With the high-tech world still reeling from the Slammer worm, Microsoft ironically has been forced to pull one of its security patches because it actually introduces an error that may cause systems to fail.
While the Slammer worm inflicted its damage on copies of Microsoft SQL Server 2000, the latest problem revolves around a security patch for Windows NT 4.0 systems. But it comes at a time when sysadmins are being scolded for not updating systems with the necessary patches in the first place. (The patch for Slammer has been around since July.)
Security officials at Microsoft withdrew the patch, which was first issued
on December 11, and removed its download links. The security vulnerability
it addressed was found in WM_TIMER message handling in NT 4.0 and could
enable privilege elevation.
Patches for Windows 2000 and Windows XP were unaffected by the latest
withdrawal, Microsoft said.
In the updated advisory, Microsoft said it was
investigating the cause of the problematic patch and promised to release an
updated fix soon.
The company urged Windows NT 4.0 administrators to uninstall the patch
until a new fix is issued.
The vulnerability involves Windows messages, which interactive processes
use to react to user events like keystrokes or mouse movements and to
communicate with other interactive processes. One such message, WM_TIMER,
is sent at the expiration of a timer and can be used to cause a process to
execute a timer callback function.
“A security vulnerability results because it’s possible for one process
in the interactive desktop to use a WM_TIMER message to cause another
process to execute a callback function at the address of its choice, even if
the second process did not set a timer. If that second process had higher
privileges than the first, this would provide the first process with a way
of exercising them,” Microsoft warned.
The software giant cautioned that an attacker who had the ability to log
onto a system interactively could potentially run a program that would
piggyback on a WM_TIMER request, causing it to take any action the
attacker specified. “This would give the attacker complete control over the
system,” Microsoft said.
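The trust problem Microsoft describes can be modeled in portable C; this is an added illustration, not code from Microsoft or from the patch. Apart from the WM_TIMER message number, every name here is hypothetical, and the checked dispatcher shows one way to close the gap, not necessarily how the fix was implemented.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WM_TIMER   0x0113   /* Win32 message number for timer expiry */
#define MAX_TIMERS 8

typedef void (*timer_cb)(uintptr_t id);
/* Model of a queued message; cb stands in for the callback address field. */
typedef struct { unsigned msg; uintptr_t id; timer_cb cb; } model_msg;

static struct { uintptr_t id; timer_cb cb; } timers[MAX_TIMERS];
static size_t n_timers;
static int own_ran, foreign_ran;

static void own_callback(uintptr_t id)   { (void)id; own_ran++; }     /* registered */
static void foreign_target(uintptr_t id) { (void)id; foreign_ran++; } /* never registered */

/* Record the timers this process itself asked for. */
int model_set_timer(uintptr_t id, timer_cb cb) {
    if (n_timers == MAX_TIMERS || cb == NULL) return 0;
    timers[n_timers].id = id;
    timers[n_timers].cb = cb;
    n_timers++;
    return 1;
}
/* Flawed behaviour: call whatever address the message carries. */
int dispatch_trusting(const model_msg *m) {
    if (m->msg != WM_TIMER || m->cb == NULL) return 0;
    m->cb(m->id);
    return 1;
}
/* Checked behaviour: call only a (timer id, callback) pair we registered. */
int dispatch_checked(const model_msg *m) {
    if (m->msg != WM_TIMER || m->cb == NULL) return 0;
    for (size_t i = 0; i < n_timers; i++)
        if (timers[i].id == m->id && timers[i].cb == m->cb) { m->cb(m->id); return 1; }
    return 0;   /* the process never set this timer: drop the message */
}
int main(void) {
    model_msg legit  = { WM_TIMER, 1, own_callback };    /* constructed sample */
    model_msg forged = { WM_TIMER, 1, foreign_target };  /* constructed sample */
    model_set_timer(1, own_callback);
    printf("checked: legit=%d forged=%d\n", dispatch_checked(&legit), dispatch_checked(&forged));
    printf("trusting: forged=%d\n", dispatch_trusting(&forged));
    return 0;
}
```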
The withdrawn patch also made changes to several processes that run on
the interactive desktop with high privileges. Although none of these would,
in the absence of the WM_TIMER vulnerability, enable an attacker to gain
privileges on the system, Microsoft said they were included in the patch to
make the services more robust.