COMMAND

    "Mixed Object Access"

SYSTEMS AFFECTED

    - Windows 2000 Server
    - Windows 2000 Advanced Server

PROBLEM

    The following is based on a Security Bulletin from Microsoft.
    Active Directory  allows for  access control  of directory objects
    on a  per-attribute basis.   However, the  vulnerability at  issue
    here  could  allow  a  malicious  user to modify object attributes
    that  he  does  not  have  permission  to  modify,  as  long as he
    combines the  operation in a particular  way with ones  involving
    attributes that he does have permission to modify.

    The  vulnerability  does   not  afford  the   malicious  user   an
    opportunity to modify all objects  in a class - only  the specific
    class objects for which he  has permission to modify at  least one
    attribute.  Further, the vulnerability provides no capability   to
    bypass  normal  authentication  or   Windows  2000  auditing,   so
    administrators could  determine if  this vulnerability  were being
    exploited, and by whom.
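
    Because auditing is not bypassed, the per-attribute check can be
    redone after the fact. The following is an added example, not part
    of the Microsoft bulletin: it compares audited attribute writes
    with a per-attribute write list and flags writes that mix permitted
    and unpermitted attributes. The record layout, account and object
    names and the ACL map are constructed assumptions.

```python
# Added example: the ACL map and audit records are constructed sample data.
from collections import defaultdict

def norm(name):
    # Account names, DNs and LDAP attribute names compare case-insensitively.
    return name.strip().lower()

def classify_write(record, write_acl):
    """Return (verdict, unauthorized_attrs) for one audited modify record.

    write_acl maps (user, object_dn) -> attributes that user may write.
    """
    key = (norm(record["user"]), norm(record["object"]))
    allowed = {norm(a) for a in write_acl.get(key, ())}
    written = {norm(a) for a in record["attrs"]}
    denied = sorted(written - allowed)
    if not denied:
        return "ok", []
    if written & allowed:
        # Permitted and unpermitted attributes changed together:
        # the pattern this advisory describes.
        return "mixed", denied
    # No write right on the object at all: outside this advisory's scope.
    return "unauthorized", denied

def review(records, write_acl):
    """Group non-ok records by user, answering the 'by whom' question."""
    findings = defaultdict(list)
    for rec in records:
        verdict, denied = classify_write(rec, write_acl)
        if verdict != "ok":
            findings[norm(rec["user"])].append((verdict, rec["object"], denied))
    return dict(findings)

JDOE = "CN=jdoe,OU=Staff,DC=example,DC=com"      # constructed DN
WRITE_ACL = {("corp\\jdoe", norm(JDOE)): {"telephoneNumber", "description"}}
RECORDS = [                                       # constructed audit records
    {"user": "CORP\\jdoe", "object": JDOE, "attrs": ["telephoneNumber"]},
    {"user": "CORP\\jdoe", "object": JDOE, "attrs": ["Description", "department"]},
    {"user": "CORP\\jdoe", "object": "CN=ops,OU=Staff,DC=example,DC=com",
     "attrs": ["description"]},
]

if __name__ == "__main__":
    for user, items in review(RECORDS, WRITE_ACL).items():
        for verdict, obj, denied in items:
            print(user, verdict, obj, denied)
```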

    The vulnerability only  affects the above  products when they  are
    used as domain controllers.

    Microsoft thanks  Sebastien Malbois  of Bouygues  Construction for
    reporting  this  issue  to  us  and  working  with  us  to protect
    customers.

SOLUTION

    Patch availability:

        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20490

    It appears a NetBIOS  scope ID MAY have  been inserted so you  may
    experience some problems with it.   This is a known issue.   There
    is a workaround, see the following:

        http://support.microsoft.com/support/kb/articles/Q255/1/95.ASP?LN=EN-US&SD=gn&FR=0