This article describes the following security-related bugs and update scenarios that are addressed in Windows 2000 Service Pack 4 (SP4).
Potentially Elevated Security Permissions Through the _vti_bot Folder
Arbitrary code inserted in a WebBot is executed in-process in Microsoft Internet Information Services (IIS) 5.0. This update helps to prevent the loading of WebBots from folders that are not under either the global WebBot folder or the version-specific WebBot folder.
Windows 2000 Internet Key Exchange Selects Incorrect Certificate
If Internet Protocol security (IPSec) is configured on a Windows 2000-based certification authority (CA), Internet Key Exchange (IKE) may select one of the following certificates:
- A certificate without digital signature key usage. This causes the certificate to be rejected by IPSec peers.
- A CA signing certificate that is unacceptable to the client.
Update to Help Prevent Cross-Forest Certificate Enrollment
This update helps to prevent users from a trusted forest from enrolling a certificate by using credentials that are not from the forest where they want to enroll the certificate.
Update to Verify cbDestLength in the Imaadpcm Component
This update verifies the cbDestLength element in the Imaadpcm component to prevent a user from running malicious code remotely.
Zones Removed from the Registry When You Start the DNS Service
If the Domain Name Service (DNS) is configured to load zone information from the registry only, and some of your zones are dot-terminated
in the registry, some zones may be removed when you start the DNS service.
Account Replication Latency Causes Certificate Enrollment to Fail
When you join new computers to a domain, those computers may not be able to gain access to IPSec-protected servers until Group Policy is refreshed in the domain and until replication of the new computer account information has completed throughout the domain.
Potential Denial of Service Vulnerability Exists in SAM
A potential Denial of Service attack exists because the Security Accounts Manager (SAM) lookup application programming interface (API) allocates memory before it performs a security access verification. A multithreaded attack against the two affected SAM APIs (SamrLookupNamesInDomain
) may cause the server to stop responding to client access requests.
Call to USBH_IoctlGetNodeConnectionDriverKeyName May Return Uninitialized Data
Sometimes, a user-mode request to USBH_IoctlGetNodeConnectionDriverKeyName
returns uninitialized data that may reveal sensitive kernel-mode memory contents.
Update to Use MAX_PATH Variable in Port Name Buffers
The buffers to contain port names that are set by request packets have been coded to permit the size that is referenced by the MAX_PATH variable instead of by a numeric value, such as 255. This helps to prevent potential buffer overrun possibilities in the port name buffers.
The MyGetSidFromDomain Function Calls DsGetDCName to Obtain the Domain Security ID
A potential vulnerability exists because the myGetSidFromDomain
function calls the nonsecure DsGetDCName
API. This creates the potential to spoof
a domain controller.
ModifyDN Request May Cause an Infinite Loop When the New Parent Is Specified by a Distinguished Name
When you use the LDP tool to retrieve the GUID of an object, and you specify the new parent in a modifyDN request by using a <guid=guid
> Distinguished Name (DN), an infinite loop condition may occur.
User May Impersonate a Named Pipe Client in a Terminal Services Session and Gain Access to the System Account
A potential vulnerability exists where a malicious user may create a named pipe to impersonate a named pipe client in a Terminal Services session to gain access to the System account.
CDP and AIA URLs Are Not Displayed in the Certification Authority Snap-in If the URL Contains "%%20" Characters
When you add a new Certificate Revocation List Distribution Point (CDP) or Authority Information Access (AIA) Uniform Resource Locator (URL) in the Certification Authority snap-in, the URL of the CDP or AIA is not listed on the X.509 Extensions
tab of the snap-in if the URL contains the following string:
Although the URL of the CDP or AIA is not listed in the Certification Authority snap-in, the URL is saved correctly to the registry and is specified correctly in the certificate that is issued by the certification authority (CA).
Update Helps to Prevent Two Client-Supplied Authorization Data Entries from Being Included in a Kerberos Ticket
This update checks for the presence of a Proxy AutoConfig (PAC) validator and helps to prevent two client-supplied authorization data entries from being included in a Kerberos ticket.
Server Can Gain Access to Your Computer by Using an RPC Connection When You Download and Install Drivers in Internet Explorer
In Microsoft Internet Explorer, if the security level for the Internet zone is set to Medium-low
or lower, and you do not have a proxy server or firewall set up to prevent outgoing remote procedure call (RPC) connections, a malicious user can configure a server that prompts you to install a driver. In this way, a malicious user may gain access to your computer by creating an RPC connection. This update displays a warning message that prompts you about whether you want to create an RPC connection when you download and install drivers in Internet Explorer.
A Socket Handle Memory Leak Condition May Occur in Cryptnet.dll
In certain situations, a Lightweight Directory Access Protocol (LDAP) socket is not released correctly, and a socket handle memory leak condition in Cryptnet.dll may occur.
Vulnerability in Terminal Services Licensing May Permit a Malicious User to Generate Additional Client Licenses in Terminal Services Licensing
A vulnerability exists in Terminal Services Licensing where a malicious user may be able to generate additional client licenses in Terminal Services Licensing. For additional information about how to obtain the latest Windows 2000 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
How to Obtain the Latest Windows 2000 Service Pack