Bugtraq mailing list archives
Microsoft Security Bulletin (MS00-032)
From: secnotif () MICROSOFT COM (Microsoft Product Security)
Date: Fri, 2 Jun 2000 10:42:36 -0700
The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox. ******************************** -----BEGIN PGP SIGNED MESSAGE----- Microsoft Security Bulletin (MS00-032) - -------------------------------------- Patch and Tool Available for "Protected Store Key Length" Vulnerability Originally Posted: June 01, 2000 Summary ======= Microsoft has released a patch and a tool that eliminate a security vulnerability in Microsoft(r) Windows(r) 2000. The vulnerability could make it easier for a malicious user who had complete control over a Windows 2000 machine to compromise users' sensitive information. Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-032.asp Issue ===== A Protected Store is provided as part of CryptoAPI, in order to provide secure storage for sensitive information such as private keys and certificates. By design, the Protected Store should always encrypt the information using the strongest cryptography available on the machine. However, the Windows 2000 implementation uses 40-bit key to encrypt the Protected Store, even if stronger cryptography is installed on the machine. This vulnerability weakens the protection on the Protected Store, but does not eliminate it. An attacker would need to gain complete administrative control over the machine that houses the Protected Store in order to gain access to it, and even then would still need to mount a brute-force cryptographic attack against it. However, customers who follow the recommended remediation for this vulnerability can ensure that such an attack would be significantly more difficult, if not impossible. The patch package to eliminate this vulnerability contains a new version of PBASE.DLL, the module that provides the Protected Store functionality, and a tool named Keymigrt.exe. Installing PBASE.DLL will ensure that all future additions to the Protected Store are encrypted using the strongest cryptography available on the machine. However, the Keymigrt tool also needs to be run, in order to re-encrypt all items currently in the Protected Store. We recommend that system administrators place the Keymigrt tool into users' logon scripts to ensure that the tool is run the next time they log on. Affected Software Versions ========================== - Windows 2000 Professional - Windows 2000 Server - Windows 2000 Advanced Server Patch Availability ================== - http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21703 Note: The patch package contains a patch that needs to be applied to all affected machines, and a tool that should be run on all affected machines. The FAQ and Knowledge Base article provide additional details on their use. Note: Additional security patches are available at the Microsoft Download Center More Information ================ Please see the following references for more information related to this issue. - Frequently Asked Questions: Microsoft Security Bulletin MS00-032, http://www.microsoft.com/technet/security/bulletin/fq00-032.asp - Microsoft Knowledge Base article Q260219 discusses this issue and will be available soon. - Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp Obtaining Support on this Issue =============================== This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp. Revisions ========= - June 01, 2000: Bulletin Created. - ----------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Last updated June 01, 2000 (c) 2000 Microsoft Corporation. All rights reserved. Terms of use. -----BEGIN PGP SIGNATURE----- Version: PGP 6.0.2 iQEVAwUBOTfyCI0ZSRQxA/UrAQH7dggApDmuI2FFpuzcP93IMzkIfEtQeHP1I8ta SXiNPPCElEPFdea1lt0w2fUzihheUOXG3iajHrDH9FTa4C5KD2Q30JW3VYLguKeN fadyY1/0rju8e7BYNTHcKaOr6du7PKoLaJfhyxcEZ863dnZsY+qGzlI2bY+fZg9M A6Cd3k6RLG7bwSrsEy8Vv9IzCDG42XHbVFJqGCLjjh8krS5KhPBZ2FVpse/hCVf6 bHHaqYCDQp0I+HdpxwT1C8K7Ub1JwLCFH9Vr0a/ktIYE2WmnxDGL6c6qwBSGO9oQ OI2hTofZFas8D2CAzSZwgS7AaxJ5NtL/MH0tS/YjGXnslu7C2+Oi9g== =vhCo -----END PGP SIGNATURE----- ******************************************************************* You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM The subject line and message body are not used in processing the request, and can be anything you like. To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/technet/security/notify.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
Current thread:
- Re: IBM HTTP SERVER / APACHE typo () INFERNO TUSCULUM EDU (Jun 01)
- <Possible follow-ups>
- Re: IBM HTTP SERVER / APACHE H D Moore (Jun 01)
- Re: IBM HTTP SERVER / APACHE Luke Harless (Jun 01)
- Security Administration comes to LISA 2000 Cat Okita (Jun 01)
- Remote DoS attack in RealServer: USSR-2000043 David Cotter (Jun 01)
- ipx storm Jacek Lipkowski (Jun 02)
- Microsoft Security Bulletin (MS00-032) Microsoft Product Security (Jun 02)
- Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability Ussr Labs (Aug 02)
- Piranha password file frostman () SECUREACCESS INTRANETS COM (Jun 02)
- Re: Piranha password file arkth (Jun 08)
- Re: Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability Alfred Perlstein (Jun 02)
- New Allaire Security Zone Bulletins Aleph One (Jun 08)
- Re: IBM HTTP SERVER / APACHE . Hecix (Jun 02)
- Re: IBM HTTP SERVER / APACHE Marc Slemko (Jun 03)