQFE
  16-Mar-2004 02:09 5.2.3790.132 256,000 H323.tsp X86 RTMQFE
  16-Mar-2004 02:09 5.2.3790.132 601,600 H323msp.dll X86 RTMQFE
  16-Mar-2004 02:09 5.2.3790.125 783,360 Helpctr.exe X86 RTMQFE
  16-Mar-2004 02:09 5.2.3790.142 448,512 Ipnathlp.dll X86 RTMQFE
  16-Mar-2004 02:09 5.2.3790.134 801,280 Lsasrv.dll X86 RTMQFE
  16-Mar-2004 02:09 5.2.3790.139 60,928 Msasn1.dll X86 RTMQFE
  16-Mar-2004 02:09 5.2.3790.132 253,952 Mst120.dll X86 RTMQFE
  16-Mar-2004 02:09 5.2.3790.132 73,728 Nmcom.dll X86 RTMQFE
  16-Mar-2004 02:09 5.2.3790.121 565,760 Rtcdll.dll X86 RTMQFE
  16-Mar-2004 02:09 5.2.3790.132 153,088 Schannel.dll X86 RTMQFE
 
 Windows Server 2003 64-Bit Enterprise Edition and Windows Server 2003 64-Bit Datacenter Edition:
 
  Date Time Version Size File name Platform Folder
  -----------------------------------------------------------------------------
  16-Mar-2004 01:54 5.2.3790.121 160,768 Eventlog.dll IA64 RTMGDR
  16-Mar-2004 01:54 5.2.3790.132 816,128 H323.tsp IA64 RTMGDR
  16-Mar-2004 01:54 5.2.3790.132 1,874,432 H323msp.dll IA64 RTMGDR
  05-Feb-2004 00:43 5.2.3790.125 2,063,360 Helpctr.exe IA64 RTMGDR
  16-Mar-2004 01:54 5.2.3790.142 1,421,312 Ipnathlp.dll IA64 RTMGDR
  16-Mar-2004 01:54 5.2.3790.134 2,034,176 Lsasrv.dll IA64 RTMGDR
  16-Mar-2004 01:54 5.2.3790.139 160,256 Msasn1.dll IA64 RTMGDR
  16-Mar-2004 01:54 5.2.3790.132 479,744 Schannel.dll IA64 RTMGDR
  16-Mar-2004 02:00 5.2.3790.132 256,000 Wh323.tsp X86 RTMGDR\WOW
  16-Mar-2004 02:00 5.2.3790.132 601,600 Wh323msp.dll X86 RTMGDR\WOW
  16-Mar-2004 02:00 5.2.3790.142 448,512 Wipnathlp.dll X86 RTMGDR\WOW
  16-Mar-2004 02:00 5.2.3790.139 60,928 Wmsasn1.dll X86 RTMGDR\WOW
  16-Mar-2004 02:00 5.2.3790.132 153,088 Wschannel.dll X86 RTMGDR\WOW
  16-Mar-2004 02:12 5.2.3790.121 167,424 Eventlog.dll IA64 RTMQFE
  16-Mar-2004 02:12 5.2.3790.132 816,128 H323.tsp IA64 RTMQFE
  16-Mar-2004 02:12 5.2.3790.132 1,874,432 H323msp.dll IA64 RTMQFE
  05-Feb-2004 00:42 5.2.3790.125 2,063,360 Helpctr.exe IA64 RTMQFE
  16-Mar-2004 02:12 5.2.3790.142 1,421,312 Ipnathlp.dll IA64 RTMQFE
  16-Mar-2004 02:12 5.2.3790.134 2,038,272 Lsasrv.dll IA64 RTMQFE
  16-Mar-2004 02:12 5.2.3790.139 160,256 Msasn1.dll IA64 RTMQFE
  16-Mar-2004 02:12 5.2.3790.132 479,744 Schannel.dll IA64 RTMQFE
  16-Mar-2004 02:09 5.2.3790.132 256,000 Wh323.tsp X86 RTMQFE\WOW
  16-Mar-2004 02:09 5.2.3790.132 601,600 Wh323msp.dll X86 RTMQFE\WOW
  16-Mar-2004 02:09 5.2.3790.142 448,512 Wipnathlp.dll X86 RTMQFE\WOW
  16-Mar-2004 02:09 5.2.3790.139 60,928 Wmsasn1.dll X86 RTMQFE\WOW
  16-Mar-2004 02:09 5.2.3790.132 153,088 Wschannel.dll X86 RTMQFE\WOW
 
 Note When you install this security update on Windows Server 2003 or on Windows XP 64-Bit Edition Version 2003, the installer checks to see if any of the files that are being updated on your system have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your system. Otherwise, the installer copies the RTMGDR files to your system. For more information, see Microsoft Knowledge Base Article 824994.
 
 Verifying Update Installation
 
 To verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.
 
 You may also be able to verify the files that this security update has installed by reviewing the following registry key:
 
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB835732\Filelist
 
 Note This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 835732 security update into the Windows installation source files.
 
  Windows XP (all versions)
 
 Note For Windows XP 64-Bit Edition Version 2003, this security update is the same as the Windows Server 2003 64-Bit Edition security update.
 
 Prerequisites
 This security update requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For more information, see Microsoft Knowledge Base Article 322389.
 
 Inclusion in Future Service Packs:
 The updates for these issues will be included in Windows XP Service Pack 2.
 
 Installation Information
 
 This security update supports the following setup switches:
 
  /help Displays the command line options
 
 Setup Modes
 
  /quiet Use Quiet mode (no user interaction or display)
 
  /passive Unattended mode (progress bar only)
 
  /uninstall Uninstalls the package
 
 Restart Options
 
  /norestart Do not restart when installation is complete
 
  /forcerestart Restart after installation
 
 Special Options
 
  /l Lists installed Windows hotfixes or update packages
 
  /o Overwrite OEM files without prompting
 
  /n Do not backup files needed for uninstall
 
  /f Force other programs to close when the computer shuts down
 
 Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that are used by the previous version of the Setup utility. For more information about the supported installation switches, view Microsoft Knowledge Base Article 262841.
 
 Deployment Information
 
 To install the security update without any user intervention, use the following command at a command prompt for Windows XP:
 
 Windowsxp-kb835732-x86-enu /passive /quiet
 
 To install the security update without forcing the system to restart, use the following command at a command prompt for Windows XP:
 
 Windowsxp-kb835732-x86-enu /norestart
 
 For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.
 
 Restart Requirement
 
 You must restart your system after you apply this security update.
 
 Removal Information
 
 To remove this update, use the Add or Remove Programs tool in Control Panel.
 
 System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB835732$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:
 
 /?: Show the list of installation switches.
 
 /u: Use unattended mode.
 
 /f: Force other programs to quit when the computer shuts down.
 
 /z: Do not restart when the installation is complete.
 
 /q: Use Quiet mode (no user interaction).
 
 File Information
 
 The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
 
 Windows XP Home Edition, Windows XP Professional, Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet PC Edition, and Windows XP Media Center Edition:
 
  Date Time Version Size File name Folder
  -----------------------------------------------------------------------
  27-Mar-2004 01:01 5.1.2600.105 48,640 Browser.dll (pre-sp1)
  27-Mar-2004 01:01 5.1.2600.133 364,544 Callcont.dll (pre-sp1)
  27-Mar-2004 01:01 5.1.2600.136 40,960 Evtgprov.dll (pre-sp1)
  27-Mar-2004 01:01 5.1.2600.132 241,664 Gdi32.dll (pre-sp1)
  27-Mar-2004 01:01 5.1.2600.134 253,440 H323.tsp (pre-sp1)
  27-Mar-2004 01:01 5.1.2600.134 593,408 H323msp.dll (pre-sp1)
  05-Feb-2004 22:14 5.1.2600.128 727,040 Helpctr.exe (pre-sp1)
  27-Mar-2004 01:01 5.1.2600.137 454,656 Ipnathlp.dll (pre-sp1)
  27-Mar-2004 01:01 5.1.2600.134 648,192 Lsasrv.dll (pre-sp1)
  27-Mar-2004 01:01 5.1.2600.132 36,864 Mf3216.dll (pre-sp1)
  27-Mar-2004 01:01 5.1.2600.137 51,712 Msasn1.dll (pre-sp1)
  27-Mar-2004 01:01 5.1.2600.128 969,216 Msgina.dll (pre-sp1)
  27-Mar-2004 01:01 5.1.2600.133 253,952 Mst120.dll (pre-sp1)
  27-Mar-2004 01:01 5.1.2600.122 301,568 Netapi32.dll (pre-sp1)
  27-Mar-2004 01:01 5.1.2600.133 73,728 Nmcom.dll (pre-sp1)
  27-Mar-2004 01:01 5.1.2600.134 550,400 Rtcdll.dll (pre-sp1)
  27-Mar-2004 01:01 5.1.2600.136 136,704 Schannel.dll (pre-sp1)
  26-Mar-2004 19:43 5.1.2600.1348 364,544 Callcont.dll (with sp1)
  26-Mar-2004 19:43 5.1.2600.1363 40,960 Evtgprov.dll (with sp1)
  26-Mar-2004 19:43 5.1.2600.1346 257,536 Gdi32.dll (with sp1)
  26-Mar-2004 19:43 5.1.2600.1348 253,440 H323.tsp (with sp1)
  26-Mar-2004 19:43 5.1.2600.1348 593,408 H323msp.dll (with sp1)
  26-Mar-2004 19:30 5.1.2600.1340 741,376 Helpctr.exe (with sp1)
  26-Mar-2004 19:43 5.1.2600.1364 439,808 Ipnathlp.dll (with sp1)
  26-Mar-2004 19:43 5.1.2600.1361 667,648 Lsasrv.dll (with sp1)
  26-Mar-2004 19:43 5.1.2600.1331 36,864 Mf3216.dll (with sp1)
  26-Mar-2004 19:43 5.1.2600.1362 51,712 Msasn1.dll (with sp1)
  26-Mar-2004 19:43 5.1.2600.1343 971,264 Msgina.dll (with sp1)
  26-Mar-2004 19:43 5.1.2600.1348 253,952 Mst120.dll (with sp1)
  26-Mar-2004 19:43 5.1.2600.1343 306,176 Netapi32.dll (with sp1)
  26-Mar-2004 19:43 5.1.2600.1348 73,728 Nmcom.dll (with sp1)
  26-Mar-2004 19:43 5.1.2600.1351 548,352 Rtcdll.dll (with sp1)
  26-Mar-2004 19:43 5.1.2600.1347 136,704 Schannel.dll (with sp1)
  10-Mar-2004 17:59 5.1.2600.1363 593,408 Xpsp2res.dll (with sp1)
 
 Windows XP 64-Bit Edition Service Pack 1:
 
  Date Time Version Size File name Platform
  --------------------------------------------------------------------------
  26-Mar-2004 19:40 5.1.2600.1363 134,656 Evtgprov.dll IA64
  26-Mar-2004 19:40 5.1.2600.1346 884,736 Gdi32.dll IA64
  26-Mar-2004 19:40 5.1.2600.1348 1,035,264 H323.tsp IA64
  26-Mar-2004 19:40 5.1.2600.1348 2,230,272 H323msp.dll IA64
  05-Feb-2004 21:40 5.1.2600.1340 2,426,368 Helpctr.exe IA64
  26-Mar-2004 19:40 5.1.2600.1364 1,782,784 Ipnathlp.dll IA64
  26-Mar-2004 19:40 5.1.2600.1361 2,069,504 Lsasrv.dll IA64
  26-Mar-2004 19:40 5.1.2600.1331 128,512 Mf3216.dll IA64
  26-Mar-2004 19:40 5.1.2600.1362 179,200 Msasn1.dll IA64
  26-Mar-2004 19:40 5.1.2600.1343 1,272,320 Msgina.dll IA64
  26-Mar-2004 19:40 5.1.2600.1343 903,168 Netapi32.dll IA64
  26-Mar-2004 19:40 5.1.2600.1347 508,416 Schannel.dll IA64
  26-Mar-2004 19:43 5.1.2600.1346 237,568 Wgdi32.dll X86
  26-Mar-2004 19:43 5.1.2600.1348 253,440 Wh323.tsp X86
  26-Mar-2004 19:43 5.1.2600.1348 593,408 Wh323msp.dll X86
  26-Mar-2004 19:43 5.1.2600.1364 439,808 Wipnathlp.dll X86
  26-Mar-2004 19:43 5.1.2600.1331 36,864 Wmf3216.dll X86
  26-Mar-2004 19:43 5.1.2600.1362 51,712 Wmsasn1.dll X86
  26-Mar-2004 19:43 5.1.2600.1343 971,264 Wmsgina.dll X86
  26-Mar-2004 19:43 5.1.2600.1343 306,176 Wnetapi32.dll X86
  26-Mar-2004 19:43 5.1.2600.1347 136,704 Wschannel.dll X86
  10-Mar-2004 17:59 5.1.2600.1363 593,408 Wxpsp2res.dll X86
  10-Mar-2004 17:59 5.1.2600.1363 592,896 Xpsp2res.dll IA64
 
 Windows XP 64-Bit Edition Version 2003:
 
  Date Time Version Size File name Platform Folder
  -----------------------------------------------------------------------------
  16-Mar-2004 01:54 5.2.3790.121 160,768 Eventlog.dll IA64 RTMGDR
  16-Mar-2004 01:54 5.2.3790.132 816,128 H323.tsp IA64 RTMGDR
  16-Mar-2004 01:54 5.2.3790.132 1,874,432 H323msp.dll IA64 RTMGDR
  05-Feb-2004 00:43 5.2.3790.125 2,063,360 Helpctr.exe IA64 RTMGDR
  16-Mar-2004 01:54 5.2.3790.142 1,421,312 Ipnathlp.dll IA64 RTMGDR
  16-Mar-2004 01:54 5.2.3790.134 2,034,176 Lsasrv.dll IA64 RTMGDR
  16-Mar-2004 01:54 5.2.3790.139 160,256 Msasn1.dll IA64 RTMGDR
  16-Mar-2004 01:54 5.2.3790.132 479,744 Schannel.dll IA64 RTMGDR
  16-Mar-2004 02:00 5.2.3790.132 256,000 Wh323.tsp X86 RTMGDR\WOW
  16-Mar-2004 02:00 5.2.3790.132 601,600 Wh323msp.dll X86 RTMGDR\WOW
  16-Mar-2004 02:00 5.2.3790.142 448,512 Wipnathlp.dll X86 RTMGDR\WOW
  16-Mar-2004 02:00 5.2.3790.139 60,928 Wmsasn1.dll X86 RTMGDR\WOW
  16-Mar-2004 02:00 5.2.3790.132 153,088 Wschannel.dll X86 RTMGDR\WOW
  16-Mar-2004 02:12 5.2.3790.121 167,424 Eventlog.dll IA64 RTMQFE
  16-Mar-2004 02:12 5.2.3790.132 816,128 H323.tsp IA64 RTMQFE
  16-Mar-2004 02:12 5.2.3790.132 1,874,432 H323msp.dll IA64 RTMQFE
  05-Feb-2004 00:42 5.2.3790.125 2,063,360 Helpctr.exe IA64 RTMQFE
  16-Mar-2004 02:12 5.2.3790.142 1,421,312 Ipnathlp.dll IA64 RTMQFE
  16-Mar-2004 02:12 5.2.3790.134 2,038,272 Lsasrv.dll IA64 RTMQFE
  16-Mar-2004 02:12 5.2.3790.139 160,256 Msasn1.dll IA64 RTMQFE
  16-Mar-2004 02:12 5.2.3790.132 479,744 Schannel.dll IA64 RTMQFE
  16-Mar-2004 02:09 5.2.3790.132 256,000 Wh323.tsp X86 RTMQFE\WOW
  16-Mar-2004 02:09 5.2.3790.132 601,600 Wh323msp.dll X86 RTMQFE\WOW
  16-Mar-2004 02:09 5.2.3790.142 448,512 Wipnathlp.dll X86 RTMQFE\WOW
  16-Mar-2004 02:09 5.2.3790.139 60,928 Wmsasn1.dll X86 RTMQFE\WOW
  16-Mar-2004 02:09 5.2.3790.132 153,088 Wschannel.dll X86 RTMQFE\WOW
 
 Note The Windows XP and Windows XP 64-Bit Edition Version 2003 versions of this security update are packaged as dual-mode packages, which contain files for both the original version of Windows XP and Windows XP Service Pack 1 (SP1). For additional information about dual-mode packages, see Microsoft Knowledge Base Article 328848.
 
 When you install the Windows XP 64-Bit Edition Version 2003 security update, the installer checks to see if any of the files that are being updated on your system have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your system. Otherwise, the installer copies the RTMGDR files to your system. For more information, see Microsoft Knowledge Base Article 824994.
 
 Verifying Update Installation
 
 To verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.
 
 You may also be able to verify the files that this security update has installed by reviewing the following registry keys:
 
 For Windows XP Home Edition, Windows XP Professional, Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP 64-Bit Edition Service Pack 1, Windows XP Tablet PC Edition, and Windows XP Media Center Edition:
 
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB835732\Filelist
 
 For Windows XP 64-Bit Edition Version 2003:
 
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB835732\Filelist
 
 Note This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 835732 security update into the Windows installation source files.
 
  Windows 2000 (all versions)
 
 Prerequisites
 For Windows 2000, this security update requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).
 
 The software that is listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the Microsoft Support Lifecycle Web site.
 
 For more information about how to obtain the latest service pack, see Microsoft Knowledge Base Article 260910.
 
 Inclusion in Future Service Packs:
 The update for this issue will be included in Windows 2000 Service Pack 5.
 
 Installation Information
 
 This security update supports the following setup switches:
 
  /help Displays the command line options
 
 Setup Modes
 
  /quiet Use Quiet mode (no user interaction or display)
 
  /passive Unattended mode (progress bar only)
 
  /uninstall Uninstalls the package
 
 Restart Options
 
  /norestart Do not restart when installation is complete
 
  /forcerestart Restart after installation
 
 Special Options
 
  /l Lists installed Windows hotfixes or update packages
 
  /o Overwrite OEM files without prompting
 
  /n Do not backup files needed for uninstall
 
  /f Force other programs to close when the computer shuts down
 
 Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that are used by the previous version of the Setup utility. For more information about the supported installation switches, view Microsoft Knowledge Base Article 262841.
 
 Deployment Information
 
 To install the security update without any user intervention, use the following command at a command prompt for Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:
 
 Windows2000-kb835732-x86-enu /passive /quiet
 
 To install the security update without forcing the system to restart, use the following command at a command prompt for Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:
 
 Windows2000-kb835732-x86-enu /norestart
 
 For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.
 
 Restart Requirement
 
 You must restart your system after you apply this security update.
 
 Removal Information
 
 To remove this update, use the Add or Remove Programs tool in Control Panel.
 
 System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB835732$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:
 
 /?: Show the list of installation switches.
 
 /u: Use unattended mode.
 
 /f: Force other programs to quit when the computer shuts down.
 
 /z: Do not restart when the installation is complete.
 
 /q: Use Quiet mode (no user interaction).
 
 File Information
 
 The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
 
 Note Date and time information could change during installation. Version, size, and file name information should be used to determine the correctness of files.
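 The "or later" rule the file tables rely on, as an added example that is not part of the bulletin: a small C program that compares file versions numerically, component by component, rather than as strings, and checks an inventory against three rows from the Windows Server 2003 RTMGDR table above. The inventory versions, the helper names and the sample table are constructed; on a live system the observed versions would come from each file's version resource. Compare only against the rows for the branch actually installed (pre-SP1 versus SP1 on Windows XP, RTMGDR versus RTMQFE on Windows Server 2003), since build numbers from different branches are not comparable.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the bulletin: "or later" file-version checking. */
typedef struct { const char *name; const char *min_version; } expected_t;
typedef struct { const char *name; const char *version; } observed_t;

/* Parse "a.b.c.d" into four 16-bit fields (the VS_FIXEDFILEINFO layout). 0 on success. */
static int parse_version(const char *s, unsigned out[4]) {
    for (int i = 0; i < 4; i++) {
        char *end;
        unsigned long v = strtoul(s, &end, 10);
        if (end == s || v > 65535) return -1;
        out[i] = (unsigned)v;
        if (*end == '\0') {                         /* fewer than four parts: pad with zeros */
            for (int j = i + 1; j < 4; j++) out[j] = 0;
            return 0;
        }
        if (*end != '.') return -1;
        s = end + 1;
    }
    return -1;                                      /* more than four parts */
}

/* -1, 0 or 1 as a < b, a == b, a > b; -2 if either string is unparsable. Numeric order
 * matters: as strings "5.2.3790.99" sorts after "5.2.3790.134", which would pass an
 * older file as "later". */
static int compare_version(const char *a, const char *b) {
    unsigned va[4], vb[4];
    if (parse_version(a, va) != 0 || parse_version(b, vb) != 0) return -2;
    for (int i = 0; i < 4; i++) {
        if (va[i] < vb[i]) return -1;
        if (va[i] > vb[i]) return 1;
    }
    return 0;
}

/* Windows file names are case-insensitive. */
static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Number of required files that are missing from the inventory or older than required. */
static int check_inventory(const expected_t *req, size_t nreq,
                           const observed_t *inv, size_t ninv, int verbose) {
    int failures = 0;
    for (size_t i = 0; i < nreq; i++) {
        const char *have = NULL;
        for (size_t j = 0; j < ninv; j++)
            if (name_eq(inv[j].name, req[i].name)) { have = inv[j].version; break; }
        int cmp = have ? compare_version(have, req[i].min_version) : -2;
        int ok = (cmp >= 0);                        /* equal or later is acceptable */
        if (!ok) failures++;
        if (verbose)
            printf("%-13s need %-13s have %-13s %s\n", req[i].name, req[i].min_version,
                   have ? have : "(missing)", ok ? "ok" : "NOT OK");
    }
    return failures;
}

/* Three rows from the bulletin's Windows Server 2003 RTMGDR table. */
static const expected_t WS2003_GDR[] = {
    { "Msasn1.dll",   "5.2.3790.139" },
    { "Lsasrv.dll",   "5.2.3790.134" },
    { "Schannel.dll", "5.2.3790.132" },
};
/* Constructed inventory (assumed values, not from the bulletin): one file at the
 * required build, one older, one later. */
static const observed_t SAMPLE_INVENTORY[] = {
    { "msasn1.dll",   "5.2.3790.139" },
    { "lsasrv.dll",   "5.2.3790.99"  },
    { "schannel.dll", "5.2.3790.200" },
};

static int sample_failures(void) {
    return check_inventory(WS2003_GDR, 3, SAMPLE_INVENTORY, 3, 0);
}

int main(void) {
    int bad = check_inventory(WS2003_GDR, 3, SAMPLE_INVENTORY, 3, 1);
    printf("%d file(s) below the required version\n", bad);
    return bad != 0;
}
```

 The sample run flags only Lsasrv.dll: 5.2.3790.99 is older than the required .134 even though a plain string comparison would rank it higher. Size and name should be checked alongside the version, as the note above says, because a file of the right version but wrong size points at a different branch or a damaged install.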
 
 Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:
 
  Date Time Version Size File name Folder
  -----------------------------------------------------------------------
  24-Mar-2004 02:17 5.0.2195.6876 388,368 Advapi32.dll
  24-Mar-2004 02:17 5.0.2195.6824 42,256 Basesrv.dll
  24-Mar-2004 02:17 5.0.2195.6866 69,904 Browser.dll
  24-Mar-2004 02:17 5.0.2195.6901 394,512 Callcont.dll
  21-Sep-2003 00:45 5.0.2195.6824 236,304 Cmd.exe
  24-Mar-2004 02:17 5.131.2195.6824 543,504 Crypt32.dll
  24-Mar-2004 02:17 5.131.2195.6824 61,200 Cryptnet.dll
  24-Mar-2004 02:17 5.0.2195.6868 76,048 Cryptsvc.dll
  24-Mar-2004 02:17 5.0.2195.6824 134,928 Dnsapi.dll
  24-Mar-2004 02:17 5.0.2195.6876 92,432 Dnsrslvr.dll
  24-Mar-2004 02:17 5.0.2195.6883 47,888 Eventlog.dll
  24-Mar-2004 02:17 5.0.2195.6898 242,448 Gdi32.dll
  24-Mar-2004 02:17 5.0.2195.6901 255,248 H323.tsp
  24-Mar-2004 00:46 502 Hfsecper.inf
  17-Mar-2004 21:50 502 Hfsecupd.inf
  24-Mar-2004 02:17 5.0.2195.6902 442,640 Ipnathlp.dll
  24-Mar-2004 02:17 5.0.2195.6890 143,632 Kdcsvc.dll
  11-Mar-2004 02:37 5.0.2195.6903 210,192 Kerberos.dll
  24-Mar-2004 02:17 5.0.2195.6897 742,160 Kernel32.dll
  21-Sep-2003 00:32 5.0.2195.6824 71,888 Ksecdd.sys
  11-Mar-2004 02:37 5.0.2195.6902 520,976 Lsasrv.dll
  25-Feb-2004 23:59 5.0.2195.6902 33,552 Lsass.exe
  24-Mar-2004 02:17 5.0.2195.6898 37,136 Mf3216.dll
  10-Feb-2004 19:47 5.0.2195.6897 30,160 Mountmgr.sys
  24-Mar-2004 02:17 5.0.2195.6824 54,544 Mpr.dll
  24-Mar-2004 02:17 5.0.2195.6905 53,520 Msasn1.dll
  24-Mar-2004 02:17 5.0.2195.6895 335,120 Msgina.dll
  24-Mar-2004 02:17 5.0.2195.6901 249,616 Mst120.dll
  11-Mar-2004 02:37 5.0.2195.6897 123,152 Msv1_0.dll
  24-Mar-2004 02:17 5.0.2195.6897 312,592 Netapi32.dll
  24-Mar-2004 02:17 5.0.2195.6891 371,472 Netlogon.dll
  24-Mar-2004 02:17 5.0.2195.6901 62,224 Nmcom.dll
  24-Mar-2004 02:17 5.0.2195.6899 497,936 Ntdll.dll
  24-Mar-2004 02:17 5.0.2195.6896 1,028,880 Ntdsa.dll
  25-Feb-2004 23:55 5.0.2195.6902 1,699,904 Ntkrnlmp.exe
  25-Feb-2004 23:55 5.0.2195.6902 1,699,264 Ntkrnlpa.exe
  25-Feb-2004 23:55 5.0.2195.6902 1,720,064 Ntkrpamp.exe
  11-Mar-2004 02:37 5.0.2195.6902 1,726,032 Ntoskrnl.exe
  24-Mar-2004 02:17 5.0.2195.6824 115,984 Psbase.dll
  24-Mar-2004 02:17 5.0.2195.6892 90,264 Rdpwd.sys
  24-Mar-2004 02:17 5.0.2195.6897 49,936 Samlib.dll
  24-Mar-2004 02:17 5.0.2195.6897 388,368 Samsrv.dll
  24-Mar-2004 02:17 5.0.2195.6893 111,376 Scecli.dll
  24-Mar-2004 02:17 5.0.2195.6903 253,200 Scesrv.dll
  11-Mar-2004 02:37 5.1.2195.6899 143,120 Schannel.dll
  19-Jun-2003 20:05 5.0.2195.6707 17,168 Seclogon.dll
  24-Mar-2004 02:17 5.0.2195.6894 971,536 Sfcfiles.dll
  05-Feb-2004 20:18 5.0.2195.6896 5,869,056 Sp3res.dll
  24-Mar-2004 02:17 1.0.0.4 27,920 Umandlg.dll
  24-Mar-2004 02:17 5.0.2195.6897 403,216 User32.dll
  05-Aug-2003 22:14 5.0.2195.6794 385,808 Userenv.dll
  24-Mar-2004 02:17 5.0.2195.6824 50,960 W32time.dll
  21-Sep-2003 00:32 5.0.2195.6824 57,104 W32tm.exe
  11-Mar-2004 02:37 5.0.2195.6897 1,720,368 Win32k.sys
  12-Dec-2003 21:38 5.1.2600.1327 311,296 Winhttp.dll
  11-Mar-2004 02:37 5.0.2195.6898 181,520 Winlogon.exe
  25-Sep-2003 18:08 5.0.2195.6826 243,984 Winsrv.dll
  24-Mar-2004 02:17 5.131.2195.6824 167,184 Wintrust.dll
  24-Mar-2004 02:17 5.0.2195.6897 742,160 Kernel32.dll Uniproc
  24-Mar-2004 02:17 5.0.2195.6899 497,936 Ntdll.dll Uniproc
  11-Mar-2004 02:37 5.0.2195.6897 1,720,368 Win32k.sys Uniproc
  25-Sep-2003 18:08 5.0.2195.6826 243,984 Winsrv.dll Uniproc
 
 Verifying Update Installation
 
 To verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.
 
 You may also be able to verify the files that this security update has installed by reviewing the following registry key:
 
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB835732\Filelist
 
 Note This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 835732 security update into the Windows installation source files.
 
  Windows NT 4.0 (all versions)
 
 Prerequisites
 This security update requires Windows NT Workstation 4.0 Service Pack 6a (SP6a), Windows NT Server 4.0 Service Pack 6a (SP6a), or Windows NT Server 4.0 Terminal Server Edition Service Pack 6 (SP6).
 
 Note The security update for Windows NT Server 4.0 Terminal Server Edition Service Pack 6 requires, as a prerequisite, the Windows NT Server 4.0 Terminal Server Edition Security Rollup Package (SRP). To download the SRP, visit the following Web site. You must install the SRP before you install the security update that is provided in this security bulletin. If you are not using Windows NT Server 4.0 Terminal Server Edition Service Pack 6 you do not need to install the SRP.
 
 The software that is listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.
 
 For more information on obtaining the latest service pack, see Microsoft Knowledge Base Article 152734.
 
 Installation Information
 
 This security update supports the following setup switches:
 
  /y: Perform removal (only with /m or /q )
 
  /f: Force programs to quit during the shutdown process
 
  /n: Do not create an Uninstall folder
 
  /z: Do not restart when the update completes
 
  /q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m )
 
  /m: Use Unattended mode with a user interface
 
  /l: List the installed hotfixes
 
  /x: Extract the files without running Setup
 
 Note You can combine these switches into one command. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.
 
 Deployment Information
 
 To install the security update without any user intervention, use the following command at a command prompt for Windows NT 4.0:
 
 Windowsnt4server-kb835732-x86-enu /q
 
 For Windows NT Server 4.0 Terminal Server Edition:
 
 Windowsnt4terminalserver-kb835732-x86-enu /q
 
 For Windows NT Workstation 4.0:
 
 Windowsnt4workstation-kb835732-x86-enu /q
 
 To install the security update without forcing the system to restart, use the following command at a command prompt for Windows NT Server 4.0:
 
 Windowsnt4server-kb835732-x86-enu /z
 
 For Windows NT Server 4.0 Terminal Server Edition:
 
 Windowsnt4terminalserver-kb835732-x86-enu /z
 
 For Windows NT Workstation 4.0:
 
 Windowsnt4workstation-kb835732-x86-enu /z
 
 For more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.
 
 Restart Requirement
 
 You must restart your system after you apply this security update.
 
 Removal Information
 
 To remove this security update, use the Add/Remove Programs tool in Control Panel.
 
 System administrators can use the Hotfix.exe utility to remove this security update. The Hotfix.exe utility is located in the %Windir%\$NTUninstallKB835732$ folder. The Hotfix.exe utility supports the following setup switches:
 
 /y: Perform removal (only with the /m or /q switch)
 
 /f: Force programs to quit during the shutdown process
 
 /n: Do not create an Uninstall folder
 
 /z: Do not restart when the installation is complete
 
 /q: Use Quiet or Unattended mode with no user interface (this switch is a superset of the /m switch)
 
 /m: Use Unattended mode with a user interface
 
 /l: List the installed hotfixes
 
 File Information
 
 The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
 
 Note Date and time information could change during installation. Version, size, and file name information should be used to determine the correctness of files.
 
 Windows NT Workstation 4.0:
 
  Date         Time   Version              Size  File name     Folder
  --------------------------------------------------------------------
  24-Jan-2004  00:12  5.131.1880.14     465,680  Crypt32.dll
  25-Sep-2002  21:36  5.0.1558.6072      90,384  Cryptdlg.dll
  12-Dec-2003  00:10  5.131.1878.14     440,080  Cryptui.dll
  27-Feb-2004  16:43  4.0.1381.7263     205,584  Gdi32.dll
  23-Feb-2004  15:13  4.0.1381.7263      40,720  Mf3216.dll
  05-Mar-2004  23:59  5.0.2195.6905      53,520  Msasn1.dll
  28-Feb-2004  01:31  5.131.1880.14      37,136  Mscat32.dll
  09-Jan-2004  15:40  4.0.1381.7255     125,200  Msgina.dll
  07-Jan-2003  02:22  5.131.1878.13      28,432  Mssip32.dll
  18-Mar-2004  10:20  4.0.1381.7265     958,336  Ntkrnlmp.exe
  18-Mar-2004  10:20  4.0.1381.7265     937,984  Ntoskrnl.exe
  25-Oct-2003  01:13  4.86.1964.1880    143,632  Schannel.dll
  12-Dec-2003  22:24  5.131.1880.14       6,928  Softpub.dll
  27-Feb-2004  16:43  4.0.1381.7255     326,928  User32.dll
  07-Jan-2004  10:47  4.0.1381.7255   1,255,152  Win32k.sys
  27-Feb-2004  16:43  4.0.1381.7260     174,864  Winsrv.dll
  19-Feb-2004  17:50  5.131.1880.14     165,648  Wintrust.dll
  25-Oct-2003  01:13  4.87.1964.1880    112,912  Schannel.dll  128bit
 
 Windows NT Server 4.0:
 
  Date         Time   Version              Size  File name     Folder
  --------------------------------------------------------------------
  24-Jan-2004  00:12  5.131.1880.14     465,680  Crypt32.dll
  25-Sep-2002  21:36  5.0.1558.6072      90,384  Cryptdlg.dll
  12-Dec-2003  00:10  5.131.1878.14     440,080  Cryptui.dll
  27-Feb-2004  16:43  4.0.1381.7263     205,584  Gdi32.dll
  23-Feb-2004  15:13  4.0.1381.7263      40,720  Mf3216.dll
  05-Mar-2004  23:59  5.0.2195.6905      53,520  Msasn1.dll
  28-Feb-2004  01:31  5.131.1880.14      37,136  Mscat32.dll
  09-Jan-2004  15:40  4.0.1381.7255     125,200  Msgina.dll
  07-Jan-2003  02:22  5.131.1878.13      28,432  Mssip32.dll
  18-Mar-2004  10:20  4.0.1381.7265     958,336  Ntkrnlmp.exe
  18-Mar-2004  10:20  4.0.1381.7265     937,984  Ntoskrnl.exe
  25-Oct-2003  01:13  4.86.1964.1880    143,632  Schannel.dll
  12-Dec-2003  22:24  5.131.1880.14       6,928  Softpub.dll
  27-Feb-2004  16:43  4.0.1381.7255     326,928  User32.dll
  07-Jan-2004  10:47  4.0.1381.7255   1,255,152  Win32k.sys
  27-Feb-2004  16:43  4.0.1381.7260     174,864  Winsrv.dll
  19-Feb-2004  17:50  5.131.1880.14     165,648  Wintrust.dll
  25-Oct-2003  01:13  4.87.1964.1880    112,912  Schannel.dll  128 Bit
 
 Windows NT Server 4.0 Terminal Server Edition:
 
  Date         Time   Version              Size  File name     Folder
  --------------------------------------------------------------------
  24-Jan-2004  00:12  5.131.1880.14     465,680  Crypt32.dll
  25-Sep-2002  21:36  5.0.1558.6072      90,384  Cryptdlg.dll
  12-Dec-2003  00:10  5.131.1878.14     440,080  Cryptui.dll
  24-Feb-2004  18:25  4.0.1381.33562    206,096  Gdi32.dll
  24-Feb-2004  18:25  4.0.1381.33562     40,208  Mf3216.dll
  05-Mar-2004  23:59  5.0.2195.6905      53,520  Msasn1.dll
  28-Feb-2004  01:31  5.131.1880.14      37,136  Mscat32.dll
  09-Jan-2004  15:41  4.0.1381.33559    208,656  Msgina.dll
  07-Jan-2003  02:22  5.131.1878.13      28,432  Mssip32.dll
  18-Mar-2004  11:44  4.0.1381.33563  1,004,160  Ntkrnlmp.exe
  18-Mar-2004  11:44  4.0.1381.33563    983,104  Ntoskrnl.exe
  25-Oct-2003  01:13  4.86.1964.1880    143,632  Schannel.dll
  12-Dec-2003  22:24  5.131.1880.14       6,928  Softpub.dll
  19-Aug-2003  13:58  4.0.1381.33552    332,048  User32.dll
  26-Jan-2004  16:59  4.0.1381.33559  1,280,816  Win32k.sys
  16-Dec-2003  17:56  4.0.1381.33559    196,368  Winsrv.dll
  19-Feb-2004  17:50  5.131.1880.14     165,648  Wintrust.dll
  25-Oct-2003  01:13  4.87.1964.1880    112,912  Schannel.dll  128bit
 
 Verifying Update Installation
 
 To verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.
 
 You may also be able to verify the files that this security update has installed by reviewing the following registry key:
 
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB835732\File 1
 
 Note This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 835732 security update into the Windows installation source files.
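 As an added example (not part of Microsoft's bulletin or its tooling), the following Python parses rows of the file table above and checks them against an inventory of what a host actually has, applying the note that version, size and file name, not date and time, decide whether the correct files are present. The INSTALLED inventory and its version strings are constructed for illustration.

```python
import re

# Rows copied from the bulletin's Windows NT Server 4.0 table (subset); the trailing
# "128 Bit" on the last row is the Folder column.
FILE_TABLE = """\
18-Mar-2004 10:20 4.0.1381.7265 937,984 Ntoskrnl.exe
07-Jan-2004 10:47 4.0.1381.7255 1,255,152 Win32k.sys
25-Oct-2003 01:13 4.86.1964.1880 143,632 Schannel.dll
25-Oct-2003 01:13 4.87.1964.1880 112,912 Schannel.dll 128 Bit
"""

# Date and time are matched but never captured: the bulletin says they may change at install.
ROW_RE = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4}\s+\d{2}:\d{2}\s+(?P<version>[\d.]+)\s+"
                    r"(?P<size>[\d,]+)\s+(?P<name>\S+)(?:\s+(?P<folder>.+))?$")

def version_tuple(v: str) -> tuple:
    """'4.0.1381.7263' -> (4, 0, 1381, 7263): compare builds numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def parse_file_table(text: str) -> dict:
    """Map (file name, folder), both lower-cased, to (minimum version tuple, size in bytes)."""
    required = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            key = (m["name"].lower(), (m["folder"] or "").strip().lower())
            required[key] = (version_tuple(m["version"]), int(m["size"].replace(",", "")))
    return required

def check_installed(required: dict, installed: dict) -> list:
    """Report files missing or older than the bulletin's version ("or later" passes).
    `installed` maps the same (name, folder) keys to the version string found on the host."""
    findings = []
    for key, (want, _size) in sorted(required.items()):
        have = installed.get(key)
        label = key[0] + (f" ({key[1]})" if key[1] else "")
        if have is None:
            findings.append(f"{label}: not found")
        elif version_tuple(have) < want:
            findings.append(f"{label}: {have} older than {'.'.join(map(str, want))}")
    return findings

# Constructed inventory standing in for what an admin would collect from a host.
INSTALLED = {
    ("ntoskrnl.exe", ""): "4.0.1381.7270",   # newer build, acceptable
    ("win32k.sys", ""): "4.0.1381.7203",     # pre-update build: flagged
    ("schannel.dll", ""): "4.86.1964.1880",  # exact match; the "128 bit" copy is absent: flagged
}
```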
 
 Acknowledgments
 
 Microsoft thanks the following for working with us to help protect customers:
 
 • Carlos Sarraute of Core Security Technologies for reporting the LDAP Vulnerability (CAN-2003-0663).
 
 • Internet Security Systems for reporting the PCT Vulnerability (CAN-2003-0719).
 
 • Ondrej Sevecek for reporting the Winlogon Vulnerability (CAN-2003-0806).
 
 • iDefense and Jouko Pynnönen for reporting the Help and Support Vulnerability (CAN-2003-0907).
 
 • Brett Moore of Security-Assessment.com, Cesar Cerrudo, and Ben Pryor for reporting the Utility Manager Vulnerability (CAN-2003-0908).
 
 • Erik Kamphuis of LogicaCMG working on behalf of the Dutch Tax Office for reporting the Windows Management Vulnerability (CAN-2003-0909).
 
 • NSFOCUS Security Team for reporting the Negotiate SSP Vulnerability (CAN-2004-0119).
 
 • John Lampe of Tenable Network Security for reporting the SSL Vulnerability (CAN-2004-0120).
 
 • Foundstone Labs and Qualys for reporting the ASN.1 “Double Free” Vulnerability (CAN-2004-0123).
 
 • eEye Digital Security for reporting the LSASS Vulnerability (CAN-2003-0533), Metafile Vulnerability (CAN-2003-0906), Local Descriptor Table Vulnerability (CAN-2003-0910), and the Virtual DOS Machine Vulnerability (CAN-2004-0118).
 
 
 Obtaining other security updates:
 
 Updates for other security issues are available from the following locations:
 
 • Security updates are available from the Microsoft Download Center: you can find them most easily by doing a keyword search for “security_patch”.
 
 • Updates for consumer platforms are available from the Windows Update Web site.
 
 
 Support:
 
 • Customers in the U.S. and Canada can get technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
 
 • International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. For more information on how to contact Microsoft for support issues, visit the International Support Web site.
 
 
 Security Resources:
 
 • The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
 
 • Microsoft Software Update Services
 
 • Microsoft Baseline Security Analyzer (MBSA)
 
 • Windows Update
 
 • Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.
 
 • Office Update
 
 
 Software Update Services (SUS):
 
 Microsoft Software Update Services (SUS) enables administrators to quickly and reliably deploy the latest critical updates and security updates to Windows® 2000 and Windows Server™ 2003-based servers, as well as to desktop systems running Windows 2000 Professional or Windows XP Professional.
 
 For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.
 
 Systems Management Server (SMS):
 
 Systems Management Server can provide assistance deploying this security update. For information about Systems Management Server, visit the SMS Web Site. For detailed information about the many enhancements to the security update deployment process that SMS 2003 provides, please visit the SMS 2003 Security Patch Management Web site. For users of SMS 2.0, it also provides several additional tools to assist administrators in the deployment of security updates, such as the SMS 2.0 Software Update Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS 2.0 Software Update Services Feature Pack utilizes the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin remediation. Some software updates may require administrative rights following a restart of the computer.
 
 Note The inventory capabilities of the SMS 2.0 Software Update Services Feature Pack may be used for targeting updates to specific computers, and the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool can be used for installation. This provides optimal deployment for updates that require explicit targeting using Systems Management Server and administrative rights after the computer has been restarted.
 
 Disclaimer:
 
 The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
 
 Revisions:
 
 • V1.0 April 13, 2004: Bulletin published
 
 

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod