Security Home > Windows NT, 2000 & XP > Windows NT

Windows NT Screen Saver Vulnerability

A vulnerability exists in all versions of Microsoft® Windows NT® operating system, which could allow a user to gain administrative privileges on a computer by running a malicious screen saver program.

Issue

Windows NT provides a screen saver feature, in which a user-selected screen saver program is run when the machine has been idle for a specified length of time. Windows NT initially launches a screen saver in the local system context, then immediately changes its security context to match that of the user. However, Windows NT does not check whether this context change was successfully made. This is the underlying problem in this vulnerability. If the context change can be made to fail, the screen saver will remain running in a highly-privileged state. The risk is that a malicious user could develop a screen saver program that, for example, uses the elevated privileges to add the author to the Administrators group.

It is important to understand that the user must able to run exploitation code on a machine in order to elevate their privileges. There are two types of machines at risk:

  • Machines that allow non-administrative users to interactively log on. Workstation and terminal servers typically do allow this, but, per standard security practices, most other machines only allow administrators to interactively log on.
  • Machines that allow remote users to submit arbitrary programs for execution. Servers such as domain controllers, line of business servers, application servers, print and file servers and the like typically do not accept arbitrary programs for execution.

    • It also is important to note that the scope of the privilege elevation is highly dependent on the specific machine on which the exploitation code is run. For example, a user who exploited this vulnerability on a workstation could join the local Administrators group, but could not directly exploit this vulnerability to become a domain administrator. However, a user who exploited this vulnerability on a domain controller would be able to become a domain Administrator, because the domain SAM is shared among all domain controllers.

    Affected Products

    • Windows NT Server, Enterprise, Terminal Server and Workstation 4.0

    Solution

    Users are recommended to upgrade to the current Windows NT service pack which includes a fix for this vulnerability.

    Further Details

    Source: Microsoft Corporation

    Reference: Microsoft Corporation

    Updated: March 12, 1999

    >> Recommended Download - secure your PC from spyware, adware and malware now with Spyware Doctor <<

More Guides » Registry Guide Support Forums Software Guide Scripting Guide Search