




Alert: Problems with SP6 and Winsock









=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

   Date: Wed, 17 Nov 1999  08:38:20
   From: Russ <Russ.Cooper@RC.ON.CA>
     To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Alert: Problems with SP6 and Winsock
--------------------------------------------------------------------------------


-----BEGIN PGP SIGNED MESSAGE-----

Note: Please take the poll mentioned at the bottom of this article.

I have had several reports about problems with SP6. Some were related
to NIC or Video drivers not being compatible (not on-topic for
NTBugtraq), while others had to do with more serious issues that were
on-topic.

These messages have not been put through because they were, for the
most part, unsubstantiated. As the NTBugtraq List Charter states,
issues should be reproducible. In the case of a Service Pack, ever
since SP2 it has been fairly easy to create a huge amount of distrust
of a new SP by releasing, too quickly, reports of problems. I wanted
to try and get some facts nailed down before releasing something about
the problems.

Of course one problem has been widely reported, the issue that access
to a Lotus Notes server with SP6 applied can only be achieved if the
user is a member of the Administrators group. The brief story
available on it comes from;

http://home.cnet.com/category/0-1003-200-1439342.html (via Ken
Williams)

although Sunbelt Software's Windows NTools E-Newsflash reported this
issue 11 days earlier than CNet.

The message we had on 11/10/99 from Paul Noah regarding winspool.drv
hinted at the issues, although it seemed to be resolved by replacing
the SP6 version with the SP5 version. On 11/11/99 Tore Holmstrom wrote
in and made the suggestion that a fix was possible by replacing the
SP6 version of AFD.sys with its SP5 version (not put through).

I continued to receive reports indicating, after applying SP6, that
Administrator privilege was needed to do a variety of things (I've
received 5 in total).

Obviously this hints at a security issue. Funny, though, that it is
failing to a more secure situation than we can actually achieve
through any tweaks or registry edits that we know about thus far.

Enough background, here's what I know;

Microsoft have acknowledged that SP6 introduces a problem with
Winsock-based applications such that Administrator privilege is
required for the application/service to function. Any less-privileged
user is unable to perform the Winsock functions.

Replacing the AFD.sys from SP5 *does* seem to resolve the problem,
however, Microsoft have released a Post-SP6 HotFix which contains,
only, a new AFD.sys. The KB article Q245678;

http://support.microsoft.com/support/kb/articles/Q245/6/78.asp

provides links to the binaries for the HotFix, and provides very
little insight into what the problem is (other than to acknowledge
there is a problem).

I believe this HotFix is a workaround, not a complete fix, although MS
does believe the HotFix will prevent the reported problems from
re-occurring. The reason I believe this is a workaround is because the
Post-SP6 HotFix for the TCPIP Initial Sequence Numbers has been
removed.

FYI, AFD.sys is the Ancillary Function Driver (other names have been
proposed...;-]) which, basically, acts as an entry point for Winsock
functions to get to TCPIP.sys.

I have a report that suggests that using the TCPISN-fix version of
TCPIP.sys also resolves the problem with Administrator privilege
requirements, however, Microsoft believes the problem may exist in
TCPIP.sys itself. Providing a modified version of AFD.sys was seen as
a quicker way of getting a workaround out. Meanwhile, work is on-going
to determine if there is a problem with TCPIP.sys, and if so, fix it.
Since the TCPISN-fix is a Post-SP6 HotFix, if there is a problem with
the SP6 version of TCPIP.sys, that same problem will likely exist in
the TCPISN-fix. Hence its removal.

Confused yet?

Bottom line is this, for now;

1. If you need better randomization of TCP ISNs you need to have the
TCPISN-fix already. If you have it already, it can be applied to SP5
or SP6. If you need SP6 applied, get the AFD HotFix mentioned above,
apply SP6, apply the TCPISN-fix, then apply the AFD HotFix. Otherwise,
apply SP5, then apply the TCPISN-fix, and *if* you get errors with
non-Administrator users, report it to me (russ.cooper@rc.on.ca).

2. If you're not going to apply the TCPISN-fix, or don't have it
already, and you need SP6, then apply SP6 and then apply the AFD
HotFix mentioned above. Otherwise, stick to SP5 until I report that
the issue has been resolved (i.e. MS figures out if, in fact, there's
a problem with TCPIP.sys).

3. If you haven't deployed SP6, but are thinking about it, hold off
until I report on the TCPIP.sys (potential) issue.

I have received only one report regarding the use of the TCPISN-fix.
Peter Sang reported on 11/11/99 what he believed to be a
multi-processor problem (something that didn't seem to happen on a
single processor machine which did happen on a MP box). His report
basically stated that using SP6, Winsock calls failed. He then applied
the TCPISN-fix and the Winsock calls worked. However, after applying
the TCPISN-fix, ODBC connection attempts failed (SQL-ADODB failures).

It could well be that Peter's tests encountered the same Administrator
privilege issues that MS has now acknowledged.

However, if anyone has any experience with systems with SP6 and the
TCPISN-fix applied, I would appreciate hearing them. Of course no
point in telling me your success stories if all of your processes are
running in an Administrator context, we already know that works fine.

One very interesting thing in all of this. It would seem that, either;

- - The vast majority of folks on the list have not upgraded to SP6

or

- - Most people run everything as a member of the Administrators group

Take my poll and tell me if you've deployed SP6, and if so, whether or
not you've encountered problems related to Winsock with it. If you've
applied SP6 and the TCPISN-fix, have you encountered problems with
Winsock also?

<http://ntbugtraq.ntadvice.com/sp6winsock.asp>

More info as it becomes available.

Cheers,
Russ - NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

-----END PGP SIGNATURE-----


© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


