COMMAND

    kernel

SYSTEMS AFFECTED

    Plus! 98 and Windows Me

PROBLEM

    The following is  based on  Microsoft Security  Bulletin MS01-019.
    Plus! 98, an optional package that extends Windows 98 and  Windows
    98 Second  Edition, introduced  a data  compression feature called
    Compressed Folders  that was  also included  in Windows  Me.   For
    interoperability with  leading third-party  compression tools,  it
    provides a password protection  option for folders that  have been
    compressed.   However,  due  to  a  flaw  in  the  implementation,
    the passwords used to protect the folders are recorded, in  clear,
    in a log  file on the  user's system.  An  attacker who could read
    that  file  on  a  machine  holding  password-protected compressed
    folders could learn the passwords and open the folders.

    It  is  important  to  understand  that,  although  this flaw does
    constitute  a  security  vulnerability,  the  password  protection
    feature  is  not  intended  to  provide  strong  security.  It was
    included  in   the  products   to  enable   interoperability  with
    password-protection features in other third-party data compression
    products,  and  is  only  intended  to  provide protection against
    casual inspection.  Customers who need strong protection for files
    should use Windows(r) 2000.

    The password at issue here is not related in any way to the user's
    network logon password.  It is used solely for password-protecting
    compressed folders.

    Given how  often people  reuse passwords,  that is  a surprisingly
    strong statement.  The bulletin's assurance that the folder password
    is "not related in any way to the user's network logon password"
    describes only what the software uses the password for:  nothing in
    Compressed Folders stops a user from typing the same string for both.
    If the  statement were  read as  implying a  mechanism that prevents
    such reuse when  the folder password  is set, is  that actually the
    case, or does it merely promote a false sense of security?  For any
    user who did reuse the logon password, the  recorded folder password
    is the logon password.

    To recover the  passwords an attacker  needs read access  to the log
    file, either by sitting  at the affected system  or because its owner
    has shared out the c:\windows folder (which holds the log) over the
    network.

SOLUTION

    The patch  prevents passwords  from being  written to  the user's
    system in  the future.  However, as  discussed in  the FAQ,  after
    applying   the   patch,   it   is   important   to   also   delete
    c:\windows\dynazip.log,   in    order   to    ensure   that    all
    previously-recorded passwords  are removed.   Any password that was
    already in that file should be treated as exposed:  change it, and
    change it anywhere else  the same string was  used, since deleting
    the file does not undo a copy an attacker may already have taken.
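    The clean-up step above, as a small helper script added here (it is
    not  part  of  the  bulletin  or  of  the  Compressed  Folders  code).
    It assumes the log  is at C:\WINDOWS\dynazip.log,  the default on  a
    stock install; pass another path on the command line if %WINDIR%  is
    elsewhere.  It reports how  much the file holds  without printing the
    passwords, overwrites the file's blocks before unlinking it (a  plain
    delete leaves the plaintext on disk until the clusters are reused),
    and says nothing about the log's internal format, which the bulletin
    does not document.

```python
"""Find and scrub the Compressed Folders password log (dynazip.log).

Added example; not from MS01-019 or the product. Assumes the default
log path and treats the file as opaque bytes.
"""
import os
import sys

# Assumption: stock Windows Me / Windows 98 + Plus! 98 install location.
DEFAULT_LOG = r"C:\WINDOWS\dynazip.log"


def inspect_log(path=DEFAULT_LOG):
    """Return (exists, size_in_bytes, line_count) for the log file.

    Only counts are returned, so an administrator can gauge how many
    passwords may have been recorded without displaying them.
    """
    if not os.path.isfile(path):
        return (False, 0, 0)
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        lines = sum(1 for _ in fh)
    return (True, size, lines)


def scrub_log(path=DEFAULT_LOG, passes=1):
    """Overwrite the log with zero bytes, flush to disk, then delete it.

    Overwriting first removes the plaintext from the file's own blocks;
    it cannot remove copies that already landed in backups, the swap
    file, or an attacker's hands, which is why the passwords must still
    be changed. Returns True if a file was scrubbed, False if absent.
    """
    if not os.path.isfile(path):
        return False
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(b"\x00" * size)
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)
    return True


def main(argv):
    path = argv[1] if len(argv) > 1 else DEFAULT_LOG
    exists, size, lines = inspect_log(path)
    if not exists:
        print("no %s found; nothing to do" % path)
        return 0
    print("%s: %d bytes, %d line(s) recorded" % (path, size, lines))
    scrub_log(path)
    print("overwritten and deleted; change every password that was in it")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Run it after installing the patch, not before: until the patch is in
    place, the next password-protected folder created would simply start
    a new log.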

    A patch is available to  fix this vulnerability.  Please  read the
    Security Bulletin:

        http://www.microsoft.com/technet/security/bulletin/ms01-019.asp

    for information on obtaining this patch.