-----BEGIN PGP SIGNED MESSAGE----- I was thinking about copying this to Yves and Yusuf, but I figure it will get to them anyway. The WinNews #22 mass mailing (by the way, there seems to have been no #21) has this to say about the .PWL bug: NEW POSTINGS TO WINDOWS 95 WEB SITE AND FORUMS * Under "WINDOWS 95 SOFTWARE LIBRARY" * In "Windows 95 Updates" - "Enhanced Password Cache Security Update" - an enhanced security component that substantially strengthens the encryption used for the Microsoft Windows 95 password cache. The update comes with no ReadMe -- it's a self-contained installer only. No details on how it works appear to be available anywhere. There seems to be no way to ensure that you have received a patch without viruses or other modifications. I will not recommend or distribute this archive to anyone until these problems are fixed. I also just noticed how WinNews #19 was censored: Free Software "Updated Drivers for Windows 95 File and Printer Sharing" - has a single readme. The files are self-extracting executables located at: FreeSoftware|Windows 95 Updates The correct name for this page and patch is "Updated Drivers for Windows 95 File and Printer Sharing Security Issue." WinNews gave no indication what this patch did. A "WinNews Special Issue" with some details on the SMB bug (including incorrect information that has been quietly corrected, but not retracted on WinNews or elsewhere) was sent to at least some WinNews subscribers in late October. This "Special Issue" is not archived on Microsoft's Web site, however -- it's the only issue that isn't. One month, ten days after the Windows 95 Product Manager assured me that they would be made available "within two weeks," there are still no international versions of the SMB or C$ security patches available on Microsoft's Web site. All non-English copies of Win95 are still vulnerable. Most of the major PC magazines are going to carry something on the SMB and .PWL bugs next month. Windows Magazine's story is going to be unambiguously positive: In response to a posting on the Internet questioning the security of Windows 95's optional password caching feature, Microsoft immediately recommended that concerned users turn off password caching. Microsoft has now released a free update to Windows 95 that substantially increases security. - -rich -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMNeLII3DXUbM57SdAQErKQQA3WuAAnphzOt8zZQP/wwMoUL2qt9ZocDd 9ozHfKW8FBwnLktQXMGfCIXpNPFqWlM2NtPeci7pcN4DdcyR463aTeKSEEe60fJD tpnBJBztlGYSTOlMyxJiI+nFCBodkAG0NRA9GkHi6gAW9Rds3tZW9VTozvQq+2Ba 2F9BrVbwass= =co1m -----END PGP SIGNATURE-----