Free Windows Help Tutorials sponsored by inkjet printer cartridges dot org /title> <META HTTP-EQUIV="imagetoolbar" CONTENT="no"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=ISO 8859-1"> <META name="description" Content="Hundreds of downloadable Windows help tutorials, articles and how-to guides sponsored by inkjet printer cartridges dot org."><style type="text/css">  </style> </head> <body bgcolor=#999999 vlink=blue link=blue> <span name = "INTRA" class="pg" style="top:0px; left:5px; width:714px; height:1010px"></span> <span name = "INTRA" style='top:0px; left:5px; height:1010px; width:714px' class='img'> <img src="pg0002im.png" height = "1010 width = "714" border="0"> </span> <span class='nav' style='left: 10px; top: 10px'><pre></pre></span><span name = "INTRA" style='top:51px; left:48px' class="ft3"><pre><font face='Helvetica'>Problem Solving:Windows NT/2000</font></pre></span> <span name = "INTRA" style='top:204px; left:77px' class="ft0"><pre><font face='Arial'><i><b>DoS</b></i> <i><b>Attack</b></i></font></pre></span> <span name = "INTRA" style='top:203px; left:272px' class="ft1"><pre><font face='Arial'>the password has been changed this</font></pre></span> <span name = "INTRA" style='top:203px; left:466px' class="ft1"><pre><font face='Arial'>KnownDLLs list and patches it so that</font></pre></span> <span name = "INTRA" style='top:215px; left:272px' class="ft1"><pre><font face='Arial'>error allows anyone to log into that</font></pre></span> <span name = "INTRA" style='top:215px; left:466px' class="ft1"><pre><font face='Arial'>calls to the NT system DLL are instead</font></pre></span> <span name = "INTRA" style='top:226px; left:91px' class="ft1"><pre><font face='Arial'>An attack on NT which sends either</font></pre></span> <span name = "INTRA" style='top:227px; left:272px' class="ft1"><pre><font face='Arial'>account from any computer which</font></pre></span> <span name = "INTRA" style='top:227px; left:466px' class="ft1"><pre><font face='Arial'>diverted to the malicious version now</font></pre></span> <span name = "INTRA" style='top:238px; left:77px' class="ft1"><pre><font face='Arial'>the</font></pre></span> <span name = "INTRA" style='top:238px; left:110px' class="ft1"><pre><font face='Arial'>Local</font></pre></span> <span name = "INTRA" style='top:238px; left:154px' class="ft1"><pre><font face='Arial'>Security</font></pre></span> <span name = "INTRA" style='top:238px; left:211px' class="ft1"><pre><font face='Arial'>Authority</font></pre></span> <span name = "INTRA" style='top:239px; left:272px' class="ft1"><pre><font face='Arial'>uses the NT hash for authentication</font></pre></span> <span name = "INTRA" style='top:239px; left:466px' class="ft1"><pre><font face='Arial'>in memory. As system DLLs run with</font></pre></span> <span name = "INTRA" style='top:250px; left:77px' class="ft1"><pre><font face='Arial'>(LSASS.EXE) or the Spooler Service</font></pre></span> <span name = "INTRA" style='top:251px; left:272px' class="ft1"><pre><font face='Arial'>(Windows 95, 98 and NT) using a</font></pre></span> <span name = "INTRA" style='top:251px; left:466px' class="ft1"><pre><font face='Arial'>an elevated security context the mali </font></pre></span> <span name = "INTRA" style='top:262px; left:77px' class="ft1"><pre><font face='Arial'>(SPOOLSS.EXE) to 100% utilisation of</font></pre></span> <span name = "INTRA" style='top:263px; left:272px' class="ft1"><pre><font face='Arial'>blank password a clear security vio </font></pre></span> <span name = "INTRA" style='top:263px; left:466px' class="ft1"><pre><font face='Arial'>cious DLL could more or less do any </font></pre></span> <span name = "INTRA" style='top:274px; left:77px' class="ft1"><pre><font face='Arial'>the processor is possible by opening</font></pre></span> <span name = "INTRA" style='top:275px; left:272px' class="ft1"><pre><font face='Arial'>lation.</font></pre></span> <span name = "INTRA" style='top:275px; left:466px' class="ft1"><pre><font face='Arial'>thing its writer wished, such as gaining</font></pre></span> <span name = "INTRA" style='top:286px; left:77px' class="ft1"><pre><font face='Arial'>multiple named pipe connections to</font></pre></span> <span name = "INTRA" style='top:287px; left:286px' class="ft1"><pre><font face='Arial'>To close this loophole obtain and</font></pre></span> <span name = "INTRA" style='top:287px; left:466px' class="ft1"><pre><font face='Arial'>Administrator access to the worksta </font></pre></span> <span name = "INTRA" style='top:298px; left:77px' class="ft1"><pre><font face='Arial'>these services and sending random</font></pre></span> <span name = "INTRA" style='top:299px; left:272px' class="ft1"><pre><font face='Arial'>install msv1 fix. Details are in KB arti </font></pre></span> <span name = "INTRA" style='top:299px; left:466px' class="ft1"><pre><font face='Arial'>tion. This access can then be used to do</font></pre></span> <span name = "INTRA" style='top:310px; left:77px' class="ft1"><pre><font face='Arial'>data to them. The RPC (Remote Proce </font></pre></span> <span name = "INTRA" style='top:311px; left:272px' class="ft1"><pre><font face='Arial'>cle Q214840. The problem was fixed in</font></pre></span> <span name = "INTRA" style='top:311px; left:466px' class="ft1"><pre><font face='Arial'>whatever the attacker wanted, includ </font></pre></span> <span name = "INTRA" style='top:322px; left:77px' class="ft1"><pre><font face='Arial'>dure Call) service will detect that the</font></pre></span> <span name = "INTRA" style='top:323px; left:272px' class="ft1"><pre><font face='Arial'>SP5.</font></pre></span> <span name = "INTRA" style='top:323px; left:466px' class="ft1"><pre><font face='Arial'>ing installing Trojan horses, pass </font></pre></span> <span name = "INTRA" style='top:334px; left:77px' class="ft1"><pre><font face='Arial'>RPC requests are invalid, but in trying</font></pre></span> <span name = "INTRA" style='top:335px; left:466px' class="ft1"><pre><font face='Arial'>word capturing utilities or network</font></pre></span> <span name = "INTRA" style='top:346px; left:77px' class="ft1"><pre><font face='Arial'>to send a response to the invalid caller</font></pre></span> <span name = "INTRA" style='top:349px; left:272px' class="ft0"><pre><font face='Arial'><i><b>KnownDLLs</b></i> <i><b>Exploit</b></i></font></pre></span> <span name = "INTRA" style='top:347px; left:466px' class="ft1"><pre><font face='Arial'>sniffers to capture sensitive network</font></pre></span> <span name = "INTRA" style='top:358px; left:77px' class="ft1"><pre><font face='Arial'>and close the connection will go into a</font></pre></span> <span name = "INTRA" style='top:359px; left:466px' class="ft1"><pre><font face='Arial'>traffic.</font></pre></span> <span name = "INTRA" style='top:370px; left:77px' class="ft1"><pre><font face='Arial'>loop, using 100% of the CPU time, and</font></pre></span> <span name = "INTRA" style='top:371px; left:286px' class="ft1"><pre><font face='Arial'>This exploit potentially allows an</font></pre></span> <span name = "INTRA" style='top:371px; left:480px' class="ft1"><pre><font face='Arial'>The hotfix to correct the problem</font></pre></span> <span name = "INTRA" style='top:382px; left:77px' class="ft1"><pre><font face='Arial'>additionally leaking memory. The af </font></pre></span> <span name = "INTRA" style='top:383px; left:272px' class="ft1"><pre><font face='Arial'>unprivileged user to gain local admin </font></pre></span> <span name = "INTRA" style='top:383px; left:466px' class="ft1"><pre><font face='Arial'>patches</font></pre></span> <span name = "INTRA" style='top:383px; left:520px' class="ft1"><pre><font face='Arial'>the</font></pre></span> <span name = "INTRA" style='top:383px; left:552px' class="ft1"><pre><font face='Arial'>Session</font></pre></span> <span name = "INTRA" style='top:383px; left:604px' class="ft1"><pre><font face='Arial'>Manager</font></pre></span> <span name = "INTRA" style='top:394px; left:77px' class="ft1"><pre><font face='Arial'>fected computer will therefore slow to</font></pre></span> <span name = "INTRA" style='top:395px; left:272px' class="ft1"><pre><font face='Arial'>istrator privileges on an NT computer.</font></pre></span> <span name = "INTRA" style='top:395px; left:466px' class="ft1"><pre><font face='Arial'>(SMSS.EXE) to increase the levels of</font></pre></span> <span name = "INTRA" style='top:406px; left:77px' class="ft1"><pre><font face='Arial'>a halt and may eventually hang.</font></pre></span> <span name = "INTRA" style='top:408px; left:272px' class="ft1"><pre><font face='Arial'>The attack would require the attacker</font></pre></span> <span name = "INTRA" style='top:408px; left:466px' class="ft1"><pre><font face='Arial'>protection possible on the base system</font></pre></span> <span name = "INTRA" style='top:418px; left:91px' class="ft1"><pre><font face='Arial'>To prevent Denial of Service (DoS)</font></pre></span> <span name = "INTRA" style='top:420px; left:272px' class="ft1"><pre><font face='Arial'>to write a program which manipulates</font></pre></span> <span name = "INTRA" style='top:420px; left:466px' class="ft1"><pre><font face='Arial'>objects. Note that, as with some other</font></pre></span> <span name = "INTRA" style='top:430px; left:77px' class="ft1"><pre><font face='Arial'>from such an attack you should obtain</font></pre></span> <span name = "INTRA" style='top:432px; left:272px' class="ft1"><pre><font face='Arial'>NT system files in memory. While this</font></pre></span> <span name = "INTRA" style='top:432px; left:466px' class="ft1"><pre><font face='Arial'>hotfixes, simply applying the patch</font></pre></span> <span name = "INTRA" style='top:442px; left:77px' class="ft1"><pre><font face='Arial'>and install nprpc fix. Details are in Mi </font></pre></span> <span name = "INTRA" style='top:444px; left:272px' class="ft1"><pre><font face='Arial'>may seem unlikely in the vast majority</font></pre></span> <span name = "INTRA" style='top:444px; left:466px' class="ft1"><pre><font face='Arial'>does not itself fix the problem, it</font></pre></span> <span name = "INTRA" style='top:454px; left:77px' class="ft1"><pre><font face='Arial'>crosoft</font></pre></span> <span name = "INTRA" style='top:454px; left:124px' class="ft1"><pre><font face='Arial'>Knowledge</font></pre></span> <span name = "INTRA" style='top:454px; left:193px' class="ft1"><pre><font face='Arial'>Base</font></pre></span> <span name = "INTRA" style='top:454px; left:229px' class="ft1"><pre><font face='Arial'>article</font></pre></span> <span name = "INTRA" style='top:456px; left:272px' class="ft1"><pre><font face='Arial'>of enterprises, it is always possible for</font></pre></span> <span name = "INTRA" style='top:456px; left:466px' class="ft1"><pre><font face='Arial'>merely makes it possible for the prob </font></pre></span> <span name = "INTRA" style='top:466px; left:77px' class="ft1"><pre><font face='Arial'>Q195733. The fix itself was incorpo </font></pre></span> <span name = "INTRA" style='top:468px; left:272px' class="ft1"><pre><font face='Arial'>a single malicious individual to write</font></pre></span> <span name = "INTRA" style='top:468px; left:466px' class="ft1"><pre><font face='Arial'>lem to be fixed. Once you have applied</font></pre></span> <span name = "INTRA" style='top:478px; left:77px' class="ft1"><pre><font face='Arial'>rated into SP5.</font></pre></span> <span name = "INTRA" style='top:480px; left:272px' class="ft1"><pre><font face='Arial'>a program that exploits this vulner </font></pre></span> <span name = "INTRA" style='top:480px; left:466px' class="ft1"><pre><font face='Arial'>Smss fix, you must add a registry</font></pre></span> <span name = "INTRA" style='top:492px; left:272px' class="ft1"><pre><font face='Arial'>ability in a way that end users can use</font></pre></span> <span name = "INTRA" style='top:492px; left:466px' class="ft1"><pre><font face='Arial'>subkey</font></pre></span> <span name = "INTRA" style='top:492px; left:514px' class="ft1"><pre><font face='Arial'>of</font></pre></span> <span name = "INTRA" style='top:492px; left:537px' class="ft1"><pre><font face='Arial'> ProtectionMode </font></pre></span> <span name = "INTRA" style='top:492px; left:637px' class="ft1"><pre><font face='Arial'>to</font></pre></span> <span name = "INTRA" style='top:504px; left:77px' class="ft0"><pre><font face='Arial'><i><b>Password</b></i> <i><b>Changes</b></i></font></pre></span> <span name = "INTRA" style='top:504px; left:272px' class="ft1"><pre><font face='Arial'>easily and then distribute it via the</font></pre></span> <span name = "INTRA" style='top:504px; left:466px' class="ft1"><pre><font face='Arial'>HKEY_LOCAL_MACHINE\Sytem </font></pre></span> <span name = "INTRA" style='top:516px; left:272px' class="ft1"><pre><font face='Arial'>Internet.</font></pre></span> <span name = "INTRA" style='top:516px; left:466px' class="ft1"><pre><font face='Arial'>\CurrentControlSet\Control\Session</font></pre></span> <span name = "INTRA" style='top:526px; left:91px' class="ft1"><pre><font face='Arial'>This is a serious vulnerability affect </font></pre></span> <span name = "INTRA" style='top:528px; left:286px' class="ft1"><pre><font face='Arial'>The way it works is by using a loop </font></pre></span> <span name = "INTRA" style='top:528px; left:466px' class="ft1"><pre><font face='Arial'>Manager and set its value to be a</font></pre></span> <span name = "INTRA" style='top:538px; left:77px' class="ft1"><pre><font face='Arial'>ing networks that have what Microsoft</font></pre></span> <span name = "INTRA" style='top:540px; left:272px' class="ft1"><pre><font face='Arial'>hole in the protection of NT system</font></pre></span> <span name = "INTRA" style='top:540px; left:466px' class="ft1"><pre><font face='Arial'>REG_DWORD of 0x1. Once you have</font></pre></span> <span name = "INTRA" style='top:550px; left:77px' class="ft1"><pre><font face='Arial'>refers to as downlevel clients such as</font></pre></span> <span name = "INTRA" style='top:552px; left:272px' class="ft1"><pre><font face='Arial'>objects, which are the means by which</font></pre></span> <span name = "INTRA" style='top:552px; left:466px' class="ft1"><pre><font face='Arial'>done this and rebooted, the computer</font></pre></span> <span name = "INTRA" style='top:563px; left:77px' class="ft1"><pre><font face='Arial'>Windows for Workgroups, OS/2 or an</font></pre></span> <span name = "INTRA" style='top:564px; left:272px' class="ft1"><pre><font face='Arial'>NT controls access to processes and</font></pre></span> <span name = "INTRA" style='top:564px; left:466px' class="ft1"><pre><font face='Arial'>will be protected from this attack.</font></pre></span> <span name = "INTRA" style='top:575px; left:77px' class="ft1"><pre><font face='Arial'>Apple Macintosh. It was introduced</font></pre></span> <span name = "INTRA" style='top:576px; left:272px' class="ft1"><pre><font face='Arial'>resources. When a system DLL (Dy </font></pre></span> <span name = "INTRA" style='top:576px; left:480px' class="ft1"><pre><font face='Arial'>More details are in KB article</font></pre></span> <span name = "INTRA" style='top:587px; left:77px' class="ft1"><pre><font face='Arial'>by the changes made to logon valida </font></pre></span> <span name = "INTRA" style='top:588px; left:272px' class="ft1"><pre><font face='Arial'>namic Link Library) is required by two</font></pre></span> <span name = "INTRA" style='top:588px; left:466px' class="ft1"><pre><font face='Arial'>Q218473, and the fix was first posted</font></pre></span> <span name = "INTRA" style='top:599px; left:77px' class="ft1"><pre><font face='Arial'>tion in Service Pack 4.</font></pre></span> <span name = "INTRA" style='top:600px; left:272px' class="ft1"><pre><font face='Arial'>or more processes, NT economises on</font></pre></span> <span name = "INTRA" style='top:600px; left:466px' class="ft1"><pre><font face='Arial'>in Service Pack 5.</font></pre></span> <span name = "INTRA" style='top:611px; left:91px' class="ft1"><pre><font face='Arial'>The client software on Windows for</font></pre></span> <span name = "INTRA" style='top:612px; left:272px' class="ft1"><pre><font face='Arial'>the use of memory by loading a single</font></pre></span> <span name = "INTRA" style='top:623px; left:77px' class="ft1"><pre><font face='Arial'>Workgroups and the Microsoft UAM</font></pre></span> <span name = "INTRA" style='top:624px; left:272px' class="ft1"><pre><font face='Arial'>copy of the DLL into memory and</font></pre></span> <span name = "INTRA" style='top:626px; left:466px' class="ft0"><pre><font face='Arial'><i><b>MaxRequestThreads</b></i></font></pre></span> <span name = "INTRA" style='top:635px; left:77px' class="ft1"><pre><font face='Arial'>(User Authentication Module) for</font></pre></span> <span name = "INTRA" style='top:636px; left:272px' class="ft1"><pre><font face='Arial'>mapping a copy into the process space</font></pre></span> <span name = "INTRA" style='top:647px; left:77px' class="ft1"><pre><font face='Arial'>Macintosh uses the older, less secure</font></pre></span> <span name = "INTRA" style='top:648px; left:272px' class="ft1"><pre><font face='Arial'>of the calling process. When a process</font></pre></span> <span name = "INTRA" style='top:648px; left:480px' class="ft1"><pre><font face='Arial'>Exceeding the MaxRequestThreads</font></pre></span> <span name = "INTRA" style='top:659px; left:77px' class="ft1"><pre><font face='Arial'>LAN Manager hash of the password.</font></pre></span> <span name = "INTRA" style='top:660px; left:272px' class="ft1"><pre><font face='Arial'>calls a function in such a DLL, NT re </font></pre></span> <span name = "INTRA" style='top:660px; left:466px' class="ft1"><pre><font face='Arial'>number may crash NT. This is another</font></pre></span> <span name = "INTRA" style='top:671px; left:77px' class="ft1"><pre><font face='Arial'>When a user changes his or her pass </font></pre></span> <span name = "INTRA" style='top:672px; left:272px' class="ft1"><pre><font face='Arial'>fers to a system object called the</font></pre></span> <span name = "INTRA" style='top:672px; left:466px' class="ft1"><pre><font face='Arial'>Denial of Service attack, this time tar </font></pre></span> <span name = "INTRA" style='top:683px; left:77px' class="ft1"><pre><font face='Arial'>word from an older system such as the</font></pre></span> <span name = "INTRA" style='top:684px; left:272px' class="ft1"><pre><font face='Arial'>KnownDLLs list, which gives the loca </font></pre></span> <span name = "INTRA" style='top:684px; left:466px' class="ft1"><pre><font face='Arial'>geting the Client Server Runtime Sub </font></pre></span> <span name = "INTRA" style='top:695px; left:77px' class="ft1"><pre><font face='Arial'>ones mentioned above, NT Server will</font></pre></span> <span name = "INTRA" style='top:696px; left:272px' class="ft1"><pre><font face='Arial'>tion in memory of the DLL called.</font></pre></span> <span name = "INTRA" style='top:696px; left:466px' class="ft1"><pre><font face='Arial'>system (CSRSS). NT's architecture is</font></pre></span> <span name = "INTRA" style='top:707px; left:77px' class="ft1"><pre><font face='Arial'>store the LAN Manager hash in the</font></pre></span> <span name = "INTRA" style='top:708px; left:286px' class="ft1"><pre><font face='Arial'>System DLLs can't be modified in</font></pre></span> <span name = "INTRA" style='top:708px; left:466px' class="ft1"><pre><font face='Arial'>based around a client server model,</font></pre></span> <span name = "INTRA" style='top:719px; left:77px' class="ft1"><pre><font face='Arial'>SAM (Security Accounts Manager) da </font></pre></span> <span name = "INTRA" style='top:720px; left:272px' class="ft1"><pre><font face='Arial'>memory, as NT's security system pre </font></pre></span> <span name = "INTRA" style='top:720px; left:466px' class="ft1"><pre><font face='Arial'>where every time a user process</font></pre></span> <span name = "INTRA" style='top:731px; left:77px' class="ft1"><pre><font face='Arial'>tabase, and set the stronger NT hash</font></pre></span> <span name = "INTRA" style='top:732px; left:272px' class="ft1"><pre><font face='Arial'>vents it. However, the security protec </font></pre></span> <span name = "INTRA" style='top:732px; left:466px' class="ft1"><pre><font face='Arial'>wishes the operating system to do</font></pre></span> <span name = "INTRA" style='top:743px; left:77px' class="ft1"><pre><font face='Arial'>form of the password to NULL. Once</font></pre></span> <span name = "INTRA" style='top:744px; left:272px' class="ft1"><pre><font face='Arial'>tion on base system objects, of which</font></pre></span> <span name = "INTRA" style='top:744px; left:466px' class="ft1"><pre><font face='Arial'>something on its behalf it must issue a</font></pre></span> <span name = "INTRA" style='top:756px; left:272px' class="ft1"><pre><font face='Arial'>the KnownDLLs list is one, is lax and</font></pre></span> <span name = "INTRA" style='top:756px; left:466px' class="ft1"><pre><font face='Arial'>request, as a client, to the OS and await</font></pre></span> <span name = "INTRA" style='top:768px; left:272px' class="ft1"><pre><font face='Arial'>allows all users read and write access</font></pre></span> <span name = "INTRA" style='top:768px; left:466px' class="ft1"><pre><font face='Arial'>the result of its request. In this way,</font></pre></span> <span name = "INTRA" style='top:781px; left:88px' class="ft1"><pre><font face='Arial'>getadmin\hotfix.exe z m</font></pre></span> <span name = "INTRA" style='top:780px; left:272px' class="ft1"><pre><font face='Arial'>to the KnownDLLs list. An attacker</font></pre></span> <span name = "INTRA" style='top:780px; left:466px' class="ft1"><pre><font face='Arial'>unprivileged user processes can use</font></pre></span> <span name = "INTRA" style='top:793px; left:88px' class="ft1"><pre><font face='Arial'>simp tcp\hotfix.exe z m</font></pre></span> <span name = "INTRA" style='top:792px; left:272px' class="ft1"><pre><font face='Arial'>would therefore first write a malicious</font></pre></span> <span name = "INTRA" style='top:792px; left:466px' class="ft1"><pre><font face='Arial'>facilities that only privileged processes</font></pre></span> <span name = "INTRA" style='top:805px; left:88px' class="ft1"><pre><font face='Arial'>tear\hotfix.exe z m</font></pre></span> <span name = "INTRA" style='top:804px; left:272px' class="ft1"><pre><font face='Arial'>program as a DLL and give it the name</font></pre></span> <span name = "INTRA" style='top:804px; left:466px' class="ft1"><pre><font face='Arial'>have access to.</font></pre></span> <span name = "INTRA" style='top:817px; left:88px' class="ft1"><pre><font face='Arial'>srv\hotfix.exe z m</font></pre></span> <span name = "INTRA" style='top:816px; left:272px' class="ft1"><pre><font face='Arial'>of an NT system DLL. They would also</font></pre></span> <span name = "INTRA" style='top:816px; left:480px' class="ft1"><pre><font face='Arial'>The Client Server Runtime System</font></pre></span> <span name = "INTRA" style='top:829px; left:88px' class="ft1"><pre><font face='Arial'>y2k\hotfix.exe z m</font></pre></span> <span name = "INTRA" style='top:828px; left:272px' class="ft1"><pre><font face='Arial'>need to write another program which</font></pre></span> <span name = "INTRA" style='top:828px; left:466px' class="ft1"><pre><font face='Arial'>is the process that manages these re </font></pre></span> <span name = "INTRA" style='top:841px; left:88px' class="ft1"><pre><font face='Arial'>euro\hotfix.exe z m</font></pre></span> <span name = "INTRA" style='top:840px; left:272px' class="ft1"><pre><font face='Arial'>manipulates the KnownDLLS list.</font></pre></span> <span name = "INTRA" style='top:840px; left:466px' class="ft1"><pre><font face='Arial'>quests. This attack depends again on</font></pre></span> <span name = "INTRA" style='top:853px; left:88px' class="ft1"><pre><font face='Arial'>lsa2\hotfix.exe z m</font></pre></span> <span name = "INTRA" style='top:852px; left:286px' class="ft1"><pre><font face='Arial'>He or she would then go to a com </font></pre></span> <span name = "INTRA" style='top:852px; left:466px' class="ft1"><pre><font face='Arial'>malicious code being executed at the</font></pre></span> <span name = "INTRA" style='top:864px; left:272px' class="ft1"><pre><font face='Arial'>puter running NT and run the pro </font></pre></span> <span name = "INTRA" style='top:864px; left:466px' class="ft1"><pre><font face='Arial'>computer code that makes a request</font></pre></span> <span name = "INTRA" style='top:876px; left:272px' class="ft1"><pre><font face='Arial'>gram, loading the malicious DLL.</font></pre></span> <span name = "INTRA" style='top:876px; left:466px' class="ft1"><pre><font face='Arial'>to a system process that requires user</font></pre></span> <span name = "INTRA" style='top:885px; left:91px' class="ft1"><pre><font face='Arial'>Figure 1 Example batch file used</font></pre></span> <span name = "INTRA" style='top:888px; left:272px' class="ft1"><pre><font face='Arial'>Then they would run the second pro </font></pre></span> <span name = "INTRA" style='top:888px; left:466px' class="ft1"><pre><font face='Arial'>input, but never supplies that input.</font></pre></span> <span name = "INTRA" style='top:898px; left:130px' class="ft1"><pre><font face='Arial'>to install hotfixes.</font></pre></span> <span name = "INTRA" style='top:900px; left:272px' class="ft1"><pre><font face='Arial'>gram, which accesses the unprotected</font></pre></span> <span name = "INTRA" style='top:900px; left:466px' class="ft1"><pre><font face='Arial'>The thread that CSRSS.EXE creates to</font></pre></span> <span name = "INTRA" style='top:946px; left:52px' class="ft1"><pre><font face='Arial'>File: P1718.2</font></pre></span> <span name = "INTRA" style='top:946px; left:543px' class="ft1"><pre><font face='Arial'>Issue 118 (May 2000) page 4</font></pre></span> <span name = "INTRA" style='top:944px; left:260px' class="ft2"><pre><font face='Arial'><b>PC</b> <b>Network</b> <b>Advisor</b></font></pre></span> <span name = "INTRA" class='nav' style='left: 357px; top: 1010px'><pre><a href='page0001.htm'><</a> Next page <a href='page0001.htm'>></a></pre></span> <span name = "INTRA" style='top:1050px; left:50px' class="ft4"><pre><b><font color="#FF0000" size="3" face="Arial">New!</font><font color="#FF0000" size="3" face="Arial Narrow"> </font><font size="2" face="Arial">The best sites for quality <a href="http://www.inkjet-printer-cartridges.org">inkjet printer cartridges</a> and the best sites for <a href="http://www.cheap-inkjet-cartridges.com">cheap inkjet cartridges</a></font></b></pre></span></body> <span name = "INTRA" style='top:1100px; left:300px' class="ft4"><pre><b><font color="#FF0000" size="3" face="Arial"><a href="../index.html">Windows Help Desk Home</a> </font></b></pre></span></body></html>