Re: 2003 Cumulative Patch for Outlook Express (330994) TILDE THUMBNAIL

From: Frank Saunders, MS-MVP IE/OE (franksaunders_at_mvps.org)
Date: 07/10/04 

Date: Fri, 9 Jul 2004 21:45:35 -0500

"Louise" <anonymous@discussions.microsoft.com> wrote in message
news:2a0d601c46622$550fda40$a501280a@phx.gbl
> Is there a fix for the fix? I had problems with my OE
> and to recreate my profile. Whenever I make changes to
> my address book I get a "tilde" thumbnail on my desktop.
> According to the below MS article it's a back up of my
> address book because of the 2003 Cumulative Patch for
> Outlook Express (330994 fix and there was suppose to be a
> Patch that correct this?
>
> What is the Tilde (~) file that appears on Desktop
>
> What is this ~ file?
> The file appearing on your desktop with the filename ~,
> commonly known as a tilde, is a backup of your Windows
> Address Book. It is appearing as a result of the April
> 2003 Cumulative Patch for Outlook Express (330994). The
> patch is installed for Outlook Express 5.5 or 6 in
> response to a vulnerability that could allow an attacker
> to run code of the attacker's choice on a user's machine.
> To exploit the vulnerability, an attacker would have to
> be able to cause Windows to open a specially constructed
> MHTML URL, either on a web site or included in an HTML
> email message.
>
> Unfortunately, there is a bug in the patch.Whenever you
> make a change in your Windows Address Book file (*.wab
> file), Windows makes a backup of this file. Generally
> this backup is called username.wa~ , however after the
> patch is installed the backup gets renamed to just ~
> instead and saved in the directory where you start your
> Outlook Express. Most of the time, people start Outlook
> Express from a shortcut on their desktop, so the backup
> file gets placed there. This is how the tilde (~) file
> arrives on your desktop.
>
> Is the File a Virus and will Spyware or Anti-virus
> Utilities Find it?
>
> Because the file is simply a backup of your Windows
> Address Book, spyware searching utilities or anti-virus
> products wont flag it as anything suspicious.
>
> Can I Delete the ~ File?
>
> The simple answer is yes, the file can be deleted.
> However if it is deleted, you wont have a backup of your
> Windows Address Book if a virus or something else
> corrupts it or you accidentally delete the information in
> the address book. So I wouldnt necessarily delete the
> file without backing it up first. Personally, here are
> the steps I would take to remain safe in case you need
> the file again.
>
> Right click on the file and choose Rename
>
> Type in a name for the file and add the .wab extension to
> it
> For Example, you might want to rename it to
> addressbook.wab or something similar
>
> Now, put a blank, formatted floppy disk in your floppy
> drive and right-click on the newly named file
>
> Choose Send To, Floppy Drive (most likely A)
>
> Now the file is backed up in case of emergency, right-
> click on the file on your desktop and choose Delete
> Each time you make a change to your address book, this
> file will reappear so its a good idea to keep that floppy
> drive around and make a backup each time you make
> changes. This protects you from losing valuable email
> addresses in case of a disaster.
>
> An alternative to this would be to change the Start in
> option for Outlook Express. This has been suggested by a
> few visitors and works well.
>
> Find the shortcut to Outlook Express and right-click on
> it
> Click on Properties
> Make sure Read-only is unchecked on the General tab
> Click on the Shortcut tab
> In the "Start In" field, change it to an alternative path
> where the tilde file will appear, for example C:\
> Click on Apply
> Is There a Patch to fix this?
>
> Although Microsoft has indicated that it knows about this
> problem and intends to make a patch available, they have
> not released one yet, as of July 2003.
>
> Can I uninstall the April 2003 patch to fix it?
>
> Yes, you can uninstall the patch, this will fix the tilde
> (~) file from appearing, however you will not be
> protected from this security vulnerability either. If you
> want to uninstall the April 2003 (330994) patch, simply
> visit this link and follow the uninstall directions.
> Although I wouldn't advise anyone doing this.

It will be fixed in WinXP SP2 (probably). 

-- 
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup.  Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/