Windows Secrets


Windows Secrets Newsletter • Issue 10 • 2003-07-24 • Circulation: over 400,000


Table of contents 
  • Top Story: Critical flaw affects almost all Windows versions
  • Insider Tricks: More on Service Pack 4 for Windows 2000
  • Patch Watch: More on the critical flaw affecting NT, XP, 2000, and 2003
  • Best Freeware: A new TweakUI from Microsoft
  • Insider Tricks: Windows Future Storage promises big changes
  • Wacky Web Week: Internet Explorer error message for WMD

 
Top Story

Critical flaw affects almost all Windows versions

By Brian Livingston

Every time Microsoft releases “the most secure operating system ever,” the security flaws just keep on coming. Last week, Microsoft notified users that a hole rated “critical” (the most severe rating) affects not only Windows XP, 2000, and NT 4.0, but also its new, much-vaunted Windows Server 2003 product. Microsoft says Windows Me is not vulnerable, but it didn’t test Windows 9x, which the company no longer supports.

This problem is especially explosive because an attacker can run a rogue program by merely sending packets to a remote machine using any one of various ports. One of these, port 135, is commonly used to send pop-up messages across a network. This feature has been notably exploited in recent months by some spammers, who started sending irritating – but otherwise harmless – ads directly to desktops. Now such payloads threaten to escalate wildly.

Corporations ordinarily block such port access if it originates from outside the firewall. But a malicious person inside the firewall could use the flaw to gain complete control over certain systems. And, of course, not all vulnerable systems are effectively protected by firewalls.

This situation is so dire that I’ve included more information in the paid version of this week’s newsletter; but if you don’t get that version, you should just go directly to Microsoft bulletin MS03-026 and download patches for your affected PCs. (Microsoft revised this bulletin as recently as July 21, so you should re-visit the document if you originally read it before that date.)

I haven’t learned of any negative side-effects of installing the patches, and in any event they would pale in comparison to the threat of your vulnerable machines remaining unpatched. If unexpected gotchas do arise, I’ll alert you in a future Brian’s Buzz. To send me more information about this, or to send me a tip on any other subject, visit WindowsSecrets.com/contact.

 
Insider Tricks

More on Service Pack 4 for Windows 2000

In my July 10 issue of Brian’s Buzz, I reported that installing SP4 on Windows 2000 had various unexpected behaviors. My readers have added new findings of previously unknown quirks.

SP4 doesn’t install Java and bars it later. Reader Patrick Slattery explains:

  • “One interesting new feature of SP4 is that on slipstreamed installs it will no longer install the Microsoft JVM [Java Virtual Machine] and will not allow the JVM to be installed afterwards. This is partially documented at Microsoft.com.

    “On my new server installs that will run Java services that were written in J++, I have to build the system with a slipstreamed SP3 install, and then install SP4. That’s messy, to say the least.

    “Microsoft are acting like spoiled brats in this Java spat. I for one am ready to spank them!”

SP4 hoses Autodesk VIZ files. The CAD company acknowledges that W2K SP4 wipes out the ability of Autodesk’s VIZ applications to open MAX and DRF files that are saved after the service pack is installed. The firm, however, has no fix as yet, except to recommend that SP4 be uninstalled. (But don’t do this until you read the next item, below.) Reader Mike Herman comments:

  • “Service Pack 4 on Windows 2000 kills VIZ 4 deader than dead. Any files created by VIZ after W2K has been upgraded crash Windows Explorer as well as VIZ when VIZ tries to reopen them. This means that the new files cannot be deleted because they crash Explorer, and they cannot be reopened to do further work on them.”

Uninstalling W2K SP4 makes your scheduled tasks not run. If you try to solve the above problems by reversing the install of SP4, any specified tasks will simply fail to occur. A description of the problem and its workarounds is in FAQ 6901 at JSIinc.com:

Patch Watch

More on the critical flaw affecting NT, XP, 2000, and 2003

My top story, above, concerns the dangerous new security hole that allows an attacker to gain control of remote systems by sending them packets on common communications ports. In this section, I provide additional information.

One of the best analyses of the threat comes from reader Kent England, who holds a Microsoft MVP (Most Valuable Professional) certificate. He minces no words about the importance of installing Microsoft’s latest patch:

  • “This patch fixes a serious vulnerability in NetBIOS on port 135. A buffer overflow allows an attacker to send a specially formed packet to a Windows workstation on port 135 and execute code of his choice.

    “As you recall, port 135 is how [Microsoft] Messenger pop-up advertisements get into computers that are attached to the Internet with their NetBIOS enabled on their Internet connection.

    “Given all the people who complain on the Microsoft public newsgroups about Messenger pop-ups and the fact that so many do not use Windows Update, we have a serious crisis on our hands. It won’t be long before someone writes a new and very nasty Messenger pop-up that installs a Trojan or spyware on systems all across the Internet. Spyware already outranks viruses in complaint levels on these newsgroups. A malicious Trojan that sneaks in via UDP port 135 will wreak havoc on the Internet.

Best Freeware

A new TweakUI from Microsoft

TweakUI, a configuration utility that’s gone through many versions over the years, has become one of the most popular downloads from Microsoft – even though the Redmond company always officially denies that the program is even supported.

Now a new version, TweakUI 2.10.0.0, has been released. It works only on Windows XP with Service Pack 1 and Windows Server 2003. But people with those configurations should definitely give it a look.

To download it, go to the Microsoft PowerToys page. The right-hand column contains the new TweakUI link, despite the fact that Microsoft carelessly states that this page was last updated as far back as “April 23, 2002.”

Don’t even try to install this version of TweakUI on Windows XP unless it has Service Pack 1. You’ll get an unintelligible error message.

Microsoft seems to have deleted the plain-XP version of TweakUI from the site. You can still get that version from the TweakUI for XP download page at WebAttack.com. They still have TweakUI for 98/NT/Me/2000, too.

The “Woody’s Windows Watch” newsletter has a longer review of the new TweakUI for XP SP1 in its July 24 issue. A handy overview of the older TweakUI and several other PowerToys is also in the April 29, 2002, issue of the now-discontinued “Windows XP Watch” newsletter.

Insider Tricks

Windows Future Storage promises big changes

In the last of my Window Manager columns that appeared in the print version of InfoWorld on April 21, I described some major moves coming from Microsoft.

I opined that in its upcoming Windows 2005 product (code-named Longhorn), “Microsoft plans to introduce an object file system known as WinFS (Windows Future Storage). This data store will have full database functionality built on SQL Server enhancements code-named Yukon.”

Reader David Matthews doesn’t believe this will be the most benign development for all parties in the software industry:

  • “I truly hope that nobody loses sight of where WinFS came from, or the business reason behind it. The primary reason for WinFS has little to do with technology and everything to do with economics.

    “As you may remember, sometime in the past Oracle started claiming that the days of file servers were drawing to a close, because everyone should really be storing files inside Oracle database systems. Oracle clearly wanted a chunk of the file server market that Microsoft has. As we know, this was not a particularly successful marketing strategy.

    “Microsoft decided to turn the tables. If Microsoft were to provide a high-performance database as a ‘free’ part of the server operating system, then few people would want to pay Oracle for a separate product to provide the database function. Microsoft would again leverage its monopoly in operating systems to completely trash the economics of an otherwise unrelated market. This is precisely the strategy that they used to turn the Web browser market into a non-market.

Wacky Web Week

Internet Explorer error message for WMD

You’ve probably seen IE’s famous “404” error message every time you’ve made a typo when entering a Web address. Now Anthony Cox, a British blogger, has created an error message for our times: “These Weapons of Mass Destruction Cannot Be Displayed.”

For anyone who has a sense of humor left, the text goes on and on like this, with hilarious effect. “The weapons you are looking for are currently unavailable. The country may be experiencing technical difficulties, or you may need to adjust your weapons inspectors’ mandate.” Republicans and Democrats alike will find something here to chuckle at. My thanks to reader Bob Bailin.

Correction: Iranian language is Farsi
In the Wacky Web Week for July 10, I linked to a spoof showing the face of bearded actor Sean Connery (in ayatollah garb) inserted onto the front of a proposed new currency for Iran. I said the inscription on the bill was in Arabic, but everyone knows the written language of Iran is Farsi. Silly me. The first reader to remind me of this was Brian Goodhart.


YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2012 by WindowsSecrets.com. All rights reserved.
