Windows NT Local Security Authority (LSA) can be remotely crashed, requiring a system reboot

Risk Level: Medium

Check or Attack Name: MsrpcLsaLookupnamesDos

Platforms: Windows NT: 4.0 SP4, Windows NT: 4.0 SP5

Description:

A potentially serious denial of service vulnerability in the Windows NT Local Security Authority (LSA) service could allow a remote attacker to crash the service by making a malformed request to LsaLookupNames. In most cases, the system must be rebooted to regain normal functionality.

Remedy:

Apply the Windows NT 4.0 post-SP5 LSA3-fix update. This fix can be installed on Windows NT 4.0 Service Pack 4 and Service Pack 5.

Windows NT 4.0 Service Pack 4 (SP4) and SP5 users, apply the LSA3-fix update:

  1. Open a web browser.
  2. Go to ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP5/LSA3-fix/.
  3. View the readme.txt for versions and install instructions.
  4. Download the appropriate patch for your operating environment.
  5. Find the patch file you downloaded to your computer.
  6. Double-click its icon to start the installation.
  7. Follow the installation directions.

References:

Microsoft Security Bulletin MS99-020, Patch Available for "Malformed LSA Request" Vulnerability, http://www.microsoft.com/security/bulletins/ms99-020.asp

Microsoft Knowledge Base Article Q231457, Malformed Request Causes LSA Service to Hang, http://support.microsoft.com/support/kb/articles/q231/4/57.asp

BindView Development, Phantom Technical Advisory, http://www.bindview.com/security/advisory/phantom_a.html

CIAC Information Bulletin J-049, J-049: Windows NT, Two Denial-of-Service Vulnerabilities (Malformed LSA Request and CSRSS Worker Thread Exhaustion), http://ciac.llnl.gov/ciac/bulletins/j-049.shtml

