Editors' Note: Netmon does not ship as part of Windows NT 4.0 Workstation or Windows 2000 Professional. These products would only be affected if SMS had been installed on them.
Microsoft ships two versions of Network Monitor (Netmon): a basic version that ships with Windows NT 4.0 and Windows 2000 server products, and a full version that ships as part of Systems Management Server (SMS) 1.2 and 2.0. Both versions include protocol parsers that aid administrators in interpreting and analyzing previously captured network data. However, several of the parsers have unchecked buffers. If a malicious user delivered a specially malformed frame to a server that was monitoring network traffic, and the administrator parsed it using an affected parser, it would have the effect of either causing Netmon to fail or causing code of the malicious user's choice to run on the machine.
Netmon requires administrative privileges to run, but should only be run by local, rather than domain, administrators. If this is done, the vulnerability could be used to gain complete control over the local machine, but could not be used to gain control over a domain. Netmon does not ship on workstation products, so unless SMS had been installed on a workstation, it would not be affected by this vulnerability.
Read the Netmon Protocol Parsing Vulnerability FAQ.