Of Bugs and Viruses

Bug bash

More holes in Windows Media Player 7

After previously discovered security holes in Windows Media Player (for more on these, refer to Security Alert, page 152, PCQuest February 2001), another vulnerability has been discovered in using skins to customize the looks of Windows Media Player 7.

Media player skins are built from a skin definition (a WMS file) and a set of controls written in Microsoft JScript. Both of these are compressed into a Windows Media Zipped (WMZ) file. When this file is played, Windows Media Player loads the skin and the IE Java Virtual Machine handles the JScript code. However, because the default location of a WMZ file is known to be C:\Program Files\Windows Media Player\Skins, a malicious JAR (Java Archive) file can be included in the WMZ file, and extracted and executed independent of Windows Media Player. When executed by JVM, such a malicious applet could do various things, for example, read the contents of your hard drive.

The patch issued by Microsoft to fix previous vulnerabilities in Windows Media Player doesn’t fix this hole, but there’s a workaround. Disabling Java from IE will prevent the applet from executing. In IE, go to Tools>Internet Options>Security> Custom Level, and go to the Java permissions subheading under Java. Click on ‘Disable Java’ to prevent all Java code from running. You can work with this until a patch for the vulnerability becomes available.

E-mail errors while using Norton AntiVirus 2000/2001

While scanning your e-mail before it reaches your inbox is one of the best methods to prevent your system from getting infected, it can sometimes lead to problems too. One such problem happens if you use Norton AntiVirus (NAV) 2000 or 2001. In this case, you might sometimes see an error message that says, ‘The connection to the server has failed’, when you’re trying to download mail.

To enable scanning your e-mail before it comes to your inbox, the NAV e-mail protection module inserts itself between your e-mail application and the ISP’s mail server. To do this, it installs a built-in POP3 proxy server on your PC. To see this on a Windows machine, press Ctrl-Alt-Delete to bring up a list of running programs, and you’ll find a program called Poproxy running on your system. This is NAV’s proxy server. If your mail client is Outlook Express or Outlook, go to Tools>Accounts> Properties>Servers, and you’ll find that your incoming POP3 mail server address is not that of your ISP, but ‘pop3.norton.antivirus’ or ‘127.0.0.1’, which is Norton’s built-in proxy server.

The error mentioned above happens when Poproxy stops working due to some reason, and the e-mail client can’t connect to the e-mail server. Since the server it’s connecting to (which is the NAV proxy server) is not responding, the e-mail client behaves as if the ISP’s server is down. 

Poproxy can stop working due to some other system process conflicting with it. In this case, you can reboot your machine, and if that doesn’t work, a quick workaround is to restart Poproxy manually by using Windows Explorer to go to C:\Program Files\Norton Antivirus and double-clicking Poproxy.exe. Another workaround is to load Poproxy from the Windows StartUp folder. Details of how to do this are available at:

For Norton AntiVirus 2000: http://service1.symantec.com/SUPPORT/nav.nsf/decid/199909301342 5706

For Norton AntiVirus 2001: http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000121914360606

You may sometimes also need to turn off real-time virus scanning, for example, when you’re installing some software. In this case, closing the e-mail program and disabling NAV’s e-mail scanning should automatically restore your ISP’s settings in your mail program. When you enable e-mail protection again, the Poproxy settings should automatically replace your ISP’s settings. If this doesn’t happen, or if the system conflict with Poproxy persistently prevents it from running, contact Symantec Technical Support at
www.symantec.com /techsupp.

Compiled by Pragya Madan