Microsoft KB Archive/824105

= MS03-034: Flaw in NetBIOS could lead to information disclosure =

Article ID: 824105

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Media Center Edition 2002
 * Microsoft Windows XP Tablet PC Edition
 * Microsoft Windows XP Professional for Itanium-based systems
 * Microsoft Windows XP Professional for Itanium-based systems
 * Microsoft Small Business Server 2000 Standard Edition
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft BackOffice Small Business Server 4.5
 * Microsoft BackOffice Small Business Server 4.0a
 * Microsoft BackOffice Small Business Server 4.0
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows NT Server 4.0 Standard Edition

-





SYMPTOMS
Network basic input/output system (NetBIOS) is an API that can be used by programs on a local area network (LAN). NetBIOS provides programs with a uniform set of commands for requesting the lower-level services that the programs must have to manage names, conduct sessions, and send datagrams between nodes on a network.

A security issue has been identified in Microsoft Windows that could allow an attacker to see information in your computer’s memory over a network. This vulnerability involves one of the NetBIOS over TCP/IP (NetBT) services, the NetBIOS Name Server (NBNS). With this service, you can find a computer's IP address by using its NetBIOS name, and vice versa.

Under certain conditions, the response to a NetBT name service query may, in addition to the usual reply, contain random data from the destination computer's memory. This data may be a piece of HTML if the user on the destination computer is using an Internet browser, or it may contain other types of data that existed in memory at the time when the destination computer responded to a NetBT name service query.

An attacker could seek to exploit this vulnerability by sending the destination computer a NetBT name service query and then looking carefully at the response to determine whether any random data from that computer's memory is included.

Note If typical security practices are followed and if port 137 User Datagram Protocol (UDP) is blocked at the firewall, Internet-based attacks are not possible.

Mitigating Factors
 * Any information disclosure would be completely random in nature.
 * By default, Internet Connection Firewall (ICF) blocks those ports. ICF is available with Windows XP and Windows Server 2003.
 * To exploit this vulnerability, an attacker must be able to send a specially crafted NetBT request to port 137 on the destination computer and then examine the response to see whether any random data from that computer's memory is included. For intranet environments, these ports are typically accessible, but for Internet-connected computers, these ports are typically blocked by a firewall.



Security Patch Information
For more information about how to resolve this vulnerability, click the appropriate link in the following list.


 * Windows Server 2003
 * Windows XP
 * Windows 2000
 * Windows NT Workstation 4.0 and Windows NT Server 4.0

Download Information
The following files are available for download from the Microsoft Download Center:

Windows Server 2003 (32-bit Editions)

Download the 824105 package now.

Windows Server 2003 (64-bit Editions)

Download the 824105 package now.

Release Date: September 3, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
This security patch requires the released version of Windows Server 2003.

Installation Information
This security patch supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use Unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /n : Do not back up files for removal.
 * /o : Overwrite OEM files without prompting.
 * /z : Do not restart when installation is complete.
 * /q : Use Quiet mode (no user interaction).
 * /l : List installed hotfixes.
 * /x : Extract the files without running Setup.

Deployment Information
To install the security patch without any user intervention, use the following command:

WindowsServer2003-KB824105-x86-ENU /u /q

To install the security patch without forcing the computer to restart, use the following command:

WindowsServer2003-KB824105-x86-ENU /z

Note You can combine these switches in one command.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart Requirement
You must restart your computer after you apply this security patch.

Removal Information
To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB824105$\Spuninst folder. The utility supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /z : Do not restart when installation is complete.
 * /q : Use Quiet mode (no user interaction).

Security Patch Replacement Information
This security patch does not replace any other security patches.

File Information
The English version of this security patch has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

  Date         Time   Version            Size    File name   Folder   Platform ---  18-Jul-2003  15:15  5.2.3790.69       534,016  Netbt.sys   Rtmgdr   Ia64 18-Jul-2003 15:15  5.2.3790.69       534,016  Netbt.sys   Rtmqfe   Ia64

18-Jul-2003 15:16  5.2.3790.69       195,072  Netbt.sys   Rtmgdr   X86 18-Jul-2003 15:15  5.2.3790.69       195,072  Netbt.sys   Rtmqfe   X86 Note When you install this security patch on a computer that is running Windows Server 2003, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you previously installed a hotfix to update one of these files, the installer copies the hotfix files to your computer. Otherwise, the installer copies the General Distribution Releases (GDR) files to your computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

824994 Description of the contents of a Windows Server 2003 product update package

You can verify the files that this security patch installs by reviewing the following registry key:

To verify the individual files, use the date/time and version information that is provided in the file information table to make sure that the correct files are present on the computer.

Download Information
The following files are available for download from the Microsoft Download Center:

Windows XP Home Edition, Windows XP Professional, Windows XP Media Center Edition, and Windows XP Tablet PC Edition

Download the 824105 package now.

Windows XP 64-bit Edition Version 2002

Download the 824105 package now.

Windows XP 64-bit Edition Version 2003

Download the 824105 package now.

Release Date: September 3, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
This security patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Installation Information
This security patch supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use Unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /n : Do not back up files for removal.
 * /o : Overwrite OEM files without prompting.
 * /z : Do not restart when installation is complete.
 * /q : Use Quiet mode (no user interaction).
 * /l : List installed hotfixes.
 * /x : Extract the files without running Setup.

Deployment Information
To install the security patch without any user intervention, use the following command:

WindowsXP-KB824105-x86-ENU /u /q

To install the security patch without forcing the computer to restart, use the following command:

WindowsXP-KB824105-x86-ENU /z

Note You can combine these switches in one command.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart Requirement
You must restart your computer after you apply this security patch.

Removal Information
To remove this security patch, use the Add or Remove Programs tool in Control Panel.

Security Patch Replacement Information
This security patch does not replace any other security patches.

File Information
The English version of this security patch has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP Home Edition, Windows XP Professional, Windows XP Media Center Edition, and Windows XP Tablet PC Edition

     Date         Time   Version            Size    File name   Platform ---     23-Jul-2003  16:15  5.1.2600.117      149,120  Netbt.sys   X86       (pre-SP1) 08-Jul-2003 21:48  5.1.2600.1243     149,248  Netbt.sys   X86       (with SP1) Windows XP 64-bit Edition Version 2002      Date         Time   Version            Size    File name   Platform ---     23-Jul-2003  16:15  5.1.2600.117      553,088  Netbt.sys   Ia64      (pre-SP1) 08-Jul-2003 21:49  5.1.2600.1243     553,728  Netbt.sys   Ia64      (with SP1)

Windows XP 64-bit Edition Version 2003   Date         Time   Version            Size    File name   Folder   Platform ---  18-Jul-2003  15:15  5.2.3790.69       534,016  Netbt.sys   Rtmgdr   Ia64 18-Jul-2003 15:15  5.2.3790.69       534,016  Netbt.sys   Rtmqfe   Ia64 Note The Windows XP Home Edition, Windows XP Professional, Windows XP Media Center Edition, Windows XP Tablet PC Edition, and Windows XP 64-Bit Edition Version 2002 versions of this security patch are packaged as dual-mode packages. For additional information about dual-mode packages, click the following article number to view the article in the Microsoft Knowledge Base:

328848 Description of dual-mode update packages for Windows XP

Note When you install the Windows XP 64-bit Edition Version 2003 security patch on a computer that is running Windows XP 64-bit Edition Version 2003, the installer checks to see whether any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you previously installed a hotfix to update one of these files, the installer copies the hotfix files to your computer. Otherwise, the installer copies the General Distribution Releases (GDR) files to your computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

824994 Description of the contents of a Windows Server 2003 product update package

You can verify the files that this security patch installs by reviewing the following registry key.

Windows XP:

Windows XP with Service Pack 1 (SP1):

To verify individual files, use the date/time and version information that is provided in the file information table to make sure that the correct file is present on the computer.

Download Information
The following file is available for download from the Microsoft Download Center:

Download the 824105 package now.

Release Date: September 3, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Note This security patch will not install on Windows 2000 Datacenter Server. For information about how to obtain a security patch for Windows 2000 Datacenter Server, contact your participating OEM vendor. For additional information about Windows 2000 Datacenter Server, click the following article number to view the article in the Microsoft Knowledge Base:

265173 The Datacenter program and Windows 2000 Datacenter Server product

Prerequisites
This security patch requires Windows 2000 Service Pack 3 (SP3) or Windows 2000 Service Pack 4 (SP4).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Installation Information
This security patch supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use Unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /n : Do not back up files for removal.
 * /o : Overwrite OEM files without prompting.
 * /z : Do not restart when installation is complete.
 * /q : Use Quiet mode (no user interaction).
 * /l : List installed hotfixes.
 * /x : Extract the files without running Setup.

You can verify that the security patch is installed on your computer by confirming that the following registry key exists:

Deployment Information
To install the security patch without any user intervention, use the following command:

Windows2000-KB824105-x86-ENU /u /q

To install the security patch without forcing the computer to restart, use the following command:

Windows2000-KB824105-x86-ENU /z

Note You can combine these switches in one command.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart Requirement
You must restart your computer after you apply this security patch.

Removal Information
To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB824105$\Spuninst folder. The utility supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /z : Do not restart when installation is complete.
 * /q : Use Quiet mode (no user interaction).

Security Patch Replacement Information
This security patch does not replace any other security patches.

File Information
The English version of this security patch has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

  Date         Time   Version            Size    File name --  16-Jul-2003  17:44  5.0.2195.6783     163,600  Netbt.sys You can verify the files that this security patch installs by reviewing the following registry key:

To verify individual files, use the date/time and version information that is provided in the file information table to make sure that the correct files are present on the computer.

Download Information
The following files are available for download from the Microsoft Download Center:

Windows NT Workstation 4.0 and Windows NT Server 4.0 Server:

Download the 824105 package now.

Windows NT 4.0 Server, Terminal Server Edition:

Download the 824105 package now.

Release Date: September 3, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
This security patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to obtain the latest Windows NT 4.0 service pack

Installation Information
This security patch supports the following Setup switches:
 * /y : Perform removal (only with /m or /q ).
 * /f : Force programs to be closed at shutdown.
 * /n : Do not create an Uninstall folder.
 * /z : Do not restart when update completes.
 * /q : Use Quiet or Unattended mode with no user interface (this switch is a superset of /m ).
 * /m : Use Unattended mode with user interface.
 * /l : List installed hotfixes.
 * /x : Extract the files without running Setup.

Deployment Information
To install the security patch without any user intervention on a Windows NT 4.0-based computer, use the following command:

WindowsNT4Server-KB824105-x86-ENU.EXE /q

To install the security patch without any user intervention on a Windows NT 4.0 Server, Terminal Server Edition-based computer, use the following command:

WindowsNT4TerminalServer-KB824105-x86-ENU.EXE /q

To install the security patch on a Windows NT 4.0-based computer without forcing the computer to restart, use the following command:

WindowsNT4Server-KB824105-x86-ENU.EXE /z

To install the security patch on a Windows NT 4.0 Server, Terminal Server Edition-based computer without forcing the computer to restart, use the following command:

WindowsNT4TerminalServer-KB824105-x86-ENU.EXE /z

Note You can combine these switches in one command.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart Requirement
You must restart your computer after you apply this security patch.

Removal Information
To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Hotfix.exe utility to remove this security patch. The Hotfix.exe utility is located in the %Windir%\$NTUninstallKB824105$ folder. The utility supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /z : Do not restart when installation is complete.
 * /q : Use Quiet mode (no user interaction).

Security Patch Replacement Information
This security patch does not replace any other security patches.

File Information
The English version of this security patch has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows NT 4.0 Server:   Date         Time   Version            Size    File name --  16-Jul-2003  13:44  4.0.1381.7224     125,296  Netbt.sys Windows NT 4.0 Server, Terminal Server Edition:   Date         Time   Version            Size    File name --  16-Jul-2003  13:44  4.0.1381.7224     125,296  Netbt.sys To verify that the security patch has been installed on your computer, confirm that all files that are listed in the file information table are present on the computer.



WORKAROUND
Although Microsoft urges all customers to apply the security patch at the earliest possible opportunity, there are several workarounds that you can use in the interim that may help to prevent the vector that is used to exploit this vulnerability.

These workarounds are temporary measures. They may only help to block the paths of attack. They do not correct the underlying vulnerability.

The following sections provide information that you can use that may help to protect your computer from attack. Each section describes the workarounds that you can use, depending on your computer’s configuration and depending on the level of functionality that you require.  Block TCP and UDP on port 137 at your firewall on the affected computers.

Port 137 is used by the NetBT name service. Blocking TCP and UDP at the firewall may help to prevent computers behind that firewall from being attacked by attempts to exploit these vulnerabilities. Use ICF (only available in Windows XP and Windows Server 2003). If you are using the ICF in Windows XP or Windows Server 2003 to help to protect your Internet connection, it will by default block inbound NetBT traffic from the Internet. For more information about how to enable ICF and about other options that are available, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/library/28d7c0c4-539e-4510-9431-9e52d24e0a021033.mspx?mfr=true

 Block the affected port by using an Internet Protocol security (IPSec) filter on the affected computer.

You may help to secure network communications on Windows 2000-based computers if you use IPSec. For additional information about IPSec and about how to apply filters, click the following article numbers to view the articles in the Microsoft Knowledge Base:

313190 How to use IPSec IP filter lists in Windows 2000

813878 How to block specific network protocols and ports by using IPSec

 Disable NetBIOS over TCP/IP (NetBT).

You can also disable NetBT on computers that are running Windows 2000, Windows XP, or Windows Server 2003. For more information about how to do this and what might be affected by doing this, see the &quot;NetBIOS over TCP/IP (NetBT) concepts&quot; section in the Windows 2000 documentation:

http://msdn2.microsoft.com/en-us/library/ms143696.aspx

</li></ul>

For more information about how you may help to protect your computer online, see the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/library/28d7c0c4-539e-4510-9431-9e52d24e0a021033.mspx?mfr=true

<div class="status_section">

STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the &quot;Applies To&quot; section..

<div class="moreinformation_section">

MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-034.mspx

Additional query words: security_patch

Keywords: kbhotfixserver kbwin2000presp5fix kbsecvulnerability kbsecurity kbsecbulletin kbqfe kbfix kbbug KB824105

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.