SYMPTOMS
Microsoft Windows 2000 includes support for Accessibility
options. Accessibility options are a set of assistive technologies in Windows
that permits users with disabilities to access the full functionality of the
operating system. You can turn on or turn off the Accessibility options by
using shortcuts that are built into the operating system or by using Utility
Manager. Utility Manager is an accessibility utility that permits users to
check the status of accessibility programs (for example, Microsoft Magnifier,
Windows Narrator, and On-Screen Keyboard) and to turn them on or off.
There is a flaw in the way that Utility Manager handles Windows
messages. Windows messages provide a way for interactive processes to react to
user events (for example, keystrokes or mouse movements) and to communicate
with other interactive processes. A security vulnerability occurs because the
control that provides the list of accessibility options to the user does not
correctly validate Windows messages that are sent to it. Therefore, it is
possible for one process in the interactive desktop to use a specific Windows
message to cause the Utility Manager process to run a callback function at the
address of its choice. Because the Utility Manager process runs at a higher
level of permissions than the first process, this provides the first process
with a method of exercising that higher level of permissions.
By default, Utility Manager contains controls that run in the interactive
desktop with LocalSystem permissions. As a result, an attacker who had the
ability to log on to a system interactively could potentially run a program
that could send a specially crafted Windows message to the Utility Manager
process, causing Utility Manager to take any action that the attacker
specifies. This would give the attacker complete control over the system.
Note: The attack cannot be carried out remotely, and the attacker would
have to have the ability to interactively log on to the system.
Mitigating factors
- An attacker must have valid logon credentials to exploit
this vulnerability. This vulnerability cannot be exploited remotely.
- Correctly secured servers are at little risk from this
vulnerability. Standard best practices recommend that you permit only trusted
administrators to log on to such systems interactively. Without these
permissions, an attacker cannot exploit this vulnerability.
RESOLUTION
Service pack information
To resolve this problem, obtain the latest service pack for
Microsoft Windows 2000.
For additional information, click the following article number to view the
article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
Download information
The following file is available for download from the Microsoft Download
Center:
Release Date: July 9, 2003
For additional information about how to download Microsoft
Support files, click the following article number to view the article in the
Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help to
prevent any unauthorized changes to the file.
Note: If you are running Windows 2000 Service Pack 2, visit the
following Microsoft Web site to obtain this additional security update:
Prerequisites
This security patch requires Windows 2000 Service Pack 3 (SP3).
For additional information, click the following article number to view the
article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
Installation information
This security patch supports the following Setup switches:
- /?: Display the list of installation switches.
- /u: Use Unattended mode.
- /f: Force other programs to quit when the computer shuts down.
- /n: Do not back up files for removal.
- /o: Overwrite OEM files without prompting.
- /z: Do not restart when installation is complete.
- /q: Use Quiet mode (no user interaction).
- /l: List installed hotfixes.
- /x: Extract the files without running Setup.
To verify that the security patch is installed on your
computer, confirm that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\KB822679
Deployment information
To install this security patch without any user intervention, run
the following command line:
Windows2000-KB822679-x86-ENU /u /q
To install this security patch without restarting the computer,
run the following command line:
Windows2000-KB822679-x86-ENU /z
Note: You can combine these switches into one command line.
For information about how to deploy this security patch with
Software Update Services, visit the following Microsoft Web site:
Restart requirement
You must restart your computer after you apply this patch.
Removal information
To remove this update, use the Add/Remove Programs tool in
Control Panel.
System administrators can use the Spuninst.exe utility
to remove this security patch. Spuninst.exe is located in the
%Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following
Setup switches:
- /?: Display the list of installation switches.
- /u: Use unattended mode.
- /f: Force other programs to quit when the computer shuts down.
- /z: Do not restart when installation is complete.
- /q: Use Quiet mode (no user interaction).
Patch replacement information
This patch does not replace any other patches.
File information
The English version of this patch has the file attributes (or later) that are
listed in the following table. The dates and times for these files are listed
in coordinated universal time (UTC). When you view the file information, it is
converted to local time. To find the difference between UTC and local time,
use the Time Zone tab in the Date and Time tool in Control Panel.
Date         Time   Version        Size       File name
--------------------------------------------------------------
21-May-2003  18:55  5.0.2195.6713  4,010,496  Sp3res.dll
12-Jun-2003  20:55  1.0.0.3           27,920  Umandlg.dll
You can also verify the files that this security patch installs
by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\KB822679\Filelist
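The two verification checks described above (the KB822679 registry key and the "or later" file versions in the table), applied to inventory data collected from several computers. This is an added example, not Microsoft's code; the inventory record layout, the host names and the function names are assumptions, and the sample records are constructed.

```python
# Added example: audit collected inventory against the KB822679 file table.
# The inventory records below are constructed sample data, not real hosts.

MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\KB822679"

# Minimum file versions, taken from the file information table above.
REQUIRED = {
    "sp3res.dll": "5.0.2195.6713",
    "umandlg.dll": "1.0.0.3",
}


def parse_version(text):
    """Turn '5.0.2195.6713' into (5, 0, 2195, 6713) for numeric comparison."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a four-part file version: %r" % text)
    return tuple(int(p) for p in parts)


def audit_host(record):
    """Return a list of findings; an empty list means the host looks patched."""
    findings = []
    keys = {k.lower() for k in record.get("registry_keys", [])}
    if MARKER_KEY.lower() not in keys:
        findings.append("registry marker missing")
    files = {name.lower(): ver for name, ver in record.get("files", {}).items()}
    for name, minimum in REQUIRED.items():
        found = files.get(name)
        if found is None:
            findings.append("%s: not inventoried" % name)
        elif parse_version(found) < parse_version(minimum):
            findings.append("%s: %s is older than %s" % (name, found, minimum))
    return findings


# Constructed inventory: one patched host, one with a stale Umandlg.dll, and
# one with a later Sp3res.dll build that a plain string compare would misjudge.
SAMPLE_INVENTORY = {
    "host-a": {"registry_keys": [MARKER_KEY],
               "files": {"Sp3res.dll": "5.0.2195.6713", "Umandlg.dll": "1.0.0.3"}},
    "host-b": {"registry_keys": [MARKER_KEY],
               "files": {"Sp3res.dll": "5.0.2195.6713", "Umandlg.dll": "1.0.0.2"}},
    "host-c": {"registry_keys": [],
               "files": {"Sp3res.dll": "5.0.2195.10000", "Umandlg.dll": "1.0.0.3"}},
}

if __name__ == "__main__":
    for host, record in sorted(SAMPLE_INVENTORY.items()):
        print(host, audit_host(record) or "OK")
```

File versions are compared field by field as integers because a text comparison would rank 5.0.2195.10000 below 5.0.2195.6713 and flag a later file as outdated.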