What’s this bulletin about?
Microsoft Security Bulletin MS00-066
announces the availability of a patch that eliminates a vulnerability in
Microsoft® Windows 2000. Microsoft is committed to protecting customers'
information, and is providing the bulletin to inform customers of the
vulnerability and what they can do about it.
What’s the scope of the vulnerability?
This is a Denial of Service
vulnerability. A malicious user could exploit the vulnerability to cause
the RPC (Remote Procedure Call) service on a remote Windows 2000 Server to
crash. An affected RPC service will stop responding to client requests.
The computers at greatest risk from this vulnerability are Windows 2000
servers that are directly exposed on the Internet. Computers protected by a
firewall that follows the security best practice of blocking incoming and
outgoing traffic on ports 135-139 and 445 are protected from attacks that
attempt to exploit this vulnerability.
Microsoft Windows NT 4.0 computers are not affected by this
vulnerability.
What causes the vulnerability?
A flaw in the RPC service can cause
the RPC service to crash when sent a particular kind of malformed RPC
client packet. A server that had been subject to a successful attack
exploiting this vulnerability would have to be rebooted in order to
restore RPC service.
What is the RPC service?
Remote Procedure Call (RPC) is a facility
that allows a program on one Windows system (the client) to invoke the
services of another program running on a separate Windows system (the
server) in a distributed network. RPC is an application level protocol
that can use the communications services of any of the Windows networking
protocols including TCP/IP.
For example, RPC is used when a Windows NT or Windows 2000 client logs
into a domain or when an Outlook client connects to an Exchange server.
The client uses RPC to call the server to validate the user login attempt
or to connect to the Exchange server.
What would this vulnerability let a malicious user do?
A malicious
user could exploit this vulnerability to crash the RPC service on a
Windows 2000 server and render it incapable of responding to service
requests. This vulnerability would provide no capability for an attacker
to gain administrative privileges on the server or to gain unauthorized
access to files or other resources on the server. After a successful
attack, the server could be restored to operation by rebooting.
How would this vulnerability be exploited?
In order to exploit
this vulnerability, a malicious RPC client would have to send a malformed
RPC packet to a Windows 2000 server. On receiving the malformed RPC
packet, the server would crash, and could be restarted by rebooting.
Could this vulnerability be exploited accidentally?
No. Exploiting
this vulnerability would require a very specific series of steps that have
no legitimate purpose. Those steps would only be taken by a malicious user
attempting to exploit this vulnerability.
Could this vulnerability be exploited remotely?
Yes. This
vulnerability is present in the Windows 2000 RPC service, which is
intended to be accessed remotely. However, if best practices were followed
and the server were protected by a firewall that blocked ports 135-139 and
445, only systems behind the firewall would have the potential to launch a
successful attack.
What machines are at greatest risk from this vulnerability?
The
computers at greatest risk are those directly connected to the Internet.
If best practices were followed and a server was protected by a firewall
that blocked ports 135-139 and 445, it would only be subject to attack by
other machines on its local intranet.
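The firewall posture the bulletin recommends (blocking inbound and outbound traffic on ports 135-139 and 445) is described for a perimeter firewall in front of Windows 2000 servers. As an added example that is not part of MS00-066 or of any Microsoft guidance, the following PowerShell expresses the same rule set on a host that runs Windows Firewall with the NetSecurity module (Windows 8 / Server 2012 or later is assumed; the rule names are made up here):

```powershell
# Added example, not from the bulletin. Assumes the NetSecurity module
# (New-NetFirewallRule / Get-NetFirewallRule) is available on the host.
# The port list is the one the bulletin recommends blocking at the firewall.
$ports = @('135-139', '445')

foreach ($proto in 'TCP', 'UDP') {
    # Inbound: stop remote clients from reaching RPC endpoint mapper,
    # NetBIOS and SMB on this host (the direction the DoS arrives from).
    New-NetFirewallRule -DisplayName "Block inbound RPC/NetBIOS/SMB ($proto)" `
        -Direction Inbound -Protocol $proto -LocalPort $ports `
        -Action Block -Profile Any

    # Outbound: the bulletin blocks both directions; this mirrors that.
    New-NetFirewallRule -DisplayName "Block outbound RPC/NetBIOS/SMB ($proto)" `
        -Direction Outbound -Protocol $proto -RemotePort $ports `
        -Action Block -Profile Any
}

# Verify that the rules exist and carry the expected port filters.
Get-NetFirewallRule -DisplayName 'Block *RPC/NetBIOS/SMB*' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort, RemotePort
```

Applied unchanged on a domain member, these rules also block legitimate domain logon and file-sharing traffic from the local intranet, which is exactly the traffic the bulletin says remains possible behind the firewall. Scope them with `-Profile Public` or with `-RemoteAddress` limited to untrusted networks if the host must still serve intranet clients.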
Where can I get more information on ports 135-139 and 445?
Please
reference http://www.isi.edu/in-notes/iana/assignments/port-numbers
for more information.
Would it be possible to prevent the attack by disabling the RPC
service?
It is not practical to disable the RPC service on a Windows
2000 server. RPC is an integral part of the operating system, and many
services will not function with RPC disabled.
Does this vulnerability affect Windows NT 4.0?
This vulnerability
does not affect computers running Windows NT 4.0.
Who should use the patch?
Microsoft recommends that customers with Windows 2000 computers directly
exposed to the Internet install the patch, and that other customers
consider installing it.
What does the patch do?
The patch eliminates the vulnerability by
removing the flaw in the RPC service when sent a malformed RPC packet from
a client.
Where can I get the patch?
The download location for the patch is provided in the "Patch
Availability" section of the security bulletin.
How do I use the patch?
Knowledge Base article Q272303
contains detailed instructions for applying the patch.
Note: This patch will also be included in the next Service Pack
for Windows 2000. The patch can be applied to a computer with or without
Service Pack 1.
How can I tell if I installed the patch correctly?
The Knowledge
Base article Q272303
provides a manifest of the files in the patch package. The easiest way to
verify that you've installed the patch correctly is to verify that these
files are present on your computer, and have the same sizes and creation
dates as shown in the KB article.
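The check described above (compare the files on disk with the manifest in the KB article) can be scripted so that every server is verified the same way. The following is an added example, not code from the bulletin or from KB Q272303; the file names, sizes and dates in `$Manifest` are placeholders, because the bulletin does not reproduce the manifest, and must be replaced with the values from the KB article. It assumes the host can run PowerShell.

```powershell
# Added example, not from the bulletin. Every entry below is a PLACEHOLDER;
# fill in the real file names, sizes and dates from KB article Q272303.
$Manifest = @(
    @{ Path = "$env:SystemRoot\System32\PLACEHOLDER_FILE_1.DLL"; Size = 0; Created = '2000-01-01' }
    @{ Path = "$env:SystemRoot\System32\PLACEHOLDER_FILE_2.EXE"; Size = 0; Created = '2000-01-01' }
)

function Test-PatchManifest {
    # Returns one object per manifest entry with Status of
    # OK, Missing, SizeMismatch or DateMismatch.
    param([Parameter(Mandatory)][object[]]$Manifest)

    foreach ($entry in $Manifest) {
        $item = Get-Item -LiteralPath $entry.Path -ErrorAction SilentlyContinue
        $expectedDate = ([datetime]$entry.Created).Date

        $status = if (-not $item) { 'Missing' }
                  elseif ($item.Length -ne $entry.Size) { 'SizeMismatch' }
                  elseif ($item.CreationTime.Date -ne $expectedDate) { 'DateMismatch' }
                  else { 'OK' }

        [pscustomobject]@{
            Path         = $entry.Path
            Status       = $status
            ExpectedSize = $entry.Size
            ActualSize   = if ($item) { $item.Length } else { $null }
            ActualDate   = if ($item) { $item.CreationTime.Date } else { $null }
        }
    }
}

$report = Test-PatchManifest -Manifest $Manifest
$report | Format-Table -AutoSize

# Non-zero exit code if anything differs, so the script can gate a rollout.
if ($report | Where-Object Status -ne 'OK') { exit 1 } else { exit 0 }
```

File creation dates are only a weak check (copying a file resets its creation time), so treat a date mismatch on a file whose size matches as something to investigate rather than as proof the patch is absent; where the KB article lists file versions, comparing `(Get-Item $path).VersionInfo.FileVersion` is the more reliable test.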
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security
bulletin and this FAQ to provide customers with a detailed
understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all
subscribers to the Microsoft
Product Security Notification Service, a free e-mail service that
customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article Q272303
explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft
TechNet Security web site is the best place to get information
about Microsoft security.
How do I get technical support on this issue?
Microsoft
Product Support Services can provide assistance with this or any other
product support issue.