New Security Hotfixes

Microsoft released six security hotfixes in June. The hotfixes eliminate minor to major security vulnerabilities in Microsoft Internet Explorer (IE), Internet Security and Acceleration (ISA) Server, Proxy Server, SQL Server 2000, IIS 4.0 and 5.0, the RAS Phonebook service, and MSN Chat. The RAS flaw has the greatest effect and is the most crucial. Security Bulletin MS02-029 (Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution) contains details about the vulnerability, which exists on Windows 2000 and Windows NT Terminal Server systems. The vulnerability lets a user who can log on locally crash a system or run code with full system privileges. If you haven't installed this hotfix, I recommend you do so immediately. You can read the details about the Phonebook flaw and find download links for all affected platforms online.

The second most crucial hotfix is also a buffer overrun vulnerability. The flaw affects systems on which you have installed Microsoft Chat, MSN Messenger service, or Microsoft Exchange Instant Messenger. A malicious user can exploit the Chat vulnerability to run code with user privileges. Be advised that if you update systems at Windows Update, and you select all the updates, not just the critical updates at the top of the list, you might have inadvertently installed either Chat or MSN Messenger. Read Security Bulletin MS02-022 (Unchecked Buffer in MSN Chat Control Can Lead to Code Execution) online for more details and to download this security patch.

Windows Update Can't Upgrade Terminal Server Systems
Now that Microsoft is encouraging small shops to keep systems current and secure using the company's online service, be advised that you can't update either Windows 2000 Server Terminal Services or Windows NT Terminal Server Edition systems at the Windows Update site. When you direct a terminal server system to http://www.windowsupdate.com, the site offers a list of needed patches, but any attempt to install the updates will fail. You can successfully update Terminal Services at the Terminal Services Web site and TSE at the NT Server download site. For more details, read the Microsoft article "WINUP - Cannot Install Updates Using Terminal Server".

More USB Device Problems
Some day, the USB driver will function properly, but not yet. If you have a machine that contains older USB 1.x devices and a USB 2.x controller, you'll experience problems with all the USB devices (e.g., 3.5" disk drive, CD-ROM drive, or hard disk) when the machine resumes from a suspend state. When you access a USB 3.5" disk drive or CD-ROM drive, you see an error message stating that the "drive is not accessible" and that "the request could not be performed because of an I/O device error." The error message occurs repeatedly until you either disconnect and reconnect the device or reboot. You have three potential solutions: First, wait at least 10 seconds after the machine resumes before accessing the older USB device. Second, if your machine doesn't have any 2.0 devices, you can disable the USB 2.0 controller in Device Manager. Third, you can download and install the most recent USB driver, usbhub.sys. Sadly, the new driver doesn't solve all the problems; even after you install the new usbhub.sys, the machine might generate an erroneous "Unsafe Removal of Device" error when it resumes. Likewise, you'll see the "drive not accessible" error once if you don't wait 10 seconds, but the device will be available the next time you access it. Windows 2000 Service Pack 3 (SP3) will include this patch. Read the Microsoft article "Error Message When You Access a USB Storage Device After Resuming from Suspend".

SP2 Image Cannot Join Domain During Setup
Here's the explanation for why a pre-built Windows 2000 Service Pack 2 (SP2) system can't join a domain the first time you bring up a new system. When you build an image with Sysprep or Microsoft Remote Installation Services (RIS), you typically include a dummy computer name in the image. The first time you boot the image on a new machine, Setup prompts you to enter the machine's permanent name and to join a domain. Even when you're logged on with a valid domain account and password, the system is unable to join the domain, and you see an error message stating that you have entered an invalid password.

The authentication failure occurs because of a bug in how Kerberos forwards account credentials. Instead of passing the username and password you log on with, Kerberos incorrectly substitutes the machine name for the username. You can work around the problem by rebooting after you define the machine's permanent name and paging through the setup prompts a second time. Because the original and permanent computer names match after you reboot, Kerberos correctly forwards the domain username and password credentials. If you don't have time to wade through two setup passes, you can solve the problem permanently by installing the extensive pre-SP4 code fix that contains updates to 32 OS components, most of which have a file release date of June 5. Read the Microsoft article "You Must Restart the Computer After Joining a Domain with Service Pack 2".