Patch Available for "Share Level Password" Vulnerability

Article ID: 273991
This article was previously published under Q273991
This article has been archived. It is offered "as is" and will no longer be updated.

Symptoms

Microsoft has released a patch that eliminates a security vulnerability in Windows 95, Windows 98, Windows 98 Second Edition, and Windows Millennium Edition (Me). This vulnerability could allow a malicious user to programmatically obtain access to a file share without knowing the entire password that is assigned to that share. For answers to frequently asked questions about this vulnerability and the patch, please view the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/fq00-072.mspx
NOTE: This update has been superseded as described in the following Microsoft Knowledge Base article:
273727 Denial of Service Possible on an IPX/SPX Protocol Using the Name Management Port
NOTE: To more effectively search the Microsoft Knowledge Base, use keywords that relate to your issue. If you are searching for troubleshooting information that is not mentioned in this article, search the Microsoft Knowledge Base again by using keywords that are listed in the following Microsoft Knowledge Base article:
242450 How to Query the Microsoft Knowledge Base Using Keywords

Cause

This problem can occur because of the way the share-level access control password feature is implemented. With this implementation, a malicious user can use a special client utility to gain access to a share without knowing the entire password that is required to access that share.

Resolution

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this fix should have the following file attributes or later:
   Date        Time    Version    Size     File name    Operating system
   ------------------------------------------------------------------------------
   10/19/2000  06:52p  4.00.955   108,288  Vserver.vxd  Windows 95
   10/17/2000  01:44p  4.00.1113  112,904  Vserver.vxd  Windows 95B or 95C
   10/11/2000  12:54p  4.10.2001  112,912  Vserver.vxd  Windows 98
   09/15/2000  05:18p  4.10.2224  112,912  Vserver.vxd  Windows 98 Second Edition
   09/25/2000  06:34p  4.90.3001  112,896  Vserver.vxd  Windows Me

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

More information

Microsoft Windows provides two types of security protection for file and printer sharing. You can select the type of security protection on the Access Control tab in the Network tool in Control Panel.

The first type of security protection is share-level access control. When you use this method, the type of access to grant is controlled by which of two passwords is used to request access. One password specifies read-only access, and the other specifies full access.

The second type of security protection is user-level access control. This method allows you to specify what type of access to grant to specific users. User-level access control does not require the use of passwords to decide what access type to grant.

Because it is the password verification feature that is vulnerable, only share-level access control is affected. To avoid this issue, computers that are part of a Windows-based domain should be set to use user-level access control.

NOTE: Computers that are running Microsoft Windows NT or Microsoft Windows 2000 can only use user-level access control and are not susceptible to this vulnerability.
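
The check implied by the file table under Resolution and the access-control guidance above, as an added example that is not part of the Microsoft article: it audits a constructed inventory, comparing each host's Vserver.vxd version against the fixed version for its operating system and treating user-level hosts as not exposed. The CSV layout, host names, sample versions and status labels are assumptions.

```python
import csv
import io

# Fixed Vserver.vxd versions per operating system, from the article's table.
FIXED_VERSIONS = {
    "Windows 95": (4, 0, 955),
    "Windows 95B or 95C": (4, 0, 1113),
    "Windows 98": (4, 10, 2001),
    "Windows 98 Second Edition": (4, 10, 2224),
    "Windows Me": (4, 90, 3001),
}

# Constructed inventory; the column names and layout are assumptions.
SAMPLE_INVENTORY = """host,os,vserver_version,access_control
pc-01,Windows 98,4.10.1998,share-level
pc-02,Windows 98 Second Edition,4.10.2224,share-level
pc-03,Windows 95B or 95C,4.00.1111,user-level
pc-04,Windows Me,4.90.3001,share-level
pc-05,Windows 98 Second Edition,4.10.2001,share-level
"""

def parse_version(text):
    """Turn '4.00.1113' into (4, 0, 1113) so fields compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)

def assess(os_name, vserver_version, access_control):
    """Classify one host as not-exposed, patched, vulnerable or unknown-os."""
    if access_control == "user-level":
        return "not-exposed"  # only share-level password checking is affected
    fixed = FIXED_VERSIONS.get(os_name)
    if fixed is None:
        return "unknown-os"
    # The fix must be judged per OS: 4.10.2001 is fixed on Windows 98
    # but predates the Windows 98 Second Edition fix (4.10.2224).
    return "patched" if parse_version(vserver_version) >= fixed else "vulnerable"

def audit(inventory_csv):
    """Map each host in a CSV inventory to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: assess(r["os"], r["vserver_version"], r["access_control"])
            for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A host reported as not-exposed still carries the unpatched file if its version is below the table value, so it becomes vulnerable again if it is switched back to share-level access control.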

For additional information about Windows 95 hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:
161020 Implementing Windows 95 Updates
For additional information about Windows 98 and Windows 98 Second Edition hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:
206071 General Information on Windows 98 and SE Hotfixes
For additional information about Windows Me hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:
295413 General Information About Windows Millennium Edition Hotfixes
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 273991 - Last Review: October 24, 2013 - Revision: 2.0
Applies to
  • Microsoft Windows 95
Keywords: 
kbnosurvey kbarchive kbhotfixserver kbqfe kbenv kbprb KB273991
