Windows-Help.NET Newsletter 6 Sep. 2003, Vol 6 No. 30

In this issue:

  • Microsoft Promises Changes
  • Microsoft Security Bulletin
  • Recent Support BBS Postings
  • Web Site Updates
  • Administrivia


Microsoft Promises Changes

by Arie Slob

Hello Windows users,

I've gotten several interesting comments after I published an article, "MSBlaster Worm Fails To Bring Down Microsoft Windows Update Site", and featured this in my Newsletter last week. You can read the comments here.

Let's talk a bit more about this.

It now seems that Microsoft is rethinking a few things, but there haven't been many details released yet about the way it wants to implement these changes.

The first idea seems to be to have the Windows firewall enabled by default. For good measure, we're speaking about the Windows XP Internet Connection Firewall here. Windows XP is the only Windows version that ships with a built-in firewall.

I think this is quite a good idea... only allow a few ports open (E-mail & Web browsing), and for all other stuff, users would have to manually open ports when needed.

According to Microsoft's Mike Nash, Corporate Vice President of the Security Business Unit, Microsoft is currently looking into some issues that will arise from this firewall change, including compatibility issues and some legal issues.

Another thing discussed is the whole "AutoUpdate" feature. The consensus seems to be that it is still relying too much on the end-user, and so Microsoft seems to be contemplating "forced" updates. That is, updates will be automatically downloaded & installed.

This too I find a good idea.

Now I can hear a lot of people shout & scream. But the way this is thought out, Microsoft will offer businesses a way to "opt-out" of these "forced" updates. I think that for the "home user" segment, forced updates are the way to go. End users have proven on too many occasions that they are not capable of keeping their systems secure & up to date.

In a business environment, forced updates are not a possibility. Some financial institutions, for example, mandate six weeks of regression testing before a patch is allowed on "production" machines. Workarounds have to be put in place to secure systems before an "approved" patch can be put in place.

In many cases Microsoft does provide these workarounds in its security bulletins. For example, in the case of the MSBlast worm, setting a firewall to disallow traffic to ports 135, 139, 445 and 593 will prevent the worm from entering a machine.

Many people are complaining that Microsoft's OS is too full of holes. Well, it's not as secure as we would like it to be, but security vulnerabilities are something that will be with us for quite a while: there will always be bugs in software code, and some of these will be serious enough to be exploitable.

But Microsoft isn't deaf. According to Mike Nash, Microsoft is working on making their products a safer & more secure experience (secure by design, secure by default & secure by deployment). Microsoft is aware they have to do more to meet these goals.

Microsoft is also looking at the whole patching process, and wants to make patches less complex, and reduce the number of patch utilities to two, which will further reduce the complexity of patches.

All in all, I think that the MSBlaster worm has managed to open some eyes, both from Microsoft, and from System Administrators & end users. I think it's a shared responsibility: Microsoft needs to do more to make Windows more secure, and end users need to do more to keep their systems secure.

Microsoft Security

Flaw in NetBIOS Could Lead to Information Disclosure

Microsoft issued a patch for several versions of Microsoft Windows, because they contain a flaw in the Network basic input/output system (NetBIOS). Under certain conditions, the response to a NetBT Name Service query may, in addition to the typical reply, contain random data from the target system's memory.

Severity Rating: Low

Affected Software Versions

  • Microsoft Windows NT 4.0® Server, NT 4.0, Terminal Server Edition
  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows Server™ 2003


Flaw in Microsoft Word Could Enable Macros to Run Automatically

Microsoft issued a patch for several versions of Microsoft Word and Microsoft Works Suite, because they contain a flaw that could enable macros to run automatically. A malicious macro could be crafted that could take the same actions that the user had permissions to carry out, such as adding, changing or deleting data or files, communicating with a web site or formatting the hard drive.

Severity Rating: Important

Affected Software Versions

  • Microsoft Word 97, 98(J), 2000, 2002
  • Microsoft Works Suite 2001, 2002, 2003


Buffer Overrun in WordPerfect Converter Could Allow Code Execution

Microsoft issued a patch for several Microsoft Office versions, because they contain a flaw in the Microsoft WordPerfect converter. As a result of the flaw (buffer overflow), an attacker could craft a malicious WordPerfect document that could allow code of their choice to be executed if an application that used the WordPerfect converter opened the document.

Severity Rating: Important

Affected Software Versions

  • Microsoft Office 97, 2000, XP
  • Microsoft Word 98(J)
  • Microsoft FrontPage 2000, 2002
  • Microsoft Publisher 2000, 2002
  • Microsoft Works Suite 2001, 2002, 2003


Recent Support BBS Postings

Round IDE cables - Hardware
Zip files Open, they don't download - Internet Explorer/Outlook Express
A Helping Hand For Those Who Might Not Know - Security/Virus/Spyware

Web Site Updates

These pages were added/updated in the past two weeks. Information on previously updated/added pages is available on the What's New? page for 1 month.

Updated: Other Search Resources
Updated: Specialized Search Engines
Updated: Internet Search Engines


Added: Microsoft Security: Buffer Overrun in WordPerfect Converter Could Allow Code Execution
Added: Microsoft Security: Flaw in NetBIOS Could Lead to Information Disclosure
Added: Microsoft Security: Flaw in Microsoft Word Could Enable Macros to Run Automatically
Added: Changes Needed After MSBlaster Worm Hits


Microsoft Ships Automated Deployment Tool for Windows Server 2003

Windows Server 2003 Automated Deployment Services (ADS) is a new component of Windows Server 2003 that helps customers automatically and simultaneously install Windows 2003, Windows 2000, and disk images to multiple blank servers. ADS requires the high-end Windows 2003, Enterprise Edition or Windows 2003, Datacenter Edition to run from.

Automated Deployment Services Technical Overview

Sony to launch Net music service

The entertainment giant plans to launch its own in-house digital music service next year, in a project that will see its music, movie and electronics units work closely together.

REMINDER: Windows-Help.NET Newsletter Summer Schedule

Currently running a summer schedule, I will publish the next newsletter on the 20th of September. I intend to return to the weekly schedule after the October 4th issue.

Longhorn Beta 1

You may have read several stories announcing that Microsoft is slipping up with the release of its next operating system, currently known as "Longhorn". There isn't much to these stories. Microsoft executives all point out that any dates the company mentioned are only targets. When asked about Longhorn during a "Computerworld" interview last week, Microsoft Group Vice President Jim Allchin gave some information when he said, "We'll know so much more when we hit Beta 1. And we're not going to be at Beta 1 at the Professional Developers Conference (in late October). Once we hit Beta 1, we'll be able to get customer feedback. You can't predict when a product is going to ship until you get some customer feedback." Stay tuned…

FREE Software: 4UOnly

4UOnly is a secure password manager to store all your passwords and logins. It offers a time saving feature that allows you to access the passwords without having to type a master password each time.
