Bug in German Hotfix for MS00-070

[Frank Heyne <fh () Rcs1 urz tu-dresden de>]

This bug is only in the german version of the Hofix for NT 4, but
because I am not aware of any german security mailing list, I post it
here.

Hotfix archive gerq266433i.exe contains the file
MSAuditE.dll, version 4.0.1381.7086 from 08.11.2000

This file contains a broken message table for security events.
It contains a new security event 519.
The translator for the german version of this file was kind a lazy, he did
skip the ressource string for this new event. As a result of this, all
other ressource strings for event 519 trough 644 are displaced, for
instance event 519 is now interpreted as successful logon, event 528 is
now interpreted as logon failure, deactivated user accounts are reported
as deleted and much other nonsense.

This is not exploitable, but very annoying for the admin.

A more thoroughly description (in german language only ;) can be found at
http://www.heysoft.de/Warnung.htm

The error was reported to secure () microsoft com on 9. March 2001.
They replied on 10. March that they "will get the needed corrections made
soonest". Now we know soonest is not within a week at Microsoft, because
the bugfix for the hotfix is still not available.


Greetings

Frank Heyne