MICROSOFT BUG OPENS WINDOW TO THE WORLD

By SIMSON L. GARFINKEL
Special to the Mercury News

Some computer users have discovered that the network software inside both Microsoft's Windows 95 and Windows for Workgroups operating systems seems to "network" just a little too well.

A variety of computer flaws inside the two operating systems can potentially allow millions of people to read files residing on a Windows-based PC that is connected to the Internet, according to Rich Graves, a network consultant at Stanford University.

"The effect of the bugs (is that) when you think you are sharing any folder on your hard drive, you are actually sharing your entire hard drive," Graves said.

The flaws, which Microsoft is aware of and has issued software "patches" or repairs for, underscore the problems of keeping sensitive information private in a world that increasingly relies on corporate computer networks or the Internet to share and exchange information.

Computer users and corporations want both the ability to trade documents and information when it suits them and the ability to keep personal data stored on the same computer inaccessible to prying eyes. These seemingly divergent needs have created nightmares for software programmers trying to accommodate both requirements, as flaws such as this latest one with Microsoft show.

DISCOVERED LAST APRIL

Graves said the Windows 95 flaw was discovered in April 1995 by people using Samba, a freely available software program that allows Windows-based computers to share files and printers attached to UNIX-based computers.

Samba also includes a program that allows UNIX users to access files stored on Windows 95 computers that share the same network. Using that program, UNIX users were able to read files on computers running the Windows 95 operating system. The flaw is not apparent when one Windows 95 computer is accessing files stored on another, which is why it may have been missed during the Windows 95 testing cycle.
(For more information on Samba, check out its site on the World Wide Web at http://lake.canberra.edu.au/pub/samba/.)

Another flaw inside the systems' network software makes it possible to obtain a list of passwords used by a Windows-based computer for connecting to network printers, disks and Internet services.

"Any program (can) get any password," Graves said, adding that it is possible for a computer virus or a hacker-designed program to obtain a list of users' passwords and then transmit them over the Internet.

Shortly after the bug was discovered, Graves said, a program was posted on the Internet which would decrypt, or decipher, the passwords stored on a Windows 95 computer. Essentially, it allowed users to steal other people's passwords.

FIXES APPLIED

Microsoft has developed fixes for both the file-sharing bug and the password problem, said Rob Bennett, a product manager in Microsoft's Personal Systems Division.

"It's weird that this is coming up (now)," he said. "This issue was resolved in October. We were extremely proactive in making sure that our corporate customers and users got the updated drivers."

But Microsoft has not fully fixed the problem. The company has not repaired versions of Windows 95 that are being sold on CD-ROM or already loaded on new computers. Thus, a computer purchased today running Windows 95 probably contains the flaws.

Bennett said many people in the industry who are using the Windows 95 networking features know about the problem and know how to obtain the necessary fixes.

"All of our corporate accounts were notified," he said, adding that Microsoft made telephone calls to analysts and sent electronic mail to every user of The Microsoft Network. The notice told Windows users of the problem and advised them to obtain the necessary software update if they needed the file-sharing capabilities.

The patches are available on the Microsoft Network and on Microsoft's Web site: http://www.microsoft.com.
More than 10 million copies of Windows 95 had been shipped as of November, said Bennett, who acknowledges most Windows 95 users have probably not obtained the patch. At the time the electronic mail was sent out, there were only 200,000 people signed up.

Later this month, Microsoft plans to distribute a CD-ROM called "Service Pack for Windows 95." Among other things, the CD-ROM will contain updated drivers and the security fixes. That CD-ROM will be provided for free to Microsoft's corporate customers. Home users will be able to obtain it from Microsoft for a small fee.

Graves said he is upset that Microsoft has claimed credit for "discovering" the security flaws, when in fact the flaws were discovered by readers of his Windows 95 Net Bugs mailing list and brought to Microsoft's attention. But he concedes Microsoft has now addressed most of the problems.

IF YOU'RE INTERESTED

For more information, see the Windows 95 Net Bugs Frequently Asked Questions, or FAQ, at http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html

MERCURY CENTER ID: me27021m
Transmitted: 96-01-22 05:32:29 EST