Microsoft Patches Allow Safer Surfing
- 26 May, 2000 12:01
SAN FRANCISCO (05/26/2000) - In case you missed it, Microsoft Corp. recently got caught with its proverbial pants down: The phrase "Netscape engineers are weenies!" was found embedded backward in the Web server software included in Windows 95 and 98, Windows NT 4.0 Option Pack, and FrontPage 98.
Some security experts feared that the phrase (included in a file named Dvwssr.dll) opened a back door to Web servers running Microsoft software. The company denies that the prank itself made the software vulnerable. But Microsoft confirmed that coincidentally the .dll file opens two security holes, though these holes affect only Web servers. The fix? Find all instances of Dvwssr.dll by conducting a search for the file on your PC, and delete each occurrence of the file. The only feature you lose by getting rid of this file is the ability to create "link views" or maps of your Web site to check for invalid links.
Meantime, Microsoft has been busy patching two other security holes that threaten users who surf the Web and use e-mail.
BUG: Beware file attachments from unknown sources, including Excel files.
Normally, Excel warns you before you open a file that contains a macro. But an attacker can defeat the Excel 97 and 2000 warning system by embedding Excel 4.0 macro language commands in an external text file. If you receive one of these spreadsheets, opening the file or clicking an internal link could allow a destructive Excel macro to run without warning, altering or deleting files on your hard drive.
FIX: The patch won't let macros run unannounced. Excel 2000 users need to update to Microsoft Office Service Release 1, available at www.officeupdate.com/2000/downloadDetails/O2kSR1DDL.htm. For a link to a 2.8MB fix for Excel 97, with installation info, hop to www.officeupdate.com/downloadDetails/Xl8p9pkg.htm?s=/downloadCatalog/dldExcel.asp.
BUG: You could find yourself staring at the "blue screen of death" simply because you read an HTML e-mail message or visited a Web site, due to a flaw in the way all versions of Windows 95 and 98 handle file path names. To leave you feeling (and seeing) blue, an attacker need only embed a file link that includes more than one DOS device name, such as C:\COM1\COM1. When Windows comes across a path name that contains a single DOS device name, it ignores the path name and treats it as invalid. Unfortunately, Windows doesn't simply discard multiple DOS device names in the same way. Because your system chases after path names that don't exist, it ends up crashing.
FIX: The patch makes Windows recognize file path names with more than one DOS device name as invalid. If you use Windows 98 or Windows 98 Second Edition, download a 228KB fix at www.microsoft.com/downloads/release.asp?releaseID=19389. A 267KB fix for Windows 95 is available at www.microsoft.com/downloads/release.asp?releaseID=19491.
Office Update Gets Another Cleaning
Microsoft's first service release (SR-1) for Office 2000 is supposed to solve problems for users of the popular suite. But as we reported last month, installing SR-1 caused problems for some users. Microsoft has promised to post a revised version of the release (named SR-1a) to address the most serious problem. Users who installed SR-1 after upgrading from Windows NT 4.0 to Windows 2000 experienced a variety of glitches, like nonworking hyperlinks.
Windows 2000 users who have already installed the SR-1 update and have endured the resulting hassles can download a fix from download.microsoft.com/download/ office2000pro/o9regfix/2000/WIN98/EN-US/o9regfix.exe. For additional information, go to Microsoft's article at support. microsoft.com/support/kb/articles/Q258/5/49.asp.
Windows 2000 Shuts Out MSN
Users of the new OS found that they couldn't use their Windows 2000 PCs to set up new MSN accounts. And to use an existing MSN account under Win 2000, users had to configure dial-up Internet access and e-mail manually. Microsoft recently released version 5.1 of its MSN CD to solve the problems. Current MSN members can order the free disc at free.msn.com/upgrade.asp; to order the CD if you aren't a member, visit www.free.msn.com.
WordPerfect Office 2000 Repairs
A scant four months after releasing its Service Pack 2 for WordPerfect Office 2000, Corel has released SP3. To get the free 76MB download, use the links at www.corel.com/support/ftpsite/pub/WordPerfect/wpwin/Office2000/index.htm.