Deciding which hotfixes you need

Determining which hotfixes you need to correct a particular security problem can be a tedious task. If you've ever visited Microsoft's FTP site looking for hotfixes, you've noticed the numerous patches available. In fact, as of October 1, 1998, I counted 45 post-Service Pack 3 (SP3) hotfix subdirectories at the site. A few hotfixes are obsolete, and their respective directories contain only a readme.txt file with a pointer to a current patch location.

You don't have to download every hotfix Microsoft publishes. Some hotfixes might not apply to software running on your system, and others might fix minor problems you're not interested in fixing, such as problems in assigning a drive letter to an Iomega Zip drive. But you need to download security-related hotfixes to keep your system safe.

To save you some time, I've undertaken the task of helping you decide which security hotfixes you need. I've discovered 16 Windows NT 4.0 post-SP3 hotfixes that correct particular security-related problems. This article briefly discusses each hotfix and directs you to Microsoft articles for more information on each hotfix. I've arranged the hotfixes categorically by major application to simplify your choice of appropriate hotfixes.

It is important to note that when you are considering which hotfixes will help protect your NT 4.0 system, you must consider what Microsoft-supported applications and hardware are running on that system. If you can't determine what hotfixes are on your NT systems, download a copy of SPQuery from MTE Software at http://www.mtesoft.com. SPQuery itemizes installed hotfixes for you and helps you download the hotfixes from within the SPQuery software. SPQuery can save a lot of time when it comes to patching NT systems. It costs about $195 for the network-enabled edition.

Locating Hotfixes
Microsoft stores US versions of NT hotfixes online at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postsp3. You can get international versions of most Microsoft hotfixes by selecting your country's directory at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes. If you have trouble accessing Microsoft's main FTP site due to routing problems or high traffic loads, try the alternative FTP site at ftp://198.105.232.37/fixes.

Unless otherwise noted below, you can find all the hotfixes in this article at the sites I've listed above. I've used the hotfix directory name to reference each hotfix so you know where to find each one on the FTP site.

Hotfixes for NT 4.0
The Snk-fix hotfix corrects a denial-of-service problem with the Rpcss.exe routine of the Remote Procedure Call Subsystem (RPCSS). Spoofed UDP packets directed at port 135 initiate a loop of rejection packets between systems, which causes the denial-of-service (DoS) attack. The loop will not break until one of the servers drops the packet. The loop causes high processor loads and unnecessary bandwidth usage. The Microsoft article "Rpcss.exe Consumes 100% CPU Due to RPC Spoofing Attack" at http://support.microsoft.com/support/kb/articles/q193/2/33.asp discusses this scenario.

The priv-fix hotfix corrects an OS problem in which, via the utility sechole.exe, any user can gain membership in the local Administrators group and thus local administrative privileges. The priv-fix hotfix ensures that the server, not the client, checks access rights. The Microsoft article "SecHole Lets Non-administrative Users Gain Debug Level Access" at http://support.microsoft.com/support/kb/articles/q190/2/88.asp describes the details.

The getadmin-fix hotfix corrects a problem in a low-level kernel routine, in which a global flag lets calls to NtOpenProcessToken succeed regardless of the user's permissions. Using the getadmin.exe utility, a user can attach to a process such as WinLogon and start a thread in that process's security context. The user can then add a user account to the Administrators group. The getadmin-fix hotfix prevents getadmin.exe from attaching to any process the user doesn't own, and so denies the user administrative rights. Refer to the Microsoft article "GetAdmin Utility Grants Users Administrative Rights" at http://support.microsoft.com/support/kb/articles/q146/9/65.asp for more information.

The teardrop2-fix hotfix corrects a problem in Microsoft's TCP/IP stack implementation that a bug-exploiting program known as TearDrop uses to launch DoS attacks. Several variants of the TearDrop attack program also exist. TearDrop sends pairs of IP fragments that the receiving system reassembles into an invalid UDP datagram. Because of the overlapping offset in the second fragment, the second packet overwrites data in the middle of the UDP header contained in the first packet. As a result, the datagram appears incomplete to the system, and NT crashes. The Microsoft article "STOP 0x0000000A or 0x00000019 Due to Modified Teardrop Attack" at http://support.microsoft.com/support/kb/articles/q179/1/29.asp discusses this problem in detail.
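The overlap condition described above is straightforward to check on a packet capture. The following is an added example (not code from the article or from Microsoft's hotfix): a small reassembly audit that groups fragments by IP identification, reports any fragment that overwrites bytes an earlier fragment already supplied, and notes whether the overlap lands inside the first 8 bytes, where the UDP header lives. The fragment values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    ident: int    # IP Identification field shared by all fragments of one datagram
    offset: int   # byte offset of this fragment's payload within the datagram
    length: int   # payload length in bytes
    more: bool    # "more fragments" flag

UDP_HEADER_LEN = 8  # the UDP header occupies datagram bytes 0..7

def overlapping_fragments(frags):
    """Return a finding for each fragment that overlaps a fragment received earlier
    for the same IP ID. A finding carries the overlapping byte range and whether
    that range intersects the UDP header (the Teardrop-style corruption)."""
    findings = []
    by_id = {}
    for f in frags:
        by_id.setdefault(f.ident, []).append(f)
    for ident, group in by_id.items():
        covered = []  # (start, end) ranges already received, in arrival order
        for f in group:
            start, end = f.offset, f.offset + f.length
            for (s, e) in covered:
                if start < e and end > s:  # half-open intervals intersect
                    lo, hi = max(start, s), min(end, e)
                    findings.append({
                        "id": ident,
                        "overlap": (lo, hi),
                        "hits_udp_header": lo < UDP_HEADER_LEN,
                    })
                    break
            covered.append((start, end))
    return findings

# Constructed samples: a benign two-fragment datagram, and a Teardrop-like pair whose
# second fragment re-covers bytes 4..23, overwriting part of the UDP header.
NORMAL = [Fragment(8, 0, 1480, True), Fragment(8, 1480, 100, False)]
TEARDROP_LIKE = [Fragment(7, 0, 36, True), Fragment(7, 4, 20, False)]

if __name__ == "__main__":
    print(overlapping_fragments(NORMAL))         # []
    print(overlapping_fragments(TEARDROP_LIKE))  # one finding, hits_udp_header=True
```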

The srv-fix hotfix corrects a problem with malformed Server Message Block (SMB) packets that cause NT systems to crash. The crash occurs when the size specified in a logon request packet doesn't match the actual data size. This inconsistency causes memory corruption, which locks up or reboots the system. The problem is documented in the Microsoft article "Denial of Service Attack Causes Windows NT Systems to Restart" at http://support.microsoft.com/support/kb/articles/q180/9/63.asp.

The pent-fix hotfix, discussed in the Microsoft article "Invalid Operand with Locked CMPXCHG8B Instruction" at http://support.microsoft.com/support/kb/articles/q163/8/52.asp, corrects an error in the Pentium processor architecture. The problem occurs when invalid instructions sent to the processor cause the system to lock up. Although no known OS or application sends invalid instructions, a program written with malicious intent could send such an instruction. The pent-fix hotfix helps the OS trap invalid instructions and block them from the processor.

The y2k-fix hotfix corrects problems with certain NT components that can stop functioning properly as of January 1, 2000, due to the century change. Many software application designers did not take four-digit years into account when they originally developed their software. For example, if the year is set to 2001, the year's two-digit abbreviation appears as :1 rather than 01 on the Date Modified tab of the Find Files or Folders dialog box. Also, if User Manager does not recognize February 2000 as part of a leap year, NT may skip a day on the calendar after the user sets the date in the Date/Time applet. Refer to the Microsoft article "Find Files Displays Garbled Date if Year is 2000 or Greater" at http://support.microsoft.com/support/kb/articles/q183/1/23.asp for specifics.

Microsoft has also released a patch for the company's TCP/IP implementation when dealing with Token-Ring networks. On these networks, storing a hop count greater than 7 in the Route Information Field (RIF) causes all NT systems on the ring to crash.

Hotfixes for IIS
The iis-fix hotfix keeps Microsoft Internet Information Server (IIS) 2.0 and IIS 3.0 from stopping when the software receives a Common Gateway Interface (CGI) request from a Web browser with between 4KB and 8KB of data in the URL. The exact length of the URL causing the crash varies among systems, but a malicious user can write a program that makes simple attacks against a system to easily determine the appropriate size. The Microsoft article "IIS Services Stop with Large Client Requests" at http://support.microsoft.com/support/kb/articles/q143/4/84.asp documents this problem.

The asp-fix hotfix corrects a memory leak in early versions of the asp.dll file. IIS 3.0 running Active Server Pages (ASP) version 1.0b is susceptible to this problem. The memory leak leads to performance problems, such as slow response times, as described in the Microsoft article "Active Server Pages: Progressive Memory Leak" at http://support.microsoft.com/support/kb/articles/q165/3/35.asp.

The ssl-fix hotfix corrects several problems in the Secure Sockets Layer (SSL) implementation. This hotfix corrects a security problem in which a malicious user can decode a transaction encryption with SSL by using mathematical analysis and trial and error. The ssl-fix hotfix eliminates the need for separate Server Gated Cryptography (SGC) and non-SGC versions of schannel.dll, corrects a "bad password" error message, and provides a new version of sgcinst.exe. Users of NT 4.0, IIS 3.0 and 4.0, Site Server 3.0 Commerce Edition, Site Server 3.0 Enterprise Edition, and Exchange Server 5.0 and 5.5 need to carefully review the Microsoft article "Generic SSL (PCT/TLS) Updates for IIS and MS Internet Products" at http://support.microsoft.com/support/kb/articles/q148/4/27.asp for information pertaining to those software packages.

The iis4-datafix hotfix corrects a problem in which IIS displays ASP source code instead of the processed results of the file. If you append ::$DATA to the end of a URL, IIS returns the ASP code. This problem is similar to an earlier one in which an appended period at the end of the URL returned the code instead of processing it. The hotfix places ASP files in an execute-only directory so IIS displays only the processed file. The Microsoft article " '::$DATA' Data Stream Name of a File May Return Source" at http://support.microsoft.com/support/kb/articles/q188/8/06.asp provides details. The hotfix is available at ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security.

The sfn-fix hotfix corrects a problem with both IIS 4.0 and Microsoft Personal Web Server (PWS) 4.0, in which the software doesn't apply certain configuration settings when a user requests a URL with short filename equivalents. Short filenames are truncated long filenames converted to eight characters with a three-character extension. For example, the long filename this web document.htm would abbreviate to thiswe~1.htm. The software does not apply the following configuration settings when a user requests a URL with a truncated name: restricted access by IP address, Platform for Internet Content Selection (PICS) ratings, and the SSL encryption requirement. Refer to the Microsoft article "Settings May Not Be Applied with URL with Short Filename" at http://support.microsoft.com/support/kb/articles/q179/1/48.asp for complete details. You can find the sfn-fix hotfix at ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security.
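Both the ::$DATA problem and the short-filename problem above are failures to canonicalize the requested path before applying per-file settings. As an added example (not code from the article, IIS, or either hotfix), here is a request-path check a front-end filter or log review could apply to spot the three variants the text describes: a trailing NTFS stream name, a trailing period, and an 8.3 short-name segment such as thiswe~1.htm. The regular expressions and sample URLs are my own constructions.

```python
import re
from urllib.parse import urlsplit, unquote

# An 8.3 short name: up to six characters, a tilde and a number, optional 3-char extension.
_SHORT_NAME = re.compile(r"^[^/]{0,6}~\d+(\.[^/]{0,3})?$", re.IGNORECASE)
# A trailing NTFS alternate data stream reference such as "::$DATA".
_STREAM = re.compile(r"::\$[A-Za-z0-9_]+$", re.IGNORECASE)

def request_path_issues(url):
    """Return the canonicalization problems found in a request URL's path.

    Each finding is a short tag; an empty list means the path looks canonical
    and the server's per-path settings (IP restrictions, SSL requirement, PICS
    ratings) can be expected to apply to it.
    """
    path = unquote(urlsplit(url).path)  # decode %-escapes before inspecting
    issues = []
    if _STREAM.search(path):
        issues.append("ntfs-stream-suffix")
    if path.rstrip("/").endswith("."):
        issues.append("trailing-dot")
    for segment in path.split("/"):
        base = _STREAM.sub("", segment)  # judge the name without any stream suffix
        if _SHORT_NAME.match(base):
            issues.append("short-filename:" + segment)
    return issues

# Constructed sample requests illustrating the cases from the text.
SAMPLE_URLS = [
    "http://host/default.asp::$DATA",
    "http://host/default.asp.",
    "http://host/secure/thiswe~1.htm",
    "http://host/secure/this%20web%20document.htm",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", request_path_issues(u) or "ok")
```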

Additional Hotfixes
The rras30-fix hotfix supersedes the rras20-fix hotfix (the Microsoft article refers to this hotfix as the pptp-fix hotfix), and corrects problems in Microsoft's Point-to-Point Tunneling Protocol (PPTP) implementation in conjunction with both Routing and Remote Access Service (RRAS) and Remote Access Service (RAS) protocols. The problems let intruders remove data from the network link and thus jeopardize the entire network. Intruders can download programs such as L0phtCrack to compromise PPTP connections by gathering certain information off the network. Microsoft produced four articles on the matter. Refer to the Microsoft article "PPTP Performance & Security Upgrade for WinNT 4.0 Release Notes" at http://support.microsoft.com/support/kb/articles/q189/5/95.asp.

The dns-fix hotfix corrects several problems with the Domain Name System (DNS) service that can lead to a compromised system. Among the concerns are failed DNS lookup attempts, a zone change from secondary to primary, DNS cache corruption and spoofing attacks, and a DoS attack caused by flooding DNS port 53 with meaningless data. The Microsoft article "Predictable Query IDs Pose Security Risks for DNS Servers" at http://support.microsoft.com/support/kb/articles/q167/6/29.asp discusses aspects of the DNS problem. The dns-fix hotfix makes the DNS server use random query IDs. This patch minimizes the effect of the cache pollution attack.
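The point of the query-ID change is that a 16-bit transaction ID only protects a cached answer if the next ID cannot be guessed. As an added example (not from the article or the hotfix), the audit below takes transaction IDs observed in a server's successive outbound queries and checks whether one fixed increment explains almost every transition, which is what a sequential, pre-hotfix allocator looks like; a randomized allocator should leave an attacker with roughly one chance in 65,536 per forged reply. The sample ID sequences are constructed.

```python
import random
from collections import Counter

ID_SPACE = 1 << 16  # DNS transaction IDs are 16-bit

def query_id_step_profile(ids):
    """Return (most_common_step, fraction_of_transitions_using_it) for observed IDs."""
    if len(ids) < 2:
        raise ValueError("need at least two observed transaction IDs")
    steps = [(b - a) % ID_SPACE for a, b in zip(ids, ids[1:])]
    step, count = Counter(steps).most_common(1)[0]
    return step, count / len(steps)

def is_predictable(ids, threshold=0.9):
    """True when a single increment accounts for at least `threshold` of transitions."""
    _, fraction = query_id_step_profile(ids)
    return fraction >= threshold

def guess_chance_per_reply(ids):
    """Rough odds that one forged reply carries the right ID: near-certain for a
    sequential allocator, 1/65536 when IDs show no dominant step."""
    return 1.0 if is_predictable(ids) else 1.0 / ID_SPACE

# Constructed samples: a server incrementing IDs by one, and one drawing them at random.
SEQUENTIAL_IDS = list(range(4096, 4096 + 32))
RANDOM_IDS = [random.Random(1998).randrange(ID_SPACE) for _ in range(32)]
RANDOM_IDS = random.Random(1998).sample(range(ID_SPACE), 32)  # distinct, reproducible

if __name__ == "__main__":
    for name, ids in (("sequential", SEQUENTIAL_IDS), ("random", RANDOM_IDS)):
        step, frac = query_id_step_profile(ids)
        print(f"{name}: step={step} fraction={frac:.2f} predictable={is_predictable(ids)}")
```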

The winsupd-fix hotfix corrects a problem in the Windows Internet Naming Service (WINS), in which invalid UDP frames directed to any computer running that service cause a WINS exception error resulting in service termination. After WINS crashes, several problems can occur if systems depend on WINS for location information. These problems affect domain synchronization, browsing, or connectivity, as discussed in the Microsoft article "Invalid UDP Frames May Cause WINS to Terminate" at http://support.microsoft.com/support/kb/articles/q155/7/01.asp. The hotfix makes WINS log problematic events and keeps the service from terminating unexpectedly.

The simptcp-fix hotfix corrects problems involving the chargen service. The Simple TCP/IP Service includes the chargen, time of day, echo, and quote of the day services. Attacks against these services send a flood of UDP datagrams to the subnet broadcast address with destination port set at 19 and a spoofed source IP address. The Microsoft article "Denial of Service Attack Against WinNT Simple TCP/IP Services" at http://support.microsoft.com/support/kb/articles/q154/4/60.asp provides further information.

Band-Aid, Anyone?
As you see, you need to consider several hotfixes to further secure your NT systems. Service Pack 4 (SP4) includes many of these hotfixes, but you'll need to download post-SP4 hotfixes to maintain system security.