Windows 2000 "Mixed Object Access" security hole...

Question

Windows 2000 "Mixed Object Access" Vulnerability Security hole alert!

Answer

This question was answered on April 20, 2000. Much of the information contained herein may have changed since posting.

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows® 2000 that could, under very specific conditions, allow a malicious user to change information in the Active Directory that he should not be able to change.

Frequently asked questions regarding this vulnerability and the patch can be found at

http://www.microsoft.com/technet/security/bulletin/fq00-026.asp

Issue
=====

Active Directory allows for access control of directory objects on a per-attribute basis. However, the vulnerability at issue here could allow a malicious user to modify object attributes that he does not have permission to modify, as long as he combined the operation in a particular way with ones involving attributes that he does have permission to modify.

The vulnerability does not afford the malicious user an opportunity to modify all objects in a class, only the specific class objects for which he has permission to modify at least one attribute. Further, the vulnerability provides no capability to bypass normal authentication or Windows 2000 auditing, so administrators could determine if this vulnerability were being exploited, and by whom.

Affected Software Versions
==========================

- Windows 2000 Server

- Windows 2000 Advanced Server

Note: The vulnerability only affects the above products when they are used as domain controllers.

Download the Patch at:
======================

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20490

Note: Additional security patches are available at the Microsoft Download Center.

More Information
================

Please see the following references for more information related to this issue.

- Frequently Asked Questions: Microsoft Security Bulletin MS00-026, http://www.microsoft.com/technet/security/bulletin/fq00-026.asp

- Microsoft Knowledge Base article Q259401 discusses this issue and will be available soon.

- Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================

This is a fully supported patch. Information on contacting Microsoft Technical Support is available at

http://support.microsoft.com/support/contact/default.asp


Author

Posted by Ken of Data Doctors on April 20, 2000
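
The per-attribute check described under Issue, as an added example: this is a simplified model written for this page, not Microsoft's code and not the actual Active Directory logic. A modify request naming several attributes is authorized only if every attribute in it is writable, and audited changes are compared against the same permissions; the principals, the object name and the audit records are constructed for illustration.

```python
# Simplified model of per-attribute write control; all data is constructed.
BOB = "CN=Bob,OU=Staff,DC=example,DC=com"  # hypothetical directory object

# (principal, object DN) -> attributes that principal may write on that object.
WRITE_ACL = {
    ("alice", BOB): {"telephoneNumber", "description"},
    ("helpdesk", BOB): {"telephoneNumber"},
}


def denied_attributes(principal, dn, attributes):
    """Return the requested attributes the principal may not write on dn."""
    allowed = WRITE_ACL.get((principal, dn), set())
    return sorted(set(attributes) - allowed)


def authorize_modify(principal, dn, attributes):
    """Allow a multi-attribute modify only if every attribute is writable.

    The decision is all-or-nothing: write access to one attribute in the
    request must never carry over to the other attributes in the same request.
    """
    return bool(attributes) and not denied_attributes(principal, dn, attributes)


def review_audit_log(records):
    """Flag audited modifications that touched attributes outside the ACL."""
    findings = []
    for rec in records:
        bad = denied_attributes(rec["who"], rec["dn"], rec["changed"])
        if bad:
            findings.append((rec["who"], rec["dn"], bad))
    return findings


# Constructed audit records (not real Windows 2000 event data).
AUDIT = [
    {"who": "alice", "dn": BOB, "changed": ["telephoneNumber"]},
    {"who": "helpdesk", "dn": BOB, "changed": ["telephoneNumber", "manager"]},
]

if __name__ == "__main__":
    print(authorize_modify("helpdesk", BOB, ["telephoneNumber"]))
    print(authorize_modify("helpdesk", BOB, ["telephoneNumber", "manager"]))
    for who, dn, attrs in review_audit_log(AUDIT):
        print(f"{who} changed {attrs} on {dn} without write permission")
```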