Article ID: 815021
Article Last Modified on 12/1/2007
APPLIES TO
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows XP Professional
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows 2000 Server
- Microsoft Windows NT Server 4.0 Standard Edition
- Microsoft Windows NT Server 4.0, Terminal Server Edition
- Microsoft Windows NT Workstation 4.0 Developer Edition
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
Microsoft originally released this article March 17, 2003. At that time, Microsoft was aware of a publicly available exploit that was being used to attack Windows 2000 Servers running IIS 5.0. The attack vector in this case was WebDAV although the underlying vulnerability was in a core operating system component, Ntdll.dll. Microsoft issued a patch to protect Windows 2000 customers shortly afterwards, but also continued to investigate the underlying vulnerability. Windows NT 4.0 also contains the underlying vulnerability in Ntdll.dll, however it does not support WebDAV and therefore the known exploit was not effective against Windows NT 4.0. Microsoft has now released patches for Windows NT 4.0. Additionally, Microsoft recently learned of this vulnerability in Windows XP. However, like Windows NT 4.0, Windows XP does not install Internet Information Services (IIS) by default. On May 28, 2003, Microsoft released a patch for Windows XP and Windows XP Service Pack 1.
Warning If you are running Windows 2000 Service Pack 2 (SP2), you must check the version of Ntoskrnl.exe on your computer before you install this patch. To do this:
- Open the %Windir%\System32 folder.
- Right-click the Ntoskrnl.exe file, click Properties, and then click the Version tab.
Versions of Ntoskrnl.exe from 5.0.2195.4797 to 5.0.2195.4928 are not compatible with this patch. These versions were distributed only with Microsoft Product Support Services hotfixes. If you install the patch that is described in this article on a computer with an Ntoskrnl.exe version from 5.0.2195.4797 to 5.0.2195.4928, the computer stops responding with a "Stop 0x00000071" message when you restart the computer. If this occurs, you must recover the Windows installation by using Windows 2000 Recovery Console and the backup copy of the Ntdll.dll file that is stored in the Winnt\$NTUninstallQ815021$ folder.
To update a computer that has a version of Ntoskrnl.exe that was distributed by Microsoft Product Support Services, you must first contact Microsoft Product Support Services before you apply this patch. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
Or, you can upgrade to Windows 2000 Service Pack 3 (SP3) before you install this patch.
SYMPTOMS
Windows 2000 supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. WebDAV, as it is described in RFC 2518, is a set of extensions to Hypertext Transfer Protocol (HTTP) that provide a standard for editing and file management between computers on the Internet. To view RFC 2518, visit the following RFC Web site:
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
A security vulnerability exists in a Windows component that is used by WebDAV. This vulnerability occurs because the component contains an unchecked buffer.
An attacker may exploit the vulnerability by sending a specially formed HTTP request to a computer running Microsoft Internet Information Services (IIS). The request may cause the server to fail or to run code of the attacker's choice. The code would run in the security context of the IIS service. (By default, the IIS service runs in the LocalSystem context).
Although Microsoft has supplied a patch for this vulnerability and recommends that you install it immediately, additional tools and preventive measures have been provided that you can use to block the exploitation of this vulnerability while you assess the impact and compatibility of the patch. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
258868 Slipstream Switch for Windows 2000 Service Pack Update.exe Does Not Work with RIS Server Images
Mitigating factors
- The default configuration of URLScan prevents the vulnerability from being exploited. URLScan is a part of the IIS Lockdown tool. For more information about URLScan, visit the following Microsoft Web site:
For more information about the IIS Lockdown tool, visit the following Web site:
- The vulnerability can only be exploited remotely if an attacker can establish a Web session with an affected server.
RESOLUTION
Service pack information
Windows XP
To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to obtain the latest Windows XP service pack
Windows 2000
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
Security patch information
Windows XP
Download information
The following files are available for download from the Microsoft Download Center:
Windows XP (all languages)
Windows XP 64-Bit Edition
Release Date: May 28, 2003
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Prerequisites
This patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to Obtain the Latest Windows XP Service Pack
Installation information
This patch supports the following Setup switches:
- /?: Display the list of installation switches.
- /u: Use Unattended mode.
- /f: Force other programs to quit when the computer shuts down.
- /n: Do not back up files for removal.
- /o: Overwrite OEM files without prompting.
- /z: Do not restart when installation is complete.
- /q: Use Quiet mode (no user interaction).
- /l: List installed hotfixes.
- /x: Extract the files without running Setup.
For example, to install the patch without any user intervention and to not force the computer to restart, use the following command line:
q815021_wxp_sp2_x86_enu /u /q /z
To verify that the patch is installed on your computer, confirm that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q815021
Removal information
To remove this update, use the Add/Remove Programs tool in Control Panel.
System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%
\$NTUninstallQ815021$\Spuninst folder, and it supports the following Setup switches:
- /?: Display the list of installation switches.
- /u: Use unattended mode.
- /f: Force other programs to quit when the computer shuts down.
- /z: Do not restart when installation is complete.
- /q: Use Quiet mode (no user interaction).
Restart requirement
You must restart your computer after you apply this patch because Ntdll.dll is a core system binary file that is loaded during system startup. Your computer is vulnerable until you restart it.
File information
The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows XP
Date Time Version Size Path and file name --------------------------------------------------------------------------------- 02-May-2003 15:03 5.1.2600.114 651,264 %Windir%\System32\Ntdll.dll pre-SP1 01-May-2003 20:56 5.1.2600.1217 654,336 %Windir%\System32\Ntdll.dll with SP1
Windows XP 64-Bit Edition
Date Time Version Size Path and file name ------------------------------------------------------------------------------------ 02-May-2003 15:03 5.1.2600.114 1,498,112 %WinDir%\System32\Ntdll.dll pre-SP1 01-May-2003 14:57 5.1.2600.114 654,336 %WinDir%\System32\Wntdll.dll pre-SP1 01-May-2003 20:56 5.1.2600.1217 1,508,864 %WinDir%\System32\Ntdll.dll with SP1 30-Apr-2003 21:43 5.1.2600.1217 657,408 %WinDir%\System32\Wntdll.dll with SP1
You can also verify the files that this patch installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q815021\Filelist
Windows 2000
Download information
The following files are available for download from the Microsoft Download Center:
All Languages Except Japanese NEC
Japanese NEC
Release Date: March 17, 2003
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. Prerequisites
This patch requires Windows 2000 Service Pack 2 (SP2) or Windows 2000 Service Pack 3 (SP3). To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the Latest Windows 2000 service pack
Note If you are using Windows 2000 Service Pack 2 (SP2), see the warning at the beginning of this article before you apply this patch.
Installation information
This patch supports the following Setup switches:
- /? : Display the list of installation switches.
- /u : Use Unattended mode.
- /f : Force other programs to quit when the computer shuts down.
- /n : Do not back up files for removal.
- /o : Overwrite OEM files without prompting.
- /z : Do not restart when installation is complete.
- /q : Use Quiet mode (no user interaction).
- /l : List installed hotfixes.
- /x : Extract the files without running Setup.
For example, to install the patch without any user intervention, and then to not force the computer to restart, use the following command line:
q815021_w2k_sp4_x86_en /u /q /z
To verify the patch is installed on your computer, confirm that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q815021
Removal information
You can remove this patch by using the Add/Remove Programs tool in Control Panel to remove "Windows 2000 Hotfix (SP4) Q815021."
System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallQ815021$\Spuninst folder, and it supports the following Setup switches:
- /? : Display the list of installation switches.
- /u : Use unattended mode.
- /f : Force other programs to quit when the computer shuts down.
- /z : Do not restart when installation is complete.
- /q : Use Quiet mode (no user interaction).
Restart requirement
You must restart your computer after you apply this patch because Ntdll.dll is a core system binary that is loaded during system startup. Your computer is vulnerable until you restart it.
File information
The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size Path and file name ----------------------------------------------------------------------- 15-Mar-2003 01:23 5.0.2195.6685 476,944 %Windir%\System32\Ntdll.dll
You can also verify the files that this patch installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q815021\Filelist
Windows NT 4.0 (all versions)
Microsoft Internet Information Server (IIS) is not intended for use on Windows NT Server 4.0, Terminal Server Edition, and is not supported. Microsoft recommends that customers who run IIS 4.0 on Windows NT Server 4.0, Terminal Server Edition, protect their systems by removing IIS 4.0.
Download information
The following files are available for download from the Microsoft Download Center:
Windows NT 4.0:
All languages except Japanese NEC and Chinese - Hong Kong:
Japanese NEC:
Chinese - Hong Kong:
Windows NT Server 4.0, Terminal Server Edition:
All languages:
Release Date: April 23, 2003
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Prerequisites
This patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6). For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack
Installation information
This patch supports the following Setup switches:
- /y : Perform removal (only with /m or /q ).
- /f : Force programs to be closed at shutdown.
- /n : Do not create an Uninstall folder.
- /z : Do not restart when update completes.
- /q : Use Quiet or Unattended mode with no user interface. (This switch is a superset of /m .)
- /m : Use Unattended mode with user interface.
- /l : List installed hotfixes.
- /x : Extract the files without running Setup.
To verify the patch is installed on your computer, confirm that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q815021
For example, to install the patch without any user intervention, and then to not force the computer to restart, use the following command line:
q815021i /q /z
Removal information
To remove this patch, use the Add/Remove Programs tool in Control Panel.
System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallQ815021$\Spuninst folder, and it supports the following Setup switches:
- /? : Display the list of installation switches.
- /u : Use unattended mode.
- /f : Force other programs to quit when the computer shuts down.
- /z : Do not restart when installation is complete.
- /q : Use Quiet mode (no user interaction).
Restart requirement
You must restart your computer after you apply this patch because Ntdll.dll is a core system binary that is loaded during system startup. Your computer is vulnerable until you restart it.
File information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size Path and File name OS ---------------------------------------------------------------------------------------- 24-Mar-2003 10:38 4.0.1381.7212 367,376 %WinDir%\System32\Ntdll.dll Windows NT 4.0 24-Mar-2003 07:12 4.0.1381.33546 369,936 %WinDir%\System32\Ntdll.dll TSE
STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the "Applies to" section.
Windows XP
This problem was first corrected in Microsoft Windows XP Service Pack 2.
Windows 2000
This problem was first corrected in Microsoft Windows 2000 Service Pack 4.
MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:
Additional query words: security_patch Session5_initialization_failed Stop 0x71
Keywords: kbhotfixserver kbqfe atdownload kbwinxpsp2fix kbenv kbwin2ksp4fix kbwinxppresp2fix kbwin2000presp4fix kbsecvulnerability kbsecurity kbsecbulletin kbfix kbbug KB815021