SUMMARY

Windows 2000 Service Pack 3 (SP3) fixes the following security problems or adds the following updates:

• Default Diffie-Hellman SChannel Certificate Selection on Web Enrollment Page Causes Error: 0x80090008 - NTE_BAD_ALGID
  
  The default Diffie-Hellman (DH) certificate selection of Both on the Certificate Authority (CA) Web enrollment page results in Error: 0x80090008 - NTE_BAD_ALGID. An update is available to change the default certificate selection to Signature on Windows 2000 CAs.
• Set LAN Manager (LM) One-Way Function (OWF) Password Results in Access Denied Error
  
  When you use the UserAllInformation level to set passwords, you are successful if you pass password information in clear text, but if you try to use LM OWF, you receive an Access Denied error (error code 5).
• Invalid Entry in Certificate Store Causes Event ID 1008
  
  An update to the CertOpenStore function allows it to skip an invalid entry.
• Incorrect Key Usage with Encrypting File System (EFS) May Cause Access Violation in LSASS.exe
  
  For EFS to use other certificates in Windows 2000, it is updated to look for the EFS object identifier (also known as OID) in the enhanced key usage (CERT_ENHKEY_USAGE) structure in the certificate store.
• Imported Certificate More Than 512-Bit Is Considered Invalid for Encrypting File System (EFS)
  
  This update imports certificates up to 1024-bit by using Base cryptographic service provider (CSP) instead of Enhanced CSP.
• Roaming User Cannot Delete a User Key Container That Was Created on Different Computer
  
  The code in the DeleteContainerInfo function is updated to allow it to delete a container, by the name it was given, that was created on a different computer.
• New Key Distribution Center (KDC) Certificate Is Not Used After Enrollment
  
  When a new KDC certificate is obtained, after the previous one expires, Windows continues to use the expired certificate until the server is restarted, or the KDC service is restarted.
• Buffer Overrun Vulnerability in the Runas Command
  
  When you supply a program name that is about 600 characters in length in the Runas command line, you may receive a memory access error. This might allow the execution of malicious code, or be used as a denial of service attack.
• File Decryption Following a Password Change May Be Unsuccessful in Domains with Both Windows 2000 and Windows Server 2003 Domain Controllers
  
  After a user account password change, the Data Protection API (DAPI) contacts the domain controller to have the domain controller decrypt the "master key." Because of a change in the encryption scheme in the Windows Server 2003 family, if the master key was encrypted by a Windows Server 2003 domain controller, an attempt to decrypt it by using a Windows 2000 domain controller is unsuccessful.
• Certificate Is Not Removed from the Certification Authority Store After Removing It from the Encrypting File System (EFS)
  
  This update removes a certificate and the certificates in its chain of certificates (if they are not in the chain of other remaining certificates in the EFS store) from the certification authority when the certificate is removed from the EFS store.
• User Credentials Remain in Memory Buffer After Using the Runas Command
  
  After using the Runas command-line utility, a user's credentials are not erased after quitting the program. To exploit this vulnerability, a malicious user must have interactive access to the computer. A program might wait for a RunAs session to quit, and then subsequently search for that user's credentials.
• Malicious Code That Listens on the Same Pipe as the RunAs Service Might Receive User Credentials
  
  This update prevents the Runas command from running if the RunAs service is stopped.
• Possible Denial of Service Vulnerability in the Windows 2000 RunAs Service
  
  If you disable the named pipe on which the RunAs service listens, the secondary logon function (Runas) is effectively disabled. Malicious code that is run with administrative privileges might be used to block activity on this pipe. This update to the RunAs service permits multiple instances of this pipe, and holds state data for each client.
• Buffer Overflow Vulnerability in Telnet.exe
  
  Passing 252 characters as the port parameter in the Telnet.exe command line results in a buffer overflow. This may allow malicious code to run in the context of the currently logged-on user.
• Kerberos Change Password Is Unsuccessful in a MIT Realm When the Principal Requires Pre-authorization
  
  The Kerberos.dll file is updated to make sure that the KerbLookupMitRealm function is always called.
• Links Can Contain Encoded Text That Can Add HTTP Request Headers
  
  This update includes an updated Wininet.dll file that checks host names for invalid characters and returns an error if it finds any.
• Vulnerability in the Unsafe ActiveX Control Dialog Box
  
  The Internet Explorer dialog box that prompts you to confirm the running of an unsafe ActiveX control can be hidden by covering it with a chromeless window. This may trick a user into accepting the installation of an unsafe ActiveX control.
• Renaming a Computer or Joining a Computer to the Domain
  
  This update removes the need for Inheritable Access Control Entries to rename a computer or to join a computer to the domain.
  
  This update also fixes the problem described in the following Microsoft Knowledge Base (KB) article:

  290533 User Permission to Add Workstation to Domain Includes Permission to Rename Computer Account

• Group Policy Object Version Number Changes to 0 (Zero) After 65535 Changes
  
  A Group Policy object (GPO) with a version number of zero is determined to be a newly created blank GPO. The Group Policy engine uses this version number to determine whether to apply the GPO (a version zero GPO is skipped). When you change a GPO with a version number of 65535, it is assigned a version number of zero, causing it to be skipped by the Group Policy engine.
• Denial of Service Vulnerability in the Internet Key Exchange Service
  
  A denial of service attack can be carried out against Windows 2000 computers that run Internet Key Exchange (IKE) by flooding them with User Datagram Protocol (UDP) packets.
• Unsigned Webview Templates
  
  This update includes an updated security policy that prevents unsigned webview templates from running.
• Security-Related Problems in Microsoft Internet Explorer
  
  This update prevents the reading of a user's files by using a script. The update also includes the fixes that are described in the following Microsoft Knowledge Base (KB) articles:

  317745 MS02-005: Patch Is Available for File Download Dialog Box Spoofing Vulnerability

  312461 MS01-055: Internet Explorer Cookie Data Can Be Exposed or Altered Through Script Injection

  282062 IIS Does Not Authenticate for the /_AuthChangeUrl URL

  317727 MS02-005: Patch Is Available for the Application Invocation via Content-Type Field Vulnerability

• Security Audit Is Not Performed When You Add Users from Another Domain to Universal Groups
  
  Auditing is not performed when you add users to, or remove users from a universal group, when those users are from a different domain in the same forest.
• Improved or Updated Security in the Internet Key Exchange Process
  
  This security update prevents a man-in-the-middle attack from being performed in the Internet Key Exchange process. This update causes the Windows 2000 IPSEC initiator and responder to validate the Internet Key Exchange (IKE) Main Mode HASH.
• Unauthorized DHCP Server Message Block Server Collects NTLM Hashes
  
  A Windows 2000 Server Message Block server might be created that sends a null challenge and therefore receives a user's NT LAN Manager hash (challenge/response pairs).
• "Fail Privilege Use" Audit Entry Is Not Generated
  
  An audit entry is not generated when users without proper permissions try to view the security log. This update adds a return code check that meets the Common Criteria Security evaluation (C2) requirement.
• IPSEC Driver Drops Certain Packet Fragments
  
  Fragmented IPSEC packet fragments of a certain size are dropped.
• Nonsecure Communication Is Accepted When the 'Accept Unsecured Communication' Option Is Not Selected
  
  IPSec accepts nonsecure packets when the Accept unsecured communication check box in the IPSec filter is not selected but the Fall back to unsecured communication with non IPSec-aware computer is selected.
• Mounting a Volume to a Folder on the Same Volume Causes Windows Explorer to Stop Responding
  
  When you try to edit the security permission of a volume that is looped to itself (a volume that is mounted to a folder on the same volume), the program from which you try to apply the security permissions stops responding (crashes).
• GetEffectiveRightsFromAcl() Function Returns Incorrect Access Mask
  
  After you install Service Pack 2 (SP2) for Windows 2000, the GetEffectiveRightsFromAcl() function no longer returns the correct 32-bit value that specifies the rights that are permitted or denied in an access control entry (ACE).
• Incorrect Location Checked When Verifying Whether an Audit Category Is Enabled
  
  The LsaIWriteAuditEvent function checks the wrong category when it verifies that auditing is enabled for a category.
• The Close Object Audit Entry Does Not Use a Non-System Account
  
  Before installing this update, the Open Object audit entry runs under the account of the current user but the Close Object audit entry is generated by using the SYSTEM account.
• Flooding Port 464 on a Domain Controller Causes "Spike" in CPU Usage and Memory Leak
  
  Repeatedly running a script or program that floods port 464 with hundreds of connections may cause the Local Security Authority (LSA) to consume about 90 percent CPU usage. Also, LSA memory usage increases by about 10 megabytes (MB). After this attempted denial of service attack, CPU usage remains at the high level for about 45 minutes before it returns to typical levels.
• Strong Password Function Does Not Recognize the Forward Slash Character as a Special Character
  
  This update changes the strong password dynamic link library file (Passfilt.dll) to have it recognize the forward slash (/) character as a "Special Character" in strong password creation.
• Private Key Persists in Memory
  
  Two copies of a user's private key remain in memory and persist even when the user logs off the computer.
• Signing and Encrypting of Messages with NT LAN Manager (NTLM)
  
  This update supports the signing and encrypting of messages with NTLM.
• Remote Procedure Call with Invalid Parameters Causes Error in Netdde.exe
  
  When a remote procedure call (RPC) passes invalid parameters to \pipe\nddeapi, the NETDDE server may incorrectly filter these invalid parameters. As a result, you may receive the following error message:

  NETDDE.EXE has generated errors and will be closed by Windows. You will have to restart the program. An error log is being created.

• Buffer Overrun Vulnerability Exists in the Dynamic Host Configuration Protocol (DHCP) Service
  
  An unchecked buffer exists in the DHCP service that can be remotely accessed through a named pipe that does not provide enough access control. This exploit might permit malicious code to run in the context of the SYSTEM account.
• Incorrect DHCP Security Access Mask
  
  This update changes the Dynamic Host Configuration Protocol (DHCP) security access mask to restrict user permissions to View and Read permissions.
• Access Violation in Terminal Services License Manager
  
  An access violation (AV) occurs in License Manager (Licmgr.exe) when you try to refresh the server settings, and the connection to the target licensing server has been lost.