-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= AL-95.04 AUSCERT Alert October 24, 1995 Resource Sharing Vulnerability in Windows 95 - ----------------------------------------------------------------------------- Auscert has received an alert released by Microsoft detailing possible security problems for those who are using Windows 95 and sharing file systems and printer access across their network. It particularly involves those sites which share files and printers with users over the network using the NetWare network drivers. It also concerns all those who share a LAN, Internet or Dial-Up connection with a UNIX-based computer running SAMBA's SMBCLIENT software. If you are using Windows 95, and think that you may be affected, Auscert recommends that you read this document. A copy of the release is attached below, and for more information on this issue, see Microsoft's WWW page at: http://www.microsoft.com/windows/software/w95fpup.html - ---------------------------------------------------------------------------- If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams). AUSCERT is the Australian Computer Emergency Response Team, funded by the Australian Academic Research Network (AARNet) for its members. It is located at The University of Queensland within the Prentice Centre. AUSCERT is a full member of the Forum of Incident Response and Security Teams (FIRST). AUSCERT maintains an anonymous FTP service which is found on: ftp://ftp.auscert.org.au. This archive contains past SERT and AUSCERT Advisories, and other computer security information. AUSCERT also maintains a World Wide Web service which is found on: http://www.auscert.org.au. Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 4477 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. Postal: Australian Computer Emergency Response Team c/- Prentice Centre The University of Queensland Brisbane Qld. 4072. AUSTRALIA - -------------------------------------8<-------------------------------------- ===================================================== Microsoft(R) WinNews Electronic Newsletter Special Issue, October 20, 1995 *********************************************************** Here is some important information on Windows 95 that may affect some of you. Please make certain to read it. UPDATED DRIVERS FOR WINDOWS 95 FILE AND PRINTER SHARING SECURITY ISSUE - October 20, 1995 Microsoft wants its customers to know that it has discovered and fixed a potential security problem with file and printer sharing in Windows 95. Only customers who have enabled file and printer sharing - a non-default option - may have been at risk, and, to the best of our knowledge, no users have been harmed. Nevertheless, Microsoft regards this potential problem with the greatest seriousness and, we have worked hard over the past week to resolve it. Microsoft recommends customers using File and Printer Sharing upgrade to the newer drivers. How do I know if I am affected? Only customers that use the File and Printer Sharing option to share their files with other users on a network are affected. This option is not enabled by default so unless you have manually enabled it, you are not affected by this issue. To determine if File and Printer Sharing is enabled, choose the Networks Option in the Control Panel. If file and printer sharing is enabled, you will see either "File and Printer Sharing for Microsoft Networks" or "File and Printer Sharing for NetWare Networks" in the list of installed network components. What are the issues? File and Printer Sharing for NetWare Networks Microsoft was recently made aware of an issue with File and Printer sharing for NetWare Networks which may affect data security for corporate users. Only users whose environments meet both of the following conditions may be affected: 1. They configure their machine to share files and printers with other users on the network using File and Printer Sharing for NetWare networks (This option is not turned on by default) 2. They enable remote administration or install Microsoft Remote Registry Services (These options are not turned on by default) If your configuration matches that listed above, it is possible for another user on the network to gain read-only access to your machine after the administrator has logged off the machine and until you restart your computer. To correct this problem, Microsoft has issued an updated driver for File and Printer Sharing for NetWare Networks. The updated driver ensures that only valid administrators have access to the computer's drive. File and Printer Sharing for Microsoft Networks (not MSN: The Microsoft Network online service) Microsoft is also issuing an update for a known problem with File and Printer Sharing for Microsoft Networks and a certain UNIX shareware network client (Samba's SMBCLIENT). The update corrects a problem with share-level security documented in the Microsoft Knowledge Base on October 9th. The update also includes a correction for a similar problem with user-level security that Microsoft recently discovered as part of its internal testing of the new driver. Customers whose environments meet all of the conditions below, may have their data susceptible to network or Internet hackers: 1. They configure their machine to share files and printers with other users on the network using File and Printer Sharing for Microsoft Networks (This option is not turned on by default) 2. They share a LAN, Internet, or Dial-Up connection with a UNIX-based computer running Samba's SMBCLIENT software 3. The network administrator does not disable peer services using System Policies The Samba SMB client allows its users to send illegal networking commands over the network. The Samba client is the only known SMB client at this time that does not filter out such illegal commands. SMBCLIENT users do not automatically have access to the Windows 95 drive, and must know the exact steps to send these illegal commands. The updated driver prevents these illegal commands from being executed, preventing SMBCLIENT users from accessing the drive on which sharing is enabled. With the updated driver, the SMBCLIENT user will only have access to those shared folders that the Windows 95 user has designated. How do I get the Updated Drivers? (Please note that this only affects English language versions of Windows 95.) Both drivers are available for immediate download from the Internet (http://www.microsoft.com/windows), The Microsoft Network online service, and is being made available to other online services including CompuServe, America Online, and Prodigy. The updated drivers will also be mailed to any user free of charge if they call Microsoft's FastTips line, 800-936-4200, beginning Monday, October 23rd. Microsoft is committed to providing safe connectivity solutions for customers. Microsoft takes this responsibility seriously and has worked, and will continue to work, with great speed to provide solutions for customer issues. -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Finger pgp@ftp.auscert.org.au to retrieve AUSCERT's public key iQCVAwUBMI1e5Sh9+71yA2DNAQE5JgQAjpjqO8/WLNecOZ0QMPDGl2qqWkoZ0GUA OKtgAJI7LODl/ZVrO0do/7B0UFv9PPTtIrz9I2Aaapmae6jmL4fd3M+NM5ULp9Tr JRJzJcXz21ewAydJJPIqAD6a6UsLzGdenXUCU+xYwDg6BpV+Qa+xXJrS1z4AoIKX NPnReddu8Sc= =HspS -----END PGP SIGNATURE-----