Windows 2000 Hotfixes
SecurityFocus
2001-08-23
Post-SP2 Hotfixes
NOTE: Information presented on this page is relevant to US-English Intel versions of Windows 2000.
Post-Service Pack 2 Hotfixes
After installing Service Pack 2, there are still other Hotfixes that need to be applied. These Hotfixes are usually called either Post-SP2 Hotfixes or Pre-SP3 Hotfixes. Visit the Microsoft Security Bulletin Search to determine any other Hotfixes that are required.
The following is a list of current Hotfixes. Each entry includes a link to the relevant download location, a link to the relevant SecurityFocus Vulnerability Database entry (if applicable), a link to the associated Microsoft Q article, a list of technologies to which the hotfix applies, details of the updated files, and a short description of the problem the hotfix addresses.

Microsoft Windows 2000 IrDA Buffer Overflow Denial of Service Vulnerability
Download: Q252795.exe
Applies to: Windows 2000 Server; Windows 2000 Advanced Server
Bugtraq ID: 3215
Q article: Q252795
Date Time Version Size File name
-------------------------------------------------------
30-Jul-2001 19:39 5.0.2195.3985 57,296 irda.sys
16-Jul-2001 20:05 5.0.2195.3865 10,288 irenum.sys
30-Jul-2001 19:39 79,989 mdmirmdm.inf
16-Jul-2001 20:05 5.0.2195.3865 20,208 msircomm.sys

IrDA (Infrared Data Association) is the standard protocol for transmitting data using infrared devices. The Microsoft Windows 2000 software that handles IrDA contains an unchecked buffer, which a specially crafted IrDA packet could overflow, resulting in a system reboot. This vulnerability could result in a denial of service condition if the target system were continually sent these malformed packets.

Microsoft Windows NNTP Denial of Service Vulnerability
Download: Q303984.exe
Applies to: Windows 2000 Server; Windows 2000 Advanced Server
Q article: Q303984
Date Time Version Size File name
-------------------------------------------------------
18-Jul-2001 13:28 5.0.2195.3881 610,576 Nntpsvc.dll

Due to a flaw in the Microsoft Windows NNTP service, it is possible for a host to experience a denial of service condition. If malformed news postings are repeatedly submitted to a host running the affected service, all available memory resources could be consumed.
A remote attacker may be able to cause a denial of service affecting the NNTP service and other applications running on the affected host.

Microsoft Remote Procedure Call Service DoS Vulnerability
Download: Q298012.exe
Applies to: Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Professional
Q article: Q298012
Date Time Version Size File name
-------------------------------------------------------------
5/17/2001 02:33p 2000.2.3479.0 166,160 Catsrv.dll
6/28/2001 05:31p 2000.2.3479.0 575,760 Catsrvut.dll
5/17/2001 02:33p 2000.2.3479.0 96,016 Clbcatex.dll
5/17/2001 02:33p 2000.2.3479.0 508,688 Clbcatq.dll
5/17/2001 02:33p 2000.2.3479.0 37,648 Colbact.dll
5/17/2001 02:33p 2000.2.3479.0 201,488 Comadmin.dll
6/28/2001 05:31p 2000.2.3479.0 1,417,488 Comsvcs.dll
5/17/2001 02:33p 2000.2.3479.0 625,936 Comuid.dll
6/28/2001 05:31p 5.131.2195.3789 442,640 Cryptui.dll
6/21/2001 12:31a 5.0.2195.3759 270,608 Dhcpssvc.dll
5/4/2001 05:00p - 9679 Dtcsetup.cat
5/4/2001 05:00p 2000.2.3479.0 822,600 Dtcsetup.exe
5/17/2001 02:33p 2000.2.3479.0 234,256 Es.dll
7/9/2001 06:38p 5.0.2195.3831 48,912 Llsrpc.dll
7/9/2001 01:40p 5.0.2195.3831 82,192 Llssrv.exe
5/17/2001 02:33p 5.0.0.720 278,800 Mq1repl.dll
2/28/2001 06:47p 5.0.0.720 14,096 Mq1sync.exe
5/29/2001 03:22p 5.0.0.735 71,120 Mqac.sys
5/17/2001 02:33p 5.0.0.721 214,288 Mqads.dll
2/28/2001 06:47p 5.0.0.720 21,776 Mqbkup.exe
5/17/2001 02:33p 5.0.0.720 29,456 Mqcertui.dll
5/17/2001 02:33p 5.0.0.720 49,424 Mqclus.dll
5/17/2001 02:33p 5.0.0.720 29,968 Mqdbodbc.dll
5/17/2001 02:33p 5.0.0.720 75,536 Mqdscli.dll
5/17/2001 02:33p 5.0.0.720 41,744 Mqdssrv.dll
2/28/2001 06:47p 5.0.0.720 98,064 Mqmig.exe
5/17/2001 02:33p 5.0.0.720 263,952 Mqmigrat.dll
5/17/2001 02:33p 5.0.0.720 223,504 Mqoa.dll
5/17/2001 02:33p 5.0.0.720 7952 Mqperf.dll
5/30/2001 05:16p 5.0.0.735 414,992 Mqqm.dll
5/17/2001 02:33p 5.0.0.720 8464 Mqrperf.dll
5/30/2001 05:16p 5.0.0.735 91,920 Mqrt.dll
5/17/2001 02:33p 5.0.0.720 70,416 Mqsec.dll
5/17/2001 02:33p 5.0.0.720 400,144 Mqsnap.dll
12/28/2001 06:48p 5.0.0.720 14,096 Mqsvc.exe
5/17/2001 02:33p 5.0.0.720 24,336 Mqupgrd.dll
5/17/2001 02:33p 5.0.0.720 107,792 Mqutil.dll
6/28/2001 05:31p 2000.2.3479.0 681,744 Msdtcprx.dll
6/28/2001 05:31p 2000.2.3479.0 1,121,040 Msdtctm.dll
5/17/2001 02:33p 2000.2.3479.0 145,680 Msdtcui.dll
5/17/2001 02:33p 5.0.0.720 64,784 Msmq.cpl
5/17/2001 02:33p 5.0.0.720 159,504 Msmqocm.dll
5/4/2001 05:04p 2000.2.3479.0 151,312 Mtstocom.exe
5/17/2001 02:33p 2000.2.3479.0 52,496 Mtxclu.dll
5/17/2001 02:33p 2000.2.3479.0 23,824 Mtxdm.dll
6/28/2001 05:31p 2000.2.3479.0 104,208 Mtxoci.dll
6/2/2001 12:23p 5.0.2195.3669 17,168 Nddeapi.dll
5/30/2001 04:31p 5.0.2195.3655 4880 Nddeapir.exe
6/2/2001 12:22p 5.0.2195.3669 108,816 Netdde.exe
5/4/2001 12:05p 5.0.2195.2951 1,684,928 Ntkrnlmp.exe
5/4/2001 12:05p 5.0.2195.2951 1,684,672 Ntkrnlpa.exe
5/4/2001 12:05p 5.0.2195.2951 1,705,280 Ntkrpamp.exe
6/13/2001 11:13a 5.0.2195.3728 6928 Ntlsapi.dll
5/4/2001 12:05p 5.0.2195.2951 1,713,232 Ntoskrnl.exe
5/17/2001 02:33p 5.0.2195.3506 138,000 Nwprovau.dll
5/17/2001 02:33p 5.0.2195.3448 60,688 Nwwks.dll
7/9/2001 06:38p 5.0.2195.3761 940,304 Ole32.dll
5/4/2001 12:05p 5.0.2195.2780 56,080 Rasman.dll
5/4/2001 12:05p 5.0.2195.2728 150,800 Rasmans.dll
5/4/2001 12:05p 5.0.2195.2671 54,032 Rastapi.dll
7/9/2001 06:38p 5.0.2195.3831 427,792 Rpcrt4.dll
7/9/2001 06:38p 5.0.2195.3761 185,104 Rpcss.dll
5/4/2001 12:05p 5.0.2195.2896 94,320 Sfc.dll
5/22/2001 02:05p - 1,038,823 Sp2.cat
5/17/2001 02:33p 5.0.2195.3555 62,736 Spoolss.dll
4/30/2001 07:46p 5.0.2195.3555 45,840 Spoolsv.exe
5/4/2001 12:05p 5.0.2195.2780 240,208 Srv.sys
5/4/2001 12:05p 5.0.2195.2904 81,168 Srvsvc.dll
12/20/2000 11:43a 5.0.2195.3091 3856 Svcpack1.dll
6/28/2001 05:31p 5.0.2195.3753 53,520 Trksvr.dll
6/28/2001 05:31p 2000.2.3479.0 383,248 Txfaux.dll
5/4/2001 12:05p 5.0.2195.2780 97,552 Wkssvc.dll

There is an inconsistency between the interface definitions in certain RPC server stubs and the remote server's input validation code. If certain input is validated by the interface definition, there is a chance that the target server will not properly validate the input, possibly impacting the server's performance and other applications running on the affected host.
The RPC servers associated with system services in Exchange, SQL, Windows NT 4.0 and Windows 2000 are subject to this issue.

Microsoft Windows Terminal Server Service DoS Vulnerability
Download: Q292435.exe
Applies to: Windows 2000 Server; Windows 2000 Advanced Server
Q article: Q292435
Date Time Version Size File name
-----------------------------------------------------
6/27/2001 10:10a 5.0.2195.3356 19,928 Tdipx.sys
6/27/2001 10:10a 5.0.2195.3356 17,496 Tdnetb.sys
6/27/2001 10:10a 5.0.2195.3356 18,168 Tdtcp.sys

Due to a flaw in the Microsoft Terminal Server service, it is possible for a host to experience a denial of service condition. If malformed data packets are repeatedly submitted to a host running the affected service, all available memory resources could be consumed.
A remote attacker may be able to cause a denial of service affecting the Terminal service and other applications running on the affected host.

Microsoft Windows 2000 SMTP Improper Authentication Vulnerability
Download: Q302755
Applies to: Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Professional
Q article: Q302755
Date Time Version Size File name
--------------------------------------------------------
6/25/2001 08:13p 5.0.2195.3712 320,784 Aqueue.dll
6/25/2001 08:13p 5.0.2195.3712 66,832 Mailmsg.dll
6/25/2001 08:13p 5.0.2195.3649 38,160 Ntfsdrv.dll
6/25/2001 08:13p 5.0.2195.3779 434,448 Smtpsvc.dll

Due to a flaw in the authentication process of the SMTP service in Windows 2000, it is possible for a remote host to successfully authenticate and use the SMTP services as an authenticated user. This may lead to abuse of SMTP services, such as mass e-mail relaying.

Microsoft Windows 2000 LDAP SSL Password Modification Vulnerability
Download: Q299687.exe
Applies to: Windows 2000 Server; Windows 2000 Advanced Server
Q article: Q299687
Date Time Version Size File name
-------------------------------------------------------------------------
6/13/2001 05:32p 5.0.2195.3738 501,520 Lsasrv.dll(56-bit)
6/21/2001 12:23a 5.0.2195.3737 355,088 Advapi32.dll
6/21/2001 12:19a 5.0.2195.3738 519,440 Instlsa5.dll
6/21/2001 12:23a 5.0.2195.3738 142,608 Kdcsvc.dll
6/13/2001 05:43p 5.0.2195.3738 209,008 Kerberos.dll
5/29/2001 09:26a 5.0.2195.3649 69,456 Ksecdd.sys
6/13/2001 05:32p 5.0.2195.3738 501,520 Lsasrv.dll
6/13/2001 05:32p 5.0.2195.3738 33,552 Lsass.exe
6/21/2001 12:23a 5.0.2195.3758 909,072 Ntdsa.dll
6/21/2001 12:23a 5.0.2195.3762 382,224 Samsrv.dll
5/29/2001 09:53a 5.0.2195.3649 128,784 Scecli.dll
5/30/2001 02:19a 5.0.2195.3649 299,792 Scesrv.dll

Due to improper permissions verification when submitting a password modify request, a normal user can successfully change any user's Windows 2000 domain login password. This is possible if the LDAP requests are being made over an SSL session.

MS Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability
Download: Q300972.exe
Applies to: Windows 2000 Server; Windows 2000 Advanced Server
Q article: Q300972
Date Time Version Size File name
-----------------------------------------------------
24-May-2001 16:29 5.0.2195.3645 121,104 Idq.dll

Windows Index Server ships with Windows NT 4.0 Option Pack and Windows Indexing Service ships with Windows 2000. An unchecked buffer exists in the 'idq.dll' ISAPI extension associated with each service. A maliciously crafted request could allow the execution of arbitrary code on the host in the Local System context.
It should be noted that Index Server and Indexing Service do not need to be running in order for an attacker to exploit this issue. 'idq.dll' is installed by default when IIS is installed, so IIS is the only service that would need to be running.
It should be noted that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products that run affected versions of Microsoft IIS are subject to this issue. Please see the reference section for further information regarding this worm.

Multiple Windows 2000 Telnet Vulnerabilities
Download: Q299553.exe
Applies to: Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Professional
Bugtraq ID: 2843, 2844, 2846, 2847, 2849
Q article: Q299553
Date Time Version Size File name
-----------------------------------------------------
05/24/2001 04:14p 5.0.33667.1 186,128 Tlntsvr.exe

This update fixes several vulnerabilities in the Windows 2000 implementation of Telnet. These vulnerabilities include two privilege elevations, four denials of service, and one which could allow a login without specifying a domain.

Microsoft Index Server Buffer Overflow Vulnerability
Download: Q296185.exe
Applies to: Windows 2000 Server; Windows 2000 Advanced Server
Q article: Q296185
Date Time Version Size File name
------------------------------------------------------
04/12/2001 03:40p 5.0.2195.3498 42,768 Webhits.dll

Microsoft Indexing Services contains an unchecked buffer in the handling of user search requests. A maliciously crafted search request could allow the execution of arbitrary code on the host.

Microsoft Windows WebDAV Scripted Request Vulnerability
Download: rbupdate.exe
Applies to: Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Professional
Q article: Q296441
Date Time Version Size File name
------------------------------------------------------
04/05/2001 12:45p 8.102.4004.0 561,152 Msdaipp.10
04/04/2001 05:59p 8.103.4004.0 573,440 Msdaipp.15
04/08/2001 01:10p 45,056 Rb_inst.exe

Microsoft Data Access Component Internet Publishing Provider fails to properly determine the origin of WebDAV requests. An attacker could compose a web page or HTML email containing a malicious script. The script could be devised to launch WebDAV requests for resources in the user's domain. If a user accessed the hostile script, it would run locally on the user's system.
Due to the inability to properly handle WebDAV requests, the requested resources may be revealed to the attacker, depending on the permissions the user has within his domain. If the user has permissions to add, delete, change, etc. these files, the attacker could take such actions on a target host.

Microsoft Windows 2000 Event Viewer Buffer Overflow Vulnerability
Download: Q285156.exe
Applies to: Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Professional
Q article: Q285156
Date Time Version Size File name
-----------------------------------------------------
02/14/2001 03:57p 5.0.2195.3256 157,456 Els.dll

Event Viewer is a Windows 2000 troubleshooting tool used to view events recorded in the three logs maintained by the Event Log service. It is vulnerable to a buffer overflow attack caused by malformed system log entries.
Upon opening the corrupted log and viewing the details of the event, the invalid data in the entry can trigger a buffer overflow condition. This will normally result in the termination of the Event Viewer, permitting a denial of service attack to be carried out on the Event Viewer tool.
If the attacker has constructed a payload containing special "exploit code", it may be possible for arbitrary code to be executed. This code would run within the security context of the user running the Event Viewer.

Microsoft Windows 2000 Network DDE Escalated Privileges Vulnerability
Download: Q285851.exe
Applies to: Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Professional
Q article: Q285851
Date Time Version Size File name
--------------------------------------------------------
5/29/2001 09:41a 5.0.2195.3649 178,960 Winlogon.exe

Network DDE (Dynamic Data Exchange) allows processes to communicate information across a network via a trusted share. An IPC window (Network DDE Agent) enables communication between processes. Using a command function such as WM_COPYDATA, it is possible for a message to be sent through the Network DDE Agent to a trusted share with a process associated with that share. Unfortunately, the Network DDE Agent runs in the LOCAL SYSTEM context; therefore a local user can specify arbitrary code to be run with SYSTEM privileges.

Hilgraeve HyperTerminal Telnet Buffer Overflow Vulnerability
Download: Q276471
Applies to: Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Professional
Q article: Q276471
Date Time Version Size File name
--------------------------------------------------------
04/17/2001 11:53a 5.0.2195.3511 21,776 Hticons.dll
04/17/2001 11:53a 5.0.2195.3511 11,536 Htrn_jis.dll
04/17/2001 11:53a 5.0.2195.3511 575,248 Hypertrm.dll
04/17/2001 11:49a 5.0.2195.3511 6,416 Hypertrm.exe

Hilgraeve HyperTerminal is a communications/telnet application shipped and installed with every copy of Microsoft Windows 98, ME, NT 4.0, and 2000. It is the default telnet client in Windows 98 and ME but not in Windows NT 4.0 / 2000.
A buffer overflow condition exists when a user attempts to access a telnet address over 153 characters long. Depending on the data entered, a denial of service attack or arbitrary code could be launched by a malicious third party. A specially malformed telnet address could be launched on a remote system if it were embedded in an HTML page or email message.
Although HyperTerminal is also shipped with NT 4.0, it is not susceptible to this vulnerability because it cannot be configured to be the default telnet client.

Microsoft Windows 2000 Default 40-bit Encrypted Protected Store Vulnerability
Download: Q260219.exe
Applies to: Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Professional
Q article: Q260219

Windows 2000 Protected Store uses a default 40-bit encryption instead of utilizing the stronger 56-bit DES encryption that it is shipped with, or 168-bit Triple DES (if Windows 2000 has been upgraded using the High Encryption Pack). A remote or local user who possesses full administrative rights can use decryption utilities against the weakly encrypted Protected Store in order to obtain user private keys.