COMMAND

    Taskpads

SYSTEMS AFFECTED

    - Microsoft Windows 98 Resource Kit
    - Microsoft Windows 98 Resource Kit Sampler (included as part of Windows 98 but not installed by default)
    - Microsoft BackOffice Resource Kit, second edition

PROBLEM

    The following is based on a Microsoft Security Bulletin. Taskpads
    is a feature provided by several Microsoft Windows Resource Kit
    products, as listed above under SYSTEMS AFFECTED. It is part of
    the Resource Kits' Tools Management Console Snap-in, and allows
    users to view and run Resource Kit Tools via an HTML page rather
    than through the standard Large Icon, Small Icon, List, and
    Detailed Views. A vulnerability exists because certain methods
    provided by Taskpads are incorrectly marked as "safe for
    scripting" and can be misused by a web site operator to invoke
    executables on a visiting user's workstation without their
    knowledge or permission. The affected products are, by default,
    not installed on Windows 95, Windows 98 or Windows NT. The
    Windows 98 Resource Kit and Resource Kit Sampler can only be
    installed on Windows 98. The BackOffice Resource Kit can be
    installed on Windows 95, Windows 98 or Windows NT, but is most
    commonly installed on Windows NT servers, which, per recommended
    security practices, usually will not be used for web surfing.
    This was originally found by Adrian O'Neill.
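
    One way to inventory controls on a workstation that carry the same
    "safe for scripting" marking, as an added example (not from the
    bulletin or from Microsoft's patch): it reads a regedit export, lists
    COM classes registered under the Safe for Scripting / Safe for
    Initializing component categories, and notes which already have the
    Internet Explorer kill bit set. Assumptions: the export text and
    CLSIDs are constructed placeholders, and only the registry-based
    marking is checked, so controls that declare safety at run time
    through IObjectSafety are not seen.

```python
import re

# Component category IDs that mark a COM class as safe for scripting / initializing.
CATIDS = {"{7DD95801-9882-11CF-9FA9-00AA006C42C4}": "scripting",
          "{7DD95802-9882-11CF-9FA9-00AA006C42C4}": "init"}
KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE from loading the control

# Constructed regedit export; the CLSIDs are placeholders, not real controls.
SAMPLE_REG = r"""
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\Implemented Categories\{7dd95801-9882-11cf-9fa9-00aa006c42c4}]

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{33333333-3333-3333-3333-333333333333}]
@="Example Unmarked Control"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000400
"""

CAT_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]+\})\\IMPLEMENTED CATEGORIES\\(\{[0-9A-F-]+\})$")
KILL_RE = re.compile(r"\\ACTIVEX COMPATIBILITY\\(\{[0-9A-F-]+\})$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})$')

def audit(reg_text):
    """Map each safe-marked CLSID to (sorted category labels, kill bit set?)."""
    marked, killed, kill_key = {}, set(), None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1].upper()  # registry key names are case-insensitive
            cat, kill = CAT_RE.search(path), KILL_RE.search(path)
            kill_key = kill.group(1) if kill else None
            if cat and cat.group(2) in CATIDS:
                marked.setdefault(cat.group(1), set()).add(CATIDS[cat.group(2)])
            continue
        flags = FLAGS_RE.match(line)
        if flags and kill_key and int(flags.group(1), 16) & KILL_BIT:
            killed.add(kill_key)
    return {c: (sorted(m), c in killed) for c, m in marked.items()}

def exposed(reg_text):
    """CLSIDs a web page could still script: marked safe and not kill-bitted."""
    return sorted(c for c, (cats, dead) in audit(reg_text).items()
                  if "scripting" in cats and not dead)

if __name__ == "__main__":
    for clsid in exposed(SAMPLE_REG):
        print(clsid)
```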

SOLUTION

    Microsoft has released patches that fix the problem identified.
    Microsoft highly recommends that all affected customers download
    the appropriate patch to protect their computers. The patches
    can be found at (depending on the vulnerable program):

        ftp://ftp.microsoft.com/reskit/win98/taskpads/tmcpatch.exe
        ftp://ftp.microsoft.com/reskit/nt4/x86/taskpads/itmcpatch.exe
        ftp://ftp.microsoft.com/reskit/nt4/alpha/taskpads/atmcpatch.exe