As The World Turns

The Internet News Page has been put here to give you information regarding important happenings on the Net. Feel free to contribute to this forum. All input is welcome. Because I run NT Server 4.0, you will notice a disproportionate amount of news devoted to NT 4.0. All problems and solutions discussed below are to be taken very carefully. Fully back up your system before attempting any of the following. The solutions below are not by this company. They are culled from the many NT newsgroups, mailing lists and IRC channels. Use at your own risk. Worldwide Web Design makes no warranties as to the suitability or accuracy of any given item. Please report any inaccuracies to security. All service packs and post service pack hotfixes are for the x86 platform unless otherwise specified. Please see Microsoft for other supported platforms. Microsoft has its own newsgroups for questions and discussions of its products. A file listed as a post service pack hotfix requires that service pack to already be installed on your system before the fix is applied. For example, a post service pack 2 hotfix requires SP2 to be installed before applying the fix. Not everyone will apply the latest service pack until it has been released for a few months and tested thoroughly by the NT community. This is why service packs 2 and 3, as well as post service pack 2 and 3 hotfixes, are both listed here.


May 30, 1997
Cyrix Launches 6x86MX Processor
Cyrix Corporation today introduced the MMX-enabled 6x86MX processor, formerly code-named M2, which delivers Pentium II-class performance at half the price. The 6x86MX processor enables PC manufacturers to deliver the performance and features of expensive Pentium II systems for under $2,000. The chip also enables Cyrix to continue its leadership role in driving mainstream PC prices below $1,500. "The 6x86MX processor enables customers to deliver high-performance, MMX-enabled entertainment PCs in the rapidly growing sub-$1,500 category." The 6x86MX processor provides Winstone 97 performance on par with similarly configured Pentium II systems running at 233 MHz, on Windows 95. On the same benchmark, the chip outperformed all other competitors' processors running on identically configured systems. The 6x86MX processor is able to obtain this high level of performance through an enhanced 64K unified cache and a 512-entry branch target buffer (BTB). In addition, the new memory management unit (MMU) consists of a two-level translation look-aside buffer (TLB) that is capable of storing up to 384 unique memory block addresses. These features allow the 6x86MX processor to satisfy a higher percentage of memory accesses on-chip, reducing the need to access slower off-chip memory.

May 28, 1997
NT 4.0 Post Service Pack 3 Hotfix For IE 3.02 w/ SP3
Internet Explorer 3.02 may stop responding when connecting to a Web link that contains a Java application after you have installed Windows NT 4.0 Service Pack 3. The application will stop responding only if the Display Properties Color Palette is set to True Color. The readme for this hotfix.

May 27, 1997
Microsoft DNS Server Subject To Denial Of Service Attack
Systems Affected: NT 4.0, up to Service Pack 3, running the MS DNS Server
Microsoft DNS can be made to crash by redirecting the output of the Chargen service to the MS DNS service. A typical attack might be launched from a system using the following command:
$ telnet ntbox 19 | telnet ntbox 53
The above command is shown as it would be issued on a UNIX command line. Once the command is issued, a telnet session is opened on port 19 (chargen) of the ntbox, and all of its output is redirected to a second telnet session opened on port 53 (dns) of the same ntbox. Launching the attack in this manner may subject the attacker to the same barrage of packets the DNS service will experience, but nonetheless the attack succeeds in crashing MS DNS.

May 23, 1997
NT 4.0 Post Service Pack 3 Hotfix (Updated) For The Out Of Band (OOB) Data Bug
A sender specifies "Out of Band" data by setting the URGENT bit flag in the TCP header. The receiver uses the URGENT POINTER to determine where in the segment the urgent data ends. Windows NT bugchecks when the URGENT POINTER points to the end of the frame and no normal data follows; NT expects normal data to follow. Microsoft has updated Tcpip.sys to correct the problem. NOTE: This hotfix was originally posted on 5/12/97. A second fix was completed on 5/21/97 to address another, nearly identical attack, and this hotfix has replaced the original one. The first hotfix is included in 4.0 SP3, but the second one is not, so a 4.0 Post Service Pack 3 hotfix is now available as well. Service Pack 3 must be applied to NT 4.0 prior to applying this fix. The readme for this hotfix.
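The urgent-pointer condition described above can be checked on the wire. The following Python is an added example, not Microsoft's code and not code from this page: it decodes a raw TCP header and flags segments whose URG flag is set and whose urgent pointer lands on the end of the segment with no normal data after it, which is the shape the text describes as the trigger for the bugcheck (and the same OOB traffic the May 9 and May 12 entries below talk about). The sample segments are constructed inline and the helper names are this example's own.

```python
import struct

TCP_URG = 0x20  # URG bit in the 6-bit flags field of the TCP header
TCP_ACK = 0x10


def parse_tcp_segment(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (RFC 793), skip any options,
    and return the fields the urgent-pointer check needs."""
    if len(segment) < 20:
        raise ValueError("shorter than a minimal TCP header")
    (src, dst, seq, ack, off_flags,
     window, checksum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4      # header length in bytes
    flags = off_flags & 0x3F                 # URG ACK PSH RST SYN FIN
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset outside the segment")
    return {
        "src": src, "dst": dst, "seq": seq, "flags": flags,
        "urg_ptr": urg_ptr, "payload": segment[data_offset:],
    }


def is_oob_at_end(segment: bytes) -> bool:
    """True when the segment carries urgent data and the urgent pointer
    reaches the end of the payload, i.e. no normal data follows the
    urgent data. Segments where normal data does follow are left alone."""
    seg = parse_tcp_segment(segment)
    if not seg["flags"] & TCP_URG:
        return False
    # The urgent pointer is an offset from the start of this segment's data;
    # when it reaches (or overshoots) the payload length, the urgent data is
    # the last thing in the segment.
    return seg["urg_ptr"] >= len(seg["payload"])


def build_segment(src_port: int, dst_port: int, payload: bytes,
                  urg: bool = False, urg_ptr: int = 0) -> bytes:
    """Construct a minimal TCP segment (no options) for testing. ACK is set
    because the problem traffic rides on an already established connection."""
    flags = TCP_ACK | (TCP_URG if urg else 0)
    off_flags = (5 << 12) | flags            # 5 x 32-bit words = 20-byte header
    header = struct.pack("!HHIIHHHH", src_port, dst_port,
                         1000, 2000, off_flags, 8192, 0, urg_ptr)
    return header + payload


def count_oob_segments(segments) -> int:
    """Run the check over a capture-like list of segments."""
    return sum(1 for s in segments if is_oob_at_end(s))


# Constructed sample traffic towards the NetBIOS session port (139).
NORMAL = build_segment(40000, 139, b"normal session data")
OOB_END = build_segment(40000, 139, b"X", urg=True, urg_ptr=1)
OOB_MID = build_segment(40000, 139, b"URGnormal", urg=True, urg_ptr=3)

if __name__ == "__main__":
    for name, seg in (("NORMAL", NORMAL), ("OOB_END", OOB_END), ("OOB_MID", OOB_MID)):
        print(name, is_oob_at_end(seg))
```

The check is deliberately header-only, so it can be run over any capture or packet filter hook that hands you raw segments; only `OOB_END` matches, because `OOB_MID` still has normal data after the urgent byte.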

May 22, 1997
NT 4.0 Post Service Pack 3 Hotfix For IIS 3.0
If you are running with Active Server Pages 1.0b (ASP) on Microsoft Internet Information Server 3.0 (IIS), you may experience performance problems caused by a memory leak in asp.dll. This may take a long period of time for you to notice depending on how often the Active Server Pages are accessed. It has been confirmed that this performance issue is due to a memory leak in asp.dll. You may confirm this by use of Performance Monitor. The readme for this hotfix.

May 19, 1997
NT 4.0 Post Service Pack 2 Hotfix For DNS
The Domain Name Service (DNS) fails with an access violation, and ceases to resolve names. If a DNS query is modified so that the original query's AnswerCount field is greater than 0, the DNS server may cause an access violation (AV). If the AnswerCount is greater than 0, we expect to already have data from the original query, but in this case, the data is not present. In addition, this hotfix also fixes the problem of telnetting to port 53 crashing the DNS service. An NT 4.0 DNS server produces the following event error 454:
DNS Server select() Function failed.
The data is the error. Besides the event error, CPU usage is high, the DNS server is unstable, and it sometimes crashes. The possible cause of this problem is when an unknown user telnets to the DNS server port 53. When this is done, and a few characters are typed, the above behavior is seen on the NT 4.0 DNS server. The readme 1 & readme 2 for this hotfix.
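The AnswerCount condition is easy to check at the DNS header level. The Python below is an added example (it is not Microsoft's fix and not code from this page): it decodes the 12-byte DNS header and classifies a message as a normal query, a query that claims to already carry answers (the case the hotfix text describes), or a runt too short to be a DNS message at all, which is what a few characters typed into a telnet session on port 53 look like. The query builder, sample bytes and function names are constructed for this example.

```python
import struct

DNS_HEADER = struct.Struct("!6H")   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def parse_dns_header(message: bytes) -> dict:
    """Decode the fixed DNS header (RFC 1035 section 4.1.1)."""
    if len(message) < DNS_HEADER.size:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack(message[:DNS_HEADER.size])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,         # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_dns_message(message: bytes) -> str:
    """Return 'runt', 'query-with-answers' or 'ok'."""
    try:
        hdr = parse_dns_header(message)
    except ValueError:
        return "runt"
    if hdr["qr"] == 0 and hdr["ancount"] > 0:
        # A query asserting it already carries answer records: the server has
        # no such data on hand, which is the condition behind the access violation.
        return "query-with-answers"
    return "ok"


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, ancount: int = 0, ident: int = 0x1234) -> bytes:
    """Build a standard A query; ancount lets a test forge the bad header."""
    flags = 0x0100                                   # QR=0, RD=1
    header = DNS_HEADER.pack(ident, flags, 1, ancount, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question


def summarize(messages) -> dict:
    """Count classifications over a batch of messages seen on port 53."""
    counts = {"ok": 0, "query-with-answers": 0, "runt": 0}
    for m in messages:
        counts[classify_dns_message(m)] += 1
    return counts


# Constructed samples: a normal query, a forged one, and typed telnet junk.
GOOD_QUERY = build_query("example.com")
FORGED_QUERY = build_query("example.com", ancount=1)
TELNET_JUNK = b"asdf\r\n"

if __name__ == "__main__":
    print(summarize([GOOD_QUERY, FORGED_QUERY, TELNET_JUNK]))
```

A server that validates the header this way before touching the answer section simply rejects the forged query instead of dereferencing data it never received.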

Microsoft Index Server Exposes Passwords
Systems Affected: NT with IIS and Index Server (e.g. any NT system using IIS with webhits.exe in the default location or in a locatable/executable path). MS Index Server (formerly code-named Tripoli) is Microsoft's search engine for Internet Information Server. It recently shipped with Service Pack 2 for Windows NT and is installed on most Microsoft NT Internet Information web servers. Index Server is a very useful search engine for the Internet Information Server. One component contained in Index Server is called the Hit Counter. The Hit Counter enables users to view their searched documents with the words of their queries highlighted. The Hit Counter (webhits.exe) allows the web server to read files that should not normally be readable. This is similar to a bug found recently that allows users to read Active Server Script files by placing a period at the end of the URL. In many cases an Active Server script contains a username and password to a network resource, usually a SQL server. This password and username can be used to gain access to the SQL system and possibly to the web server itself. Microsoft is aware of the problem, but they have yet to release a formal fix as of May 19, 1997.

May 16, 1997
Java Verifier Bug in JDK 1.1.1
The JDK 1.1.1 bytecode verifier does not check that the number of arguments passed into a method is no larger than the amount of space allocated to local variables for that method, given in its MAXLOCAL classfile attribute. So, if a method is given more arguments than it has room for in the space allotted to its local variables, this could cause a stack overflow, most likely leading to the JVM crashing. There is no known security attack based on this verifier bug, but since the bug relates to classloading, which has been the basis for security attacks in the past, it is appropriate to issue a fix. This is now fixed in the JDK 1.1.2 verifier. JDK 1.1.2 will be publicly available in the week of May 26; the fix has been communicated to Java licensees.
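The missing check is a small one, and it is easier to see in code than in words. The Python below is an added example, not the JDK's verifier: it counts the local-variable slots a method's parameters occupy (derived from the method descriptor, with `long` and `double` taking two slots and `this` taking one for instance methods) and compares the result with the method's local-variable limit, which the page calls MAXLOCAL and the class-file format stores as `max_locals` in the Code attribute. The method table, names and limits are constructed for the example.

```python
TWO_SLOT = {"J", "D"}                  # long and double occupy two local-variable slots
ONE_SLOT = {"B", "C", "F", "I", "S", "Z"}


def argument_slots(descriptor: str, is_static: bool) -> int:
    """Number of local-variable slots a method's parameters occupy on entry.
    Instance methods also receive 'this' in slot 0."""
    if not descriptor.startswith("(") or ")" not in descriptor:
        raise ValueError(f"malformed method descriptor: {descriptor!r}")
    params = descriptor[1:descriptor.index(")")]
    slots = 0 if is_static else 1
    i = 0
    while i < len(params):
        c = params[i]
        while c == "[":                     # array of any rank: one reference slot
            i += 1
            if i >= len(params):
                raise ValueError(f"dangling '[' in {descriptor!r}")
            c = params[i]
        if c == "L":                        # object type: L<classname>;
            i = params.index(";", i)
            slots += 1
        elif c in TWO_SLOT:
            slots += 2
        elif c in ONE_SLOT:
            slots += 1
        else:
            raise ValueError(f"bad type character {c!r} in {descriptor!r}")
        i += 1
    return slots


def check_max_locals(descriptor: str, is_static: bool, max_locals: int) -> bool:
    """The rule the JDK 1.1.1 verifier skipped: the parameters must fit inside
    max_locals, otherwise the caller's arguments spill past the space the
    frame reserved for local variables."""
    return argument_slots(descriptor, is_static) <= max_locals


def verify_methods(methods) -> list:
    """methods: iterable of (name, descriptor, is_static, max_locals).
    Returns the names of methods that fail the check."""
    return [name for name, desc, static, max_locals in methods
            if not check_max_locals(desc, static, max_locals)]


# Constructed method table, in the shape a class-file reader might hand over.
SAMPLE_METHODS = [
    ("main",     "([Ljava/lang/String;)V",      True,  1),
    ("add",      "(DD)D",                       True,  4),
    ("tooTight", "(IJLjava/lang/String;[I)V",   False, 4),   # needs 6 slots
]

if __name__ == "__main__":
    print(verify_methods(SAMPLE_METHODS))   # ['tooTight']
```

Rejecting `tooTight` at load time is exactly what keeps a hand-crafted class file from turning an argument-count mismatch into a crash later, which is why the fix belongs in the verifier rather than in the interpreter.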

May 15, 1997
NT 4.0 Service Pack 3 Available
The long awaited SP3 (18.2MB) is finally here. Service Pack releases are cumulative: SP3 contains all previous fixes from service packs 1 and 2, including all post service pack hotfixes, plus the new fixes. You do not need to install service pack 1 or 2 before installing 3. Alternate sites for downloading SP3: FTP and on the WWW. You can download the NT 4.0 Service Pack 3 symbol files (23.1MB) from any of the following locations: FTP 1, FTP 2 or WWW 1. Symbol files do not need to be installed when applying service packs. If you are a developer, you might consider installing them, but for the vast majority of NT users they are not needed. The readme for this service pack.

May 13, 1997
Digital Hits Intel With Patent Suit
Digital Equipment said Tuesday that it filed a lawsuit charging Intel with infringement of 10 of the company's patents to boost the performance of its Pentium, Pentium Pro and Pentium II processors. Digital, which filed its suit in the U.S. District Court, District of Massachusetts, is seeking an injunction and undisclosed monetary damages, including triple damages for Intel's willful violation of the patents.

May 12, 1997
NT 4.0 Post Service Pack 2 Hotfix For Out of Band (OOB) Data Bug
"It is possible to remotely cause denial of service to any windows 95/NT user. It is done by sending OOB [Out Of Band] data to an established connection you have with a windows user. NetBIOS [139] seems to be the most effective since this is a part of windows. Apparently windows doesn't know how to handle OOB, so it panics and crazy things happen. I have heard reports of everything from windows dropping carrier to the entire screen turning white. Windows also sometimes has trouble handling anything on a network at all after an attack like this. A reboot fixes whatever damage this causes." The readme 1, readme 2 & readme 3 for this hotfix. NOTE: service pack 2 must be applied to NT 4.0 prior to applying this fix. To see if your machine is vulnerable to this attack, visit the following website and take a test.

NT 4.0 Post Service Pack 2 Hotfix Addresses The Following:
Restricting Information Available To Anonymous Logon Users (Readme)
NT Service Pack 3 System Key Permits Strong Encryption Of The SAM (Readme)
How to Enable SMB Signing (Readme)

May 10, 1997
Intel Confirms Pentium II, Pentium Pro Math Bug
Intel has confirmed the flaw in its Pentium Pro and Pentium II microprocessors, but the company has no intention of recalling the chips, nor will it delay shipments of the recently introduced Pentium II microprocessors, a company spokeswoman said. The problem can be corrected by "software workarounds," she said. "What's different this time around from two years ago is there are software workarounds. We didn't have any two years ago. We now have a process in place." Intel had a similar problem with the classic Pentium chip in 1994, which cost the company more than $400 million. Robert Collins, a critic of Intel, first exposed the flaw on his website "Intel Secrets" on May 5.

May 09, 1997
Win '95/NT Are Vulnerable To OOB Bug
A bug has cropped up in Windows '95/NT that will allow any user to crash any other computer on any port. It is possible to remotely cause denial of service to any Windows 95/NT user. It is done by sending OOB [Out Of Band] data to an established connection you have with a Windows user. NetBIOS [139] seems to be the most effective since this is a part of Windows. Apparently Windows doesn't know how to handle OOB, so it panics and crazy things happen. Many reports have contained everything from Windows dropping carrier to the entire screen turning white. Windows also sometimes has trouble handling anything on a network at all after an attack like this. A reboot fixes whatever damage this causes. To see if your machine is vulnerable to this attack, visit the following website and take a test.

May 07, 1997
Internet Explorer & Powerpoint Bug
This flaw seems to only seriously affect people with the following configuration: Internet Explorer 3.x or 4.0, or Netscape 3.x or 4.x, with Microsoft PowerPoint 97. This flaw may also occur in Netscape and on older versions of PowerPoint. PPT (PowerPoint Slide Show) files open without prompting in Internet Explorer 3.0 (and in some other browsers). In fact, in IE 3.0 they open as an embedded object, and with a little tinkering the user may not even know that they have just entered a PowerPoint slideshow. Even if your security is set to high this will still work! Although Microsoft has added a security feature to the Office 97 suite to alert users of possible "hostile" macros, they have not applied this feature to PowerPoint text and buttons. This means that on moving over a place on the screen an event can be fired that will allow execution of a program.

May 06, 1997
NT SMB Downgrade in Action
On the heels of April's RedButton exploit comes yet another demonstration of attacking NT networks. A new program has just been released, complete with source code, that will downgrade a Server Message Block (SMB) negotiation, the standard handshake that occurs when a client attempts to connect to an NT Server. Downgrading the authentication causes the client to send its password in clear text, unencrypted. This has been a known possibility for quite some time; however, no one had released a working program along with source code until now.

May 01, 1997
Adobe's PDF a Security Risk
Beware of PDF files (documents in Adobe Acrobat format) that you download from the Internet - they could contain dangerous commands that destroy your data. Adobe's PDF format has developed into a kind of standard for documents used by manufacturers e.g. to distribute technical information, handbooks, etc. across the Internet. It was already possible in the recent versions of the PDF specification to have system commands executed. Now it is even easier in the current version 1.2. At least under Windows 3.x, Windows 95 and Windows NT document authors can assign actions to hotlinks and buttons within the text that execute any program with parameters. Even automatic actions during loading of the document into the Reader are possible.

April 23, 1997
NT 4.0 Post Service Pack 2 Hotfix For Unattended Setup Stops and Says Press Any Key to Shut Down
When you use Unattended Setup with the following keys
[Unattended]
ExtendOemPartition=1
nowaitaftertextmode = 1
you receive the following message which stops the Unattended Setup:
Pre-installation completed successfully - press any key to shut down and reboot the system.
This option was originally designed for Original Equipment Manufacturers (OEM) and was intended to stop Setup so that the computer could be shipped to a user at that point. The readme for this hotfix.

NT 4.0 Post Service Pack 1 Hotfix For SPX Data Stream Type Header May Reset Unexpectedly
The SPX Data Stream Type (DS_TYPE) portion of the SPX packet header may reset unexpectedly in socket applications that use the DS_TYPE socket option. When the DS_TYPE option is set, SPX sets a global flag specific to that connection indicating what the new DS_TYPE value should be on Sends. Because the global flag can be reset before Sends queued in SPX are transmitted on the network, the potential exists for the DS_TYPE to be changed before pending Sends have been transmitted. The readme for this hotfix. NT 4.0 Service Pack 1 can be downloaded from here. The readme file for service pack 1.

April 18, 1997
NT "Redbutton" Bug Discovered
This NT (3.5x & 4.0) security bug allows a remote user access to vital parts of an NT system. The security problem affects the majority of NT based networks. The "RedButton Bug" enables a remote user to get unauthorized access to parts of the NT system including the registry and file system. The "RedButton" utility, which is available for download at http://www.NTsecurity.com/RedButton/, demonstrates the possibility of such access. Administrators should seriously consider blocking access to ports 137, 138, and 139 on any machines exposed to the Internet. You can also stop the Server service to protect yourself, although doing so eliminates the ability for that server to share resources. Another option presented by http://www.ntshop.net/security/redbutton.htm is to edit the registry:
1. Open HKEY_LOCAL_MACHINE/CurrentControlSet/Control/SecurePipeServers
2. Create a key called winreg (if it doesn't exist)
3. Set the security on it however you like, but don't give the Everyone group access. Don't define Everyone with NO ACCESS either, as this locks out all accounts.
4. Reboot the system

April 10, 1997
NT 4.x BJ Drivers 2.00 For Canon Bubble Jet Printers
The ntguide.exe document fully outlines the installation and usage of the driver. This document should be downloaded and reviewed prior to installing the driver. (This document can be viewed with WordPad). This driver supports the following models: BJC-70, BJC-210, BJC-240, BJC-600, BJC-600e, BJC-800, BJC-820, BJC-4000, BJC-4100, BJC-4200, BJC-4550.
NT200US.EXE NT 4.x BJ Drivers 2.00 (04/10/97)
NTGUIDE.EXE NT Guide (Download First) (04/10/97)

April 04, 1997
AMD, Cyrix and Digital Attack Intel
There is a storm on the horizon -- at least for Intel. In April AMD will attempt to seize the performance crown, before Intel is able to shoot back with its Pentium-II and MMX-233 one month later. But Cyrix and Digital are also lurking in the background, waiting to intervene in the battle at the beginning of summer.

MS Releases "Steelhead" Beta for NT Server 4.0
Steelhead is a set of routing and internet working technologies designed to add advanced communications services to NT Server 4.0. Steelhead offers a compelling alternative to traditional proprietary hardware-based routers for many businesses. It also provides a platform for value-add development by third-party software developers, hardware developers and system integrators.

April 02, 1997
AMD Introduces Sixth-Generation AMD-K6 MMX Processor
AMD today announced it has begun shipments of its sixth-generation AMD-K6(TM) MMX processor, the personal computer industry's highest performance Microsoft Windows compatible x86 microprocessor. "The AMD-K6 processor is smaller, faster, easier to use, more energy efficient and less expensive than Pentium Pro, making it the superior engine for Windows computing,"

April 01, 1997
'Hack' Punches Hole in NT Security
Yesterday, a report in the Electronic Engineering Times spread the word that a new tool available on the Internet could harvest lists of user passwords from NT servers. The Electronic Engineering Times reported that a utility now circulating on the Net could let a hacker gain access to an entire registry of users and their security passwords. The software was originally written with the innocuous goal of moving NT users to Unix, but the report said the tool could be manipulated to bypass the NT security framework. The hacker code is being circulated through a mailing list on the Internet. This alleged security problem could enable a remote user to unscramble encrypted information, like a user password, and display it as plain text. The article refers to the existence of two utilities, PWDUMP and NTCRACK, that enable the uncovering of this flaw.

Judge Rejects Intel Request
A federal judge has denied Intel Corporation's request for a temporary restraining order in a trademark suit over the term MMX. The ruling means that AMD may continue to use the term in advertising and promotional materials describing its AMD-K6 MMX processor. AMD will formally introduce the AMD-K6 processor at a news conference tomorrow.

March 18, 1997
Security Hole In Microsoft Frontpage Occurs
MS has uncovered a bug in the FrontPage Extensions that could allow users to potentially add content to pages on a Web site without permission through use of raw HTML. This can only happen if:
  • Someone viewing a Web page has an advanced mastery of HTML
  • The Web site is hosted on a server that contains the FrontPage server extensions
  • A Web page contains a Save Results WebBot Component or a Discussion WebBot Component

Panasonic, Hitachi Show 24X CD-ROM Drives
Hitachi said it expects to ship its first products in both the United States and Europe in April with an expected street price of approximately $250. Panasonic will ship its new drive in the United States during April as well. Both the Hitachi and Panasonic drives use what the companies describe as constant angular velocity (CAV) technology, which is more commonly used in hard drives. CAV allows for the optimization of data transfer, enabling a maximum rate of 3,600 kilobits per second. Panasonic's drive, the CR-585, is equipped with an IDE/ATAPI interface via which it can be linked into an existing system. It supports all popular CD-ROM formats and is MPC-3-compatible.

March 17, 1997
NT Password Cracking Bug Found In GIFs
NT 4.0 Server and Workstation are affected by this reported bug. It occurs when embedded images reside on a different server, which then obtains the password information. This can happen if you use a web page that points to a rogue SMB server. Versions affected:
Netscape Navigator 3.01 and Microsoft Internet Explorer 3.01 with Security Patches, running NT 4.0
So far, this has only been confirmed on the following test benches:
  • NT 4.0 Server Service Patch 2 - Internet Explorer 3.01B (with the 3 patches in one)
  • NT 4.0 Server Service Patch 2 - Netscape Navigator 3.01p
  • NT 4.0 Workstation Service Patch 2 - Internet Explorer 3.01B (with the 3 patches in one)
  • NT 4.0 Workstation Service Patch 2 - Netscape Navigator 3.01

NT Security Hole Found In Internet Explorer
Affects Windows NT 3.51/4.0 with IE 2.0+. This new problem discovered in MS Internet Explorer shows that NT transparently negotiates an authentication attempt with a remote Web server any time that remote server requests an NTLM authentication process. During that process, Internet Explorer will transmit your user name, password, NT domain or workgroup name, and hostname. Take note here that during this negotiation process, two versions of the user password are transmitted. One is the full length password and the other represents the first 14 characters of the password, transformed into upper case letters. This fact alone is a GREAT argument for longer passwords, longer than 14 chars that is. IE clients cannot detect whether or not this negotiation process is taking place, which makes it incredibly difficult to anticipate. Furthermore, IE can't determine what server it's talking to, that is to say, it doesn't know if the server is a valid system to negotiate with, which means it could be a rogue system. A server could preplan an attack by precomputing a giant database of potential passwords, which can be used for comparison. This is NOT an SMB issue, this is an NTLM issue.
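The argument for longer passwords above rests on what the second, 14-character upper-case form throws away. The Python below is an added example, not code from the page or from Microsoft, and it does not compute any hash: it applies only the transformation the text describes (first 14 characters, folded to upper case) and then reports, for a constructed list of candidate passwords, which properties each one loses and which distinct passwords become indistinguishable once transformed. Function names and the sample passwords are this example's own.

```python
def lm_canonical(password: str) -> str:
    """The transformation the text describes for the second password form
    sent during NTLM negotiation: keep the first 14 characters and fold
    them to upper case. Everything after character 14 plays no part."""
    return password[:14].upper()


def lm_weaknesses(password: str) -> list:
    """Describe what the 14-character upper-case form discards for one
    password. An empty list means nothing is lost (which is not praise:
    it means the password was short and upper case to begin with)."""
    issues = []
    if len(password) > 14:
        issues.append(f"{len(password) - 14} trailing character(s) ignored")
    if password[:14] != password[:14].upper():
        issues.append("lower-case letters folded to upper case")
    return issues


def lm_collisions(passwords) -> dict:
    """Group distinct passwords that become identical after the transformation,
    i.e. passwords that a precomputed table could not tell apart."""
    groups = {}
    for pw in passwords:
        groups.setdefault(lm_canonical(pw), []).append(pw)
    return {canon: pws for canon, pws in groups.items() if len(pws) > 1}


# Constructed candidate list for a password-policy review.
SAMPLE_PASSWORDS = [
    "Correct-Horse-Battery",    # 21 characters, mixed case
    "CORRECT-HORSE-Staple",     # differs only after character 14
    "correct-horse-battery",    # differs only in case
    "x9!Pq",                    # short, mixed case
    "X9!PQ",                    # same as above in upper case
]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r:26} -> {lm_canonical(pw)!r:18} {lm_weaknesses(pw)}")
    print(lm_collisions(SAMPLE_PASSWORDS))
```

The first three sample passwords collapse to the same 14-character string, which is the concrete reason the text gives for going past 14 characters: the extra length is only protected in the full-length form, never in the truncated one.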

Shockwave Security Hole Develops
A recent security hole in Shockwave allows developers to create a Shockwave movie that will read through a user's emails and upload them to a server, all without the user knowing about it. In addition, there is a risk to internal Web servers behind corporate firewalls, regardless of the browser you use (Netscape or Internet Explorer), as long as you have the current release of Shockwave. Versions affected:
Netscape 3.0 (and possibly 2.0) on Windows 95, NT, and Macintosh with Shockwave installed
Possibly Internet Explorer Users with Shockwave installed.

SMB Attacks On Windows 95 With & Without Internet Explorer
Apparently a new problem has been discovered that allows a malicious Web developer to snag a Windows 95 password in cleartext, given only the IP address and Workgroup name. The action could be done in such a way that it leaves no noticeable trace whatsoever, which makes it incredibly dangerous indeed. A Master Browser can be indirectly used as a tool against the machines it serves by introducing a hostile host into the browse list. This exploit requires the use of a SAMBA server, which is a Unix based rendition of an SMB compatible server. Samba servers are capable of announcing themselves to a remote network (workgroup) on a different subnet, given the workgroup name. An intruder may use this technique in two ways to gain access to a username and password. They could introduce a share from the system they place in the browse list, and wait for a user to make an attempt at accessing it, at which point the username and password are transmitted. They could also embed the file:// tag into a Web page and wait for a user to arrive at that page, at which point the Web browser would initiate a connection to the remote server named in the file:// tag, and promptly transmit the username and password.

March 14, 1997
AMD Says Intel Suit On MMX Is Without Merit
A lawsuit filed today in federal court in Delaware by Intel Corporation claiming trademark rights to the term "MMX" is without merit and poses no threat to delay shipments of the forthcoming AMD-K6(TM) MMX processor, according to the company. Thomas McCoy, general counsel for AMD, said that Intel's claim of trademark rights to MMX, a term that is the generic acronym for "multimedia extensions," is the issue in the litigation. "We believe the term MMX belongs to the public domain, and we expect to prevail when the matter goes to trial," said McCoy.

March 07, 1997
You guessed it--> Another Internet Explorer Bug
Yet another security hole has been found in Microsoft's Internet Explorer 3.01a. This hole allows a malicious web page to automatically run any program on the user's hard drive, which means that users of Internet Explorer could have their hard drives completely deleted, their private information stolen, or their computer infected with a virus merely by looking at a web page. This bug works on a similar principle as the bug discovered earlier. However, instead of using .lnk files or .url files, this bug exploits the fact that other files can also be downloaded and automatically executed without prompting the user for permission. This bug is not fixed by the security patch which Microsoft put out for the earlier bug. This bug has thus far only been verified on the Windows 95 version of Internet Explorer. This bug does not appear to affect NT (any service pack/version), in its usual configuration. These exploits are harmless and are for demonstration purposes only. However, they could easily have been made very harmful if that had been our intent. These demos require that the "Internet Wizard" be present on your system. It is the Internet Wizard that parses the ".ISP" files. You must also have Win95 located in "C:\WINDOWS". Note that a script to delete a whole hard drive wouldn't care where windows is located, however.

March 06, 1997
Yet Another Internet Explorer Bug
On certain machines running Internet Explorer 3.0, an icon can be embedded within a web page. When double-clicked, this icon may run a remote application without warning. This is not the same as the ".LNK and .URL" bug discovered below. This bug only affects Internet Explorer 3.0 users (version 4.70.1215). The problem is significantly more serious if the user is on a platform with CIFS (NT 4.0 with Service Pack 1 or later installed). If this is the case, the location of the malicious executable code to be run on the victim's machine could be anywhere on the Internet. If this is not the case, the location of the machine containing the code is restricted to within the scope of Windows name resolution. For example, the host must be either on the same subnet, listed in the victim's LMHOSTS file, or listed on the victim's WINS server. Internet Explorer enables a user to use a URL describing a remote directory. When a user clicks on such a link, they are brought to what is essentially a Windows Explorer window, but inside of Internet Explorer. If this URL is used as the basis for an