COMMAND

    "OffloadModExpo Registry Permissions"

SYSTEMS AFFECTED

    - Microsoft Windows NT 4.0 Workstation
    - Microsoft Windows NT 4.0 Server
    - Microsoft Windows NT 4.0 Server, Enterprise Edition
    - Microsoft Windows NT 4.0 Server, Terminal Server Edition

PROBLEM

    Following  is  based  on  a  Security Bulletin from the Microsoft.
    This vulnerability involves a  registry key used by  the CryptoAPI
    Base CSPs to  specify the driver  DLL for a  hardware accelerator.
    By  design,  such  a  DLL  would  have access to users' public and
    private keys.  Although only administrators should have permission
    to add such a DLL, the permissions on the key actually would allow
    any user who could interactively log  onto  the machine to do  so.
    By writing a bogus DLL  and installing it, a malicious  user could
    compromise the  keys of  other users  who   subsequently used  the
    machine.

    The machines primarily at risk would be workstations and  terminal
    servers.  If normal security recommendations are followed,  normal
    users  will  not  be  allowed  to  interactively  log  onto domain
    controllers, web servers, database servers, ERP servers, and other
    security-critical machines. Windows NT  auditing could be used  to
    determine who changed the key's  value.  A tool is  available that
    resets the permissions on the affected key to the correct  default
    values.   In addition,  it incorporates  the functionality  of the
    tool provided in Microsoft Security Bulletin MS00-008.

    Microsoft thanks Sergio Tabanelli  and Banca Nazionale del  Lavoro
    for reporting this  vulnerability to MS  and working with  them to
    protect customers.

SOLUTION

    Windows  2000  is  not  affected  by  this  vulnerability.   Patch
    availability:

        - X86: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20330
        - Alpha: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20331