The BugBlog -- March 2003

BugBlog

	Rather than chopping the BugBlog up into weekly archives, I'm going to try monthly archives instead. So all the March bugs will remain on this page, and I'll slowly go back and combine the past blog pages into monthly entries as well. The BugBlog is free- but if you want to help support its existence, feel free to make a donation via PayPal using the button at left. Better yet, subscribe to the BugBlog Plus. A three month subscription is only $5.
3/31	If you are still using Novell NetWare 4.11 or 4.2,there is an NDS update for you. DS.NLM 6.17 takes care of some problems with synchronization with a server on a mixed ring. Look for it at http://support.novell.com/servlet/tidfinder/2963473. Apple has new firmware for the AirPort Extreme Base Station. Note that this is for the Extreme, and not for the Graphite (the original) or the Snow (dual-Ethernet) version. It fixes some problems that may be caused by interference in the 2.4 Ghz band (such as from your neighbor's wireless phone.) It doesn't lessen the interference, but it lets the base station recover better after the interference. Get it at http://docs.info.apple.com/article.html?artnum=120191. There is a new release of mod_python for the Apache HTTP Server. This is a bug fix release, taking care of the problems in the last release, which was 3.0.1. They don't specify what the fixes are in this version, which can be downloaded at http://httpd.apache.org/modules/python-download.cgi.
3/27	There hasn't been much blogging - not because there haven't been any new bugs. Instead, I was in Washington, listening to a bunch of economists, plus I'm spending too much time watching and reading war news. Anyway, here are some new ones. Apple says that iChat has compatibility problems with the Mac OS X 10.2 (and later) firewall. If the firewall is on, and in its default settings, you won't be able to send or receive a file. The current workaround from Apple is to go to the Sharing preference panel, in both computers, and turn off the firewall. They are probably not happy with this workaround, where you can get the details at http://docs.info.apple.com/article.html?artnum=107476. They say to check back for new information. Red Hat has updated their kernel package in Red Hat Linux 7.1, 7.2, 7.3, and 8.0. They did this to take care of a bug in ptrace, which an attacker may use to upgrade their privileges. The updates are at https://rhn.redhat.com/errata/RHSA-2003-098.html?tag=nl. Microsoft says that there is a bug in the Remote Procedure Call (RPC) endpoint mapper that may allow an attacker to launch denial of service attacks against Windows NT 4.0, Windows 2000, and Windows XP computers. Microsoft says that this protocol is "derived from the OSF (Open Software Foundation) RPC protocol, but with the addition of some Microsoft specific extensions." (Hmm, wonder which part has the bug?) In any case, users can follow links to the appropriate patch from http://www.microsoft.com/technet/security/bulletin/ms03-0010.asp. Microsoft credits jussi jaakonaho for finding this problem for them.
3/19	Yesterday's Microsoft problem only affected some Windows 2000 sites. Today's problem affects a whole lot more. There is a bug in the Windows Script Engine that affects Windows 98, 98 SE, ME, NT 4.0, NT 4.0 Terminal Server Edition, 2000 and Windows XP. (Only Windows 95 and Windows 3.1 are safe, apparently.) An attacker could exploit this security flaw either on a web page or in an HTML-formatted email message sent to the target, and run their own code on a target machine. Links to the patches for each edition of Windows can be found in the Microsoft Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms03-008.asp. Microsoft fixed another security-related bug today. This one is more limited in scope, affecting only the Internet Security and Acceleration Server 2000. A bug in the filter that screens incoming requests may make ISA Server vulnerable to a denial of service attack. The patch for this is at http://www.microsoft.com/isaserver/downloads/mostpopular.asp.
3/18	If you are running an Apple Macintosh OS X client, and using AFP to create shares on a Microsoft Windows 2000 Server, these shares may have the wrong permissions, so the Mac people won't be able to access these folders. If you are having problems sharing your shares, see the workaround from Apple at http://docs.info.apple.com/article.html?artnum=107481. Microsoft has a critical patch out for Windows 2000 System Administrators, to plug a security breach in WebDAV. There is an unchecked buffer that may allow an attacker to run their own code on the target computer. As a workaround, the IIS Lockdown Tool should block this attack. For more details, and links to the fix, see http://www.microsoft.com/technet/security/bulletin/ms03-007.asp. There is a better discussion of the technical issues involving the Windows 2000 vulnerability that is in Microsoft Security Bulletin 03-007, the WebDAV problem, over at NTBugTraq. There has also been some discussion there about problems some sites have had with the fix. Find out more at http://www.ntbugtraq.com/default.asp?sid=1&pid=47&aid=74. Note that this is only for Windows 2000 system admins, ordinary computer users probably don't have to worry (unless they are running MS Internet Information Server.)
3/17	The latest version of Mozilla is 1.3, which you can get at http://www.mozilla.org/releases/. This release "includes fixes for performance, standards compliance and site compatibility" but it is a little difficult to pin down what they were. This version seems to be working fine here at the BugBlog. There is a problem with XPInstall in the Apple Mac OS X version of Mozilla 1.3. This feature has been disabled in this version, which means you won't be able to install extensions and themes. If you want extensions and themes, you will need to stick with an earlier release. You can follow the technical discussion at http://bugzilla.mozilla.org/show_bug.cgi?id=196959. If you upgrade to Mozilla 1.3, don't use older versions of the mozdev spellchecker. It will crash if you use it with Mozilla 1.3 or later. The latest version of the spellchecker should be at http://spellchecker.mozdev.org/, although as of 3/17/03, the version for 1.3 didn't seem to be ready yet. There is no MRJ Java plug-in for Mozilla 1.3. This means that LiveConnect isn't working. According to Mozilla's release notes, the Apple JavaApplet plug-in will be used instead. There will not be any XBL-based form controls in Mozilla 1.3, or in any trunk builds off 1.3. This won't affect the default settings of Mozilla, and will only affect users who had made a change in your Debug settings. As in previous versions, if you do a double right-click on a page in Mozilla 1.3, you run the risk of disabling your keyboard. This bug affects Mozilla in all operating systems and in all hardware platforms.
3/15	There is a security advisory for Mandrake Linux 8.1, 8.2, 9.0, Corporate Server 2.1, and Multi Network Firewall 8.2. The usermode package has a flaw in the /usr/bin/shutdown command, that may let a local user shut down all the running processes and drop down to the root shell. If you don't want local users to do that, you need to upgrade. This can be done automatically with MandrakeUpdate. Toshiba says that if you are using the Power Saver program on one of the Satellite laptops running Windows XP, the Critical Alarm Battery program may not work correctly. The alarm may go off when you reach the critical point, but the linked program that is supposed to pop up may not appear. Toshiba says this will happen if there is no user password set. They say this limitation is due to Windows XP security. All versions of Microsoft Money 2003 may give XML error messages when you try to view the Money 2003 Help files. The error message may look like: Unable to load topic. Click here to try again. The problem is corrupted files, however it is not the Help files that are corrupted. Instead, Microsoft says corrupted files in the Temporary Internet Files folder may be the problem. Delete them so you can see the Money 2003 Help files. If you install Microsoft Office XP and then activate it via telephone, the Office XP Web Components may only operate in view-only mode. Microsoft says that a workaround for this is to activate Office XP again by Internet. (See -- they are bound and determined to spy on you!) Or better yet, install Office XP Service Pack 1 or later.
3/14	No bugs today. Instead, I'll be replacing the power supply in my Dell desktop, which was still under warrenty, and whose fan was making horrible sounds. While it took about four calls to locate the right person to talk to about the replacement (three of whom were probably in India) they cheerfully sent a new power supply, which arrived three days ahead of schedule. Update: The surgery was successful, and there is a nice, quiet computer here again.
3/13	When asked why he robbed banks, Willie Sutton is supposed to have said "Because that's where the money is." Well, that's why the BugBlog looks at Microsoft Outlook, because that's where the bugs are. (That's the same reason the BugBlog doesn't use Outlook.) Here are some Outlook bugs: If you use Microsoft Outlook 2002 with Network Address Translation (NAT), you may not get notified that you have new email. The problem is NAT is interfering with the sending of the Universal Datagram Packets (UDP) that Outlook uses to check the server for new email. Microsoft says they fixed this in Office XP Service Pack 2. If you are using Microsoft Outlook 2002 alongwith a third-party OCX, and the Com Add-In is loaded, Outlook 2002 may crash. Microsoft said they fixed this in Office XP Service Pack 2. If Microsoft Outlook 2002 is configured so that a public folder has an Outlook Web Access (OWA) page set as its default home page, you may see this error message when the folder is opened: An Error has occurred in the script on this page. Line: 1028 Char: 2 Error: Unable to perform a security operation on this script code in this style sheet. Code: 0 Microsoft says this is due to an incompatibility between Outlook 2002 and Microsoft Internet Explorer 6. This has been fixed in Office XP Service Pack 2. In Microsoft Outlook 2002, running with Exchange Server 5.5 or Exchange Server 5.5 Service Pack 4, a corrupted First Day of the Week field in a recurring meeting may cause Outlook 2002 to hang. This was fixed first in a hotfix described in Knowledge Base article 281935, and then later in Office XP Service Pack 2. This bug may affect Microsoft Outlook 2000 and 2002, as well as Exchange Server 5.5 and Exchange 2000 Server. What happens is when a user starts Outlook, they may see this error message, even when they give the correct username and password: Your logon information was incorrect. Check your username and domain, then type your password again. If your account is new or if your administrator requested a password change you need to click Change Password then logon with your new password. This message may also pop up again and again when checking your Exchange mailbox, but may finally go away. According to Microsoft, this may be because of missing entries in this Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ClientProtocols. To see what the key should look like, and details on how to fix it, seehttp://support.microsoft.com/?kbid=321652. In Microsoft Outlook 2002, if there is a recurring meeting on the calendar, and one user updates only a single instance of the recurring meeting and then adds an attachment, some of the meeting attendees will get an error message: The operation failed. An object could not be found. Microsoft has a hotfix for this, which will be in a future Office XP service pack. If you need the fix right away, contact Microsoft Technical Support and ask for the hotfix described in Knowledge Base article 324918. Note that you may get charged for this call. When using Microsoft Outlook 2002 with Service Pack 1, changing the language on the task bar may cause Outlook to spike CPU usage to 100 percent. According to Microsoft, this happens on a dual processor computer. This has been fixed in Office XP Service Pack 2.
3/11	Sun ONE Meta-Directory 5.1 has compatibility with more than just ASCII characters, which was the case with earlier versions. According to Sun, this version will also synchronize attribute values with UTF-8 encoded Unicode characters too. If nothing else, that means it will understand the Euro character. Someone posted this on the Microsoft Windows XP newsgroup, and it worked on my version of XP. In Notepad, type in the following line, and save the file to dog cat pet Open the file, and all you will see are some Unicode "boxes". Some people speculate that its not the words, but the pattern. (Wonder who wrote that note anyway?" No big cosmic significance here. There is a new UNICON.NLM for Novell NetWare 5.0 that runs NFS 2.4 or UNIX Print Services 2.3J, with Support Pack 6a. It's also for NetWare 5.1 running UNIX Print Services 2.5. It's exactly the same as the beta version that was released earlier, according to Novell. If you have the beta, you don't need the upgrade, which fixes an abend that happened during login. If you don't have the beta, get the release version at http://support.novell.com/servlet/tidfinder/2959228.
3/10	Macromedia says that if you are going to install the Dreamweaver MX Updater, you need to take some preliminary steps. First, disable all the Dreavweaver MX extensions. Then disable virus protection. They say to do the second step before installing any Macromedia product, although I've installed quite a few without doing so, and it hasn't seemed to cause any problems. There is a security update for Apple's Mac OS X 10.2.4. It fixes the recently discovered bug in Sendmail, which is included in OS X although it is not turned on by default. It also includes an update in OpenSSL that improves security. Get the update at http://docs.info.apple.com/article.html?artnum=120195.
3/7	There is an update for Novell BorderManager Enterprise Edition 3.6 and 3.7. This is to fix a problem that Apple Macintosh computers, using the Microsoft Internet Explorer browser, were having with SSL authentication. Get the updated PROXY.NLM in bmmacssl1.exe at http://support.novell.com/servlet/tidfinder/2965091. If you have upgraded to Novell's NFS 3.0 Support Pack 1, you may have outdated documentation. Download the latest version of the NFS 3.0 Admin Guide in nfsadmn2.exe, available at http://support.novell.com/servlet/tidfinder/2958425. The file was updated 3/5/03. iPlanet Directory Server 5.1 Service Pack 2 stomps out a lot of bugs that were causing crashes and problems in replication. These include: delete operations not being propogated to the consumer; nsTombstone entries surviving purges; crashes after deleting attributes; the Directory crashing after replication was enabled; missing replication aggreement attributes causing directory crashes; and many more. If you try to change the configuration for Microsoft Visual Studio .NET, by changing the installed components, you may see this error message: A selected drive is no longer available. Please review your installation path settings before continuing with setup. Microsoft says this message will be triggered if you have less than 10 MB of free hard drive space. You need to get more free space on the drive -- the recommendation is to have 1.9 GB of space.
3/6	Microsoft says you may have a problem in Excel 2002 if you use a Range.Find operation within a Visual Basic for Application (VBA) program. Once you do it in a program, then a manual Find and Replace will not work. This has been fixed in Office XP Service Pack 2. Both Microsoft Data Access Components 2.6 and 2.7, with Service Pack 1, may have problems with remote stored procedures. If you run the procedure with output parameters on a linked server through an ODBC driver for SQL Server, it may not work. Instead, you may get this error message: ODBC SQL Server Driver]Restricted data type attribute violation Microsoft has a fix, which will be in a future MDAC service pack. If you need the fix right away, contact Microsoft Technical Support and ask for the hotfix described in Knowledge Base article 329964. When using Microsoft Access 2002 with the Microsoft Jet 4.0 Service Pack 4, AutoNumber fields may not work correctly. Delete the last record in a database, and then compact the database. Afterwards, an AutoNumber field will not start at the next highest number. Microsoft has two different lengthy workarounds for this. Once involves creating and importing tables, the other adds some code to the database. Get the details at http://support.microsoft.com/?kbid=287756.
3/5	Microsoft SQL Server 2000 Service Pack 2 includes the hotfix that was needed to squash the bug originally discussed in Microsoft Knowledge Base article 317619. The bug was preventing the Microsoft SQL Server 2000 Desktop Engine from being removed during an upgrade. This was causing one of two error messages: The instance name specified is invalid. Or Fatal error during installation. Microsoft SQL Server 2000 Service Pack 2 includes the hotfix that was issued to plug a handle leak that happened when there are many quick connections and disconnection in the SQL Server process. Apple has a firmware update 5.0.3 for AirPort Extreme. It fixes some problems that make the AirPort Extreme network unavailable, especailly due to interference on the 2.4 GHz radio band. This firmware also should fix the problem that was causing spontaneous re-starts. Get it at http://docs.info.apple.com/article.html?artnum=120191. Netscape 7.02 has been released. It includes the newest Macromedia Flash 6 r65 plugin for Windows computer, as well as a new Java 1.4.0_03 plugin for Windows. They also say that this release improves stability and enhances security, but they don't say what specific bugs have been squashed to achieve these goals. Well, you get what you pay for.
3/4	If something is labelled "Version 1a" most people would assume it is more advanced than something labelled "Version 1." However, that is not the case with Microsoft Windows XP Service Pack 1. While SP 1a was released after SP 1, you don't need to install it if SP 1 is already in place. The only difference between the two -- the Microsoft Virtual Machine, their implementation of Java -- has been removed from 1a. Of course, depending on how court decisions turn out, we may be seeing SP1b sometimes soon. Internet Security Systems found a serious security problem in the SendMail security package that may allow an attacker to get root access to a vulnerable system. This affects all the commercial releases of Sendmail, including Sendmail Switch, Sendmail Advanced Message Server (which includes the Sendmail Switch MTA), Sendmail for NT, and Sendmail Pro. It also affects the Sendmail open source versions from 5.79 up to the most recent version, 8.12.7. Commercial users can get a patch from www.sendmail.com/security/. Open source users can get their fix from www.sendmail.org. Another security bug has been found in the Macromedia Flash Player. This bug may allow an attacker to use a buffer overflow to gain control over a computer. Macromedia has a cumulative security patch available for FlashPlayer at http://www.macromedia.com/go/getflashplayer/.
3/3	There is an updated Sun ONE Identity Server Policy Agent 2.0 for IBM HTTP Server 1.3.19, for both Solaris and Windows platforms. On Windows 2000, running Microsoft Internet Information Server 5.0, stopping an individual web site may trigger an error message warning of memory corruption. Sun says to ignore the messages and restart IIS. Debian syas that the mhc-utils package has a program, adb2mhc, that creates a default temporary directory with a name that is easy to guess. This may give a local attacker a clue in ways to attack a system by overwriting files. This has been fixed in Debian GNU/Linux 3.0. For more information, see http://www.debian.org/security/2003/dsa-256. When using Apple iMovie 3 or iDVD 3, including any 12-bit audio in your project may cause the audio and video to get out of sync. For now, 12-bit audio is incompatible.