Security Bulletin

Microsoft Security Bulletin MS00-065 - Critical

Patch Available for 'Still Image Service Privilege Escalation' Vulnerability

Published: September 06, 2000 | Updated: May 18, 2003

Version: 1.1

Originally posted: September 6, 2000
Updated: June 13, 2003


Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows 2000. The vulnerability could allow a user logged onto a Windows 2000 machine from the keyboard to become an administrator on the machine.

Affected Software:

  • Microsoft Windows 2000

Vulnerability Identifier: CVE-2000-0851

General Information

Technical details

Technical description:

An unchecked buffer exists in the 'Still Image Service' on Windows 2000 hosts. A locally logged-on user can execute malicious code that will use the still image service to escalate their permissions equal to that of the Still Image Service, namely, LocalSystem.

The Still Image Service is not installed by default, but is automatically installed, via plug-n-play, when a user attaches a still image device (i.e. digital camera, scanner, etc.) to a Windows 2000 host.

Frequently asked questions

What's this bulletin about?
Microsoft Security Bulletin MS00-065 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows 2000. The vulnerability could allow a user to gain inappropriate privileges on a Windows 2000 machine. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a privilege elevation vulnerability. A malicious user who could interactively log on to a Windows 2000 machine and run a program could pose as any other user on the machine, including the administrator or the system itself. The machines most likely to be affected by this vulnerability are Windows 2000 Professional workstations and terminal servers, because they typically allow normal users to interactively log onto them. Security-critical machines such as domain controllers, ERP servers, print and file servers, and SQL servers typically do not allow normal users to interactively log onto them and, if this were the case, would not be at risk from this vulnerability. The vulnerability would allow a Guest user or normal user to assume any desired level of privilege on the machine that was compromised. In the case of a compromised workstation, it's unlikely, but not impossible, that the malicious user could extend control to the rest of the network. However, if he or she compromised a domain controller, he or she would gain de facto control of the domain.

What causes the vulnerability?
There is an unchecked buffer in the Still Image Service that may allow a malicious program to obtain LocalSystem privileges. With this level of access, the currently logged-on user can obtain administrative privileges on the host.

What is the Still Image Service?
The Still Image Service is automatically installed when a still image device (digital camera, scanner, etc) is attached to the Windows 2000 host. Further details on the still image service can be found at the following URL's:

Does this vulnerability affect any versions of Windows 98, Windows ME, or NT4?
No. This vulnerability, and the associated patch, affect only Windows 2000 hosts.

Who should use the patch?
Microsoft recommends that all Windows 2000 users consider installing the patch.

What does the patch do?
The patch eliminates the vulnerability by providing updated Still Image code.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.

How do I use the patch?
Knowledge Base article Q272736 (available soon) contains detailed instructions for applying the patch to your site

How can I tell if I installed the patch correctly?
The Knowledge Base article Q272736 (available soon) provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article

What is Microsoft doing about this issue?

  • Microsoft has delivered a patch that eliminates the vulnerability.
  • Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
  • Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
  • Microsoft has issued a Knowledge Base article Q272736 (available soon) explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms: Please see the following references for more information related to this issue.

Other information:


Microsoft thanks DilDog of @Stake Inc. ( for reporting this issue to us and working with us to protect customers.

Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.


The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.


  • September 6, 2000: Bulletin Created.
  • V1.1 (May 18, 2003): Introduced versioning and updated links to information on Still Imaging and WIA Technologies.

Built at 2014-04-18T13:49:36Z-07:00