Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   OS (Microsoft)  >   Windows DLL (Any) Vendors:   Microsoft
A Microsoft German-Language Hotfix for Windows NT 4 Incorrectly Displays Some Security Events as Other Security Events
SecurityTracker Alert ID:  1001110
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 16 2001
Impact:   Modification of system information

Version(s): MSAuditE.dll Version 4.0.1381.7086
Description:   A bug has been reported in the German version of a Microsoft Hotfix for NT 4 that results in certain security events being displayed incorrectly as other events. The hotfix was in response to Microsoft Security Bulletin (MS00-070), titled "Patch Available for Multiple LPC and LPC Ports Vulnerabilities."

Hotfix archive gerq266433i.exe reportedly includes the file MSAuditE.dll, version 4.0.1381.7086 from 08.11.2000, that contains a broken message table for security events. It contains a new security event 519 but does not contain a resource string for this event. As a result, certain security events (519 through 644) are interpreted and displayed incorrectly as other events.

A more thorough German-language description can be found at

The vendor has been notified.

Impact:   Certain security events are displayed incorrectly as other security events.
Solution:   No solution was available at the time of this entry. The vendor plans to correct the situation.
Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:  Windows (NT)

Message History:   None.

 Source Message Contents

Subject:  Bug in German Hotfix for MS00-070

This bug is only in the german version of the Hofix for NT 4, but
because I am not aware of any german security mailing list, I post it

Hotfix archive gerq266433i.exe contains the file
MSAuditE.dll, version 4.0.1381.7086 from 08.11.2000

This file contains a broken message table for security events.
It contains a new security event 519.
The translator for the german version of this file was kind a lazy, he did
skip the ressource string for this new event. As a result of this, all
other ressource strings for event 519 trough 644 are displaced, for
instance event 519 is now interpreted as successful logon, event 528 is
now interpreted as logon failure, deactivated user accounts are reported
as deleted and much other nonsense.

This is not exploitable, but very annoying for the admin.

A more thoroughly description (in german language only ;) can be found at

The error was reported to on 9. March 2001.
They replied on 10. March that they "will get the needed corrections made
soonest". Now we know soonest is not within a week at Microsoft, because
the bugfix for the hotfix is still not available.


Frank Heyne

Delivery co-sponsored by BindView Corporation
Are your security practices adequate enough to protect you from hackers and
crackers?  How do you provide remote access to your users, enable e-mail
messaging, Internet sites and e-commerce activity, and at the same time
maintain security?  Can you implement and administer the effective security
measures you need without doing battle with the people who need access to
your network?

Download FREE the latest Hurwitz Group Report, Management Controls:
Security Impact of IT Administration at <>


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC