Security 10897 Published by

Microsoft has released a patch that eliminates a security vulnerability in an optional service that ships with Microsoft:registered: Windows NT:registered: 4.0 and Windows:registered: 2000 Servers. The vulnerability could allow a malicious user to execute hostile code on a remote server that is running the service.

Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-094.asp

Affected Software Versions

Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Enterprise Edition
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server

NOTE: The Phone Book Service can only be installed on IIS 4 or IIS 5 servers.

Patch Availability

Microsoft Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26193

Microsoft Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25531

NOTE: The NT 4.0 fix can be applied to systems running NT 4.0 Service Pack 6a. This fix will be included in NT 4.0 Service Pack 7. The Windows 2000 fix can be applied to Windows 2000 Gold or Service Pack 1. This fix will be included in Windows 2000 Service Pack 2.