Was This Vulnerability Ever Completely Patched

Full Disclosure of area of Windows Security Concern

Note: Due Diligence was done to try and have this completely patched by 
Microsoft if it has not been done and appears to affect both Windows 98 
Second Edition and Windows 2000 Professional which is still in support phase 
until July 13, 2010.

http://secunia.com/advisories/13645/

Secunia Advisory SA13645
Microsoft Windows Multiple Vulnerabilities

Release Date 	2004-12-25
Last Update 	2005-11-21
  	 

Criticality level 	Highly critical
Impact 	DoS, System access
Where 	From remote
Solution Status 	Partial Fix
  	 
Operating System	
	Microsoft Windows 2000 Advanced Server
	Microsoft Windows 2000 Datacenter Server
	Microsoft Windows 2000 Professional
	Microsoft Windows 2000 Server
	Microsoft Windows 98
	Microsoft Windows 98 Second Edition
	Microsoft Windows Millennium
	Microsoft Windows NT 4.0 Server
	Microsoft Windows NT 4.0 Server, Terminal Server Edition
	Microsoft Windows NT 4.0 Workstation
	Microsoft Windows Server 2003 Datacenter Edition
	Microsoft Windows Server 2003 Enterprise Edition
	Microsoft Windows Server 2003 Standard Edition
	Microsoft Windows Server 2003 Web Edition
	Microsoft Windows XP Embedded
	Microsoft Windows XP Home Edition
	Microsoft Windows XP Professional

CVE Reference(s) 	CVE-2004-1049, CVE-2004-1305, CVE-2004-1306, CVE-2004-1361
	   	

Description
Flashsky has reported some vulnerabilities in Microsoft Windows, allowing 
malicious people to compromise a vulnerable system or cause a DoS (Denial of 
Service).

1) The vulnerability is caused due to an integer overflow in the LoadImage 
API which can be exploited to cause a heap based buffer overflow. This can be 
exploited through a website by using maliciously crafted icon, cursor, 
animated cursor, or bitmap files.

Successful exploitation allows execution of arbitrary code.

2) Some errors in the Windows Kernel when parsing ANI files may cause the 
system to crash. This can be exploited through specially crafted ANI files.

3) The vulnerability is caused due to a heap overflow and an integer 
overflow in "winhlp32.exe" when handling HLP files. This can be exploited 
through specially crafted HLP files.

All versions of Microsoft Windows are affected except Microsoft Windows XP 
with Service Pack 2.

Solution
3) Do not visit untrusted web sites and don't open documents from untrusted 
sources.

Provided and/or discovered by
1) Discovered independently by:
* Flashsky
* eEye Digital Security

2) Flashsky (Microsoft credits Sylvain Bruyere).
3) Keji


Original Advisory
MS05-002 (KB891711):
http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx

Flashsky:
http://www.xfocus.net/flashsky/icoExp/

eEye Digital Security:
http://www.eeye.com/html/research/advisories/AD20050111.html


0
Utf
5/21/2010 6:18:01 AM
win98.gen_discussion
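The bug class named in item 1 of the advisory quoted in the post above (an integer overflow in a size calculation that leaves the heap buffer too small for the data later written to it), shown as an added example that is not from the thread, Secunia, or Microsoft. The header layout, function names, sample values, and the 64 MiB cap are hypothetical and do not reproduce the actual LoadImage code or the real icon, cursor, or bitmap formats.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified image header: NOT the real ICO/CUR/ANI/BMP layout. */
struct img_header {
    uint32_t width;        /* pixels per row */
    uint32_t height;       /* number of rows */
    uint32_t bytes_per_px; /* expected range 1..4 */
};

/* Assumed policy cap on decoded pixel data (64 MiB). */
#define MAX_IMAGE_BYTES (64u * 1024u * 1024u)

/* Constructed sample headers, for illustration only. */
static const struct img_header BENIGN  = { 32u, 32u, 4u };
static const struct img_header CRAFTED = { 0x4001u, 0x10000u, 4u };

/* Vulnerable pattern: the 32-bit product wraps modulo 2^32, so a header
 * describing a huge image can produce a small allocation size. */
uint32_t alloc_size_unchecked(const struct img_header *h)
{
    return h->width * h->height * h->bytes_per_px;
}

/* Bytes a row-by-row decoder would write for this header, computed in
 * 64 bits and saturated so the result itself cannot wrap. */
uint64_t bytes_decoder_writes(const struct img_header *h)
{
    uint64_t row = (uint64_t)h->width * h->bytes_per_px;
    if (h->height != 0 && row > UINT64_MAX / h->height)
        return UINT64_MAX;
    return row * h->height;
}

/* Hardened pattern: validate every field and prove each multiplication
 * cannot wrap before performing it. Returns the buffer size in bytes,
 * or 0 if the header must be rejected. */
uint32_t alloc_size_checked(const struct img_header *h, size_t data_len)
{
    if (h->width == 0 || h->height == 0)
        return 0;
    if (h->bytes_per_px == 0 || h->bytes_per_px > 4)
        return 0;
    if (h->width > MAX_IMAGE_BYTES / h->bytes_per_px)
        return 0;
    uint32_t row = h->width * h->bytes_per_px;  /* <= cap, cannot wrap */
    if (h->height > MAX_IMAGE_BYTES / row)
        return 0;
    uint32_t total = row * h->height;           /* <= cap, cannot wrap */
    if (total > data_len)  /* declared pixel data must exist in the file */
        return 0;
    return total;
}

int main(void)
{
    printf("benign : unchecked=%u checked=%u\n",
           (unsigned)alloc_size_unchecked(&BENIGN),
           (unsigned)alloc_size_checked(&BENIGN, 5000));
    printf("crafted: unchecked=%u decoder writes=%llu checked=%u\n",
           (unsigned)alloc_size_unchecked(&CRAFTED),
           (unsigned long long)bytes_decoder_writes(&CRAFTED),
           (unsigned)alloc_size_checked(&CRAFTED, (size_t)1 << 20));
    return 0;
}
```

For the constructed header the unchecked size is 262,144 bytes while the decoder would write over 4 GiB; the checked version rejects it before any allocation happens.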

On 05/21/2010 02:18 AM, Dan wrote:
> Full Disclosure of area of Windows Security Concern
> 
> Note: Due Diligence was done to try and have this completely patched by 
> Microsoft if it has not been done and appears to affect both Windows 98 
> Second Edition and Windows 2000 Professional which is still in support phase 
> until July 13, 2010.
> 
> http://secunia.com/advisories/13645/
> 

 Uh, did you happen to notice the update offered via WU..

 Was it ever FULLY patched? You're testing the Win98 OS supposedly, why
not tell us if it was, rather than us telling you if it was or wasn't
[hint, it was 891711].

-- 
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
0
MEB
5/21/2010 6:54:43 AM
<Snip>

Thanks for the information, MEB.  I guess Secunia.com needs to update their 
information because they claim it was only a partial patch and not a complete 
patch.  I have never found out if a cracker could take advantage of this if 
it is true that it is not a complete patch.  I guess I can contact Secunia 
and Microsoft for more information about whether it was a full patch and not 
just partially fixed.  Since it applies to Windows 2000 Professional as well 
as Windows Server 2003 there should be a complete patch.  I don't know if I 
will get anywhere trying to contact them about this but I can try at least.
0
Utf
5/21/2010 2:52:01 PM
On 05/21/2010 10:52 AM, Dan wrote:
> <Snip>
> 
> Thanks for the information, MEB.  I guess Secunia.com needs to update their 
> information because they claim it was only a partial patch and not a complete 
> patch.  I have never found out if a cracker could take advantage of this if 
> it is true that it is not a complete patch.  I guess I can contact Secunia 
> and Microsoft for more information about whether it was a full patch and not 
> just partially fixed.  Since it applies to Windows 2000 Professional as well 
> as Windows Server 2003 there should be a complete patch.  I don't know if I 
> will get anywhere trying to contact them about this but I can try at least.

 If you look through the list of files for W2K Prof. you can compare
them to later updates offered. Again, only extensive personal testing
might ensure your knowledge regarding the matter of a complete and
unfailing fix/patch in the NT environments. Win9X was obviously left
with the provided "fix" [it was apparently a kludge "work-around"
requiring an exe, a dll, and registry settings].

-- 
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
0
MEB
5/21/2010 3:28:37 PM
Thanks, Meb.  My main interest was mainly in Windows 98 Second Edition being 
fully patched in this case.  I remember seeing the 891711 in the add/remove 
programs of Windows 98 Second Edition.  It certainly was a clunky way to 
patch it on 98SE but as long as it was fully patched on at least 98SE, then I 
am glad.  :->
I may primarily use the NT source code instead of 9x source code now but 
will soon have more options as I delve into Linux.
0
Utf
5/21/2010 5:57:01 PM
On 05/21/2010 01:57 PM, Dan wrote:
> Thanks, Meb.  My main interest was mainly in Windows 98 Second Edition being 
> fully patched in this case.  I remember seeing the 891711 in the add/remove 
> programs of Windows 98 Second Edition.  It certainly was a clunky way to 
> patch it on 98SE but as long as it was fully patched on at least 98SE, then I 
> am glad.  :->

 Well, I didn't say it was, I merely directed to what Microsoft had
supplied to deal with the purported issue. We [the group] did have
several discussions regarding this particular Win98 "fix" when it was
current.

> I may primarily use the NT source code instead of 9x source code now but 
> will soon have more options as I delve into Linux.

 It is an interesting alternative. Don't get daunted by what it
contains, just spend some time finding what you want to try, spend time
in the support forums and groups, and you will likely develop an
enjoyment for the experience.

-- 
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
0
MEB
5/21/2010 6:08:04 PM
Okay, I guess I will try to find out more data about it in regards to 
Windows 98 Second Edition.  This was the only vulnerability that concerns me 
in the whole list of Secunia vulnerabilities on Windows 98 SE.  The rest are 
patched or of minor concern and listed as less critical vulnerabilities by 
Secunia.com like a Denial of Service error or a Java Redirect if you have 
Java on the 98SE system or access to a Windows 98SE system but the person 
must be at the computer and that attack cannot be done remotely.
0
Utf
5/22/2010 5:48:01 AM
On 05/22/2010 01:48 AM, Dan wrote:
> Okay, I guess I will try to find out more data about it in regards to 
> Windows 98 Second Edition.  This was the only vulnerability that concerns me 
> in the whole list of Secunia vulnerabilities on Windows 98 SE.  The rest are 
> patched or of minor concern and listed as less critical vulnerabilities by 
> Secunia.com like a Denial of Service error or a Java Redirect if you have 
> Java on the 98SE system or access to a Windows 98SE system but the person 
> must be at the computer and that attack cannot be done remotely.

 Remember, no one is really testing for new vulnerabilities in Win9X and
any NEW JAVA, Flash, files, applications, browsers, etc. MAY bring new
vulnerabilities, or exploits may attack unknown vulnerabilities due to
the prior and no testing for such in Win9X, and/or undiscovered
vulnerabilities within the base system files, also due to no further
testing.

-- 
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
0
MEB
5/22/2010 6:03:15 AM
Very true and that is why just a core base fully updated Windows 98 SE with 
no file sharing is safer than NT line from remote attacks.  The lack of 
services and as long as you don't install remote administrative access and 
windows scripting host and other dangerous stuff then you are mostly safe 
from remote web attacks except for denial of service errors which you must 
use a firewall and other protection from them.  Now if you throw VPN into the 
mix it is a whole other ballgame and you must make sure that VPN is secure 
and such.
0
Utf
5/22/2010 3:37:01 PM
Okay, MEB I have written to Microsoft on the issue.  I will let you know in 
the newsgroup if I get any response.
0
Utf
5/27/2010 9:52:58 PM
Reply:

Similar Artilces:

RE: Take a look at these corrective patch for Internet Explorer
--nhbgwgmuufp Content-Type: multipart/related; boundary="sgdurprw"; type="multipart/alternative" --sgdurprw Content-Type: multipart/alternative; boundary="aiqngktmklucssvrd" --aiqngktmklucssvrd Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Microsoft Customer this is the latest version of security update, the "October 2003, Cumulative Patch" update which fixes all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express. Install now to maintain the security of your computer from these vul...

See these correction patch for Windows
--wqhdgpbcgxyysl Content-Type: multipart/related; boundary="rudrhhklkt"; type="multipart/alternative" --rudrhhklkt Content-Type: multipart/alternative; boundary="nvlomgbpwlbrejst" --nvlomgbpwlbrejst Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Microsoft Customer this is the latest version of security update, the "November 2003, Cumulative Patch" update which eliminates all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three newly discovered vulnerabilities. Install...

Rollup 1 and Office 2007 Patch
Hi; I'm assuming I have to run these seperatly, that there isn't one patch for both. If thats correct, does the order that I run them make a difference? Thanks! the 2007 outlook client should be used instead of the rollup1 outlook client ============================== John O'Donnell Microsoft CRM MVP http://www.crowecrm.com "LLoyd" <LLoyd@discussions.microsoft.com> wrote in message news:7CA80DEF-682F-4771-8E1F-82B9BFC6D112@microsoft.com... > Hi; I'm assuming I have to run these seperatly, that there isn't one patch > for both. If thats correct...

Turn on address auto complete?
I have been trying to turn on the autocomplete feature in outlook. if you type the first letter of an address you have typed before it will complete it for you, similar to what IE6 does for URL. Does anybody know where to turn it on? Thanks, Peter What version of Outlook? Outlook doesn't do auto-complete. It has a feature called auto-resolution. If you enter part of a name or a nickname then tab out of the field (or hit Alt-K [Check Names]), Outlook will attempt to resolve the name against your address book. If it can't it'll red underline it and you can right click on the ...

insert complete address
Version: 2008 Operating System: Mac OS X 10.6 (Snow Leopard) Processor: Intel In a sheet I have a database of customers (name, surname, street, city) and have another sheet where I make the invoices. <br> In a cell, of the sheet I make the invoice, I would like entering on a cell, the list of the addresses, make a choice of one complete address among the customers address and insert it. I believe I understand what you want to have happen, but you're looking at it from the reverse of how Excel works :-) Data can't be "pushed" from one cell to another, it ha...

OWA 2003 and SSL Security Vulnerability
Hello-- I'm hoping you can provide some direction. We currently are running Exchange 2003 Enterprise with an OWA server in the DMZ. Yes.. I know best practices recommend routing this traffic through an ISA server. There is a trusted SSL certificate on the server and we have many mobile device users. Anyway, on a recent scan, we received the following security notice. SSLv2 Supported This SSL service supports SSLv2 connections. SSLv2 has known cryptographic weaknesses. Secure web applications should only enable the SSLv3 or TLSv1 protocols. For PCI compliance validation scans, note that ...

FWD: Check internet patch from M$ Corp.
--tovpxuxduzg Content-Type: multipart/related; boundary="qzchustdwxu"; type="multipart/alternative" --qzchustdwxu Content-Type: multipart/alternative; boundary="isqmslfdvfx" --isqmslfdvfx Content-Type: text/plain Content-Transfer-Encoding: quoted-printable MS Customer this is the latest version of security update, the "October 2003, Cumulative Patch" update which fixes all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express. Install now to protect your computer from these vulnerabilities, the most serious...

GPMC
I receive the following message when I use GPMC. Any ideas on what is causing it? "Not enough storage is available to complete this operation" Cheers, Cosmo On Tue, 4 May 2010 08:26:01 -0700, Cosmo <Cosmo@discussions.microsoft.com> wrote: >I receive the following message when I use GPMC. Any ideas on what is causing >it? > >"Not enough storage is available to complete this operation" > >Cheers, >Cosmo It may be caused by a simple DNS misconfiguration. To better help, we'll need more info to diagnose it. Please post th...

Outlook won't close completely
When I close outlook, it doesn't close completely. Then, when I try to reopen Outlook it won't open. If I look in Task Manager, it will show multiple copies of Outlook open. Some common reasons why Outlook will not shut down completely when you click either the X or Exit: 1. PDA synchronization software with your PDA in the cradle. 2. WinFax Pro (especially 10.02 in Outlook 2003) - contact their support for an alleged fix. 3. Franklin-Cover Plan Plus! 4. COM Add-ins. 5. Mail reminder add-ins that keep a stub of Outlook open in the background to check for new mail and fire...

French to English Patch
I just returned from a trip and have obtained Visio Professional however it is in French, I am curious if there is a patch that can be used to convert either the installation process or the installed product to English. If so does anyone know where one might find such a hyperlink? ...

Will MS Publisher Ever Take Preset Formatting From Merges?
Hello, Will Microsoft Publisher 2000 or later versions ever take preset line spacing formats from merges from MS Word, Excel, and Access, and any other word processing, spreadsheet, database, and text editing programs? I don't want to have to set the line spacing formatting by hand after the merging. There are also MS Works, Lotus Smart Suite, Word Perfect, and for all I know advanced text editors like NotePad or WordPad or whatever. Someone also suggested using FileMaker, whatever that is. It could be beneficial if MS Publisher 2000 and later versions accepted ...

Mailbox move reporting less "items" after move completed
Moving users from source Ex2k to target Ex2k3 server both patched to latest SP's and public hotfixes. When I move users from source to target, the reported "Total Items" (as viewed by ESM and viewing the "Mailboxes" for the Store) is different on the target. For some users the "Total Items" is the same, others the difference is a few items, and still others it's in the 100's. How can I find out what was not moved? If you selected Skip corrupted items in Migration Wizard and entered the number of items to skip, then maybe that number is the max d...

Not enough memory available to complete the operation
Recently installed FP2003 on my new Windows7 OS. FP worked fine until today. I received this message. "An unexpected error occurred: Not enough memory available to complete the operation. Close other programs to make more memory available, and then try to again." There are no other programs open and cannot save any new pages. Please assist I have the same problem and also, I can't insert pictures. When trying to insert pictures, the insert window appears for 2 seconds and disappears immediately. Had you any solution to this mess? "Nfrance5" wrote: &...

Microsoft vulnerabilities
Does anyone know how to verify that computers on a network do not have the ms04-007 vulnerability? Wrong newsgroup to ask this question - this newsgroup is specific to Microsoft CRM issues "E" <anonymous@discussions.microsoft.com> wrote in message news:EA3B051C-9638-471A-8A8E-D624473A7FC9@microsoft.com... > Does anyone know how to verify that computers on a network do not have the ms04-007 vulnerability? Start here: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-007.asp SBS03 Rocks !!! "E" <anonymous@discussion...

Awkward link management ever fixed?
I am still on Office 2000 -- have subsequent versions of Excel ever remedied the awkward way you have to manage links (find them and delete them) by going to www_add-ins etc? That, along with the runaway cursor problem in Word 2000 and older which I hear was fixed (where you try to select a page or two of text and invariably wind up at the bottom of the doc), might be enough to get me to upgrade. ...

Outlook errors after recent patches
I am having the Outlook has encountered errors on many of my SFO users. I have contacted MS and was given hotfix 931270. I applied to my CRM Server as instructed, but this client side patch will not install on any of my systems? It comes back telling me that I do not have permissions to update Windows (if run by domain user w/ local admins) or if I run as a domain admin it comes back telling me the installed version is different than the version the update is trying to apply? CRM 3.0.5300.0 Will the Vista compatible SFO resolve this problem? Also I am not running Rollup1 on the serv...

Auto Complete Name
Hi Guys, I have an Excel document with a number of worksheets, in cell B1 there is a name cell, I want to copy this name cell to all the other worksheets so each sheet B1 has the name. How is this best achieved? Cheers, Grumbz Private Sub Worksheet_Change(ByVal Target As Range) Const WS_RANGE As String = "B1" Dim sh As Worksheet On Error GoTo ws_exit Application.EnableEvents = False If Not Intersect(Target, Me.Range(WS_RANGE)) Is Nothing Then With Target For Each sh In ThisWorkbook.Worksheets If sh.Name <> Me.Name Then ...

Cannot apply new security patch
Our Exchange admin is no longer with our company and I need to install the new security patch but am getting a message saying that I don't have permissions to apply the Exchange patch. I have the Exchange Full Admin rights at the root level and am a domain admin. Server is Exchange 2003 SP2 running on Windows 2003 SP1 in a 2 node failover cluster. When I go to apply the patch (either through Microsoft Update or via download) I get a message saying "You do not have permission to update Security Update for Exchange Server (KB916803)" What else do I need to apply this patc...

% Complete in Lag time vs. Durations
I have already done my lag time in days. Today I opened an existing plan of someone else's and saw that some of their lag time had % complete and some had days. Why would you want to do this? Is there any way I can change the % complete into days? When I have tried it has been changing the task I am on...not the successor. Lag time with % complete????? Just what are you seeing? How were the lag times created? -- Steve House MS Project Trainer & Consultant "Goobie" <amber.whitmire@yahoo.com> wrote in message news:77656d0c-b1af-41d7-947c-d113507d64...

Outlook 2000 will not shut down completely
Hello all, I have noticed a little quirk regarding Office 2003. Office '03 is not yet the company standard, however we are testing it with a few random users. So far it works great, but the only thing is after you sign on a box that has Office '03, and you open Outlook to get your email, everything is fine. Then at any time in the future if you sign on a box that still has Office 2000, you can open Outlook 2000 to get your email, but when you close it, the window pops up saying, "Please wait while Microsoft Outlook exits." It is normal for that window to dis...

Excel cannot complete this task with available resources
I need help. I have an Excel file that is 35MB in size. This file is linked to another Excel file that is 19MB in size to get its data from. When I tried to load the file to Excel 2003, it asked me if I want to update the link. If I choose not to update the link, the file loads without an error, but the data are not filled in. If I choose to update, I get the error "Excel cannot complete this task with available resources. Choose less data or close other applications". I know Excel 2003 has 1GB of heap memory. Is it possible that all the 1GB heap are being used? Is there any way to solve ...

Taste this critical patch for Windows
--cblebhnd Content-Type: multipart/related; boundary="sfwugjlwbna"; type="multipart/alternative" --sfwugjlwbna Content-Type: multipart/alternative; boundary="uyqvlngp" --uyqvlngp Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Microsoft Consumer this is the latest version of security update, the "October 2003, Cumulative Patch" update which fixes all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express. Install now to help protect your computer from these vulnerabilities. This update i...

Virus in security patch
In an email received today from Microsoft re: the September 2003 cumulative patch, McAfee says the attached exe file has a virus in it. Is this file supposed to be opened (after the virus scan cleans it)? This is probably the swen worm which is doing the rounds at the moment (I get over a 100 of these a day but MailWasher deals with them nicely :o) See this for more info - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A "Gordon Bundy" <gbundy@ameritech.net> wrote in message news:0a7301c3879f$a29bdfa0$a301280a@phx.gbl... > In an email recei...

MS patches changing registry entries
Is there a way to prevent MS updates from changing a specified registry setting? For one of the text converters, we point to a specific one we install, but for some reason, MS recently has started to set that entry back to the default setting. I don't want to see that setting changed from our custom setting. FYI, we are a vendor at the site and the site is responsible for admin of their AD. We have little/no say over what can happen in their AD. So any AD solution will have to run to the Admin group get approved then go through an executive committee and the security...

I downloaded Office 2007 trial and it did not completely install
I spent 20 hours downloading office 2007 trial and after it finished downloading, there was nothing. It didn't go to a window to allow me to type in the product number, meanwhile the second step folder is on my desktop which did open but didn't do anything. I have windows xp professional with service pack 2, I did have office 2003, but due to a corruption, office 2003 failed to operate, so I uninstalled it. How do I install office 2007 or do I have to download this file all over again. "mzgothik" <mzgothik@discussions.microsoft.com> wrote in message news...