Microsoft KB Archive/817606

= MS03-024: Buffer overrun in Windows could lead to data corruption =

Article ID: 817606

Article Last Modified on 9/27/2007

-

APPLIES TO


 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Media Center Edition 2002
 * Microsoft Windows XP Tablet PC Edition
 * Microsoft Windows XP Professional for Itanium-based systems
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Server 4.0, Terminal Server Edition

-





SYMPTOMS
Server Message Block (SMB) is the Internet standard protocol that Windows uses to share files, printers, and serial ports. Windows also uses it to communicate between computers that are using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources, and servers make SMB responses in what is described as a client server request-response protocol.

A flaw exists in the way that the server validates the parameters of an SMB packet. When a client computer sends an SMB packet to the server, it includes specific parameters that provide the server with a set of &quot;instructions.&quot; In this case, the server does not correctly validate the buffer length that is established by the packet. If the client specifies a buffer length that is less than what is required, it can cause the buffer to be overrun.

If attackers send a specially crafted SMB packet request, they could cause a buffer overrun to occur. If this flaw is exploited, it could lead to data corruption, system failure, or in the worst case, it could allow attackers to run the code of their choice. The attackers would have to have a valid user account and they would have to be authenticated by the server to exploit this flaw.

Mitigating factors

 * Microsoft Windows Server 2003 is not affected by this vulnerability.
 * By default, it is not possible to exploit this flaw anonymously. The attacker would have to be authenticated by the server before they try to send a SMB packet to it.
 * If you block port 139/445 at the firewall, you can help prevent the possibility of an attack from the Internet.



Windows XP service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Security patch information
For more information about how to resolve this vulnerability, click the appropriate link below:
 * Windows XP (all versions)
 * Windows 2000 (all versions)
 * Windows NT 4.0 Workstation, Windows NT 4.0 Server and Windows NT 4.0 Server, Terminal Server Edition

Download information
The following files are available for download from the Microsoft Download Center:

Windows XP (all 32-Bit versions)

Download the 817606 package now.

Windows XP 64-Bit Edition Version 2002

Download the 817606 package now. Release Date: July 9, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
This patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Installation information
This patch supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use Unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /n : Do not back up files for removal.
 * /o : Overwrite OEM files without prompting.
 * /z : Do not restart when the installation is complete.
 * /q : Use Quiet mode (no user interaction).
 * /l : List installed patches.
 * /x : Extract the files without running Setup.

To verify that the patch is installed on your computer, confirm that the following registry key exists.

Windows XP

Windows XP with Service Pack 1 (SP1)

Deployment information
To install the patch without any user intervention and without forcing the computer to restart, use the /u, /q, and /z command line switches. For example, to install the Windows XP (all 32-bit versions) of the patch without any user intervention and without forcing the computer to restart, use the following command line:

817606_wxp_sp2_x86_enu /u /q /z For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart requirement
You must restart your computer after you apply this patch.

Removal information
To remove this patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /z : Do not restart when the installation is complete.
 * /q : Use Quiet mode (no user interaction).

Patch replacement information
This patch does not replace any other patches.

File information
The English version of this patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time   Version        Size       Path and File name ---  28-Mar-2003  19:02  5.1.2600.112     322,304  %Windir%\System32\Drivers\Srv.sys  pre-SP1   i386 28-Mar-2003 15:54  5.1.2600.1193    322,048  %Windir%\System32\Drivers\Srv.sys  with SP1  i386

28-Mar-2003 19:03  5.1.2600.112   1,142,016  %Windir%\System32\Drivers\Srv.sys  pre-SP1   ia64 28-Mar-2003 15:55  5.1.2600.1193  1,140,480  %Windir%\System32\Drivers\Srv.sys  with SP1  ia64 You can also verify the files that this patch installed by reviewing the following registry keys.

Windows XP

Windows XP with Service Pack 1 (SP1)

Service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Download information
The following file is available for download from the Microsoft Download Center:

Download the 817606 package now. Release Date: July 9, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Note Customers who are running Windows 2000 Service Pack 2 should contact Microsoft Product Support Services to obtain this additional security update.

Prerequisites
This patch requires Windows 2000 Service Pack 3 (SP3).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Installation information
This patch supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use Unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /n : Do not back up files for removal.
 * /o : Overwrite OEM files without prompting.
 * /z : Do not restart when the installation is complete.
 * /q : Use Quiet mode (no user interaction).
 * /l : List installed patches.
 * /x : Extract the files without running Setup.

To verify the patch is installed on your computer, confirm that the following registry key exists:

Deployment information
To install the patch without any user intervention, use the following command line:

windows2000-kb817606-x86-enu /u /q

To install the patch without forcing the computer to restart, use the following command line:

windows2000-kb817606-x86-enu /z

Note These switches can be combined into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart requirement
You must restart your computer after you apply this patch.

Removal information
To remove this patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /z : Do not restart when the installation is complete.
 * /q : Use Quiet mode (no user interaction).

Patch replacement information
This patch is replaced by Windows 2000 Service Pack 4 (SP4).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

This patch does not replace any other patches.

File information
The English version of this patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

  Date         Time   Version        Size     Path and File name 01-Apr-2003 16:30  5.0.2195.6699  237,776  %Windir%\System32\Drivers\Srv.sys 01-Apr-2003 16:31  5.0.2195.6697   74,000  %Windir%\System32\Srvsvc.dll You can also verify the files that this patch installed by reviewing the following registry key:

Download information
The following files are available for download from the Microsoft Download Center:

Windows NT 4.0 Workstation and Windows NT 4.0 Server

Download the 817606 package now.

Windows NT 4.0 Server, Terminal Server Edition

Download the 817606 package now. Release Date: July 9, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
This patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to obtain the latest Windows NT 4.0 service pack

Installation information
This patch supports the following Setup switches:
 * /y : Perform removal (only with /m or /q ).
 * /f : Force programs to be closed at shutdown.
 * /n : Do not create an Uninstall folder.
 * /z : Do not restart when patch completes.
 * /q : Use Quiet or Unattended mode with no user interface (this switch is a superset of /m ).
 * /m : Use Unattended mode with user interface.
 * /l : List installed patches.
 * /x : Extract the files without running Setup.

Deployment information
To install the patch without any user intervention, use the following command line:

q817606i /q

To install the patch without forcing the computer to restart, use the following command line:

q817606i /z

Note These switches can be combined into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466201.aspx

Restart requirement
You must restart your computer after you apply this patch.

Removal information
To remove this patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /z : Do not restart when the installation is complete.
 * /q : Use Quiet mode (no user interaction).

Patch replacement information
This patch does not replace any other patches.

File information
The English version of this patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time   Version         Size     Path and File name -  27-Mar-2003  15:20  4.0.1381.7214   231,312  %Windir%\System32\Drivers\Srv.sys  Windows NT 4.0 27-Mar-2003 15:26  4.0.1381.33547  231,280  %Windir%\System32\Drivers\Srv.sys  Windows NT 4.0, Terminal Server Edition



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the &quot;Applies to&quot; section.

Windows XP
This problem was first corrected in Microsoft Windows XP Service Pack 2.



MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-024.mspx

Additional query words: security_patch

Keywords: kbhotfixserver kbqfe atdownload kbwinxpsp2fix kbenv kbwinnt400presp7fix kbwin2ksp4fix kbwin2000presp4fix kbfix kbbug kbwinxppresp2fix kbsecvulnerability kbsecbulletin kbsecurity KB817606

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.