WinInfo Daily UPDATE—brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies.
http://www.winnetmag.com


THIS ISSUE SPONSORED BY

Microsoft Mobility Tour


SPONSOR: MICROSOFT MOBILITY TOUR

THE MICROSOFT MOBILITY TOUR IS COMING SOON TO A CITY NEAR YOU!
Brought to you by Windows & .NET Magazine, this outstanding seven-city event will help support your growing mobile workforce! Industry guru Paul Thurrott discusses the coolest mobility hardware solutions around, demonstrates how to increase the productivity of your "road warriors" with the unique features of Windows XP and Office XP, and much more. There is no charge for these live events, but space is limited so register today!
http://www.winnetmag.com/seminars/mobility


December 19, 2002—In this issue:

1. NEWS AND VIEWS

  • XP Shell Vulnerability Threatens Systems

2. ANNOUNCEMENT

  • Did You Miss SQL Server Magazine's Web Seminars?

3. CONTACT US
See this section for a list of ways to contact us.


1. NEWS AND VIEWS
(contributed by Paul Thurrott, thurrott@winnetmag.com)

  • XP SHELL VULNERABILITY THREATENS SYSTEMS

  • A security vulnerability in the Windows XP shell could compromise user systems, letting attackers take over machines and run malicious code. The vulnerability affects all XP versions—XP Home Edition, XP Professional Edition (including the 64-bit version), XP Media Center Edition, and XP Tablet PC Edition—and takes advantage of an XP feature that lets the system extract information from audio files in MP3 and Windows Media Audio (WMA) formats.

    "An unchecked buffer exists in one of the functions used by the Windows Shell to extract custom attribute information from audio files," a Microsoft security bulletin that describes the vulnerability reads. "A security vulnerability results because it is possible for a malicious user to mount a buffer overrun attack and attempt to exploit this flaw."

    An attacker could use the vulnerability to create a bogus or compromised audio file that contains executable code that's accessible through the file's metadata information. A user can trigger the code by retrieving the file from a file-sharing service, through email, or from some other online location, then holding the cursor over the file in the Windows Explorer shell. Malicious code in the file could crash the shell or unleash an attack that creates, modifies, or deletes data; reconfigures the system; or reformats the hard disk. Although security researchers originally viewed this problem as a Windows Media Player (WMP) vulnerability, Microsoft says the vulnerability is in the XP shell, not in the player.

    XP users who have enabled Auto Update are already protected against this vulnerability. Other XP users can download a fix from Windows Update. For more information and a downloadable version of the patch, visit the Microsoft Web site.
    http://www.microsoft.com/technet/security/bulletin/ms02-072.asp

    2. ANNOUNCEMENT
    (brought to you by Windows & .NET Magazine and its partners)

  • DID YOU MISS SQL SERVER MAGAZINE'S WEB SEMINARS?

  • No worries! They're still accessible right at your desktop! Kalen Delaney discusses SQL Server internals; Brian Moran identifies performance problems; Rich Rollman teaches about XML for database professionals; and Morris Lewis instructs on high availability and security. Valuable online desktop training that saves you time and money! Get the details at
    http://www.sqlmag.com/sub.cfm?code=wnei322kau

    3. CONTACT US
    Here's how to reach us with your comments and questions:

    • ABOUT NEWS AND VIEWS — thurrott@winnetmag.com
    • ABOUT THE NEWSLETTER IN GENERAL — jfeuerbacher@winnetmag.com
      (please mention the newsletter name in the subject line)
    • TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
    • PRODUCT NEWS — products@winnetmag.com
    • QUESTIONS ABOUT YOUR WinInfo Daily UPDATE SUBSCRIPTION?
      Customer Support — wininfoupdate@winnetmag.com
    • WANT TO SPONSOR WinInfo Daily UPDATE?
      emedia_opps@winnetmag.com