Windows & .NET Magazine UPDATE, brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies.
http://www.winnetmag.com
THIS ISSUE SPONSORED BY
Free Download — Control PCs over the Internet!!
http://www.crossteccorp.com/w2kmag.htm
AdminStudio 3.5 Now Shipping!
http://www.installshield.com/winnetmagupdateletter
(below COMMENTARY)
SPONSOR: FREE DOWNLOAD — CONTROL PCs OVER THE INTERNET!
Winner of PC Magazine's Editors' Choice Award — NetOp Remote Control is the professional's choice for fixing remote PC Problems and secure remote access! NetOp is blazingly FAST, extremely SECURE, and provides rock solid STABILITY. Don't trust anything less. Use the Remote Control solution that was DESIGNED for enterprise support and access. NetOp provides a proven ROI that will save you both time and money — immediately. Download your own FREE, fully functional, evaluation copy today and see why for remote access, NetOp is known as the "hands down winner!"
http://www.crossteccorp.com/w2kmag.htm
August 27, 2002—In this issue:
1. COMMENTARY
- Win32 Shatter Attack and the Laptop of the Month
2. HOT OFF THE PRESS
- Microsoft's Fall Lineup Targets Consumers
3. KEEPING UP WITH WIN2K AND NT
- SP3 Upgrade Failure
- SP3 Performance Monitor Hotfix for Non-English Versions
- A Bucketload of Windows Explorer Bugs
- Post-SP3 COM+ Hotfix Rollup 21
- Network Connection Manager Security Hotfix
4. ANNOUNCEMENTS
- Mark Minasi and Paul Thurrott Are Bringing Their Security Expertise to You!
- Planning on Getting Certified?
- Submit Top Product Ideas
5. HOT RELEASES (ADVERTISEMENTS)
- Security Workshops from Microsoft and NetIQ!
- A Tutorial on Disk Defragmentation for Windows NT/2000/XP (What You Don't Know Can Hurt You)
- FREE Directory Reporting Tool and DVD Burner
6. INSTANT POLL
- Results of Previous Poll: Voice Over IP
- New Instant Poll: Windows NT 4.0 Support
7. RESOURCES
- Featured Thread: Protecting Folders in XP
- Tip: Why Can't I Use the Windows 2000 Scheduled Task Wizard to Schedule a New Task with System Account Credentials?
8. NEW AND IMPROVED
- Back Up Your Data
- Manage Patches
- Back Up Data
9. CONTACT US
- See this section for a list of ways to contact us.
1. COMMENTARY
(contributed by Paul Thurrott, [email protected])
In last Thursday's WinInfo Daily UPDATE, I wrote about an interesting Windows-based security problem (see first URL below), in which a UK-based programmer named Chris Paget alleges that the Win32 API that modern Windows versions use is broken. Paget details his claims in an intriguing white paper (see second URL below) that describes the problem, how easily someone can take advantage of it, and the various responses he's received from Microsoft. In some ways, Paget's interaction with Microsoft is the most interesting part of this story. Although I originally concluded that Microsoft had valid reasons for dismissing the seriousness of the vulnerability, I've since talked with the programmer and am no longer so sure. In fact, I find Microsoft's refusal to comment on this story very damning, especially in light of the so-called Trustworthy Computing initiative and the company's promise to be more open and responsive to security concerns.
In short, Paget claims that the Win32 messaging system, a core portion of Windows that determines the interaction among users, applications, and the OS, is flawed. To demonstrate this, the programmer has written a Shatter Attack tool that uses documented Win32 messaging functionality to usurp control of the system and gain elevated system privileges. Other programmers have since used this technique to perform similar feats.
Microsoft's response, which made sense to me at the time, was that Paget's methods required physical or remote access to the system first, in which case, the first tenet of the company's Ten Immutable Laws of Security (see third URL below) was violated, and the system was already insecure. As a Microsoft representative identified only as "Dave" wrote to Paget, "The attack you describe either requires \[users\] to run an attacker's program on their \[systems\] or the attacker needs to have access to the \[users' systems\]," the email reads. "In either case, the attacker has been allowed to cross a security boundary. In our essay, the 'Ten Immutable Laws of Security,' these are Law #1—'If a bad guy can persuade you to run his program on your computer, it's not your computer anymore,' and Law #3—'If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.'"
The problem, Paget told me, is that gaining access to a machine is fairly trivial. He gave me several logical examples of how this might happen, including public Internet cafes and libraries, and application service providers (ASPs) that supply remote access to Microsoft Office XP and other applications through Windows 2000 Server Terminal Services. By not admitting that the flaw is a flaw, Paget says, Microsoft is endangering users. And to give him proper credit, Paget handled this situation properly, notifying Microsoft continuously about the problems he found in the Win32 API.
"I've been interacting with Microsoft \[personnel\] every day, basically, keeping them up-to-date with what I've found," he told me. "I've given them the tools I've produced, and showed them all the new techniques. So far, they've not even acknowledged it as a vulnerability, although they say they are investigating it. But they're not working on a patch and are not even particularly concerned about it. That's what concerns me."
That's what concerns me too. I offered to hook up Paget with someone a little higher up than "Dave," who appears to be a fairly low-level program manager in the Microsoft's Security Response team. Microsoft delivered its response, however, with all the subtlety of a Cold War-era Soviet denouncement. Scott Culp, director of the Security Response team, was too busy to discuss this matter with me or Paget. Furthermore, the company had no comment about the problem or any desire to discuss the matter in any way. I was also told that a company representative (Dave, apparently) was already in contact with Paget and that no further contact would be necessary.
I found Microsoft's response to be more than off-putting, especially given today's security climate, the nature of the charges, and the politically correct manner in which Paget had released his information. And yes, I'm hoping that by publishing this bizarre response, I can goad the company into making good on its promises to keep its users safe and up-to-date. In the meantime, I'm left with the feeling that the kinder, gentler, more secure Microsoft was simply marketing doublespeak—and it's not a very good feeling.
Laptop of the Month: Gateway Solo 200
Continuing the highly portable theme I've been exploring all summer, this month's laptop is a wonderful 3-pound Gateway Solo 200 that sports the slice-style expansion that I prefer. Thus, the Solo 200 is highly portable but can be instantly upgraded with an optical drive, 3.5" floppy drive, and a slew of new ports by docking the laptop to a base that the company provides. With the dock installed, the total system weighs just over 5 pounds, although I don't recommend using the machine this way on battery power because the dock, inexplicably, doesn't include its own battery. However, by providing a two-piece system, Gateway lets you travel light and use the dock when you're home (or, you can pack the docking device in your luggage and bring it along, as I've done).
The Solo 200 features a 933MHz low-voltage Pentium III-M processor, which is standard fare in this class; a beautiful 12" XGA display; 256MB of RAM; an adequate 20GB hard disk; integrated video which, again, seems to be standard fare in the thin-and-light class; a touch pad; integrated wireless, Ethernet, and modem connections; and a standard battery that delivered about 2 hours of battery life, which is adequate though not exceptional. A higher capacity battery is also available, and although I didn't test it, it's an option I would consider.
As for ports, the Solo 200 features 2 USB, 1 FireWire/IEEE-1394, 1 PC Card slot, VGA out, parallel, serial, and PS/2 ports; the docking base adds two more USB ports (all four are accessible), a second FireWire, and second VGA out.
What sets the Solo 200 apart from similar laptops, however, is its styling. Rarely do people comment on the machine I'm using in an airport or plane (unless it's an Apple product, of course), but the Gateway drew impromptu discussions from fellow passengers impressed with its less-than-an-inch thickness and brushed-metal-looking body. It truly is a beautiful little machine.Like last month's Fujitsu Lifebook S6010, however, the Solo 200 comes tantalizingly close to perfection, only to be picked apart in the details. I'd gladly trade the 3.5" floppy drive in the docking base for a second battery, for example, and I'm still no fan of integrated video. But the Solo 200 was an adequate performer overall, with excellent standard features, decent battery life, and amazing industrial design. Considering its excellent $2000 street price and light weight, I'd buy this machine for personal use in a heartbeat.
New Windows Security Vulnerability: Fact or Fiction?
Shatter Attack white paper
Microsoft's Ten Immutable Laws of Security
SPONSOR: ADMINSTUDIO 3.5 NOW SHIPPING!
Converting software packages to the Windows 2000 open software format—MSI—is now faster, easier, and more reliable. AdminStudio 3.5 allows you to repackage applications as fast as running the installation with the new snapshot-free InstallMonitor(TM) technology. With AdminStudio 3.5 you bypass the tedious delays associated with delta-based repackaging techniques. Plus, in addition to SMS and ZENworks package import, AdminStudio 3.5 now provides WinINSTALL package conversion, Marimba distribution, and much more. Download now!
http://www.installshield.com/winnetmagupdateletter
2. HOT OFF THE PRESS
(contributed by Paul Thurrott, [email protected])
Last week, Microsoft unveiled a slew of new consumer-oriented products. The products, which will be available this fall (in time for the holiday buying season), include an online gaming service for the Xbox video-game console, a new Windows XP version targeted at digital-media lovers, a new Windows Media Player (WMP), an attractive new version of Microsoft's online service, several new PC games, and some interesting hardware products. For the details, visit the following URL:
http://www.wininformant.com/articles/index.cfm?articleid=26307
3. KEEPING UP WITH WIN2K AND NT
(contributed by Paula Sharick, [email protected])
Several readers asked for assistance with a Windows 2000 Service Pack 3 (SP3) setup failure that produces the error message "An error in updating your system has occurred. When you click OK, Windows is not upgraded to SP3 and you can no longer install programs that use the Windows Installer (.msi packages)."
When this error occurs, any later attempts to use Windows Installer to install software (e.g., SP3, a Microsoft Office update, or any software that uses winstall technology) will produce a message that says "The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed...."
This failure occurs because the latest version of Windows Installer (version 2.0.2600.2), packaged with SP3, doesn't install or run on a system on which the Distributed COM (DCOM) default impersonation level is set to Anonymous. Even worse, after an SP3 installation fails, the system retains the SP3 version of Windows Installer, but the installer won't function properly even if you restart the upgrade. To reinstall SP3 successfully, you need to change the DCOM impersonation level to Identify, and you need to delete the problem Windows Installer file (msisip.dll). To change the DCOM impersonation level, open a command prompt and type
dcomcnfg
If some objects aren't registered, the command will prompt you to register them. Then the utility displays the DCOM Configuration Properties window. Click the Default Properties tab, change the setting in the Default Impersonation field to Identify (click the down arrow for this field to view all valid settings), and click OK to exit.
To delete the problem Windows Installer file, locate and delete (or rename) the file \%windir%\system32\msisip.dll. After taking this corrective action, you should be able to complete an SP3 upgrade. For more information, read the Microsoft article "Service Pack 3 Update Is Unsuccessful When DCOM Impersonation Level Is Set to Anonymous" at
http://support.microsoft.com/default.aspx?scid=kb;en-us;q324631.
WEB-EXCLUSIVE ARTICLES: The following items are posted on the Windows & .NET Magazine Web site. For the complete story, use the following link and scroll to the appropriate article.
http://www.winnetmag.com/articles/index.cfm?articleid=26431
A bug in how Windows 2000 Service Pack 3 (SP3) updates Performance Monitor counters causes the counter names to display with unrecognizable characters at the end of each counter name. Learn more about this problem at the following URL:
http://www.winnetmag.com/articles/index.cfm?articleid=26431
Windows Explorer has several bugs that Windows 2000 Service Pack 3 (SP3) doesn't correct. Visit the following URL for a list of the misbehaviors and bug fixes, all of which are available only from Microsoft Product Support Services (PSS).
http://www.winnetmag.com/articles/index.cfm?articleid=26431
Microsoft released the Windows 2000 post-Service Pack 3 (SP3) COM+ hotfix rollup package on June 4. Find out more about the rollup and how to get it at the following URL:
http://www.winnetmag.com/articles/index.cfm?articleid=26431
Find out about a flaw in the Windows 2000 Network Connection Manager and how to fix it.
http://www.winnetmag.com/articles/index.cfm?articleid=26431
4. ANNOUNCEMENTS
(brought to you by Windows & .NET Magazine and its partners)
Windows & .NET Magazine Network Road Show 2002 is coming this October to New York, Chicago, Denver, and San Francisco! Industry experts Mark Minasi and Paul Thurrott will show you how to shore up your system's security and what desktop security features are planned for Microsoft .NET and beyond. Sponsored by NetIQ, Microsoft, and Trend Micro. Registration is free, but space is limited so sign up now!
http://www.winnetmag.com/seminars/roadshow
Make sure to pick up our new eBook! "The Insider's Guide to IT Certification" eBook is hot off the presses and contains everything you need to know to help you save time and money while preparing for certification exams from Microsoft, Cisco Systems, and CompTIA and have a successful career in IT. Get your copy of the Insider's Guide today!
http://winnet.bookaisle.com/ebookcover.asp?ebookid=13475
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].
5. HOT RELEASE (ADVERTISEMENT)
Join Microsoft and NetIQ, the Elite Force in Enterprise Security, to get the hand-to-hand tactics you need to fight dangerous hacker exploits during our technical workshop series, Digital Crime Prevention Labs. Register before 8/15 to save $100!
http://www.netiq.com/events/seminars/digitalcrimeprevention/default.asp
Download this free technical white paper now from Windows & .NET Magazine's White Paper Central. Brought to you courtesy of Raxco Software.
Imanami SmartR: FREE reporting tool for Exchange 5.5 and AD. Run reports on DL's, users, owners or last modified. Reports are customizable. Creates phone list in seconds! Generate reports in CSV, XML, XLS and HTML. Download for DVD Recorder!
http://www.imanami.com/specials/winupdate_082702.asp?p=winupdate_082702
6. INSTANT POLL
The voting has closed in Windows & .NET Magazine's nonscientific Instant Poll for the question, "Has your organization deployed Voice over IP (VoIP) technology?" Here are the results (+/-2 percent) from the 209 votes:
27% Yes
7% No, but we plan to within the next 6 months
9% No, but we plan to within the next 12 months
21% We're investigating VoIP but won't deploy it in the near future
36% No, and we have no plans to pursue it
The next Instant Poll question is, "How long do you anticipate your organization will need to support Windows NT 4.0?" Go to the Windows & .NET Magazine home page and submit your vote for a) Through the end of 2002, b) Through mid-2003, c) Through the end of 2003, d) Through the end of 2004, or e) Beyond 2004.
http://www.winnetmag.com/magazine
7. RESOURCES
This user wants to know whether it's possible to protect (require a password for) a folder in Windows XP. If you can help, join the discussion at this URL.
(contributed by John Savill, http://www.windows2000faq.com)
If you attempt to specify the SYSTEM account when you use the Scheduled Task Wizard to create a new task, Win2K will display the following error message:
The attempt to log on to the account associated with the task failed, therefore, the task did not run.
The specific error is "0x80070057: The parameter is incorrect". Verify that the task's Run-as name and password are valid and try again.
This error message results from a bug in the Win2K Scheduled Task Wizard. To work around this problem, use the AT command to schedule your tasks—the AT command automatically uses SYSTEM account credentials to run tasks. If you subsequently use the Scheduled Task Wizard to modify an existing task that you created with the AT command, you'll have to enter alternative credentials for the task, and the task will no longer run under the SYSTEM account.
8. NEW AND IMPROVED
(contributed by Carolyn Mader, [email protected])
We reported incorrect contact information for NovaStor in the August 26 edition of the Storage UPDATE newsletter. NovaStor's NovaBACKUP 6.7 and InstantRecovery 3.1 products provide backup and disaster-recovery software for small businesses and home users. Contact NovaStor at 805-579-6700 or 800-668-2786.
http://www.novastor.com
St. Bernard Software announced UpdateEXPERT, software that lets you scan and patch security holes. UpdateEXPERT features an extensive database that includes service packs, hotfixes, and other patches. To increase protection, the software scans your networked systems for missing patches and fixes discovered weaknesses. UpdateEXPERT lets you research available fixes, scan your workstations and servers, and deploy updates to any number of networked machines. The software works with network vulnerability scanners to help you enforce security policies. The software manages patches for Windows XP, Windows 2000, and Windows NT. For pricing, contact St. Bernard Software at 858-676-2277 or 800-782-3762.
http://www.stbernard.com
Sony Electronics announced PetaApp, a backup system based on Sony software and Digital Tape Format (DTP) tape drives. PetaApp can back up data in Network Attached Storage (NAS), Storage Area Network (SAN), and heterogeneous storage environments. Comprised of the Sony PetaSite Tape Library, DTF-2 tape drives, PetaBack software, and a Brocade Fibre Channel fabric switch, the PetaApp can back up as much as 2TB of data in 8 hours. For pricing, contact Sony Electronics at 800-829-7669.
http://www.sony.com/datasystems
9. CONTACT US
Here's how to reach us with your comments and questions:
- ABOUT THE COMMENTARY — [email protected]
- ABOUT KEEPING UP WITH WIN2K AND NT — [email protected]
- ABOUT THE NEWSLETTER IN GENERAL — [email protected]
(please mention the newsletter name in the subject line)
- TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
- PRODUCT NEWS — [email protected]
- QUESTIONS ABOUT YOUR WINDOWS & .NET MAGAZINE UPDATE SUBSCRIPTION?
Customer Support — [email protected]
- WANT TO SPONSOR WINDOWS & .NET MAGAZINE UPDATE?
[email protected]
This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email
