Knowledge Base

MS03-013: Buffer overrun in Windows kernel message handling could lead to elevated privileges

Article ID: 811493

Article Last Modified on 5/17/2007

APPLIES TO

Microsoft Windows XP Professional
Microsoft Windows XP Home Edition
Microsoft Windows 2000 Professional Edition
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows NT Server 4.0 Standard Edition
Microsoft Windows NT Workstation 4.0 Developer Edition

May 28, 2003: Microsoft released an updated patch for Windows XP Service Pack 1 (SP1). This revised patch corrects the performance issues that some customers experienced with the original Windows XP Service Pack 1 patch.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

819634 You may experience performance issues after you install the 811493 (MS03-013) security update

SYMPTOMS

The Windows kernel is the core of the operating system. It provides system level services such as device and memory management, allocates processor time to processes, and manages error handling. There is a flaw in the way the kernel passes error messages to a debugger. This flaw causes a vulnerability. An attacker could write a program to exploit this flaw and run code of their choice. An attacker could exploit this vulnerability to take any action on the system including deleting data, adding accounts with administrative access, or reconfiguring the system.

For an attack to be successful, an attacker would have to be able to log on interactively to the system, either at the console or through a terminal session. Also, a successful attack would require the introduction of code to exploit this vulnerability. Security Best Practices resources recommend that you restrict the ability to log on interactively on servers. As a result, this issue most directly affects client systems and terminal servers. For more information about Security Best Practices resources, visit the following Microsoft Web site:

http://www.microsoft.com/security/guidance/default.mspx

Mitigating Factors

A successful attack requires the ability to log on interactively to the target computer, either directly at the console or through a terminal session.
Properly secured servers are at little risk from this vulnerability. Standard best practices resources recommend that you only allow trusted administrators to log on to these kinds of systems interactively. Without these privileges, an attacker could not exploit the vulnerability.

RESOLUTION

Service Pack Information

Windows XP

To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Windows 2000

To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

Security Patch Information

For more information about how to resolve this vulnerability, click the appropriate link below:

Windows XP (all versions)
Windows 2000 (all versions)
Windows NT 4.0 (all versions)

Windows XP (All Versions)

Download Information

The following files are available for download from the Microsoft Download Center:

Windows XP Professional and Windows XP Home Edition (all languages)

Download the 811493 package now.

Windows XP 64-bit Edition (all languages)

Download the 811493 package now.

Release Date: April 16, 2003 (Windows XP SP1 patch re-released May 28, 2003)

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

This patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to Obtain the Latest Windows XP Service Pack

Installation Information

This patch supports the following Setup switches:

/? : Display the list of installation switches.
/u : Use Unattended mode.
/f : Force other programs to quit when the computer shuts down.
/n : Do not back up files for removal.
/o : Overwrite OEM files without prompting.
/z : Do not restart when installation is complete.
/q : Use Quiet mode (no user interaction).
/l : List installed hotfixes.
/x : Extract the files without running Setup.

To verify that the patch is installed on your computer, confirm that the following registry key exists:

Windows XP:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q811493

Windows XP with Service Pack 1 (SP1):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q811493

Deployment Information

To install the patch without any user intervention, use the following command line:

q811493_wxp_sp2_x86_enu /u /q

To install the patch without forcing the computer to restart, use the following command line:

q811493_wxp_sp2_x86_enu /z

Note These switches can be combined into one command line.

Restart Requirement

You must restart your computer after you apply this patch because this patch replaces core system binaries that are loaded during system startup.

Removal Information

To remove this update, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallQ811493$\Spuninst folder, and it supports the following Setup switches:

/? : Display the list of installation switches.
/u : Use unattended mode.
/f : Force other programs to quit when the computer shuts down.
/z : Do not restart when installation is complete.
/q : Use Quiet mode (no user interaction).

Hotfix Replacement Information

This patch does not replace any other patches.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
May 28, 2003 release of the Windows XP patch (contents of Setup package):

   Date         Time   Version        Size       File name
   --------------------------------------------------------------------
   12-Dec-2002  21:08  5.1.2600.108   1,848,320  Ntkrnlmp.exe  pre-SP1
   12-Dec-2002  21:09  5.1.2600.108   1,902,080  Ntkrnlpa.exe  pre-SP1
   12-Dec-2002  21:09  5.1.2600.108   1,874,944  Ntkrpamp.exe  pre-SP1
   12-Dec-2002  21:08  5.1.2600.108   1,879,936  Ntoskrnl.exe  pre-SP1
   24-Apr-2003  12:57  5.1.2600.1151  1,892,864  Ntkrnlmp.exe  with SP1
   24-Apr-2003  12:57  5.1.2600.1151  1,949,440  Ntkrnlpa.exe  with SP1
   24-Apr-2003  12:57  5.1.2600.1151  1,921,536  Ntkrpamp.exe  with SP1
   24-Apr-2003  12:57  5.1.2600.1151  1,925,760  Ntoskrnl.exe  with SP1

May 28, 2003 release of the Windows XP patch (installed files, depending on the service pack level and the number of processors):

   Date         Time   Version        Size       Path and File name              SP Level  Processor
   ------------------------------------------------------------------------------------------------------
   12-Dec-2002  21:08  5.1.2600.108   1,848,320  %Windir%\System32\Ntoskrnl.exe  pre-SP1   multiprocessor
   12-Dec-2002  21:09  5.1.2600.108   1,874,944  %Windir%\System32\Ntkrnlpa.exe  pre-SP1   multiprocessor
   12-Dec-2002  21:08  5.1.2600.108   1,879,936  %Windir%\System32\Ntoskrnl.exe  pre-SP1   uniprocessor  
   12-Dec-2002  21:09  5.1.2600.108   1,902,080  %Windir%\System32\Ntkrnlpa.exe  pre-SP1   uniprocessor
   24-Apr-2003  12:57  5.1.2600.1151  1,892,864  %Windir%\System32\Ntoskrnl.exe  with SP1  multiprocessor
   24-Apr-2003  12:57  5.1.2600.1151  1,921,536  %Windir%\System32\Ntkrnlpa.exe  with SP1  multiprocessor
   24-Apr-2003  12:57  5.1.2600.1151  1,925,760  %Windir%\System32\Ntoskrnl.exe  with SP1  uniprocessor
   24-Apr-2003  12:57  5.1.2600.1151  1,949,440  %Windir%\System32\Ntkrnlpa.exe  with SP1  uniprocessor

May 28, 2003 release of the Windows XP 64-bit Edition patch (contents of Setup package):

   Date         Time   Version        Size       File name     SP Level
   --------------------------------------------------------------------
   12-Dec-2002  21:09  5.1.2600.108   5,734,400  Ntkrnlmp.exe  pre-SP1
   12-Dec-2002  21:09  5.1.2600.108   5,677,568  Ntoskrnl.exe  pre-SP1
   24-Apr-2003  12:57  5.1.2600.1151  5,793,536  Ntkrnlmp.exe  with SP1
   24-Apr-2003  12:57  5.1.2600.1151  5,736,832  Ntoskrnl.exe  with SP1

May 28, 2003 release of the Windows XP 64-bit Edition patch (installed files, depending on the service pack level and the number of processors):

   Date         Time   Version        Size       Path and File name              SP Level  Processor
   ------------------------------------------------------------------------------------------------------
   12-Dec-2002  21:09  5.1.2600.108   5,734,400  %Windir%\System32\Ntoskrnl.exe  pre-SP1   multiprocessor
   12-Dec-2002  21:09  5.1.2600.108   5,677,568  %Windir%\System32\Ntoskrnl.exe  pre-SP1   uniprocessor
   24-Apr-2003  12:57  5.1.2600.1151  5,793,536  %Windir%\System32\Ntoskrnl.exe  with SP1  multiprocessor
   24-Apr-2002  12:57  5.1.2600.1151  5,736,832  %Windir%\System32\Ntoskrnl.exe  with SP1  uniprocessor

April 16, 2003 release of the Windows XP patch (contents of Setup package):

   Date         Time   Version        Size       File name     SP Level
   --------------------------------------------------------------------
   12-Dec-2002  21:08  5.1.2600.108   1,848,320  Ntkrnlmp.exe  pre-SP1
   12-Dec-2002  21:09  5.1.2600.108   1,902,080  Ntkrnlpa.exe  pre-SP1
   12-Dec-2002  21:09  5.1.2600.108   1,874,944  Ntkrpamp.exe  pre-SP1
   12-Dec-2002  21:08  5.1.2600.108   1,879,936  Ntoskrnl.exe  pre-SP1
   12-Dec-2002  20:38  5.1.2600.1150  1,892,352  Ntkrnlmp.exe  with SP1
   12-Dec-2002  20:38  5.1.2600.1150  1,948,288  Ntkrnlpa.exe  with SP1
   12-Dec-2002  20:38  5.1.2600.1150  1,921,024  Ntkrpamp.exe  with SP1
   12-Dec-2002  20:38  5.1.2600.1150  1,924,480  Ntoskrnl.exe  with SP1

April 16, 2003 release of the Windows XP patch (installed files, depending on the service pack level and the number of processors):

   Date         Time   Version        Size       Path and File name              SP Level  Processor
   ------------------------------------------------------------------------------------------------------
   12-Dec-2002  21:08  5.1.2600.108   1,848,320  %Windir%\System32\Ntoskrnl.exe  pre-SP1   multiprocessor
   12-Dec-2002  21:09  5.1.2600.108   1,874,944  %Windir%\System32\Ntkrnlpa.exe  pre-SP1   multiprocessor
   12-Dec-2002  21:08  5.1.2600.108   1,879,936  %Windir%\System32\Ntoskrnl.exe  pre-SP1   uniprocessor  
   12-Dec-2002  21:09  5.1.2600.108   1,902,080  %Windir%\System32\Ntkrnlpa.exe  pre-SP1   uniprocessor
   12-Dec-2002  20:38  5.1.2600.1150  1,892,352  %Windir%\System32\Ntoskrnl.exe  with SP1  multiprocessor
   12-Dec-2002  20:38  5.1.2600.1150  1,921,024  %Windir%\System32\Ntkrnlpa.exe  with SP1  multiprocessor
   12-Dec-2002  20:38  5.1.2600.1150  1,924,480  %Windir%\System32\Ntoskrnl.exe  with SP1  uniprocessor
   12-Dec-2002  20:38  5.1.2600.1150  1,948,288  %Windir%\System32\Ntkrnlpa.exe  with SP1  uniprocessor

April 16, 2003 release of the Windows XP 64-bit Edition patch (contents of Setup package):

   Date         Time   Version        Size       File name     SP Level
   --------------------------------------------------------------------
   12-Dec-2002  21:09  5.1.2600.108   5,734,400  Ntkrnlmp.exe  pre-SP1
   12-Dec-2002  21:09  5.1.2600.108   5,677,568  Ntoskrnl.exe  pre-SP1
   12-Dec-2002  20:38  5.1.2600.1150  5,791,744  Ntkrnlmp.exe  with SP1
   12-Dec-2002  20:38  5.1.2600.1150  5,734,912  Ntoskrnl.exe  with SP1

April 16, 2003 release of the Windows XP 64-bit Edition patch (installed files, depending on the service pack level and the number of processors):

   Date         Time   Version        Size       Path and File name              SP Level  Processor
   ------------------------------------------------------------------------------------------------------
   12-Dec-2002  21:09  5.1.2600.108   5,734,400  %Windir%\System32\Ntoskrnl.exe  pre-SP1   multiprocessor
   12-Dec-2002  21:09  5.1.2600.108   5,677,568  %Windir%\System32\Ntoskrnl.exe  pre-SP1   uniprocessor
   12-Dec-2002  20:38  5.1.2600.1150  5,791,744  %Windir%\System32\Ntoskrnl.exe  with SP1  multiprocessor
   12-Dec-2002  20:38  5.1.2600.1150  5,734,912  %Windir%\System32\Ntoskrnl.exe  with SP1  uniprocessor

You can also verify the files that this patch installed by reviewing the following registry key:

Windows XP:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q811493\Filelist

Windows XP with Service Pack 1 (SP1):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q811493\Filelist

Windows 2000

Download Information

The following files are available for download from the Microsoft Download Center:

All languages except Japanese NEC

Download the 811493 package now.

Japanese NEC

Download the 811493 package now.

Release Date: April 16, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

This patch requires Windows 2000 Service Pack 2 (SP2) or Windows 2000 Service Pack 3 (SP3). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

Installation Information

This patch supports the following Setup switches:

/? : Display the list of installation switches.
/u : Use Unattended mode.
/f : Force other programs to quit when the computer shuts down.
/n : Do not back up files for removal.
/o : Overwrite OEM files without prompting.
/z : Do not restart when installation is complete.
/q : Use Quiet mode (no user interaction).
/l : List installed hotfixes.
/x : Extract the files without running Setup.

To verify that the patch is installed on your computer, confirm that the following registry key exists:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q811493

Deployment Information

To install the patch without any user intervention, use the following command line:

q811493_w2k_sp4_x86_en /u /q

To install the patch without forcing the computer to restart, use the following command line:

q811493_w2k_sp4_x86_en /z

Note These switches can be combined into one command line.

Restart Requirement

You must restart your computer after you apply this patch because this patch replaces core system binaries that are loaded during system startup.

Removal Information

To remove this update, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallQ811493$\Spuninst folder, and it supports the following Setup switches:

/? : Display the list of installation switches.
/u : Use unattended mode.
/f : Force other programs to quit when the computer shuts down.
/z : Do not restart when installation is complete.
/q : Use Quiet mode (no user interaction).

Hotfix Replacement Information

This patch replaces the patch discussed in the following Microsoft Knowledge Base article:

815021 MS03-007: Unchecked Buffer in Windows Component May Cause Web Server

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

NOTE: Unless specifically noted, files will be targeted to systems independent of service pack level, encryption level, or number of processors.

Windows 2000 (contents of Setup package):

   Date         Time   Version        Size       File name     Processor
   -------------------------------------------------------------------------
   15-Aug-2002  11:34  5.0.2195.5265     42,256  Basesrv.dll
   17-Jan-2003  12:06  5.0.2195.6656    236,304  Cmd.exe
   15-Aug-2002  11:34  5.0.2195.5907    222,992  Gdi32.dll
   15-Aug-2002  11:34  5.0.2195.6011    708,880  Kernel32.dll  uniprocessor
   04-Feb-2003  16:15  5.0.2195.6661     29,264  Mountmgr.sys
   15-Aug-2002  11:34  5.0.2195.4733    332,560  Msgina.dll       
   27-Mar-2003  16:13  5.0.2195.6685    476,944  Ntdll.dll     uniprocessor
   12-Dec-2002  18:22  5.0.2195.6159  1,689,216  Ntkrnlmp.exe  multiprocessor
   12-Dec-2002  18:22  5.0.2195.6159  1,688,832  Ntkrnlpa.exe  uniprocessor
   12-Dec-2002  18:22  5.0.2195.6159  1,709,440  Ntkrpamp.exe  multiprocessor
   12-Dec-2002  18:22  5.0.2195.6159  1,666,944  Ntoskrnl.exe  uniprocessor   
   21-Mar-2003  17:43  5.0.2195.6692     90,232  Rdpwd.sys     128-bit
   15-Aug-2002  11:34  5.0.2195.6000    379,664  User32.dll
   15-Aug-2002  11:34  5.0.2195.5968    369,936  Userenv.dll
   08-Aug-2002  18:23  5.0.2195.6003  1,642,416  Win32k.sys    uniprocessor
   15-Aug-2002  11:30  5.0.2195.6013    179,472  Winlogon.exe
   15-Aug-2002  11:34  5.0.2195.5935    243,472  Winsrv.dll    uniprocessor
   27-Mar-2003  16:14  5.0.2195.6692     90,200  Rdpwd.sys     56-bit
   15-Aug-2002  11:34  5.0.2195.6011    708,880  Kernel32.dll  multiprocessor
   02-Apr-2003  15:56  5.0.2195.6685    476,944  Ntdll.dll     multiprocessor
   15-Aug-2002  11:34  5.0.2195.6003  1,642,416  Win32k.sys    multiprocessor
   15-Aug-2002  11:34  5.0.2195.5935    243,472  Winsrv.dll    multiprocessor

Windows 2000 (installed files, depending on the encryption level and the number of processors):

   Date         Time   Version        Size       Path and File name                     Processor/Encryption Level
   ---------------------------------------------------------------------------------------------------------------
   15-Aug-2002  11:34  5.0.2195.5265     42,256  %Windir%\System32\Basesrv.dll
   17-Jan-2003  12:06  5.0.2195.6656    236,304  %Windir%\System32\Cmd.exe
   15-Aug-2002  11:34  5.0.2195.5907    222,992  %Windir%\System32\Gdi32.dll
   04-Feb-2003  16:15  5.0.2195.6661     29,264  %Windir%\System32\Drivers\Mountmgr.sys
   15-Aug-2002  11:34  5.0.2195.4733    332,560  %Windir%\System32\Msgina.dll
   21-Mar-2003  17:43  5.0.2195.6692     90,232  %Windir%\System32\Drivers\Rdpwd.sys    128-bit
   15-Aug-2002  11:34  5.0.2195.6000    379,664  %Windir%\System32\User32.dll
   15-Aug-2002  11:34  5.0.2195.5968    369,936  %Windir%\System32\Userenv.dll
   15-Aug-2002  11:30  5.0.2195.6013    179,472  %Windir%\System32\Winlogon.exe
   27-Mar-2003  16:14  5.0.2195.6692     90,200  %Windir%\System32\drivers\Rdpwd.sys    56-bit
   15-Aug-2002  11:34  5.0.2195.6011    708,880  %Windir%\System32\Kernel32.dll         multiprocessor
   27-Mar-2003  16:13  5.0.2195.6685    476,944  %Windir%\System32\Ntdll.dll            multiprocessor
   08-Aug-2002  18:23  5.0.2195.6003  1,642,416  %Windir%\System32\Win32k.sys           multiprocessor
   15-Aug-2002  11:34  5.0.2195.5935    243,472  %Windir%\System32\Winsrv.dll           multiprocessor
   12-Dec-2002  18:22  5.0.2195.6159  1,709,440  %Windir%\System32\Ntkrnlpa.exe         multiprocessor
   12-Dec-2002  18:22  5.0.2195.6159  1,689,216  %Windir%\System32\Ntoskrnl.exe         multiprocessor
   15-Aug-2002  11:34  5.0.2195.6011    708,880  %Windir%\System32\Kernel32.dll         uniprocessor
   02-Apr-2003  15:56  5.0.2195.6685    476,944  %Windir%\System32\Ntdll.dll            uniprocessor
   15-Aug-2002  11:34  5.0.2195.6003  1,642,416  %Windir%\System32\Win32k.sys           uniprocessor
   15-Aug-2002  11:34  5.0.2195.5935    243,472  %Windir%\System32\Winsrv.dll           uniprocessor
   12-Dec-2002  18:22  5.0.2195.6159  1,688,832  %Windir%\System32\Ntkrnlpa.exe         uniprocessor
   12-Dec-2002  18:22  5.0.2195.6159  1,666,944  %Windir%\System32\Ntoskrnl.exe         uniprocessor

You can also verify the files that this patch installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q811493\Filelist

Windows NT 4.0 (all versions)

Download Information

The following files are available for download from the Microsoft Download Center:

Windows NT 4.0 Server and Windows NT 4.0 Workstation (all languages except Japanese NEC and Chinese - Hong Kong)

Download the 811493 package now.

Windows NT 4.0 Server and Windows NT 4.0 Workstation (Japanese NEC)

Download the 811493 package now.

Windows NT 4.0 Server and Windows NT 4.0 Workstation (Chinese - Hong Kong)

Download the 811493 package now.

Windows NT 4.0 Server, Terminal Server Edition (all languages)

Paket 811493 jetzt downloaden.

Release Date: April 16, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

This patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6). For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

152734 How to Obtain the Latest Windows NT 4.0 Service Pack

Installation Information

This patch supports the following Setup switches:

/y : Perform removal (only with /m or /q ).
/f : Force programs to be closed at shutdown.
/n : Do not create an Uninstall folder.
/z : Do not restart when update completes.
/q : Use Quiet or Unattended mode with no user interface (this switch is a superset of /m ).
/m : Use Unattended mode with user interface.
/l : List installed hotfixes.
/x : Extract the files without running Setup.

Deployment Information

To install the patch without any user intervention, use the following command line:

q811493i /q

To install the patch without forcing the computer to restart, use the following command line:

q811493i /z

Note These switches can be combined into one command line.

Restart Requirement

You must restart your computer after you apply this patch because this patch replaces core system binaries that are loaded during system startup.

Removal Information

To remove this update, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallQ811493$\Spuninst folder, and it supports the following Setup switches:

/? : Display the list of installation switches.
/u : Use unattended mode.
/f : Force other programs to quit when the computer shuts down.
/z : Do not restart when installation is complete.
/q : Use Quiet mode (no user interaction).

Hotfix Replacement Information

This patch does not replace any other patches.

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

NOTE: Unless specifically noted, files will be targeted to systems independent of service pack level, encryption level, or number of processors.

Windows NT 4.0 (contents of Setup package):

   Date         Time   Version        Size     File name
   --------------------------------------------------------
   12-Dec-2002  18:16  4.0.1381.7203  957,504  Ntkrnlmp.exe
   12-Dec-2002  18:16  4.0.1381.7203  937,280  Ntoskrnl.exe

Windows NT 4.0 (installed files, depending on the encryption level and the number of processors):

   Date         Time   Version        Size     Path and File name              Processor
   ------------------------------------------------------------------------------------------
   12-Dec-2002  18:16  4.0.1381.7203  957,504  %Windir%\System32\Ntoskrnl.exe  multiprocessor
   12-Dec-2002  18:16  4.0.1381.7203  937,280  %Windir%\System32\Ntoskrnl.exe  uniprocessor

Windows NT Server 4.0, Terminal Server Edition (contents of Setup package):

   Date         Time   Version         Size       File name
   -----------------------------------------------------------
   12-Dec-2002  18:29  4.0.1381.33545  1,004,160  Ntkrnlmp.exe
   12-Dec-2002  18:29  4.0.1381.33545    983,168  Ntoskrnl.exe

Windows NT Server 4.0, Terminal Server Edition (installed files, depending on the encryption level and the number of processors):

   Date         Time   Version         Size       Path and File name              Processor
   ---------------------------------------------------------------------------------------------
   12-Dec-2002  18:29  4.0.1381.33545  1,004,160  %Windir%\System32\Ntoskrnl.exe  multiprocessor
   12-Dec-2002  18:29  4.0.1381.33545    983,168  %Windir%\System32\Ntoskrnl.exe  uniprocessor

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

Windows 2000 Only

This problem was first corrected in Microsoft Windows 2000 Service Pack 4.

Windows XP Only

This problem was first corrected in Microsoft Windows XP Service Pack 2.

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-013.mspx

Additional query words: security_patch

Keywords: kbhotfixserver kbqfe atdownload kbwinxpsp2fix kbenv kbwin2ksp4fix kbwin2000presp4fix kbfix kbbug kbwinxppresp2fix kbsecvulnerability kbsecbulletin kbsecurity KB811493

Microsoft KB Archive/811493

Contents

MS03-013: Buffer overrun in Windows kernel message handling could lead to elevated privileges

SYMPTOMS

RESOLUTION

Service Pack Information

Windows XP

Windows 2000

Security Patch Information

Windows XP (All Versions)

Windows 2000

Windows NT 4.0 (all versions)

STATUS

Windows 2000 Only

Windows XP Only

MORE INFORMATION