Help and Support
 

powered byLive Search

MS03-024: Buffer overrun in Windows could lead to data corruption

View products that this article applies to.
Article ID:817606
Last Review:September 27, 2007
Revision:11.5
On This Page

SYMPTOMS

Server Message Block (SMB) is the Internet standard protocol that Windows uses to share files, printers, and serial ports. Windows also uses it to communicate between computers that are using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources, and servers make SMB responses in what is described as a client server request-response protocol.

A flaw exists in the way that the server validates the parameters of an SMB packet. When a client computer sends an SMB packet to the server, it includes specific parameters that provide the server with a set of "instructions." In this case, the server does not correctly validate the buffer length that is established by the packet. If the client specifies a buffer length that is less than what is required, it can cause the buffer to be overrun.

If attackers send a specially crafted SMB packet request, they could cause a buffer overrun to occur. If this flaw is exploited, it could lead to data corruption, system failure, or in the worst case, it could allow attackers to run the code of their choice. The attackers would have to have a valid user account and they would have to be authenticated by the server to exploit this flaw.

Back to the top

Mitigating factors

Microsoft Windows Server 2003 is not affected by this vulnerability.
By default, it is not possible to exploit this flaw anonymously. The attacker would have to be authenticated by the server before they try to send a SMB packet to it.
If you block port 139/445 at the firewall, you can help prevent the possibility of an attack from the Internet.

Back to the top

RESOLUTION

Windows XP service pack information

To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 (http://support.microsoft.com/kb/322389/EN-US/) How to obtain the latest Windows XP service pack

Back to the top

Security patch information

For more information about how to resolve this vulnerability, click the appropriate link below:
Windows XP (all versions)
Windows 2000 (all versions)
Windows NT 4.0 Workstation, Windows NT 4.0 Server and Windows NT 4.0 Server, Terminal Server Edition

Windows XP (all versions)

Download information
The following files are available for download from the Microsoft Download Center:

Windows XP (all 32-Bit versions)

DownloadDownload the 817606 package now. (http://microsoft.com/downloads/details.aspx?FamilyId=8F407A78-646C-4F82-BF74-12298ED5D8CF&displaylang=en)

Windows XP 64-Bit Edition Version 2002

DownloadDownload the 817606 package now. (http://microsoft.com/downloads/details.aspx?FamilyId=2644E2F3-92F2-40B3-8887-72FEB81CA58D&displaylang=en) Release Date: July 9, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 (http://support.microsoft.com/kb/119591/) How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Prerequisites
This patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 (http://support.microsoft.com/kb/322389/) How to obtain the latest Windows XP service pack
Installation information
This patch supports the following Setup switches:
/? : Display the list of installation switches.
/u : Use Unattended mode.
/f : Force other programs to quit when the computer shuts down.
/n : Do not back up files for removal.
/o : Overwrite OEM files without prompting.
/z : Do not restart when the installation is complete.
/q : Use Quiet mode (no user interaction).
/l : List installed patches.
/x : Extract the files without running Setup.
To verify that the patch is installed on your computer, confirm that the following registry key exists.

Windows XP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB817606
Windows XP with Service Pack 1 (SP1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB817606
Deployment information
To install the patch without any user intervention and without forcing the computer to restart, use the /u, /q, and /z command line switches. For example, to install the Windows XP (all 32-bit versions) of the patch without any user intervention and without forcing the computer to restart, use the following command line:
817606_wxp_sp2_x86_enu /u /q /zFor information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/wsus/bb466201.aspx (http://technet.microsoft.com/en-us/wsus/bb466201.aspx)
Restart requirement
You must restart your computer after you apply this patch.
Removal information
To remove this patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following Setup switches:
/? : Display the list of installation switches.
/u : Use unattended mode.
/f : Force other programs to quit when the computer shuts down.
/z : Do not restart when the installation is complete.
/q : Use Quiet mode (no user interaction).
Patch replacement information
This patch does not replace any other patches.
File information
The English version of this patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. 
   Date         Time   Version        Size       Path and File name
   ---------------------------------------------------------------------------------------
   28-Mar-2003  19:02  5.1.2600.112     322,304  %Windir%\System32\Drivers\Srv.sys  pre-SP1   i386
   28-Mar-2003  15:54  5.1.2600.1193    322,048  %Windir%\System32\Drivers\Srv.sys  with SP1  i386

   28-Mar-2003  19:03  5.1.2600.112   1,142,016  %Windir%\System32\Drivers\Srv.sys  pre-SP1   ia64
   28-Mar-2003  15:55  5.1.2600.1193  1,140,480  %Windir%\System32\Drivers\Srv.sys  with SP1  ia64
You can also verify the files that this patch installed by reviewing the following registry keys.

Windows XP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB817606\Filelist
Windows XP with Service Pack 1 (SP1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB817606\Filelist

Windows 2000

Service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 (http://support.microsoft.com/kb/260910/) How to obtain the latest Windows 2000 service pack
Download information
The following file is available for download from the Microsoft Download Center:

DownloadDownload the 817606 package now. (http://microsoft.com/downloads/details.aspx?FamilyId=8290DBEC-6072-45B9-A91D-E4C1FD93E3E1&displaylang=en) Release Date: July 9, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 (http://support.microsoft.com/kb/119591/) How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Note Customers who are running Windows 2000 Service Pack 2 should contact Microsoft Product Support Services to obtain this additional security update.
Prerequisites
This patch requires Windows 2000 Service Pack 3 (SP3).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 (http://support.microsoft.com/kb/260910/) How to obtain the latest Windows 2000 service pack
Installation information
This patch supports the following Setup switches:
/? : Display the list of installation switches.
/u : Use Unattended mode.
/f : Force other programs to quit when the computer shuts down.
/n : Do not back up files for removal.
/o : Overwrite OEM files without prompting.
/z : Do not restart when the installation is complete.
/q : Use Quiet mode (no user interaction).
/l : List installed patches.
/x : Extract the files without running Setup.
To verify the patch is installed on your computer, confirm that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\KB817606
Deployment information
To install the patch without any user intervention, use the following command line:
windows2000-kb817606-x86-enu /u /q
To install the patch without forcing the computer to restart, use the following command line:
windows2000-kb817606-x86-enu /z
Note These switches can be combined into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/wsus/bb466201.aspx (http://technet.microsoft.com/en-us/wsus/bb466201.aspx)
Restart requirement
You must restart your computer after you apply this patch.
Removal information
To remove this patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following Setup switches:
/? : Display the list of installation switches.
/u : Use unattended mode.
/f : Force other programs to quit when the computer shuts down.
/z : Do not restart when the installation is complete.
/q : Use Quiet mode (no user interaction).
Patch replacement information
This patch is replaced by Windows 2000 Service Pack 4 (SP4).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 (http://support.microsoft.com/kb/260910/) How to obtain the latest Windows 2000 service pack
This patch does not replace any other patches.
File information
The English version of this patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. 
   Date         Time   Version        Size     Path and File name
   ------------------------------------------------------------------------
   01-Apr-2003  16:30  5.0.2195.6699  237,776  %Windir%\System32\Drivers\Srv.sys
   01-Apr-2003  16:31  5.0.2195.6697   74,000  %Windir%\System32\Srvsvc.dll
You can also verify the files that this patch installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\KB817606\Filelist

Windows NT 4.0 (all versions)

Download information
The following files are available for download from the Microsoft Download Center:

Windows NT 4.0 Workstation and Windows NT 4.0 Server

DownloadDownload the 817606 package now. (http://microsoft.com/downloads/details.aspx?FamilyId=1CA9A59A-3074-4D73-82C8-68A37B3BBB80&displaylang=en)

Windows NT 4.0 Server, Terminal Server Edition

DownloadDownload the 817606 package now. (http://microsoft.com/downloads/details.aspx?FamilyId=19C2A999-AAD4-44A6-B608-0178874387AB&displaylang=en) Release Date: July 9, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 (http://support.microsoft.com/kb/119591/) How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Prerequisites
This patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
152734 (http://support.microsoft.com/kb/152734/) How to obtain the latest Windows NT 4.0 service pack
Installation information
This patch supports the following Setup switches:
/y : Perform removal (only with /m or /q ).
/f : Force programs to be closed at shutdown.
/n : Do not create an Uninstall folder.
/z : Do not restart when patch completes.
/q : Use Quiet or Unattended mode with no user interface (this switch is a superset of /m ).
/m : Use Unattended mode with user interface.
/l : List installed patches.
/x : Extract the files without running Setup.
Deployment information
To install the patch without any user intervention, use the following command line:
q817606i /q
To install the patch without forcing the computer to restart, use the following command line:
q817606i /z
Note These switches can be combined into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/wsus/bb466201.aspx (http://technet.microsoft.com/en-us/wsus/bb466201.aspx)
Restart requirement
You must restart your computer after you apply this patch.
Removal information
To remove this patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following Setup switches:
/? : Display the list of installation switches.
/u : Use unattended mode.
/f : Force other programs to quit when the computer shuts down.
/z : Do not restart when the installation is complete.
/q : Use Quiet mode (no user interaction).
Patch replacement information
This patch does not replace any other patches.
File information
The English version of this patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. 
   Date         Time   Version         Size     Path and File name
   ---------------------------------------------------------------------------------
   27-Mar-2003  15:20  4.0.1381.7214   231,312  %Windir%\System32\Drivers\Srv.sys  Windows NT 4.0
   27-Mar-2003  15:26  4.0.1381.33547  231,280  %Windir%\System32\Drivers\Srv.sys  Windows NT 4.0, Terminal Server Edition

Back to the top

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the "Applies to" section.

Back to the top

Windows XP

This problem was first corrected in Microsoft Windows XP Service Pack 2.

Back to the top

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS03-024.mspx (http://www.microsoft.com/technet/security/bulletin/MS03-024.mspx)

Back to the top

APPLIES TO
Microsoft Windows XP Professional
Microsoft Windows XP Home Edition
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Tablet PC Edition
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional Edition
Microsoft Windows 2000 Server
Microsoft Windows NT Workstation 4.0 Developer Edition
Microsoft Windows NT Server 4.0 Standard Edition
Microsoft Windows NT Server 4.0, Terminal Server Edition

Back to the top

Keywords: 
kbbug kbfix kbwin2000presp4fix kbsecvulnerability kbqfe kbenv kbsecurity kbwinnt400presp7fix kbwinxpsp2fix kbsecbulletin kbwinxppresp2fix kbwin2ksp4fix atdownload kbhotfixserver KB817606

Back to the top

Article Translations

 

Related Support Centers

Other Support Options

  • Need More Help?
    Contact a Support professional by E-mail, Online or Phone.
  • Customer Service
    For non-technical assistance with product purchases, subscriptions, online services, events, training courses, corporate sales, piracy issues, and more.
  • Newsgroups
    Pose a question to other users. Discussion groups and Forums about specific Microsoft products, technologies, and services.