Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
MS03-025: Flaw in Windows message handling through Utility Manager could enable privilege elevation
Article ID: 822679 - View products that this article applies to.
Microsoft Windows 2000 includes support for Accessibility options. Accessibility options are a set of assistive technologies in Windows that permits users with disabilities to access the full functionality of the operating system. You can turn on or turn off the Accessibility options by using shortcuts that are built into the operating system or by using Utility Manager. Utility Manager is an accessibility utility that permits users to check the status of accessibility programs (for example, Microsoft Magnifier, Windows Narrator, and On–Screen Keyboard) and to turn them on or off.
There is a flaw in the way that Utility Manager handles Windows messages. Windows messages provide a way for interactive processes to react to user events (for example, keystrokes or mouse movements) and to communicate with other interactive processes. A security vulnerability occurs because the control that provides the list of accessibility options to the user does not correctly validate Windows messages that are sent to it. Therefore, it is possible for one process in the interactive desktop to use a specific Windows message to cause the Utility Manager process to run a callback function at the address of its choice. Because the Utility Manager process runs at a higher level of permissions than the first process, this provides the first process with a method of exercising that higher level of permissions.
By default, Utility Manager contains controls that run in the interactive desktop with LocalSystem permissions. As a result, an attacker who had the ability to log on to a system interactively could potentially run a program that could send a specially crafted Windows message upon the Utility Manager process, causing Utility Manager to take any action that the attacker specifies. This would give the attacker complete control over the system.
Note The attack cannot be carried out remotely, and the attacker would have to have the ability to interactively log on to the system.
Service pack informationTo resolve this problem, obtain the latest service pack for Microsoft Windows 2000.
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/260910/ )How to obtain the latest Windows 2000 service pack
Download informationThe following file is available for download from the Microsoft Download Center:
Release Date: July 9, 2003
Download the 822679 package now.
Collapse this imageExpand this image
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
(http://support.microsoft.com/kb/119591/ )How to Obtain Microsoft Support Files from Online Services
Note If you are running Windows 2000 Service Pack 2, visit the following Microsoft Web site to obtain this additional security update:
PrerequisitesThis security patch requires Windows 2000 Service Pack 3 (SP3). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/260910/EN-US/ )How to Obtain the Latest Windows 2000 Service Pack
Installation informationThis security patch supports the following Setup switches:
Deployment informationTo install this security patch without any user intervention, run the following command line:
Windows2000-KB822679-x86-ENU /u /qTo install this security patch without restarting the computer, run the following command line:
Windows2000-KB822679-x86-ENU /zNote You can combine these switches into one command line.
For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:
Restart requirementYou must restart your computer after you apply this patch.
Removal informationTo remove this update, use the Add/Remove Programs tool in Control Panel.
System administrators can use the Spunist.exe utility to remove this security patch. Spuninst.exe is located in the %Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following Setup switches:
Patch replacement informationThis patch does not replace any other patches.
File informationThe English version of this patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
You can also verify the files that this security patch installs by reviewing the following registry key:
Date Time Version Size File name -------------------------------------------------------------- 21-May-2003 18:55 5.0.2195.6713 4,010,496 Sp3res.dll 12-Jun-2003 20:55 220.127.116.11 27,920 Umandlg.dll
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the "Applies to" section.
For more information about this vulnerability, visit the following Microsoft Web site:
Article ID: 822679 - Last Review: July 30, 2007 - Revision: 6.3