From: hellNbak (hellnbakNMRC.ORG)
Date: Mon Apr 01 2002 - 10:06:34 CST


    Microsoft Security Bulletin MS02-0401
    Local User Actions May Provide Unauthorized Remote Access
    Originally posted: April 1, 2002

    Summary

    Who should read this bulletin: Customers and administrators of Microsoft
    Windows operating systems.

    Impact of vulnerability: Critical.

    Recommendation: Customers using affected versions of the Windows operating
    systems mentioned in this document should follow the guidance shown below.

    Affected Software:

    - Microsoft Windows 3.1, 95, 98, SE, and ME
    - Microsoft Windows NT and 2000 (all versions)
    - Microsoft Windows XP (Home and Professional)

    Technical details and description:

    Microsoft Windows draws on many shared system resources (e.g., Dynamic Link
    Libraries (.DLL) and shared swap files) as part of normal operation. More
    significantly, Windows, like all computer systems, utilizes the industry
    standard Alternating Current Power Supply Management Process (ACPSMP) to
    facilitate the robust Windows system utilization environment for users and
    administrators. However, it has been determined that using ACPSMP with
    Windows presents a significant operational and security risk.

    Exploiting the ACPSMP dependency of Windows could allow an attacker to take
    actions such as the unauthorized access, modification, or deletion of data;
    placing malicious code on one system to potentially attack another; or
    changing system security settings.

    In the case of networked systems, particularly Windows-based servers, a
    malicious attacker could attempt to exploit this vulnerability by locating
    the affected system on a local- or wide-area network and subsequently
    conduct unauthorized activities against/on such systems.

    Examples of the types of potential attacks resulting from the ACPSMP
    vulnerability can be found at Microsoft Technet.

    Mitigating factors:

    - The vulnerability may not present itself to an attacker provided the
    customer implements appropriate system and network security standards and
    preventative practices outlined below.

    - Various vendor-endorsed, user-level remediations for affected systems are
    found later in this document.

    Vulnerability Identifier: USA-2002-0401

    Tested Versions:

    Microsoft tested the following products to assess whether they are affected
    by these vulnerabilities. Previous versions are no longer supported, and may
    or may not be affected by these vulnerabilities. Vendor-endorsed corrective
    actions only apply to the following, supported, Microsoft products impacted
    by this vulnerability:

    - Microsoft Windows 3.1, 95, 98, SE, and ME
    - Microsoft Windows NT and 2000 (all versions)
    - Microsoft Windows XP (Home and Professional)

    Frequently asked questions about this vulnerability:

    What's the scope of the vulnerability?

    This vulnerability is present on all Microsoft Windows operating systems,
    with an increased risk to those systems residing on a local- or wide-area
    network, including the Internet.

    Exploiting the ACPSMP within Windows systems could allow an attacker to take
    actions such as the unauthorized access, modification, or deletion of data;
    placing malicious code on one system to potentially attack another; or
    changing the macro security settings. This vulnerability is significant due
    to poor software development standards and the apparent lack of adequate
    software quality assurance testing prior to the public release of the
    Windows operating system by its vendor.

    Reducing the potential exposure of a vulnerable system is possible if the
    customer implements appropriate system and network security standards and
    practices promoted by the Carnegie Mellon Computer Emergency Response Team
    (CERT), the System Administration and Security Institute (SANS), or other
    computer security organizations.

    However, these are short-term temporary measures that do not directly
    address the underlying vulnerability. Refer to the 'Remediation
    Instructions' found below for more complete, long-term corrective measures.

    What causes the vulnerability?

    Through the implementation of ACPSMP, Microsoft Windows, like all computer
    systems, requires an uninterrupted flow of tailored power to system hardware
    components. As mentioned, this has been determined to be a potential
    security risk to Microsoft Windows systems. Terminating the power flow to
    the Windows system hardware will prevent network-based security compromises
    (e.g., viruses, worms, or hacking) from an unauthorized third party. As long
    as electrical or battery power is provided to a Windows-based computer, the
    potential for system exploitation remains.

    What is ACPSMP?

    The Alternating Current Power Supply Management Process (ACPSMP) is the
    industry-standard power management system for computers, peripherals, and
    other electronic hardware, and can be as simple a function as plugging a
    computer or peripheral into an electrical outlet. ACPSMP is the process
    through which a computer user provides electronic power to computer
    components to enable their use.

    Can't Windows or my anti-virus software protect against this problem?

    Because Windows and other security applications, such as anti-virus tools
    and firewalls, reside within the Windows operating environment, they are
    unable to protect against the need for ACPSMP, which operates outside, but
    is essential to, the parameters of your computer's operating system
    environment.

    Who should apply the fixes?

    Anyone using or administering systems running the affected software versions
    should conduct the following actions, based on their product and operating
    environment.

    Remediating Instructions for Home and Small Business Users

    To prevent the potential exploitation of the ACPSMP vulnerability, users are
    advised to remove their affected Windows system from public networks or the
    Internet unless necessary for critical purposes such as MP3 searching or
    porn downloading.

    The ACPSMP vulnerability is best addressed through user education, such as
    done to counter 'social engineering' attacks. Such education might include
    informing users not to plug in or turn on their Windows-based computer,
    thereby preventing the flow of electrons into the computer and thus
    preventing the ACPSMP vulnerability.

    Remediating Instructions for Corporate/Enterprise Users

    Corporate users are advised to remove affected Windows systems from
    networked connections unless necessary for critical business purposes.
    However, the ACPSMP vulnerability is best addressed through user education,
    such as done to counter 'social engineering' attacks. Such education might
    include informing users not to plug in or turn on their Windows-based
    computer, thereby preventing the flow of electrons into the computer and
    thus preventing the ACPSMP vulnerability.

    Given the nature of the ACPSMP vulnerability and Windows' inability to
    adequately mitigate this issue, senior technical managers and executives are
    strongly advised to reevaluate continued corporate use of Microsoft Windows
    as their operating system within their organizations. Other,
    less-vulnerable, more scalable, reliable, and securable options to consider
    include FreeBSD, Linux, and OSX.

    I'm running one of the alternative operating systems you mentioned, am I
    vulnerable to ACPSMP?

    Although every electronic device - from computers to toaster ovens -
    requires a flow of electrons to operate, these recommended replacement
    operating systems are exponentially more secure and reliable, and although
    using ACPSMP, are not as susceptible to exploitation arising from slick
    marketing, poor design or user ignorance.

    How can I verify that my Windows system is secure from the ACPSMP
    vulnerability?

    If, upon starting the flow of electrons into your computer, you see a
    Microsoft Windows graphical "splash page" and the Windows desktop (evidenced
    by the Start Button) in the lower left-hand of the screen, you may still be
    vulnerable. However, if you are presented with a log-in from one of the
    alternative operating systems mentioned above (evidenced by an image of a
    smiling computer or a friendly penguin) you are protected from this
    particular Windows vulnerability.

    Caveats: None, except to read the date of this Advisory note. :)

    Localization: The mitigation instructions and recommended alternative
    operating systems mentioned above are appropriate for use on Windows-based
    systems worldwide.

    Obtaining other security patches:

    As of this date there is no patch for this vulnerability.

    Patches for other security issues are available from the following
    locations:

    - Security patches are available from the Microsoft Download Center, and can
    be most easily found by doing a keyword search for "security patch".

    - Patches for consumer platforms are available from the Windows Update web
    site.

    - All patches available via Windows Update also are available in a
    redistributable form from the Windows Update Corporate site.

    Other information:

    Acknowledgments:  Microsoft thanks the open-source development community,
    Apple's MacOSX Team, William Feinbloom, and Richard Forno for their
    assistance in researching and reporting this issue; and for the security
    researchers around the world that continue to demonstrate and prove the
    inherent vulnerabilities arising from using slickly-marketed, closed-source,
    proprietary operating systems.

    Support:

    - Technical support is available from Microsoft Product Support Services.
    There is no charge for support calls associated with security patches.

    - Security Resources: The Microsoft TechNet Security Web Site provides
    additional information about security in Microsoft products.

    Disclaimer:

    The information provided in the Microsoft Knowledge Base is provided "as is"
    without warranty of any kind. Microsoft disclaims all warranties, either
    express or implied, including the warranties of merchantability and fitness
    for a particular purpose. In no event shall Microsoft Corporation or its
    suppliers be liable for any damages whatsoever including direct, indirect,
    incidental, consequential, loss of business profits or special damages, even
    if Microsoft Corporation or its suppliers have been advised of the
    possibility of such damages. Some states do not allow the exclusion or
    limitation of liability for consequential or incidental damages so the
    foregoing limitation may not apply. Plus, since this is an April Fool's
    prank, nothing you have read in this article should be viewed as official
    Microsoft advice, even if it makes sense in the real world.

    Revisions: - V1.0 (April 1, 2002): Bulletin Created

    (c) 2002 Infowarrior.org. All Rights Reserved. Permission to reproduce or
    redistribute this satire in any fashion granted provided appropriate credit
    given.
