MS Corrects Press Release on "Samba" Security Problem

Richard Charles Graves llurch at Networking.Stanford.EDU
Mon Nov 13 00:44:42 PST 1995


The Win95 product manager let me know yesterday that they'd corrected some
of the errors on their Web server. I'm sure Microsoft is planning to
publicize the changes in greater detail, so I'll just summarize them here. 

Load the original security bugfix news release at
gopher://quixote.stanford.edu/0R1271897-1279147-/win95netbugs side-by-side
with the corrected version now at
http://www.microsoft.com/windows/software/w95fpup.htm to see the changes. 
Notable corrections are:

1. Microsoft has retracted the puzzling allegation that SMBCLIENT sends
"illegal commands" across the network. 

2. Microsoft is now a bit more forthright in acknowledging that the 
problem applies to all language versions of Win95.

They didn't change the date, and they still say that Samba is shareware. 
And they still fail to give proper credit to the third parties that
actually found the problems for Microsoft. Oh well, can't have everything. 

Microsoft has also promised that localized (foreign-language) versions of
the "updated files that address the issue" will be made available within
two weeks. I still don't understand what the hold-up is, but a time frame 
is good.

In addition, Microsoft is reconsidering the position of the NE4100 and
certain NE2000-compatible PCMCIA cards like the EFA-207 on the hardware
compatibility list because, well, they aren't. 

Yusuf has given his imprimatur of Official Microsoft Response to the
discussion of the well-known IPX SAP routing and security issue saved at
gopher://quixote.stanford.edu/0R161799-178969-/win95netbugs. Previously
this had only been posted with the "speaking only for myself" disclaimer.
Microsoft had acknowledged only the specific "server name conflict issue"
covered by PC Week, not the underlying general problem that has been
widely discussed on Usenet. Maybe we'll get a good article into the
Knowledge Base now. 

I'm still hoping they'll document the known and acknowledged ProviderPath 
problem with wsock32.dll.

Progress comes slowly.

-rich





