1995-12-20 - Update on Microsoft .PWL and SMB Spin Control

Header Data

From: Rich Graves <llurch@networking.stanford.edu>
To: cypherpunks@toad.com
Message Hash: 858f19f3ca683c48a1aad797263db2a522ce6628e3b491f725cfb2f10b55666c
Message ID: <Pine.ULT.3.91.951219193256.8207C@Networking.Stanford.EDU>
Reply To: <c=US%a=_%p=msft%l=RED-72-MSG951211115528QX007C00@red-01-msg.itg.microsoft.com>
UTC Datetime: 1995-12-20 04:07:51 UTC
Raw Date: Tue, 19 Dec 95 20:07:51 PST

Raw message

From: Rich Graves <llurch@networking.stanford.edu>
Date: Tue, 19 Dec 95 20:07:51 PST
To: cypherpunks@toad.com
Subject: Update on Microsoft .PWL and SMB Spin Control
In-Reply-To: <c=US%a=_%p=msft%l=RED-72-MSG951211115528QX007C00@red-01-msg.itg.microsoft.com>
Message-ID: <Pine.ULT.3.91.951219193256.8207C@Networking.Stanford.EDU>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

I was thinking about copying this to Yves and Yusuf, but I figure it 
will get to them anyway.

The WinNews #22 mass mailing (by the way, there seems to have been no
#21) has this to say about the .PWL bug: 

 NEW POSTINGS TO WINDOWS 95 WEB SITE AND FORUMS 

  * Under "WINDOWS 95 SOFTWARE LIBRARY"
      * In "Windows 95 Updates"
  
          - "Enhanced Password Cache Security Update" - an 
  enhanced security component that substantially strengthens
  the encryption used for the Microsoft Windows 95 password
  cache.

The update comes with no ReadMe -- it's a self-contained installer only.
No details on how it works appear to be available anywhere. There seems
to be no way to ensure that you have received a patch without viruses or
other modifications. I will not recommend or distribute this archive to
anyone until these problems are fixed. 

I also just noticed how WinNews #19 was censored:

 Free Software

  "Updated Drivers for Windows 95 File and Printer Sharing" - has a single 
  readme. The files are self-extracting executables located at: 
  FreeSoftware|Windows 95 Updates

The correct name for this page and patch is "Updated Drivers for Windows
95 File and Printer Sharing Security Issue." WinNews gave no indication
what this patch did. 

A "WinNews Special Issue" with some details on the SMB bug (including
incorrect information that has been quietly corrected, but not retracted
on WinNews or elsewhere) was sent to at least some WinNews subscribers in
late October. This "Special Issue" is not archived on Microsoft's Web
site, however -- it's the only issue that isn't. 

One month, ten days after the Windows 95 Product Manager assured me that
they would be made available "within two weeks," there are still no
international versions of the SMB or C$ security patches available on
Microsoft's Web site. All non-English copies of Win95 are still
vulnerable. 

Most of the major PC magazines are going to carry something on the SMB 
and .PWL bugs next month. Windows Magazine's story is going to be 
unambiguously positive:

  In response to a posting on the Internet questioning the security of
  Windows 95's optional password caching feature, Microsoft immediately 
  recommended that concerned users turn off password caching. Microsoft
  has now released a free update to Windows 95 that substantially 
  increases security.

- -rich

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMNeLII3DXUbM57SdAQErKQQA3WuAAnphzOt8zZQP/wwMoUL2qt9ZocDd
9ozHfKW8FBwnLktQXMGfCIXpNPFqWlM2NtPeci7pcN4DdcyR463aTeKSEEe60fJD
tpnBJBztlGYSTOlMyxJiI+nFCBodkAG0NRA9GkHi6gAW9Rds3tZW9VTozvQq+2Ba
2F9BrVbwass=
=co1m
-----END PGP SIGNATURE-----




