Windows-Help.NET Newsletter

01. Microsoft Issues Highly Critical Windows Fix

by Arie Slob

Hello Windows users,

This week, Microsoft published two new Windows security fixes (see below) for the month February (after it had published a fix for Internet Explorer the previous week).

One of the fixes has attracted more attention then usual however. It is the MS04-007 fix, pertaining to a vulnerability in the ASN.1 library.

Affected software:

Windows NT
Windows 2000
Windows XP
Windows Server 2003

The vulnerability is caused by an unchecked buffer in the ASN.1 Library, which could result in a buffer overflow. An attacker who successfully exploited this buffer overflow vulnerability could execute code with system privileges on an affected system. The attacker could then take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts with full privileges.

The controversy surrounding this fix is caused by the fact that this vulnerability had been discovered 7 months ago by eEye Digital Security. According to eEye the ASN vulnerability is more dangerous than previous flaws that spawned Nimda, Code Red and Sapphire worms, because the ASN library is widely used by Windows security subsystems, so the vulnerability is exposed through an array of authentication protocols.

Marc Maiffret, chief hacking officer and cofounder of eEye Digital Security criticized Microsoft for the lag time between eEye's discoveries and Microsoft's fixes saying: "We contacted Microsoft about these vulnerabilities 200 days ago, which is insane." Microsoft defends the whopping 7 months it took to fix the flaws as necessary because the company needed to ensure that a patch to such central Windows components didn't break software or cause other problems. "We really took the steps to make sure our investigation was as broad and deep as possible," Microsoft security program manager Stephen Toulouse said.

Security experts Sophos, said computer users should keep a sense of proportion about the flaw, however.

"At the moment, we haven't seen any hackers or worms exploiting this hole, but that doesn't mean computer users don't need to protect their PCs," said Sophos' Graham Cluley, senior technology consultant for Sophos. "Everyone should ensure their computer is patched against this vulnerability as soon as possible. This announcement couldn't have come at a worse time for Microsoft, as they try and build their reputation for security."

So, go and visit windowsupdate.com and get all your friends & relatives to do likewise!

02. Microsoft Security

Microsoft Windows Security Bulletin Summary for February, 2004

Severity Rating: Critical

Microsoft Security Bulletin MS04-007 - ASN .1 Vulnerability Could Allow Code Execution

Severity Rating: Important

Microsoft Security Bulletin MS04-006 - Vulnerability in the Windows Internet Naming Service (WINS) Could Allow Code Execution

03. Recent Support BBS Postings

Changing Taskbar Clock Info - Windows XP
Going to raid, need info - Hardware
Links won't open in a new window - Internet Explorer
Mozilla Firefox 0.8 Release - Netscape and Mozilla

05. Recommended Web sites

Each month we will feature a few Web sites here, ones which sent us the most visitors to our Web site in the previous month. We would encourage you to visit these popular Web sites yourself!

Here are some sites in the Top 15 for January 2004:

Home Sight & Sound - Comprehensive collection of links and home sight & sound information.

Refdesk.com - "The single best source for facts on the Net."

Experts Exchange - IT Professional Collaboration Network.

The Top 15 sites are listed on our Web site.

06. Web Site Updates

These pages were added/updated in the past week. Information on previously updated/added pages is available on the What's New? page for 1 month.

Windows-Help.NET

Added: Microsoft Issues Highly Critical Windows Fix
Updated: Microsoft Windows Security Bulletin Summary for February, 2004

Windows XP

Added: Critical Update for Windows Media Player (All Versions)

7. Critical Update for Windows Media Player (All Versions)

This update contains a change to the behavior of Windows Media Player's ability to launch URLs in the local computer zone from other zones. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

Supported Operating Systems: Windows 2000, Windows Server 2003, Windows XP

Download
[2.77 MB - English]
Other Languages
More Info

8. Windows 2000 & Windows NT 4 Source Code Leaks

Microsoft Corp. says incomplete portions of the source code were leaked over the Internet, but analysts caution it's too early to say how much damage the leak may cause.

Sources indicate that the data is roughly 650 MB (the size of a typical CD-ROM), whereas the entire source code would probably exceed 40 GB.

Microsoft Statement

9. Excel 2003/2002 Add-in: MSN Money Stock Quotes

This add-in for Excel 2003 and Excel 2002 allows you to get dynamic stock quotes from the MSN Money Web site. The tools and features found in Excel are particularly well suited to analyzing financial data such as stocks. This add-in allows you to easily gather and study the stocks of interest to you, refresh your quotes when you want, and readily change or modify the quotes gathered.

Download
[387 KB - English]
Other Languages [FR/IT/DE]

10. Tip: Internet Explorer Cannot Connect to Secure Web Sites

Quite a number of people have been reporting problems connecting to Secure Web sites (the ones that start with https:// ). There are a number of possible causes, which in turn have a number of suggested fixes.

Read Full Article

11. Tip: Kernel32.dll errors caused by IEXPLORE

When you use Microsoft Internet Explorer to access the Internet, you may receive error messages caused by IEXPLORE.

Read Full Article

12. Clicking hyperlink in an Outlook Express e-mail message, causes Internet Explorer to display a 404 Object Not Found error page

When you click a hyperlink in an e-mail message in Microsoft Outlook Express, the wrong page appears in Microsoft Internet Explorer, or the following error page appears:

http:/1.0 404 Object Not Found

Read Microsoft Knowledge Base Article