Microsoft Knowledge Base Article

The contents of this article are Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks

Article ID: 273991 - Last Review: January 29, 2007 - Revision: 2.6

Patch Available for "Share Level Password" Vulnerability

This article was previously published under Q273991

SYMPTOMS

Microsoft has released a patch that eliminates a security vulnerability in Windows 95, Windows 98, Windows 98 Second Edition, and Windows Millennium Edition (Me). This vulnerability could allow a malicious user to programmatically obtain access to a file share without knowing the entire password that is assigned to that share. For answers to frequently asked questions about this vulnerability and the patch, please view the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/fq00-072.mspx
NOTE: This update has been superseded as described in the following Microsoft Knowledge Base article:
273727  (http://kbalertz.com/Feedback.aspx?kbNumber=273727/EN-US/ ) Denial of Service Possible on an IPX/SPX Protocol Using the Name Management Port
NOTE: To more effectively search the Microsoft Knowledge Base, use keywords that relate to your issue. If you are searching for troubleshooting information that is not mentioned in this article, search the Microsoft Knowledge Base again by using keywords that are listed in the following Microsoft Knowledge Base article:
242450  (http://kbalertz.com/Feedback.aspx?kbNumber=242450/EN-US/ ) How to Query the Microsoft Knowledge Base Using Keywords

CAUSE

This problem can occur because of the way the share-level access control password feature is implemented. With this implementation, a malicious user can use a special client utility to gain access to a share without knowing the entire password that is required to access that share.

RESOLUTION

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this fix should have the following file attributes or later:
   Date        Time    Version     Size     File name     Operating system
   ----------------------------------------------------------------------------
   10/19/2000  06:52p  4.00.955    108,288  Vserver.vxd   Windows 95
   10/17/2000  01:44p  4.00.1113   112,904  Vserver.vxd   Windows 95B or 95C
   10/11/2000  12:54p  4.10.2001   112,912  Vserver.vxd   Windows 98
   09/15/2000  05:18p  4.10.2224   112,912  Vserver.vxd   Windows 98 Second Edition
   09/25/2000  06:34p  4.90.3001   112,896  Vserver.vxd   Windows Me

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

Microsoft Windows provides two types of security protection for file and printer sharing. You can select the type of security protection on the Access Control tab in the Network tool in Control Panel.

The first type of security protection is share-level access control. When you use this method, the type of access to grant is controlled by which of two passwords is used to request access. One password specifies read-only access, and the other specifies full access.

The second type of security protection is user-level access control. This method allows you to specify what type of access to grant to specific users. User-level access control does not require the use of passwords to decide what access type to grant.

Because it is the password verification feature that is vulnerable, only share-level access control is affected. To avoid this issue, computers that are part of a Windows-based domain should be set to use user-level access control.

NOTE: Computers that are running Microsoft Windows NT or Microsoft Windows 2000 can only use user-level access control and are not susceptible to this vulnerability.
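The following is an added example, not part of the Microsoft article: a small audit that applies the article's two rules (the fixed Vserver.vxd versions from the file table, and the fact that only share-level access control is affected) to a host inventory. The inventory format, host names, and status labels are assumptions constructed for illustration.

```python
# Minimum fixed Vserver.vxd version per operating system, from the article's table.
FIXED_VERSIONS = {
    "Windows 95": "4.00.955",
    "Windows 95B or 95C": "4.00.1113",
    "Windows 98": "4.10.2001",
    "Windows 98 Second Edition": "4.10.2224",
    "Windows Me": "4.90.3001",
}
# Per the article, these can only use user-level access control.
NOT_SUSCEPTIBLE = {"Windows NT", "Windows 2000"}

# Constructed sample: host | operating system | Vserver.vxd version | access control
SAMPLE_INVENTORY = """\
FRONTDESK1 | Windows 98 | 4.10.1998 | share
LAB-PC-07 | Windows 95B or 95C | 4.00.1113 | share
ACCT-02 | Windows 98 Second Edition | 4.10.2222 | user
HOME-ME | Windows Me | 4.90.3001 | share
OLD-95 | Windows 95 | 4.00.950 | share
FILESRV | Windows 2000 | n/a | user
"""

def parse_version(text):
    """'4.00.955' -> (4, 0, 955); as plain strings it would sort after '4.00.1113'."""
    return tuple(int(part) for part in text.strip().split("."))

def assess(os_name, vserver_version, access_control):
    """Classify one host using the rules stated in the article."""
    if os_name in NOT_SUSCEPTIBLE:
        return "not-susceptible"
    if os_name not in FIXED_VERSIONS:
        return "unknown-os"
    if parse_version(vserver_version) >= parse_version(FIXED_VERSIONS[os_name]):
        return "patched"
    # Only the share-level password check is vulnerable.
    return "exposed" if access_control == "share" else "unpatched-user-level"

def audit(inventory_text):
    """Return {host: status} for every non-empty inventory line."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, os_name, version, mode = (f.strip() for f in line.split("|"))
        results[host] = assess(os_name, version, mode.lower())
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts reported as `unpatched-user-level` are not affected as configured, but become exposed if they are later switched to share-level access control without the hotfix.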

For additional information about Windows 95 hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:
161020  (http://kbalertz.com/Feedback.aspx?kbNumber=161020/EN-US/ ) Implementing Windows 95 Updates
For additional information about Windows 98 and Windows 98 Second Edition hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:
206071  (http://kbalertz.com/Feedback.aspx?kbNumber=206071/EN-US/ ) General Information on Windows 98 and SE Hotfixes
For additional information about Windows Me hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:
295413  (http://kbalertz.com/Feedback.aspx?kbNumber=295413/EN-US/ ) General Information About Windows Millennium Edition Hotfixes

APPLIES TO
  • Microsoft Windows Millennium Edition
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows 98 Standard Edition
  • Microsoft Windows 95
Keywords: kbhotfixserver kbqfe kbenv kbprb kbqfe KB273991
