MS06-040: Vulnerability in Server service could allow remote code execution.

[Neil Jackson]

Hi,

I haven't posted to a newsgroup for a long long time, I've searched high and
low and cannot see an answer to this one but sorry if this has already been
asked before.

MS06-040: Vulnerability in Server service could allow remote code execution.

We have about 100 Windows 2000 Servers running Service Pack 4 for various
roles and about 1600 Windows 2000 Professional desktops. MS06-040 concerns
me and we have been advised by our peers to patch immediately to prevent
something terrible happening.

On the Technet at
http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx it says:

Affected Software:

.. Microsoft Windows 2000 Service Pack 4
.. Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack
2
.. Microsoft Windows XP Professional x64 Edition
.. Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service
Pack 1
.. Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
Windows Server 2003 with SP1 for Itanium-based Systems
.. Microsoft Windows Server 2003 x64 Edition

However on the Microsoft Knowledgebase article at
http://support.microsoft.com/?kbid=921883 , there is no specific mention of
Windows 2000 and all we have mentioned is:

APPLIES TO:
Microsoft Windows 2000 Service Pack 4, when used with:
Microsoft Small Business Server 2000 Standard Edition

We don't use Small Business Server 2000 so my question is, does MS06-040
apply to my Windows 2000 Servers and my Windows 2000 Professional Desktops,
all running SP4.

Secondly, if it does apply to Windows 2000 Server and Windows 2000
Professional, why arn't they mentioned on the knowledge base article?

Thanks in advance for clearing this up.

Cheers,

Neil.
System Support Engineer.

 

[Roger Abell [MVP]]

The patch is needed on any Windows 2000.

I am not sure why KB 921883
http://support.microsoft.com/?kbid=921883
it states as it does for applies to information, but I think I may, in that
the SBS issue was noted specifically in a revision after the initial doc
release, and this may have been with the Windows 2000 Sp4 mention
became trimmed to SBS

 

[Joe Richards [MVP]]

Not only does it include you but there is a working exploit already in
the wild attacking machines. Your entire network is vulnerable to the
attack.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

[Michael Bednarek]

The patch is needed on any Windows 2000.

Not trying to pick nits, but if ports 135-139, 445 are invisible to the
Internet -as any responsibly configured firewall would make them-, the
vulnerability described in MS06-040 cannot be exploited, or?

 

[Roger Abell [MVP]]

Not trying to pick nits, but if ports 135-139, 445 are invisible to the
Internet -as any responsibly configured firewall would make them-, the
vulnerability described in MS06-040 cannot be exploited, or?

Firewall where? At the network perimeter? Then machines can be
exploited from inside. W2k does not ship with a firewall, and if a
host-based IP filtering is build with IPsec then possibly the default
allows for IKE, etc. would be exploited.

In all honesty, before sending, I had a "unless workarounds" in my
text, but I thought better of it and deleted before posting, mostly
because this poster obviously has domain and thus need for these
ports on a number of those 100 W2k Servers.

Now, in retrospect, I agree, the part that was left and posted is
overstatement, as it does not indicate the workaround that might
be applicable for some cases.
Even so, sooner or later the patch should get applied rather than just
forever relying on the workaround.

 

[Roger Abell [MVP]]

You will find that
http://support.microsoft.com/kb/921883
has now been updated to clarify.
Thanks for pointing that out.

 

[Guest]

Is there a MSI available for the Hotfix? I can't find it anywhere!

Thanks!!!

--Ed