Microsoft Security Bulletin MS01-019

Technical description:

Plus! 98, an optional package that extends Windows 98 and Windows 98 Second Edition, introduced a data compression feature called Compressed Folders that was also included in Windows Me. For interoperability with leading third-party compression tools, it provides a password protection option for folders that have been compressed. However, due to a flaw in the package's implementation, the passwords used to protect the folders are recorded in a file on the user's system. If an attacker gained access to an affected machine on which password-protected folders were stored, she could learn the passwords and access the files.

It is important to understand that, although this flaw does constitute a security vulnerability, the password protection feature is not intended to provide strong security. It was included in the products to enable interoperability with password-protection features in other third-party data compression products, and is only intended to provide protection against casual inspection. Customers who need strong protection for files should use Windows® 2000.

The patch will prevent passwords from being written to the user's system in the future. However, as discussed in the FAQ, after applying the patch, it is important to also delete c:\windows\dynazip.log, in order to ensure that all previously-recorded passwords are deleted.

Mitigating factors:

• The password mechanism at issue here is not related in any way to the network authentication mechanism. It is used solely for password-protecting compressed folders.
• An attacker would require physical access to an affected system in order to recover the password, or the owner of the machine would need to have deliberately shared out the c:\windows folder.

Vulnerability identifier: CAN-2001-0152

Tested Versions:

Microsoft tested Windows Me and Plus! 98 to assess whether they are affected by these vulnerabilities. The data compression feature did not exist prior to these products.

What's the scope of the vulnerability?
Windows Me and Plus! 98 (an add-on package for Windows 98 and Windows 98 Second Edition) provide an optional feature that can be used to password-protect folders after they have been compressed. This vulnerability could divulge the passwords used to protect these folders. If an attacker had access to the password-protected folders on an affected machine, she could use the vulnerability to read or change them.
Although the passwords should clearly not be available on the system, it is important to keep this issue in perspective. The passwords at issue here are involved solely with password-protecting compressed files - they are are not related in any way to the user's logon password. Also, the password protection protection feature is not intended to act as an access control mechanism - it is provided for solely for compatibility with third-party products' password mechanisms. Even after applying this patch, the password protection feature here only provides protection against casual scrutiny. Customers who need strong security, including strong access controls, should consider using Windows 2000.

What causes the vulnerability? 
Windows Me and Plus! 98 provide a data compression feature that allows a compressed folder to be password-protected. However, under certain conditions, the password can be recorded in a file on the user's system.

What's Plus! 98? 
Plus! 98 is an optional package that provides additional functionality to Windows 98 and Windows 98 Second Edition. In addition to including the data compression feature at issue here, it also provide a virus scanner, a disk cleaning feature, several games, and other features.

What's the data compression feature, and how is password protection related to it? 
Both Plus! 98 and Windows Millenium provide a feature called Compressed Folders, that can be used to compress folders and the files within them as a way of saving disk space. The Compressed Folders feature uses the same algorithm as several popular third-party utilities. However, it is more convenient than third-party tools - the user can select whether or not a folder should be compressed via the Properties page.
The feature also allows the user to password-protect compressed folders, and this is where the vulnerability lies. By design, the passwords should never be recorded. However, in actuality, the passwords are logged in a file on the user's system.

How could an attacker exploit this vulnerability? 
If an attacker had physical access to a machine, she could read the passwords and access any password-protected compressed folders on the system.

Would this password enable the attacker to log onto my network? 
The password at issue here is used solely by the Compressed Folders feature. It is completely separate from any other password, including the network logon password. It is possible for a user to choose any desired value for this password, but it's extremely bad practice to use the same password in multiple places.

How serious is this vulnerability? 
Although storing the passwords on the system clearly is a security vulnerability, it's important to understand that the password protection feature is not intended to provide strong security. It's only intended to protect the contents of the file against casual inspection. By design, Windows 98 and Me do not provide an access control mechanism, and this feature not intended to function as one. Customers who need strong access control should consider Windows NT® or Windows 2000.

If the option isn't intended to provide strong security, why is it provided? 
One of our primary design goals for the Compressed Folders feature was interoperability with leading third-party compression tools. To accomplish this, we chose to implement the same feature set as they do, using compatible compression and password algorithms.

I haven't installed Plus! 98, but I use Windows 98. Could I be affected by this vulnerability? 
No. The data compression feature isn't included in Windows 98 or Windows 98 Second Edition. Customers using these products could only be affected if they've installed the Plus! 98 package on their systems.

I use Windows 95. Could I be affected by the vulnerability? 
No. The Compressed Folders feature was not included in Windows 95.

Is Plus! 95 affected by the vulnerability? 
No. The data compression feature doesn't ship as part of Windows 95, nor as part of Plus! 95.

Would it be possible for a Windows 95 user to install Plus! 98? 
No. Plus! 98 will only install on a system running Windows 98 or Windows 98SE.

Who should use the patch? 
Microsoft recommends that customers who use Windows Me or Plus! 98 and who use the password protection feature on compressed folders consider applying the patch.

What does the patch do? 
The patch eliminates the vulnerability by preventing the passwords from being written to the disk.

After applying the patch, is there anything else I need to do? 
Yes. Applying the patch will prevent future passwords from being stored on the system, but you'll still need to remove any that have previously been stored. To do this, use Windows Explorer to delete the file c:\windows\dynazip.log.

Download locations for this patch

• Microsoft Plus! 98

  http://download.microsoft.com/download/win98/update/14715/w98/en-us/252694usa8.exe

• Microsoft Windows Me

  http://download.microsoft.com/download/winme/update/14715/winme/en-us/252694usam.exe