Question
Windows 2000 "Mixed Object Access" Vulnerability Security hole alert!
Answer
This question was answered on April 20, 2000. Much of the information contained herein may have changed since posting.

Microsoft has released a patch that eliminates a security vulnerability in Microsoft(r) Windows(r) 2000 that could, under very specific conditions, allow a malicious user to change information in the Active Directory that he should not be able to change. Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-026.asp

Issue
=====
Active Directory allows for access control of directory objects on a per-attribute basis. However, the vulnerability at issue here could allow a malicious user to modify object attributes that he does not have permission to modify, as long as he combined the operation in a particular way with ones involving attributes that he does have permission to modify.

The vulnerability does not afford the malicious user an opportunity to modify all objects in a class - only the specific class objects for which he has permission to modify at least one attribute. Further, the vulnerability provides no capability to bypass normal authentication or Windows 2000 auditing, so administrators could determine if this vulnerability were being exploited, and by whom.

Affected Software Versions
==========================
- Windows 2000 Server
- Windows 2000 Advanced Server

Note: The vulnerability only affects the above products when they are used as domain controllers.

Download the Patch at:
======================
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20490

Note: Additional security patches are available at the Microsoft Download Center.

More Information
================
Please see the following references for more information related to this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-026, http://www.microsoft.com/technet/security/bulletin/fq00-026.asp
- Microsoft Knowledge Base article Q259401 discusses this issue and will be available soon.
- Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Author
Posted by Ken of Data Doctors on April 20, 2000