COMMAND

    printer share

SYSTEMS AFFECTED

    Win 95, 98

PROBLEM

    Jiva DeVoe found following.  In Windows95 and Windows98 sharing  a
    printer creates a share called  PRINTER$  This share is  READ-ONLY
    but requires NO  password to access  it.  It  would be less  of an
    issue if the user were warned, or if the printer password  applied
    to the share,  but it doesn't.   This share is  a FILE share  that
    points to  your SYSTEM  directory.   So what  this means  is that,
    sharing a printer on a win95/98 machine connected to the  internet
    gives READ ACCESS  to your system  directory with NO  PASSWORD and
    NO OPTION TO DISABLE IT.

    This was  tested and  confirmed this  to be  an issue in Windows95
    version A but not OSR2 or with any patches installed.  Also, it is
    confirmed  that  Release  to  Manufacturing  version  of  Win98 is
    vulnerable too.

    To reproduce  it:   Just share  a printer,  then have someone else
    connect to \\yourmachine\printer$ and watch your system  directory
    come up in all it's glory.

SOLUTION

    Obviously, the answer here is not to put anything remotely private
    in \windows\system.