Windows NT 4.0 Service Pack 6a (SP6a) resolves the SP6 issue with Lotus Notes and other Winsock based applications and provides the latest updates to Microsoft Windows NT Workstation 4.0 and Windows NT Server 4.0 (including Enterprise Edition). Windows NT 4.0 SP6a contains known Year 2000 updates for Windows NT 4.0. Microsoft has released a Security Rollup Package (SRP) for Windows NT 4.0 that includes the functionality from all security patches released for Windows NT 4.0 since the release of Windows NT 4.0 Service Pack 6a (SP6a). This small, comprehensive rollup of post-SP6a fixes provides an easier mechanism for managing the rollout of security fixes.
The updated version is named Windows NT 4.0 Service Pack 6a. In addition to the problems resolved in Service Pack 6, Service Pack 6a includes: A resolution to the Winsock problem that prevents Lotus Notes and other Winsock-based programs from connecting to the server when a user does not have local administrator rights. For additional information, click the article number below to view the article in the Microsoft Knowledge Base.
Prerequisites This security update requires Windows NT Workstation 4.0 Service Pack 6a (SP6a), Windows NT Server 4.0 Service Pack 6a (SP6a), or Windows NT Server 4.0 Terminal Server Edition Service Pack 6 (SP6). Replied on September 3, 2011. Hi, Service Pack 6 (SP6) is the latest service pack for Windows NT Server 4.0, Terminal Server Edition. To download this service pack, click the link below: Windows NT Server 4.0, Terminal Server Edition Service Pack 6 is out of support lifecycle, for more details, visit See: http://www.microsoft.com/technet/archive/downloads/winnt.mspx?mfr=true.
Introduction:
Occasionally Microsoft issue a series of corrections and / or additions to an operating system after it's commercial release. The purpose of these additional patches is to:- Remove a security exploit or vulnerability.
- Correct bugs or oversights in the original design of the Operating System.
- Enhance support for existing hardware or add support for new hardware produced after the OS release.
- Change the way hardware is supported to allow for unexpected behaviour.
- To change the way in which information in the OS is presented to ease operation, configuration or setup.
For a more detailed summary of the terminology used by Microsoft to describe the types of patches and their ranking of importance see Knowledgebase article 824684 - Description of the Standard Terminology That is Used to Describe Microsoft Software Updates.
Service Packs are ALWAYS cumulative - that is, it is only necessary that you apply the most recently released one for your Operating System - all revisions which existed in previous Service Packs are included in the latest release. Hotfixes and Rollups are NOT cumulative and must be individually applied to a system - the order in which they are applied is also important.
A Service Pack, Hotfix or Rollup will automatically update all necessary files on the system - it is not necessary for you to manually copy, rename or delete any system files during their application. After the update completes, a shutdown and restart will occur to finalise the file replacements. This is required to allow NT to replace files that were in use or otherwise locked whilst the system is running.
NT 4.0 and Service Pack Status:
The table below outlines the history of Windows NT 4.0. The dates apply to all 'flavours' including Server, Workstation, Terminal Server Edition and Enterprise Edition unless otherwise noted.Title | Date Released | Support Ceased |
---|---|---|
Windows NT 4.0 OS (Build 1381) | 29 July 1996 | 31 December 2004 - See Note Below |
Service Pack 1 | 16 October 1996 | 14 March 1997 |
Service Pack 2 | 14 December 1996 | 15 August 1997 |
Service Pack 3 | 15 May 1997 | 25 January 1999 |
Service Pack 4 | 25 October 1998 | 4 August 1999 |
Service Pack 5 | 4 May 1999 | 30 February 2000 |
Service Pack 6a | 30 November 1999 | 30 June 2004 - See Note Below |
Post SP6a Security Rollup (SRP) | 26 July 2001 | 30 June 2004 - See Note Below |
Note: SECURITY ONLY hotfix support extended to 31 December 2004 for all versions EXCEPT Workstation. All support for Workstation ended on 30 Jun 2004. For further information, see these notes.
The current revision level for Windows NT 4.0 Workstation and Server is Service Pack 6a. To see what problems have been addressed in this and previous service packs, look at the following Knowledgebase articles:
- 241211 - List of Bugs Fixed in Windows NT 4.0 Service Pack 6/6a (Part 1)
- 244690 - List of Bugs Fixed in Windows NT 4.0 Service Pack 6/6a (Part 2)
- 225037 - List of Bugs Fixed in Windows NT 4.0 Service Pack 5 (Part 1)
- 244974 - List of Bugs Fixed in Windows NT 4.0 Service Pack 5 (Part 2)
- 150734 - List of Bugs Fixed in Windows NT 4.0 and Terminal Server Edition Service Pack 4 (Part 1)
- 194834 - List of Bugs Fixed in Windows NT 4.0 and Terminal Server Edition Service Pack 4 (Part 2)
- 224793 - List of Bugs Fixed in Windows NT 4.0 and Terminal Server Edition Service Pack 4 (Part 3)
- 224792 - List of Bugs Fixed in Windows NT 4.0 Service Pack 1, 2 and 3
- 152734 - How to Obtain the Latest Windows NT 4.0 Service Pack
Service Pack | Issues Addressed |
---|---|
Service Pack 1 | 9 |
Service Pack 2 | 142 |
Service Pack 3 | 181 |
Service Pack 4 | 713 |
Service Pack 5 | 239 |
Service Pack 6/6a | 278 |
Post SP6a SRP | 53 |
Total: | 1615 |
To verify your current Service Pack level do the following:
- Start
- Run
- Type winver in the box
- Press Enter
After Service Pack 6a is applied, you can then make your way through the list of hotfixes presented in the table below. My suggestion is to stick to the order presented unless you have good reasons for changing it. Most of the hotfixes are SECURITY related. If you have doubts about a vulnerability consult the relevant Security Bulletin from Microsoft (also a 'clickable' link in the table) for details.
WARNING: If you add software to your system:
- by using Control Panel > Add/Remove Programs > Windows NT Setup (that results in copying files from the original NT 4.0 install CD)
- or through normal software 'updating' system .dll files
Failure to follow correct procedure may result in STOP errors. To avoid this situation reapply the required Service Pack, Hotfixes and / or Rollups immediately after the original files have been copied from the NT 4.0 master CD and BEFORE the system is rebooted. If in doubt, ask for guidance.
A good file tracking application like FileImg from the Windows NT 4.0 Resource kit can simplify matters by making it clear whether anything on the base OS install has been modified or regressed.
If you want to check which hotfixes are installed on a system I recommend 'PSInfo', part of the PSTools package from SysInternals.
Check Security Status:
Bear Windows has written an excellent article on how to use MBSA (Microsoft Baseline Security Analyser) on NT4.0 systems. MBSA checks the security and patch status of many Windows components, not just the Operating System itself. It is located at: 'Problem 12: How to control security patches and critical updates installed in Windows NT/2K/XP/2003'Secunia run an excellent web site that tracks known vulnerbilities in computer software (including Operating Systems), their seriousness, and patches to correct the problems. Here are the links for Windows NT4.0:
Recommended Reading:
I suggest you consult the following Knowledgebase articles for a more detailed explanation of what problems you may encounter when applying Service Packs or Hotfixes (items in Bold are important):- 146887 - Repairing Windows NT After the Application of Service Pack 3
- 165418 - Before Installing a Windows NT Service Pack
- 166160 - Stop C000021a after Applying Windows NT 4.0 Service Pack
- 168132 - After Applying Service Pack NT Reports Single Processor
- 175960 - Err Msg: Service Pack Setup Could Not Find the Setup.log File in Your Repair Directory
- 196269 - When to Reinstall a Service Pack
- 196603 - Repair Windows NT After Installation of Service Pack 4 or Later
- 222507 - Incorrect Service Pack Level Displayed After Applying Hotfix
- 226798 - Desktop Icons Are Rearranged After You Install Windows NT Service Pack 4
- 236387 - Unable to Start Windows Explorer After Applying Service Pack 5
- 236954 - Error Message Repairing Windows NT After Installing Service Pack
- 248113 - Files That Are Not Removed When You Uninstall Service Pack 6 or 6a
- 249799 - Slow Network Performance with Service Pack 4, 5, 6, or 6a
- 255987 - Windows NT Service Pack Requires Logon with Local Administrator Permissions After Reboot
- 264450 - Reduced Working Set Size After Installing Windows NT Service Pack 6a
- 829302 - You Cannot Install a Service Pack, a Hotfix or Security Fix in Windows NT 4.0
How to Use This List:
The numbers of the Knowledgebase articles presented are 'clickable' links that will open the full text of the item (by going to the Support site at Microsoft.com) in a NEW browser window. Close the window to return to this site.Colour coding is used to signify the level of danger an unpatched system may encounter as follows:
RED | DANGER | NO PATCH EXISTS FOR THIS ISSUE. Notes may detail means by which the vulnerability can be lessened or negated. |
Pink | CRITICAL | It is VITAL that this patch be installed to ensure system safety. |
Light Grey | Required | Patch is STRONGLY recommended. |
Light Yellow | Optional | This patch may be important, but is only required in specific circumstances as detailed in the Notes. |
You can download the required patch from the Microsoft servers using the supplied link on the relevant Knowledgebase page. Hotfixes that have been obsoleted by more recent patches are NOT mentioned in this list, and do not have to be applied.
Please read the notes relating to the Service Pack or Hotfix before applying it to your system. In some cases, failure to follow the correct procedure when applying a patch may lead to an unbootable system.
Article Number | Title | Security Bulletin | Notes |
---|---|---|---|
242294 | MS99-041: Security Descriptor Allows Priviledge Elevation on Remote Computers | MS99-041 | None |
244599 | Fixes Required in TCSEC C2 Security Evaluation Configuration for Windows NT 4.0 Service Pack 6a | None | Apply Service Pack 6a First |
246009 | Windows NT 4.0 Service Pack 6a Available | None | None |
258437 | FIX: GetEffectiveRightsFromAcl() Fails in Service Pack 6 | None | Apply Service Pack 6a First |
272386 | Upgrade Prompt for Windows Media Player Appears Continually | None | Only Required if Media Player V6.4 Installed - Manual Registry Patch |
299444 | Post Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP) | Additional Information Below | Requires Service Pack 6a First - Caution: See KB Articles 305462, 305929, 307866, 318420 and 326248 Before Applying |
300987 | Windows NT 4.0 Winbond Super I/O Floppy Disk Controller May Not Report Data Underrun or Overrun Condition Correctly | None | Only Required for Hardware Specified |
304158 | Patch for 'HyperTerminal Buffer Overflow' Vulnerability in Windows NT 4.0 | MS00-079 | Only Required if HyperTerminal Accessory is Installed |
307866 | You Cannot Log On to the Computer After You Run a Repair Process if SRP is Installed | None | Caution: Ensure This Hotfix Applied After Security Rollup 299444 |
314147 | MS02-006: An Unchecked Buffer in the SNMP Service May Allow Code to Run | MS02-006 | Only Required if SNMP Service is Installed |
318138 | MS02-029: Unchecked Buffer in Remote Access Service Phonebook Allows Code to Run | MS02-029 | None |
320206 | MS02-024: Authentication Flaw in Windows Debugger Can Cause Elevated Privileges | MS02-024 | None |
320920 | MS02-032: Windows Media Player Rollup Available | MS02-032 | Only Required if Media Player V6.4 Installed - This Patch Supersedes and Totally Replaces 308567, 320944, 321678 Manual Registry Patches Required - See KB Articles 272386 and 320944 for further details |
323172 | Flaw in Certificate Enrolment Control May Cause Digital Certificates to be Deleted | MS02-048 | None |
323255 | MS02-055: Unchecked Buffer in Windows Help Facility May Allow Attacker to Run Code | MS02-055 | Only Required if Hypertext Help Facility Installed |
326830 | MS02-045: Unchecked Buffer in Network Share Provider May Lead to Denial-of-Service | MS02-045 | None |
331953 | MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks | MS03-010 | Caution: No Available Patch for NT 4.0 - Ensure Port 135 is blocked by Firewall |
810833 | Unchecked Buffer in the Locator Service Might Permit Code to Run | MS03-001 | None |
814078 | MS03-008: Flaw in Windows Script Engine May Allow Code to Run | MS03-008 | Only Required if Microsoft Java Virtual Machine Installed |
815021 | MS03-007: Unchecked Buffer in Windows Component May Cause Web Server Compromise (ntdll.dll) | MS03-007 | None |
817606 | MS03-024: Buffer Overrun in Windows Could Lead to Data Corruption | MS03-024 | None |
819696 | MS03-030: Unchecked Buffer in DirectX Could Enable System Compromise | MS03-030 | Only Required if Media Player V6.4 or Internet Explorer V6.0 (SP1) Installed |
823559 | MS03-023: Buffer Overrun in the HTML Converter Could Allow Code Execution | MS03-023 | Only Required if HTML Authoring Software (eg: Office) Installed |
823803 | MS03-029: A Flaw in a Windows Function Might Allow Denial of Service | MS03-029 | Caution: See KB Article 825501 Before Applying - This Patch Refuses to Apply on a Workstation System (See Note 1) |
824105 | MS03-034: Flaw in NetBIOS Could Lead to Information Disclosure | MS03-034 | This Patch Refuses to Apply on a Workstation System (See Note 1) |
828035 | MS03-043: Buffer Overrun in Messenger Service Could Allow Code Execution | MS03-043 | Caution: See KB Article 831579 Before Applying |
828741 | MS04-012: Cumulative Update for Microsoft RPC/DCOM | MS04-012 | Danger: Known Security Exploit - Ensure this Hotfix is Applied. This Patch Supersedes and Totally Replaces 823980 (MS03-026) and 824146 (MS03-039) |
832353 | FIX: Some URL Script Commands Do Not Work After You Apply Windows Media Update From Knowledgebase Article 828026 | None | Only Required if Media Player V6.4 Installed. This Patch Supersedes and Totally Replaces 828026 See 828026 for Important Information on Setting Registry Controls |
835732 | MS04-011: Security Update for Microsoft Windows | MS04-011 | Danger: Critical Security Status - Ensure this Hotfix is Applied. This Patch Supersedes and Totally Replaces 329115 (MS02-050), 328310 (MS02-071), 811493 (MS03-013), 823182 (MS03-041), 824141 (MS03-045) and 828028 (MS04-007) Caution: See KB Article 841180 and 841384 Before Applying |
840987 | MS04-032: Security Update for Microsoft Windows | MS04-032 | This Patch Refuses to Apply on a Workstation System (See Note 2) |
841356 | MS04-037: Vulnerability in Windows Shell Could Allow Remote Code Execution | MS04-037 | This Patch Supersedes and Totally Replaces 839645 (MS04-024) |
841533 | MS04-031: Vulnerability in NetDDE Could Allow Remote Code Execution | MS04-031 | This Patch Refuses to Apply on a Workstation System (See Note 2) |
841872 | MS04-020: A Vulnerability in POSIX Could Allow Code Execution | MS04-020 | None |
870763 | MS04-045: Vulnerability in WINS Could Allow Remote Code Execution | MS04-045 | Only Required for Server System Providing WINS |
873339 | MS04-043: Vulnerability in HyperTerminal Could Allow Code Execution | MS04-043 | Only Required if HyperTerminal Accessory is Installed - This Patch Refuses to Apply on a Workstation System (See Note 2) |
873350 | MS04-029: Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service | MS04-029 | This Patch Refuses to Apply on a Workstation System (See Note 2) |
883935 | MS04-036: Vulnerability in NNTP Could Allow Code Execution | MS04-036 | Only Required for Server System Providing NNTP Service |
885249 | MS04-042: A Vulnerability in DHCP Could Allow Remote Code Execution and Denial of Service | MS04-042 | Only Required for Server System Providing DHCP Service |
885250 | MS05-011: Vulnerability in Server Message Block Could Allow Remote Code Execution | MS05-011 | Caution: No Available Patch for NT 4.0 - Primary Threat would be from SMB traffic within the LAN |
885834 | MS05-010: Vulnerability in the License Logging Service Could Allow Code Execution | MS05-010 | Only Required on a Server System Running Licensing Service |
885835 | MS04-044: Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege | MS04-044 | This Patch Refuses to Apply on a Workstation System (See Note 2) |
885836 | MS04-041: A Vulnerability in WordPad Could Allow Code Execution | MS04-041 | This Patch Refuses to Apply on a Workstation System (See Note 2) |
890175 | MS05-001: Vulnerability in HTML Help Could Allow Code Execution | MS05-001 | Only Required if Internet Explorer V6.0 or above is Installed Caution: See KB Articles 892641 and 892675 Before Applying |
891711 | MS05-002: Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution | MS05-002 | This Patch Refuses to Apply on a Workstation System (See Note 2) |
912919 | MS06-001: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution | MS06-001 | Caution: No Available Patch for NT 4.0 - Files of Type .wmf should be handled with care |
921883 | MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution | MS06-040 | Caution: No Available Patch for NT 4.0 - Ensure TCP Ports 139 and 445 are blocked by Firewall |
Notes:
- Microsoft offer a patch for Workstation by making a request by phone or email to customer support. Alternately, see the procedure described here.
- These patches are officially 'unsupported' by Microsoft for use on a Workstation system. This is merely a commercial decision. The hotfix.inf can be adjusted to override this - see the procedure described here.
Additional Information Regarding the 'Post Service Pack 6a Security Rollup' (SRP - Hotfix Q299444):
The Security Rollup (SRP) is a single package which contains the following 53 hotfixes which had been previously released:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Making the Latest Hotfixes Work on Workstation:
<Short political rant follows>Microsoft have taken the extraordinary position of ending security hotfix support for Workstation 6 months prior to Server. I'm afraid I am left with no option but to conclude that this is a grubby commercial decision in the ongoing campaign of trying to kill NT4 off. If you check the 'Product Lifecycle' page at the Microsoft website, you will discover the NT4 (and specifically Workstation) has a remarkably SHORTER OS product lifecycle as compared to the latest releases. (Windows 2000, Windows XP and Windows Server 2003)
To attempt to shorten it's life still further, by denying users access to essential security patches, is unconscionable. It could be argued that it is essential that these hotfixes be applied if at all possible, to lessen any security risks exposed by the 'holes' in the OS. It could be further argued that Microsoft, in taking the deliberate step of refusing to offer these patches for Workstation, is attempting to convince customers that the OS is now 'unsafe' and should be upgraded. I also believe the timing of these hotfixes is extremely questionable. How convenient it is that such a major raft of serious security flaws are found only 3 months after support has ended.
I consider this further compelling evidence of a deliberate campaign to end Windows NT 4.0 whilst it is still a useful and active participant in general computing.
<EOR>
The reality is that the security hotfixes released after 30 June 2004, and that are supposedly 'NT4 Server only', are able to be used on Workstation equally as well. To adjust the patches for use, expand the contents of the downloaded .exe file (using a programme like WinZip) into a convenient folder. Make sure that all the content of the patch is grouped together in this one place. Manually edit the included hotfix.inf file in the package as described here:
Save the amended hotfix.inf in place of the original expanded from the supplied package. Apply the hotfix by simply double-clicking 'hotfix.exe'. The patch should now execute and apply normally.
ACKNOWLEDGMENT: This technique was first announced in October 2004 by Reed Darsey at www.networksecurityarchive.org. I have since independently verified it's accuracy, using Microsoft supplied 'Workstation enabled' patches for the items referred to in Knowledgebase articles 823803 and 824105.
Cleaning Up a System After Hotfixes / Service Packs:
When Hotfix.exe or Update.sys replace files on a machine it builds a series of 'back out' folders with names in the form $NTUninstallxxxxxx$ (the xxxxxx section is unique for each patch applied and based on the Hotfix number) in the %systemroot% (usually this is WinNT). When you apply a Service Pack the creation of this 'back out' folder is optional, determined by a button you press at the EULA screen of the Service Pack.WARNING: Microsoft are inconsistent in their creation of 'back out' folders. In some instances, uninstall information is placed in a folder in 'Program FilesUninstall Information' instead.
If you are satisfied that the changes made to your system by Hotfixes and/or Service Packs are stable, and you no longer require the ability to be able to 'back out' of the changes, you can remove this uninstall information. This will often free considerable amounts of space in the boot partition. You may simply delete the corresponding $NTUninstall --- $ folder and all it's contents.
The Hotfix / Service Pack also adds an entry in the 'Add/Remove Programs' applet of Control Panel. In the interests of not causing future confusion, it is advisable that the uninstall entry be removed from the list, since deletion of the $NTUninstall --- $ folder has rendered the uninstall from Control Panel impossible.
To remove the redundant entries (they take the form of Qxxxxxx or KBxxxxxx) from the 'Add/Remove Programs' section of Control Panel, manual editing of the Registry is required. If you unfamiliar with this process, or unsure of what you are doing, seek out experienced assistance. Incorrectly editing the Registry can irreparably damage an NT installation.
Procedure:
Open the registry with RegEdit.exe. Navigate to the key:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstall
Under this key you will find a subkey in the form Qxxxxxx or KBxxxxxx for each Hotfix / Service Pack applied. Delete the appropriate subkey for the hotfix that had it's 'back out' folder deleted.
WARNING: Service Packs / Hotfixes / Rollups also add an entry to the registry key:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionHotfix
DO NOT alter this entry in any fashion. These keys list what Hotfixes have been applied. (Programmes like Systems Internals 'PSInfo' use this information)
For more information on how a patch is applied using Hotfix.exe and Update.exe see the following Microsoft Knowledgebase articles:
- 184305 - How to Install and Remove Hotfixes with HOTFIX.EXE
- 262841 - Command-Line Switches for Windows Software Update Packages
- 824687 - Command-Line Switches for Microsoft Software Update Packages
Acknowledgements:
Thanks to Bear Windows, Petros Zimourtopoulos, Taed Wynnell and Roderick Thompson for additions and corrections on this page.Back to Index
All promotional photographs and advertising material, corporate names and logos, product names, trade names, trademarks and registered trademarks are the property of their respective owners, and are acknowledged as such.
This list is maintained by ZCM Services, Australia. Whilst every care is taken in the preparation of this information, I accept no responsibility for errors or omissions. Use the information presented on this site AT YOUR OWN RISK.Last Update April 7, 2010 at 9:13 PMAEST.
-->Security Bulletin
Vulnerability in POSIX Could Allow Code Execution (841872)
Published: July 13, 2004 | Updated: August 10, 2004
Version: 2.0
Issued: July 13, 2004
Updated: August 10, 2004
Version: 2.0
Summary
Who should read this document: Customers who use Microsoft® Windows® 2000 or Windows NT 4.0
Impact of Vulnerability: Local Elevation of Privilege
Maximum Severity Rating: Important
Recommendation: Customers should install the update at the earliest opportunity.
Security Update Replacement: None
Caveats: None
Tested Software and Security Update Download Locations:
Affected Software:
Microsoft INTERIX® 2.2 – Download the update
Microsoft Windows NT® Workstation 4.0 Service Pack 6a – Download the update
Microsoft Windows NT Server 4.0 Service Pack 6a – Download the update
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 – Download the update
Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 4 – Download the update
Non-Affected Software:
- Microsoft Windows XP and Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server™ 2003
- Microsoft Windows Server 2003 64-Bit Edition
- Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Me)
The software in this list has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.
General Information
Executive Summary
Executive Summary:
This update resolves a newly-discovered, privately reported vulnerability. A privilege elevation vulnerability exists in the POSIX operating system component (subsystem). The vulnerability is documented in the Vulnerability Details section of this bulletin.
An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
We recommend that customers install the update at the earliest opportunity.
Severity Ratings and Vulnerability Identifiers:
Vulnerability Identifiers | Impact of Vulnerability | Windows NT 4.0 | Windows 2000 |
---|---|---|---|
POSIX Vulnerability - CAN-2004-0210 | Privilege Elevation | Important | Important |
This assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Frequently asked questions (FAQ) related to this security update
Why has Microsoft re-issued this bulletin?
Microsoft re-issued this bulletin on August 10, 2004 to advise on the availability of a security update for Microsoft INTERIX 2.2. Subsequent to the release of this bulletin, it was determined that the vulnerability addressed also affects this product. Microsoft has updated the bulletin with additional information about Microsoft INTERIX 2.2 and also to direct users to a security update for this product. Customers who are not using Microsoft INTERIX 2.2 and have previously installed the security updates provided as part of the original release of this bulletin do not need to install the new security update.
I'm still using Microsoft Windows NT 4.0 Workstation Service Pack 6a or Windows 2000 Service Pack 2, but extended security update support ended on June 30, 2004. However, this bulletin has a security update for these operating system versions. Why is that?
Windows NT 4.0 Workstation Service Pack 6a and Windows 2000 Service Pack 2 have reached the end of their life cycles as previously documented, and Microsoft extended this support to June 30, 2004. However, the end-of-life for the extended support period occurred very recently. In this case, the majority of the steps that are required to address this vulnerability were completed before June 30, 2004. Therefore, we have decided to release security updates for these operating system versions as part of this security bulletin. We do not anticipate doing this for future vulnerabilities affecting these operating system versions, but we reserve the right to produce updates and to make these updates available when necessary.
It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to future vulnerabilities. For more information about the Windows Product Life Cycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the following Microsoft Product Support Services Web site.
Customers who require additional support for Windows NT Workstation 4.0 SP6a must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of phone numbers. When you call, ask to speak with the local Premier Support sales manager.
For more information, see the Windows Operating System FAQ.
Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if this update is required?
Yes. MBSA will determine if this update is required. For more information about MBSA, visit the MBSA Web site.
Note After April 20, 2004, the Mssecure.xml file that is used by MBSA 1.1.1 and earlier versions is no longer being updated with new security bulletin data. Therefore, scans that are performed after that date with MBSA 1.1.1 or earlier will be incomplete. All users should upgrade to MBSA 1.2 because it provides more accurate security update detection and supports additional products. Users can download MBSA 1.2 from the MBSA Web site. For more information about MBSA support, visit the following Microsoft Baseline Security Analyzer1.2 Q&A Web site.
Can I use Systems Management Server (SMS) to determine if this update is required?
Yes. SMS can help detect and deploy this security update. For information about SMS, visit the SMS Web site.
Vulnerability Details
POSIX Vulnerability - CAN-2004-0210
A privilege elevation vulnerability exists in the POSIX subsystem. This vulnerability could allow a logged on user to take complete control of the system.
Mitigating Factors for POSIX Vulnerability - CAN-2004-0210:
- An attacker must have valid logon credentials and be able to logon locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
- Windows XP and Windows Server 2003 are not affected by this vulnerability.
Workarounds for POSIX Vulnerability - CAN-2004-0210:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
Disable the POSIX subsystem through the registry
This workaround is fully documented in Microsoft Knowledge Base Article 101270. This article is summarized in the following paragraphs.
The following steps demonstrate how to disable the POSIX subsystem.
Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the 'Changing Keys And Values' Help topic in Registry Editor (Regedit.exe) or view the 'Add and Delete Information in the Registry' and 'Edit Registry Data' Help topics in Regedt32.exe.
Note We recommend backing up the registry before you edit it.
Click Start, click Run, type 'regedt32' (without the quotation marks), and then click OK.
In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerSubsystemsPosix
Click the POSIX data value, click Edit, and then click Delete.
Click OK to confirm the delete, and then restart the system.
Note To enable the POSIX subsystem, re-create the registry key. The name if the registry key is Posix, the type of registry key is REG_EXPAND_SZ, and the registry key value is %SystemRoot%system32psxss.exe. After you have done this, restart the system.
Impact of Workaround: POSIX programs are disabled until the POSIX subsystem is enabled.
FAQ for POSIX Vulnerability - CAN-2004-0210:
What is the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
What causes the vulnerability?
An unchecked buffer in the POSIX subsystem.
What is the POSIX subsystem?
You can run applications that are created for the Portable Operating System Interface for UNIX (POSIX) standard under Windows NT 4.0 and Windows 2000. The operating systems provide support for nonnative applications by emulating the environments in which they are designed to be processed. This support is provided through environment subsystems. Except for the Microsoft Win32 subsystem, which is the native environment of Windows, each environment is optional and is used only when a client application requires its services. For more information about POSIX support, visit the following MSDN Library Web Site.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Who could exploit the vulnerability?
To exploit the vulnerability, an attacker must be able to log on locally to a system that has the POSIX subsystem enabled.
How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially-designed program that could attempt to exploit the vulnerability, and thereby gain complete control over the affected system.
An attacker could also access the affected component through another vector. For example, an attacker could use another program that passes parameters to the vulnerable component (locally or remotely).
What systems are primarily at risk from the vulnerability?
Windows NT 4.0 and Windows 2000 systems are at risk from this vulnerability. Windows XP and Windows Server 2003 do not contain the POSIX subsystem. For more information about the support of POSIX in Windows XP and in Windows Server 2003, see Microsoft Knowledge Base Article 308259.
Workstations and terminal servers are primarily at risk. Servers are only at risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.
Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system that is targeted for attack. An attacker cannot load and run a program remotely by exploiting this vulnerability.
What does the update do?
The update removes the vulnerability by modifying the way that the POSIX subsystem validates the length of a message before it passes the message to the allocated buffer.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information indicating that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Security Update Information
Installation Platforms and Prerequisites:
For information about the specific security update for your platform, click the appropriate link:
Windows 2000 (all versions)
PrerequisitesFor Windows 2000, this security update requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).
The software that is listed has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the Microsoft Support Lifecycle Web site.
For more information about how to obtain the latest service pack, see Microsoft Knowledge Base Article 260910.
Inclusion in Future Service Packs:The update for this issue will be included in Windows 2000 Service Pack 5.
Installation Information
This security update supports the following setup switches:
/help Displays the command line options
Setup Modes
/quiet Quiet mode (no user interaction or display)
/passive Unattended mode (progress bar only)
/uninstall Uninstalls the package
Restart Options
/norestart Do not restart when installation is complete
/forcerestart Restart after installation
Special Options
/l Lists installed Windows hotfixes or update packages
/o Overwrite OEM files without prompting
/n Do not backup files needed for uninstall
/f Force other programs to close when the computer shuts down
/extract Extracts files without starting setup
Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the previous version of the setup utility uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.
Deployment Information
To install the security update without any user intervention, use the following command at a command prompt for Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:
Windows2000-kb841872-x86-enu /passive /quiet
To install the security update without forcing the system to restart, use the following command at a command prompt for Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:
Windows2000-kb841872-x86-enu /norestart
For more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.
Restart Requirement
In some cases, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason or if required files are in use, this update will require a restart. If this occurs, a message appears that advises you to restart.
Removal Information
To remove this security update, use the Add or Remove Programs tool in Control Panel.
System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%$NTUninstallKB841872$Spuninst folder. The Spuninst.exe utility supports the following setup switches:
/?: Show the list of installation switches.
/u: Use unattended mode.
/f: Force other programs to quit when the computer shuts down.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
File Information
The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Note Date, time, file name, or size information could change during installation. Refer to the Verifying Update Installation section for details on verifying an installation.
Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:
Verifying Update Installation
Microsoft Baseline Security Analyzer
To verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. This tool allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.
File Version Verification
Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
Click Start, and then click Search.
In the Search Results pane, click All files and folders under Search Companion.
In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
In the list of files, right-click a file name from the appropriate file information table, and then click Properties.
Note Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.
On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.
Note Attributes other than file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying the update installation. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.
Registry Key Verification
You may also be able to verify the files that this security update has installed by reviewing the following registry key:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftUpdatesWindows 2000SP5KB841872Filelist
Note This registry key may not contain a complete list of installed files. Also, this registry key may not be created correctly when an administrator or an OEM integrates or slipstreams the 841872 security update into the Windows installation source files.
Windows NT 4.0 (all versions)
PrerequisitesThis security update requires Windows NT Workstation 4.0 Service Pack 6a (SP6a), Windows NT Server 4.0 Service Pack 6a (SP6a), or Windows NT Server 4.0 Terminal Server Edition Service Pack 6 (SP6).
The software that is listed has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.
For more information about obtaining the latest service pack, see Microsoft Knowledge Base Article 152734.
Installation Information
This security update supports the following setup switches:
/y: Perform removal (only with /m or /q )
/f: Force programs to quit during the shutdown process
/n: Do not create an Uninstall folder
/z: Do not restart when the update completes
/q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m )
/m: Use Unattended mode with a user interface
/l: List the installed hotfixes
/x: Extract the files without running Setup
Note You can combine these switches into one command. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.
Deployment Information
To install the security update without any user intervention, use the following command at a command prompt for Windows NT Server 4.0:
Windowsnt4server-kb841872-x86-enu /q
For Windows NT Server 4.0 Terminal Server Edition:
Windowsnt4terminalserver-kb841872-x86-enu /q
For Windows NT Workstation 4.0:
Windowsnt4workstation-kb841872-x86-enu /q
To install the security update without forcing the system to restart, use the following command at a command prompt for Windows NT Server 4.0:
Windowsnt4server-kb841872-x86-enu /z
For Windows NT Server 4.0 Terminal Server Edition:
Windowsnt4terminalserver-kb841872-x86-enu /z
For Windows NT Workstation 4.0:
Windowsnt4workstation-kb841872-x86-enu /z
For more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.
Restart Requirement
In some cases, this update does not require a restart. The installer stops the needed services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason or if required files are in use, this update will require a restart. If this occurs, a message appears that advises you to restart.
Removal Information
To remove this security update, use the Add/Remove Programs tool in Control Panel.
System administrators can also use the Hotfix.exe utility to remove this security update. The Hotfix.exe utility is located in the %Windir%$NTUninstallKB841872$ folder. The Hotfix.exe utility supports the following setup switches:
/y: Perform removal (only with the /m or /q switch)
/f: Force programs to quit during the shutdown process
/n: Do not create an Uninstall folder
/z: Do not restart when the installation is complete
/q: Use Quiet or Unattended mode with no user interface (this switch is a superset of the /m switch)
/m: Use Unattended mode with a user interface
/l: List the installed hotfixes
File Information
The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Note Date, time, filename, or size information could change during installation. Refer to the Verifying Update Installation section for details on verifying an installation.
Windows NT Workstation 4.0 and Windows NT Server 4.0:
Windows NT Server 4.0 Terminal Server Edition:
Verifying Update Installation
Microsoft Baseline Security Analyzer
To verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. This tool allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.
File Version Verification
Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
Click Start, and then click Search.
In the Search Results pane, click All files and folders under Search Companion.
In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
In the list of files, right-click a file name from the appropriate file information table, and then click Properties.
Note Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.
On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.
Note Attributes other than file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying the update installation. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.
Registry Key Verification
You may also be able to verify the files that this security update has installed by reviewing the following registry key:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionHotfixKB841872File 1
Note This registry key may not contain a complete list of installed files. Also, this registry key may not be created correctly when an administrator or an OEM integrates or slipstreams the 841872 security update into the Windows installation source files.
Other Information
Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
- Rafal Wojtczuk working with McAfee for reporting the POSIX Vulnerability (CAN-2004-0210).
Windows Nt 4.0 Sp6 Download
Obtaining Other Security Updates:
Updates for other security issues are available from the following locations:
- Security updates are available from the Microsoft Download Center: You can find them most easily by doing a keyword search for 'security_patch'.
- Updates for consumer platforms are available from the Windows Update Web site.
Support:
- Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
- International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.
Security Resources:
- The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
- Microsoft Baseline Security Analyzer (MBSA)
- Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.
Software Update Services:
By using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.
For more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.
Systems Management Server:
Microsoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and to perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, see the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.
Note SMS uses the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, see the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided 'as is' without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
Service Pack 6a
- V1.0 (July 13, 2004): Bulletin published
- V2.0 (August 10, 2004): Updated to reflect an additional affected product - Microsoft INTERIX 2.2
Windows Nt Service Pack 6 Download
Built at 2014-04-18T13:49:36Z-07:00