[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
MS Corrects Press Release on "Samba" Security Problem
- To: Cypherpunks Lite <[email protected]>
- Subject: MS Corrects Press Release on "Samba" Security Problem
- From: [email protected] (Richard Charles Graves)
- Date: 10 Nov 1995 19:21:53 -0800
- Apparently-To: <[email protected]>
- Followup-To: comp.os.ms-windows.win95.misc
- Newsgroups: comp.protocols.smb,comp.os.ms-windows.networking.misc,comp.os.ms-windows.win95.misc,alt.security,comp.security.misc,comp.os.ms-windows.networking.tcp-ip
- Organization: Stanford University, CA 94305, USA
- Sender: [email protected]
- Xref: uci.uci.com comp.protocols.smb:1138 comp.os.ms-windows.networking.misc:3833 comp.os.ms-windows.win95.misc:31150 alt.security:9933 comp.security.misc:16393 comp.os.ms-windows.networking.tcp-ip:12822
The Win95 product manager let me know yesterday that they'd corrected some
of the errors on their Web server. I'm sure Microsoft is planning to
publicize the changes in greater detail, so I'll just summarize them here.
Load the original security bugfix news release at
with the corrected version now at
http://www.microsoft.com/windows/software/w95fpup.htm to see the changes.
Notable corrections are:
1. Microsoft has retracted the puzzling allegation that SMBCLIENT sends
"illegal commands" across the network.
2. Microsoft is now a bit more forthright in acknowledging that the
problem applies to all language versions of Win95.
They didn't change the date, and they still say that Samba is shareware.
And they still fail to give proper credit to the third parties that
actually found the problems for Microsoft. Oh well, can't have everything.
Microsoft has also promised that localized (foreign-language) versions of
the "updated files that address the issue" will be made available within
two weeks. I still don't understand what the hold-up is, but a time frame
In addition, Microsoft is reconsidering the position of the NE4100 and
certain NE2000- compatible PCMCIA cards like the EFA-207 on the hardware
compatibility list because, well, they aren't.
Yusuf has given his imprimatur of Official Microsoft Response to the
discussion of the well-known IPX SAP routing and security issue saved at
this had only been posted with the "speaking only for myself" disclaimer,.
Microsoft had acknowledged only the specific "server name conflict issue"
covered by PC Week, not the underlying general problem that has been
widely discussed on Usenet. Maybe we'll get a good article into the
Knowledge Base now.
I'm still hoping they'll document the known and acknowledged ProviderPath
problem with wsock32.dll.
Progress comes slowly.