Problematic Windows NT Patch Pulled
February 5, 2003
With the high-tech world still reeling from the Slammer worm, Microsoft ironically has been forced to pull one of its security patches because it actually introduces an error that may cause systems to fail.
While the Slammer worm inflicted its damage on copies of Microsoft SQL Server 2000, the latest problem revolves around a security patch for Windows NT 4.0 systems. But it comes at a time when sysadmins are being scolded for not updating systems with the necessary patches in the first place. (The patch for Slammer has been around since July.)
Security officials at Microsoft withdrew the patch and removed download links for the flaw, which was first issued on December 11. The security vulnerability was found in the WM_TIMER Message Handling in NT 4.0 and could enable privilege elevation.
Patches for Windows 2000 and Windows XP were unaffected by the latest withdrawal, Microsoft said.
In the updated advisory, Microsoft said it was investigating the cause of the problematic patch and promised to release an updated fix soon.
The company urged Windows NT 4.0 administrators to uninstall the patch until a new fix is issued.
The vulnerability affects the way Windows messages run interactive processes to react to user events like keystrokes or mouse movements and communicate with other interactive processes. One such event,WM_TIMER, is sent at the expiration of a timer and can be used to cause a process to execute a timer callback function.
"A security vulnerability results because it's possible for one process in the interactive desktop to use a WM_TIMER message to cause another process to execute a callback function at the address of its choice, even if the second process did not set a timer. If that second process had higher privileges than the first, this would provide the first process with a way of exercising them," Microsoft warned.
The software giant cautioned that an attacker who had the ability to log onto a system interactively could potentially run a program that would piggyback on a WM_TIMER request, causing it to take any action the attacker specified. "This would give the attacker complete control over the system," Microsoft said.
The withdrawn patch also made changes to several processes that run on the interactive desktop with high privileges. Although none of these would, in the absence of the TM_TIMER vulnerability, enable an attacker to gain privileges on the system, Microsoft said they were included in the patch to make the services more robust.