Windows 2000 Service Pack 3 (SP3) fixes the following
security problems or adds the following updates:
Default Diffie-Hellman SChannel Certificate Selection on Web Enrollment Page Causes Error: 0x80090008 - NTE_BAD_ALGID
When the default Diffie-Hellman (DH) certificate selection of Both is used
on the certification authority (CA) Web enrollment page, the request fails with
Error: 0x80090008 - NTE_BAD_ALGID. An update is available that changes the default
certificate selection to Signature on Windows 2000 CAs.
Set LAN Manager (LM) One-Way Function (OWF) Password Results in Access Denied Error
When you use the UserAllInformation level to set a password, the call succeeds if you pass the
password in clear text, but if you pass an LM OWF (hashed) password instead, you receive an Access
Denied error (error code 5).
Invalid Entry in Certificate Store Causes Event ID 1008
An update to the CertOpenStore function allows it to
skip an invalid entry.
Incorrect Key Usage with Encrypting File System (EFS) May Cause Access Violation in LSASS.exe
So that EFS in Windows 2000 can use certificates other than the ones it
issues itself, EFS is updated to look for the EFS object identifier (OID) in the
enhanced key usage (CERT_ENHKEY_USAGE) structure of the certificate in the certificate store.
Imported Certificate with a Key Larger Than 512 Bits Is Considered Invalid for Encrypting File System (EFS)
With this update, certificates with keys of up to 1024 bits can be imported by
using the Base cryptographic service provider (CSP) instead of the Enhanced
CSP.
Roaming User Cannot Delete a User Key Container That Was Created on Different Computer
The DeleteContainerInfo function is updated so that it can delete a key
container, by the name it was given, even when the container was created
on a different computer.
New Key Distribution Center (KDC) Certificate Is Not Used After Enrollment
When a new KDC certificate is obtained after the previous one expires,
Windows continues to use the expired certificate until the server or the
KDC service is restarted.
Buffer Overrun Vulnerability in the Runas Command
If you supply a program name of about 600 characters on the Runas command
line, you may receive a memory access error. This might allow malicious code
to run, or be used for a denial of service attack.
File Decryption Following a Password Change May Be Unsuccessful in Domains with Both Windows 2000 and Windows Server 2003 Domain Controllers
After a user account password change, the Data Protection API (DPAPI)
contacts a domain controller to have it decrypt the user's "master key."
Because of a change in the encryption scheme in the Windows Server 2003 family,
if the master key was encrypted by a Windows Server 2003 domain controller, an
attempt to decrypt it by using a Windows 2000 domain controller is unsuccessful,
and files protected by that master key cannot be decrypted.
Certificate Is Not Removed from the Certification Authority Store After Removing It from the Encrypting File System (EFS)
This update removes a certificate, together with the certificates in its
chain (if they are not part of the chain of another certificate that remains
in the EFS store), from the certification authority store when the
certificate is removed from the EFS store.
User Credentials Remain in Memory Buffer After Using the Runas Command
After the Runas command-line utility is used, the user's credentials are not
erased from memory when the program exits. To exploit this vulnerability, a
malicious user must have interactive access to the computer: a program might
wait for a RunAs session to end and then search memory for that user's
credentials.
Malicious Code That Listens on the Same Pipe as the RunAs Service Might Receive User Credentials
This update prevents the Runas command from running if
the RunAs service is stopped.
Possible Denial of Service Vulnerability in the Windows 2000 RunAs Service
If the named pipe on which the RunAs service listens is disabled, the
secondary logon function (Runas) is effectively disabled. Malicious code that
runs with administrative privileges could be used to block activity on this
pipe. This update lets the RunAs service create multiple instances of the
pipe and hold state data for each client.
Buffer Overflow Vulnerability in Telnet.exe
Passing a 252-character string as the port parameter on the Telnet.exe
command line results in a buffer overflow. This may allow malicious code to
run in the context of the currently logged-on user.
Kerberos Change Password Is Unsuccessful in an MIT Realm When the Principal Requires Pre-authentication
The Kerberos.dll file is updated to make sure that the KerbLookupMitRealm
function is always called.
Links Can Contain Encoded Text That Can Add HTTP Request Headers
This update includes an updated Wininet.dll file that checks host names for
invalid characters and returns an error if it finds any, so that encoded text
in a link cannot be decoded into additional HTTP request headers.
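The following is an added example, not code from the article or from Wininet: it builds the request line and Host header for two constructed links, one of which carries percent-encoded CR LF in the host part, and shows how a client that decodes the host before use emits an extra header, and how an allow-list check on the decoded host blocks it. The allow-list (letters, digits, hyphen, dot) is an assumption for illustration; the article does not say which characters Wininet rejects.

```python
import re
from urllib.parse import unquote

# Constructed sample links (not taken from the article). The second one has
# percent-encoded CR LF inside the host part; a client that decodes the host
# before placing it in the request would emit an extra request header.
SAMPLE_LINKS = [
    "http://www.example.com/index.html",
    "http://www.example.com%0d%0aX-Injected:%20yes/index.html",
]

# Assumed allow-list for host names: letters, digits, hyphen and dot.
_HOST_RE = re.compile(r"[A-Za-z0-9.-]+")

def split_link(link):
    """Return (host, path) of an http link without decoding anything."""
    _, _, rest = link.partition("//")
    host, _, path = rest.partition("/")
    return host, "/" + path

def build_request(link, validate):
    """Build the HTTP/1.1 request text for the link.

    The host is percent-decoded first (the behaviour that makes the encoded
    CR LF dangerous). With validate=True the decoded host is checked against
    the allow-list and the link is rejected if it does not match.
    """
    host, path = split_link(link)
    decoded = unquote(host)
    if validate and not _HOST_RE.fullmatch(decoded):
        raise ValueError("host name contains invalid characters: %r" % decoded)
    return "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (path, decoded)

def header_names(request):
    """Names of the header lines a receiving server would parse."""
    head = request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]          # skip the request line
    return [line.split(":", 1)[0] for line in lines if line]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(header_names(build_request(link, validate=False)))
        try:
            build_request(link, validate=True)
            print("accepted")
        except ValueError as err:
            print("rejected:", err)
```

Run without validation, the second link produces a request with both a Host and an X-Injected header; with validation it is rejected before any request is built.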
Vulnerability in the Unsafe ActiveX Control Dialog Box
The Internet Explorer dialog box that prompts you to confirm the running of an
unsafe ActiveX control can be hidden by covering it with a chromeless window
(a window without a title bar or borders). This may trick a user into accepting
the installation of an unsafe ActiveX control.
Renaming a Computer or Joining a Computer to the Domain
This update removes the need for Inheritable Access
Control Entries to rename a computer or to join a computer to the
domain.
This update also fixes the problem described in the following
Microsoft Knowledge Base (KB) article:
290533 (http://support.microsoft.com/kb/290533/EN-US/)
User Permission to Add Workstation to Domain Includes Permission to Rename Computer Account
Group Policy Object Version Number Changes to 0 (Zero) After 65535 Changes
A Group Policy object (GPO) with a version number of zero is treated as a
newly created blank GPO. The Group Policy engine uses this version number to
decide whether to apply the GPO, and a version-zero GPO is skipped. The version
counter wraps at 65535 (it is a 16-bit value), so when you change a GPO whose
version number is 65535, it is assigned version number zero and the Group
Policy engine skips it.
Denial of Service Vulnerability in the Internet Key Exchange Service
A denial of service attack can be carried out against Windows 2000 computers
that run the Internet Key Exchange (IKE) service by flooding them with User
Datagram Protocol (UDP) packets.
Unsigned Webview Templates
This update includes an updated security policy that
prevents unsigned webview templates from running.
Security-Related Problems in Microsoft Internet Explorer
This update prevents the reading of a user's files by
using a script. The update also includes the fixes that are described in the
following Microsoft Knowledge Base (KB) articles:
317745 (http://support.microsoft.com/kb/317745/EN-US/)
MS02-005: Patch Is Available for File Download Dialog Box Spoofing Vulnerability
312461 (http://support.microsoft.com/kb/312461/EN-US/)
MS01-055: Internet Explorer Cookie Data Can Be Exposed or Altered Through Script Injection
282062 (http://support.microsoft.com/kb/282062/EN-US/)
IIS Does Not Authenticate for the /_AuthChangeUrl URL
317727 (http://support.microsoft.com/kb/317727/EN-US/)
MS02-005: Patch Is Available for the Application Invocation via Content-Type Field Vulnerability
Security Audit Is Not Performed When You Add Users from Another Domain to Universal Groups
Auditing is not performed when you add users to, or
remove users from a universal group, when those users are from a different
domain in the same forest.
Improved or Updated Security in the Internet Key Exchange Process
This security update prevents a man-in-the-middle attack on the Internet Key
Exchange process. With this update the Windows 2000 IPSec initiator and
responder validate the Internet Key Exchange (IKE) Main Mode HASH payload
instead of accepting it unchecked.
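As an added example (not code from the article or from the Windows IPSec implementation), the block below computes the Main Mode HASH_I and HASH_R payloads with the RFC 2409 formulas for pre-shared-key authentication and shows why validating them matters: a responder that skips the check accepts an exchange in which a man in the middle swapped the initiator's Diffie-Hellman value, while a responder that recomputes HASH_I over what it actually received rejects it. All cookies, nonces, payload bodies and DH public values are constructed byte strings (no group arithmetic is performed), and HMAC-SHA1 is assumed as the prf.

```python
import hmac
import hashlib

def prf(key, data):
    """RFC 2409 prf: keyed hash with the negotiated algorithm (HMAC-SHA1 assumed)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk, ni_b, nr_b):
    """SKEYID for pre-shared-key authentication: prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)

def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)

def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)

def verify(received, expected, validate_hash):
    """validate_hash=False models the pre-update peer, which did not check
    the HASH payload; True models the updated peer."""
    if not validate_hash:
        return True
    return hmac.compare_digest(received, expected)

def main_mode(tampered, validate_hash):
    """Constructed Main Mode exchange. Returns (responder_ok, initiator_ok),
    i.e. whether each side accepts the other's HASH payload."""
    psk = b"example pre-shared key"                          # constructed
    cky_i, cky_r = bytes(range(1, 9)), bytes(range(9, 17))   # ISAKMP cookies
    ni_b, nr_b = b"\x11" * 16, b"\x22" * 16                  # nonce payload bodies
    sai_b = b"\x00\x00\x00\x01" + b"ISAKMP-SA-proposal-body" # SA payload body (constructed)
    idii_b = b"\x01\x00\x00\x00" + bytes([192, 168, 0, 1])   # ID_IPV4_ADDR 192.168.0.1
    idir_b = b"\x01\x00\x00\x00" + bytes([192, 168, 0, 2])   # ID_IPV4_ADDR 192.168.0.2
    gxi = b"\x33" * 32                                       # initiator's g^xi as sent
    gxr = b"\x44" * 32                                       # responder's g^xr

    # A man in the middle substitutes its own value for g^xi on the way to
    # the responder; it cannot recompute the hashes without the PSK.
    gxi_seen = b"\x55" * 32 if tampered else gxi

    # Both peers derive the same SKEYID from the PSK and the nonces.
    skeyid = skeyid_psk(psk, ni_b, nr_b)

    # Initiator authenticates the exchange as it saw it; responder recomputes
    # HASH_I over what it actually received.
    sent_hash_i = hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    expected_hash_i = hash_i(skeyid, gxi_seen, gxr, cky_i, cky_r, sai_b, idii_b)
    responder_ok = verify(sent_hash_i, expected_hash_i, validate_hash)

    # Responder hashes the g^xi it saw; initiator checks against the real one.
    sent_hash_r = hash_r(skeyid, gxi_seen, gxr, cky_i, cky_r, sai_b, idir_b)
    expected_hash_r = hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b)
    initiator_ok = verify(sent_hash_r, expected_hash_r, validate_hash)
    return responder_ok, initiator_ok

if __name__ == "__main__":
    print("clean, validated   :", main_mode(tampered=False, validate_hash=True))
    print("tampered, validated:", main_mode(tampered=True, validate_hash=True))
    print("tampered, unchecked:", main_mode(tampered=True, validate_hash=False))
```

The third case is the pre-update behaviour: the substituted value sails through because neither side compares the HASH payload it received with the one it computes itself.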
Unauthorized Server Message Block Server Collects NTLM Hashes
A rogue Windows 2000 Server Message Block (SMB) server can be set up to send a
null (all-zero) challenge. The NT LAN Manager challenge/response pairs it then
receives are a fixed function of each user's NTLM password hash, which is as
good as collecting the hashes themselves.
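The following added example (not code from the article) is the detection side of that problem: it parses NTLM CHALLENGE_MESSAGE (Type 2) blobs as a network monitor would see them and flags a null server challenge. It goes slightly beyond the text by also flagging a challenge that the same server has sent before, since any predictable challenge lets the client's response be replayed or attacked offline. The sample messages are constructed here with a minimal builder; the target names and challenge values are made up.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2
NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
TARGET_TYPE_SERVER = 0x00020000

def build_challenge(server_challenge, target_name):
    """Construct a minimal CHALLENGE_MESSAGE for the sample: 48-byte header
    (no Version field), TargetName in the payload, empty TargetInfo."""
    if len(server_challenge) != 8:
        raise ValueError("server challenge must be 8 bytes")
    name = target_name.encode("utf-16-le")
    flags = NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM | TARGET_TYPE_SERVER
    payload_offset = 48
    return (NTLMSSP_SIGNATURE
            + struct.pack("<I", CHALLENGE_MESSAGE)
            + struct.pack("<HHI", len(name), len(name), payload_offset)  # TargetNameFields
            + struct.pack("<I", flags)                                    # NegotiateFlags
            + server_challenge                                            # ServerChallenge
            + bytes(8)                                                    # Reserved
            + struct.pack("<HHI", 0, 0, payload_offset + len(name))       # TargetInfoFields
            + name)

def parse_challenge(msg):
    """Extract target name, flags and the 8-byte server challenge, which
    sits at a fixed offset of 24 in every CHALLENGE_MESSAGE."""
    if len(msg) < 48 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError("not a CHALLENGE_MESSAGE (type %d)" % msg_type)
    name_len, _, name_off = struct.unpack_from("<HHI", msg, 12)
    (flags,) = struct.unpack_from("<I", msg, 20)
    raw_name = msg[name_off:name_off + name_len]
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {"target": raw_name.decode(codec, "replace"),
            "flags": flags,
            "challenge": msg[24:32]}

class ChallengeMonitor:
    """Inspects Type 2 messages seen on the wire. A null (all-zero) challenge
    is flagged outright; a challenge the same target has sent before is
    flagged too, because a predictable challenge makes the client's response
    reusable."""
    def __init__(self):
        self.seen = {}

    def inspect(self, msg):
        info = parse_challenge(msg)
        target, chal = info["target"], info["challenge"]
        findings = []
        if chal == bytes(8):
            findings.append("null challenge")
        history = self.seen.setdefault(target, set())
        if chal in history:
            findings.append("repeated challenge")
        history.add(chal)
        return target, chal.hex(), findings

# Constructed traffic: a rogue server that always sends a null challenge and a
# legitimate server that sends a fresh one.
SAMPLE_MESSAGES = [
    build_challenge(bytes(8), "ROGUE"),
    build_challenge(bytes(range(1, 9)), "W2KSRV"),
    build_challenge(bytes(8), "ROGUE"),
]

if __name__ == "__main__":
    monitor = ChallengeMonitor()
    for m in SAMPLE_MESSAGES:
        print(monitor.inspect(m))
```

Feeding the monitor real captures means carving the NTLMSSP blob out of the SMB Session Setup response (or the HTTP WWW-Authenticate header) first; the parsing and checks above apply unchanged.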
"Fail Privilege Use" Audit Entry Is Not Generated
An audit entry is not generated when a user without the required permissions
tries to view the security log. This update adds a return code check so that
the failure is audited, as the C2 security evaluation requires.
IPSEC Driver Drops Certain Packet Fragments
The IPSec driver drops fragments of IPSec packets that are of a certain
size.
Nonsecure Communication Is Accepted When the 'Accept Unsecured Communication' Option Is Not Selected
IPSec accepts nonsecure packets when the "Accept unsecured communication"
check box in the IPSec filter action is not selected but the "Fall back to
unsecured communication with non IPSec-aware computer" option is
selected.
Mounting a Volume to a Folder on the Same Volume Causes Windows Explorer to Stop Responding
When you try to edit the security permission of a
volume that is looped to itself (a volume that is mounted to a folder on the
same volume), the program from which you try to apply the security permissions
stops responding (crashes).
GetEffectiveRightsFromAcl() Function Returns Incorrect Access Mask
After you install Service Pack 2 (SP2) for Windows
2000, the GetEffectiveRightsFromAcl() function no longer returns the correct
32-bit value that specifies the rights that are permitted or denied in an
access control entry (ACE).
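To make concrete what an effective-rights computation has to get right, here is an added example (not the Win32 implementation and not code from the article) that models GetEffectiveRightsFromAcl() over a constructed DACL: ACEs are walked in order and each access bit is settled by the first ACE that names it for one of the trustee's SIDs, so an explicit deny that precedes an allow wins for the bits they share. It also checks canonical ordering (explicit denies before allows) and handles the NULL DACL and empty DACL cases. The access-right constants are the Win32 header values; the user SID is made up, S-1-5-32-545 is the well-known BUILTIN\Users SID.

```python
from collections import namedtuple

# Standard and file-specific access rights (Win32 header values).
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x00010000, 0x00020000, 0x00040000, 0x00080000
FILE_READ_DATA, FILE_WRITE_DATA = 0x00000001, 0x00000002
FILE_ALL_ACCESS = 0x001F01FF

ACCESS_ALLOWED, ACCESS_DENIED = "allow", "deny"
Ace = namedtuple("Ace", "kind sid mask")

def effective_rights(dacl, trustee_sids):
    """Effective access mask for a trustee whose token holds trustee_sids.

    Each bit is decided by the first ACE in order that names it for a
    matching SID. A NULL DACL (None) grants everything; an empty DACL
    grants nothing.
    """
    if dacl is None:
        return FILE_ALL_ACCESS
    granted = 0
    decided = 0
    for ace in dacl:
        if ace.sid not in trustee_sids:
            continue
        if ace.kind == ACCESS_ALLOWED:
            granted |= ace.mask & ~decided      # only bits not already denied
        decided |= ace.mask                     # deny or allow, the bit is settled
    return granted

def is_canonical(dacl):
    """Explicit deny ACEs must precede explicit allow ACEs; otherwise an
    allow that comes first wins for the bits it shares with a later deny."""
    seen_allow = False
    for ace in dacl or []:
        if ace.kind == ACCESS_ALLOWED:
            seen_allow = True
        elif seen_allow:
            return False
    return True

def describe(mask):
    """Names of the rights set in mask, for readable output."""
    names = {"FILE_READ_DATA": FILE_READ_DATA, "FILE_WRITE_DATA": FILE_WRITE_DATA,
             "DELETE": DELETE, "READ_CONTROL": READ_CONTROL,
             "WRITE_DAC": WRITE_DAC, "WRITE_OWNER": WRITE_OWNER}
    return sorted(n for n, v in names.items() if mask & v)

# Constructed DACL: Users may not change the DACL or owner, the user
# otherwise has full control, and Users may read.
USER = "S-1-5-21-1000-2000-3000-1001"    # made-up domain user SID
USERS = "S-1-5-32-545"                   # BUILTIN\Users
SAMPLE_DACL = [
    Ace(ACCESS_DENIED, USERS, WRITE_DAC | WRITE_OWNER),
    Ace(ACCESS_ALLOWED, USER, FILE_ALL_ACCESS),
    Ace(ACCESS_ALLOWED, USERS, FILE_READ_DATA | READ_CONTROL),
]

if __name__ == "__main__":
    mask = effective_rights(SAMPLE_DACL, {USER, USERS})
    print(hex(mask), describe(mask), "canonical:", is_canonical(SAMPLE_DACL))
```

For the user above the result is FILE_ALL_ACCESS minus WRITE_DAC and WRITE_OWNER (0x001301FF), because the group deny is evaluated before the user's allow; reverse the ACE order and the same ACL grants full control, which is why non-canonical DACLs are worth flagging.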
Incorrect Location Checked When Verifying Whether an Audit Category Is Enabled
The LsaIWriteAuditEvent function checks the wrong
category when it verifies that auditing is enabled for a category.
The Close Object Audit Entry Does Not Use a Non-System Account
Before this update, the Open Object audit entry is logged under the account
of the current user, but the Close Object audit entry is logged under the
SYSTEM account.
Flooding Port 464 on a Domain Controller Causes "Spike" in CPU Usage and Memory Leak
Repeatedly running a script or program that floods port 464 (the Kerberos
change-password port) with hundreds of connections may cause the Local Security
Authority (LSA) to consume about 90 percent of the CPU. LSA memory usage also
increases by about 10 megabytes (MB). After this attempted denial of service
attack, CPU usage remains at the high level for about 45 minutes before it
returns to typical levels.
Strong Password Function Does Not Recognize the Forward Slash Character as a Special Character
This update changes the strong password dynamic link
library file (Passfilt.dll) to have it recognize the forward slash (/) character as a "Special Character" in strong password
creation.
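As an added example (not the Passfilt.dll source and not code from the article), the block below models the complexity rule a password filter enforces and shows the effect of the change: with the pre-update character table a password whose only non-alphanumeric character is "/" reaches just two of the four character classes and is rejected; with "/" counted as special it passes. The exact pre-update table is not given in the article, so it is assumed here to be every other punctuation mark; the minimum length of 6 and the "must not contain the account name" rule are assumptions as well.

```python
import string

# Assumed special-character tables: before the update '/' was not counted.
SPECIALS_BEFORE = frozenset(string.punctuation) - {"/"}
SPECIALS_AFTER = frozenset(string.punctuation)

def character_classes(password, specials):
    """Which of the four classes (upper, lower, digit, special) occur."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in specials:
            classes.add("special")
    return classes

def passes_filter(password, account_name, specials, min_length=6):
    """Model of the strong-password rule: minimum length, the account name
    must not appear in the password (case-insensitive), and at least three
    of the four character classes must be present."""
    if len(password) < min_length:
        return False
    if account_name and account_name.lower() in password.lower():
        return False
    return len(character_classes(password, specials)) >= 3

def compare(account_name, password):
    """Verdict of the filter with the old and the updated special-character table."""
    return {"before": passes_filter(password, account_name, SPECIALS_BEFORE),
            "after": passes_filter(password, account_name, SPECIALS_AFTER)}

# Constructed sample passwords for the account "jsmith".
SAMPLES = ["jan/2003", "Jsmith/2003", "summer12", "Summer12"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(pw, compare("jsmith", pw))
```

"jan/2003" is the case the update fixes: lower-case letters, digits and "/" only, so it is rejected with the old table and accepted with the new one. "Jsmith/2003" is rejected either way because it contains the account name, and "summer12" because it has only two character classes.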
Private Key Persists in Memory
Two copies of a user's private key remain in memory and
persist even when the user logs off the computer.
Signing and Encrypting of Messages with NT LAN Manager (NTLM)
This update supports the signing and encrypting of
messages with NTLM.
Remote Procedure Call with Invalid Parameters Causes Error in Netdde.exe
When a remote procedure call (RPC) passes invalid parameters to
\pipe\nddeapi, the NetDDE server does not filter them correctly. As a result,
you may receive the following error message:
NETDDE.EXE has generated errors and will be closed by Windows.
You will have to restart the program. An error log is being created.
Buffer Overrun Vulnerability Exists in the Dynamic Host Configuration Protocol (DHCP) Service
An unchecked buffer exists in the DHCP service and can be reached remotely
through a named pipe that does not enforce adequate access control. This
vulnerability might permit malicious code to run in the context of the
SYSTEM account.
Incorrect DHCP Security Access Mask
This update changes the Dynamic Host Configuration
Protocol (DHCP) security access mask to restrict user permissions to View and
Read permissions.
Access Violation in Terminal Services License Manager
An access violation (AV) occurs in License Manager
(Licmgr.exe) when you try to refresh the server settings, and the connection to
the target licensing server has been lost.