Microsoft KB Archive/822679

= MS03-025: Flaw in Windows message handling through Utility Manager could enable privilege elevation =

Article ID: 822679

Article Last Modified on 7/30/2007


APPLIES TO


 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 3



Technical updates

 * July 10, 2003: Changed the registry key references from "Q822679" to "KB22679."
 * August 4, 2003: Changed the registry key references from "KB22679" to "KB822679."



SYMPTOMS
Microsoft Windows 2000 includes support for Accessibility options. Accessibility options are a set of assistive technologies in Windows that permits users with disabilities to access the full functionality of the operating system. You can turn on or turn off the Accessibility options by using shortcuts that are built into the operating system or by using Utility Manager. Utility Manager is an accessibility utility that permits users to check the status of accessibility programs (for example, Microsoft Magnifier, Windows Narrator, and On-Screen Keyboard) and to turn them on or off.

There is a flaw in the way that Utility Manager handles Windows messages. Windows messages provide a way for interactive processes to react to user events (for example, keystrokes or mouse movements) and to communicate with other interactive processes. A security vulnerability occurs because the control that provides the list of accessibility options to the user does not correctly validate Windows messages that are sent to it. Therefore, it is possible for one process in the interactive desktop to use a specific Windows message to cause the Utility Manager process to run a callback function at the address of its choice. Because the Utility Manager process runs at a higher level of permissions than the first process, this provides the first process with a method of exercising that higher level of permissions.

By default, Utility Manager contains controls that run in the interactive desktop with LocalSystem permissions. As a result, an attacker who had the ability to log on to a system interactively could potentially run a program that sends a specially crafted Windows message to the Utility Manager process, causing Utility Manager to take any action that the attacker specifies. This would give the attacker complete control over the system.

Note The attack cannot be carried out remotely, and the attacker would have to have the ability to interactively log on to the system.
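The class of flaw described above, shown as an added example that is not Microsoft's code and not part of the original article: a portable C model (no Win32 calls) in which a control receives a message whose parameter selects a callback. The message id `MSG_SORT`, the `message` struct and all function names are hypothetical; the flawed handler calls whatever address the sender supplies, while the validating handler accepts only an index into its own table of callbacks.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not Win32 and not Utility Manager code. */
enum { MSG_SORT = 1 };                    /* hypothetical message id */
typedef int (*compare_fn)(int, int);
typedef struct { int id; uintptr_t param; } message;

static int ascending(int a, int b)  { return a - b; }
static int descending(int a, int b) { return b - a; }

/* Stands in for code the control never meant to run; counts its calls. */
static int marker_hits;
static int marker(int a, int b) { (void)a; (void)b; return ++marker_hits; }

/* The only callbacks the control is willing to invoke. */
static const compare_fn approved[] = { ascending, descending };

/* Flawed handler: trusts the parameter as a code address and calls it. */
int handle_unvalidated(const message *m) {
    if (m->id != MSG_SORT) return -1;
    compare_fn fn = (compare_fn)m->param;
    fn(1, 2);
    return 0;
}

/* Validating handler: the parameter is only an index into approved[];
   anything out of range is rejected and nothing is called. */
int handle_validated(const message *m) {
    if (m->id != MSG_SORT) return -1;
    if (m->param >= sizeof approved / sizeof approved[0]) return -1;
    approved[m->param](1, 2);
    return 0;
}

int main(void) {
    message crafted = { MSG_SORT, (uintptr_t)marker };  /* sender-chosen address */
    message normal  = { MSG_SORT, 1 };                  /* index of descending() */
    handle_unvalidated(&crafted);
    printf("unvalidated: marker ran %d time(s)\n", marker_hits);
    printf("validated, crafted: %d\n", handle_validated(&crafted));
    printf("validated, normal:  %d\n", handle_validated(&normal));
    return 0;
}
```
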

Mitigating factors

 * An attacker must have valid logon credentials to exploit this vulnerability. This vulnerability cannot be exploited remotely.
 * Correctly secured servers are at little risk from this vulnerability. Standard best practices recommend that you permit only trusted administrators to log on to such systems interactively. Without these permissions, an attacker cannot exploit this vulnerability.



Service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Download information
The following file is available for download from the Microsoft Download Center:

Download the 822679 package now.

Release Date: July 9, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Note If you are running Windows 2000 Service Pack 2, visit the following Microsoft Web site to obtain this additional security update:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

Prerequisites
This security patch requires Windows 2000 Service Pack 3 (SP3). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

Installation information
This security patch supports the following Setup switches:
 * /?: Display the list of installation switches.
 * /u: Use Unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /n: Do not back up files for removal.
 * /o: Overwrite OEM files without prompting.
 * /z: Do not restart when installation is complete.
 * /q: Use Quiet mode (no user interaction).
 * /l: List installed hotfixes.
 * /x: Extract the files without running Setup.

To verify that the security patch is installed on your computer, confirm that the following registry key exists:

Deployment information
To install this security patch without any user intervention, run the following command line:

Windows2000-KB822679-x86-ENU /u /q

To install this security patch without restarting the computer, run the following command line:

Windows2000-KB822679-x86-ENU /z

Note You can combine these switches into one command line.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart requirement
You must restart your computer after you apply this patch.

Removal information
To remove this update, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. Spuninst.exe is located in the %Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following Setup switches:
 * /?: Display the list of installation switches.
 * /u: Use unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /z: Do not restart when installation is complete.
 * /q: Use Quiet mode (no user interaction).

Patch replacement information
This patch does not replace any other patches.

File information
The English version of this patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Time   Version        Size       File name
   --------------------------------------------------------
   21-May-2003  18:55  5.0.2195.6713  4,010,496  Sp3res.dll
   12-Jun-2003  20:55  1.0.0.3           27,920  Umandlg.dll

You can also verify the files that this security patch installs by reviewing the following registry key:



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the "Applies to" section.



MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-025.mspx

Additional query words: security_patch

Keywords: kbhotfixserver kbsecvulnerability kbsecbulletin kbsecurity kbqfe KB822679


© Microsoft Corporation. All rights reserved.