Microsoft Patches Allow Safer Surfing

In case you missed it, Microsoft recently got caught with its proverbial pants down: The phrase "Netscape engineers are weenies!" was found embedded backward in the Web server software included in Windows 95 and 98, Windows NT 4.0 Option Pack, and FrontPage 98.

Some security experts feared that the phrase (included in a file named Dvwssr.dll) opened a back door to Web servers running Microsoft software. The company denies that the prank itself made the software vulnerable. But Microsoft confirmed that coincidentally the .dll file opens two security holes, though these holes affect only Web servers. The fix? Find all instances of Dvwssr.dll by conducting a search for the file on your PC, and delete each occurrence of the file. The only feature you lose by getting rid of this file is the ability to create "link views" or maps of your Web site to check for invalid links.

Meantime, Microsoft has been busy patching two other security holes that threaten users who surf the Web and use e-mail.

BUG: Beware file attachments from unknown sources, including Excel files. Normally, Excel warns you before you open a file that contains a macro. But an attacker can defeat the Excel 97 and 2000 warning system by embedding Excel 4.0 macro language commands in an external text file. If you receive one of these spreadsheets, opening the file or clicking an internal link could allow a destructive Excel macro to run without warning, altering or deleting files on your hard drive.

FIX: The patch won't let macros run unannounced. Excel 2000 users need to update to Microsoft Office Service Release 1. For a link to a 2.8MB fix for Excel 97, with installation info, hop to Microsoft Office Service Release 1a Update.

BUG: You could find yourself staring at the "blue screen of death" simply because you read an HTML e-mail message or visited a Web site, due to a flaw in the way all versions of Windows 95 and 98 handle file path names. To leave you feeling (and seeing) blue, an attacker need only embed a file link that includes more than one DOS device name, such as C:\COM1\COM1. When Windows comes across a path name that contains a single DOS device name, it ignores the path name and treats it as invalid. Unfortunately, Windows doesn't simply discard multiple DOS device names in the same way. Because your system chases after path names that don't exist, it ends up crashing.

FIX: The patch makes Windows recognize file path names with more than one DOS device name as invalid. If you use Windows 98 or Windows 98 Second Edition, download a 228KB fix. A 267KB fix for Windows 95 is also available.

Office Update Gets Another Cleaning

Microsoft's first service release (SR-1) for Office 2000 is supposed to solve problems for users of the popular suite. But as we reported last month, installing SR-1 caused problems for some users. Microsoft has promised to post a revised version of the release (named SR-1a) to address the most serious problem. Users who installed SR-1 after upgrading from Windows NT 4.0 to Windows 2000 experienced a variety of glitches, like nonworking hyperlinks. Windows 2000 users who have already installed the SR-1 update and have endured the resulting hassles can download a fix from FileWorld. For additional information, go to www.free.msn.com.