TMG-L Archives

Archiver > TMG > 2002-09 > 1031364080


From: Bob Velke <>
Subject: RE: [TMG] Visual FoxPro 6.0 security warning (TMG 5)
Date: Fri, 06 Sep 2002 22:06:56 -0400
References: <006301c254d0$bc320280$6401a8c0@BigBob><3D7732A5.1070603@swbell.net>
In-Reply-To: <3D7791EF.7395.145C60B@localhost>


>>>>>>> Does this warning affect TMG5 users?
>>>>
>>>> In a word, no.
>>
>> Can you elaborate on that? Is it because TMG don't use
>> Visual FoxPro 6 or is it because the patch comes together
>> with TMG 5? Or is there any other reason?

The warning was that, under some rare circumstances, a hacker's web page
could find and run a file with an APP extension on your computer without
your knowledge. If running that APP file performed any dangerous functions
(i.e., deleting files), then the hacker could conceivable do so without
your knowledge.

Even if your web travels took you to such a hacker's site, the warning does
NOT apply to TMG users for two reasons:

1) The risk only applies to APP files that are created in Visual Foxpro v6
and that use a particular file naming convention. Although parts of TMG5
are written in Visual Foxpro v6 and it does include some APP files (in the
APPS folder), they do not use the problematic file naming convention so
they cannot be executed remotely by hackers.

2) Even if those files could be executed remotely without your knowledge,
they don't do anything. In the case of TMG5, those files are only used to
hold libraries of other functions (import functions) that must be called
from within TMG. That is, the APP files were specifically designed so as
not to be executable directly. If you double-click on one of them in your
Windows Explorer, for instance, then you will see that it simply spins its
wheels for a few seconds and then shuts itself down.

(TMG4 didn't use Visual Foxpro v6 so the warning doesn't apply to its APP
files. And if it did, they don't do anything when executed directly either.)

so.......
****************************************************
There is NO NEED for TMG users to be
concerned or to apply any sort of patch
as a result of this security bulletin.
****************************************************

For what it is worth, Microsoft releases security bulletins all the time
for many programs that you probably have on your computer, including
Internet Explorer, Outlook, Word, and Excel, as well as other programming
languages like Visual Basic and Access, and the various operating systems
themselves.

For the more curious, the knowledgebase article to which this warning
refers is here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q326568
You can subscribe to the Microsoft Security Notification Service here:
http://www.microsoft.com/securitynotification/
And you can find the archives for security bulletins here:
https://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp

-Bob


This thread: