Month: May 2005

The Gatekeeper Test was an entertaining test of wits for security pros: A series of progressively trickier multiple choice questions (two per working day) were to be offered between 2 to 14 May, culminating in an open question tie-breaker question at the end. Security experts from 20 countries in Europe, the Middle East and Africa were to compete with their compatriots, with a Tablet PC awarded to the the best in each country. The overall winner was to get a VIP trip to Microsoft’s TechEd conference in Amsterdam this July. There were even league tables so you could compete with your mates.

The test attracted more than 20,000 IT pros, according to Microsoft, but right from the off things went awry. The system failed to accept to correct answer on some occasions, as Reg reader Stuart Antcliff discovered: “After pressing submit with, what I hope was, the correct answer it took me to their nice file not found page; I was even using IE because I figured it wouldn’t work with other browsers. A quick test shows this happens with enough browsers to make it funny (I didn’t find one that worked). Is this a cunning plan to lure us into working out what is wrong?
Is it all part of the test?”

Elsewhere, competitors learned they if they answered incorrectly they could press backspace and re-answer questions without any scoring penalty. Similar tricks allowed the unscrupulous to artificially inflate their scores.

“After two days some people already at 1,750 points, when the maximum they could have achieved was 350 points per day,” one anonymous participant told South African site ITWeb.

Microsoft tried to discount earlier results (involving the equivalent of the £2,000 question on Who Wants to be a Millionaire?) but after three days of headache, suspended the competition, as iexplained in its test blog. In a statement, Microsoft said it plans to re-start the game at unspecified time. It blames technical issues for problems with the game, which, we note, was never meant to be particularly serious, anyway.

“The Gatekeeper Test experienced an intermittent ViewState clustering issue on the live environment. This means that certain servers in the cluster lost session state information due to data stored in the ViewState. Consequently, intermittent user scores were not being stored, resulting in a compromised scorecard for some participants.” Microsoft has decided to close the game immediately to avoid any disadvantage to certain participants.

The Gatekeeper Test registration site has been reinstated and participants can continue to take advantage of the education tools which are provided on the site, in preparation for the test re-start.

New participants also have the opportunity to register for the test ahead of the re-start date,” it said.

http://www.theregister.co.uk/2005/05/11/ms_gatekeeper_test_fiasco/

The monthly security bulletin addresses a vulnerability found in Windows 2000 Service Pack 3 and 4, which the company ranks as “important,” its second-highest severity rating. The flaw also appears in the older Windows 98, Windows 98 Second Edition and Windows Millennium Edition. “A remote code execution vulnerability exists in the way that Web View in Windows Explorer handles certain HTML characters in preview fields,” Microsoft said in its bulletin. “By persuading a user to preview a malicious file, an attacker could execute arbitrary code in the context of the logged-on user.” That attacker could install programs and view, change or delete data, or create new accounts with full user rights, Microsoft said.

Security company Symantec has rated the risk from the flaw as “medium,” noting that some user interaction is required for it to be used for an attack. For example, the PC user would have to download a corrupt document or save the document from an e-mail attachment, then browse to the document using Windows Explorer. “It would be fairly easy for an attacker to create a malicious document that could compromise a system and circulate this document through email or websites,” Oliver Friedrichs, senior manager at Symantec Security Response, said in a statement on Tuesday. “In order to combat this new and other security risks, users should always avoid opening files from unknown sources or following links to unverified sites. In addition, all users should deploy Internet security solutions such as antivirus software and firewall technology.”

More recent versions of the operating system are not affected by the flaw. Microsoft said it has tested Windows XP Service Pack 1 and 2, Windows XP 64-Big Edition Service Pack 1 and Version 2003 for Itanium, XP Professional x64 Edition, Windows Server 2003 and its Service Pack 1, Windows Server 2003 for Itanium-based systems and its related Service Pack 1 for the vulnerability.

Microsoft is urging people with Windows SP3 and SP4 to download the security update. For the older versions, Microsoft noted on its Web site that it does not offer security patches to older versions of its software that it no longer supports, unless the vulnerability is rated “critical.”

The software giant did not offer any workarounds. A Microsoft representative referred questions regarding what actions Windows 98 users should take to the company’s Microsoft Lifecycle Support site.

The software giant also released two security advisories of problems that do not necessarily require a patch from Microsoft. One notes a default setting in Windows Media Player Digital Rights Management could allow a user to open a Web page without requesting permission. The second is a clarification of Microsoft’s simple mail transfer protocol (SMTP) Tar Pit feature in Windows Server 2003 Service Pack 1 for Exchange Server 2003.

“Microsoft does not require or recommend that all customers implement this (Tar Pit) feature. It has been provided as an option for reducing the effectiveness of certain attacks that utilize standard features of the simple mail transfer protocol,” the advisory notes.

http://news.com.com/Fix+in+for+Windows+flaw/2100-1002_3-5701804.html?part=rss&tag=5701804&subj=news