Heysoft Security Bulletin
--------------------------------------------------------------------
Title:        Bug in EventSave and EventSave+
Date:         01 November 2002
Software:     EventSave prior to version 5.3
              EventSave+ prior to version 5.3
Vendor:       Frank Heyne Software
              http://www.heysoft.de/
Impact:       Loss of events
Max Risk:     Critical
HTML version: http://www.heysoft.de/nt/eventlog/hsb01e.htm
--------------------------------------------------------------------

Introduction:
=============
EventSave is a popular Freeware program. It moves all events from the
current Windows NT (all versions) event logs into backup files.
Independent of how often the software is run, it moves all events of
the same month and type from a machine into the same destination file.
Actually, moving the events is done by a copy, followed by clearing the
current logs.

EventSave+ is part of the Shareware "Report Event", a suite of 9 tools
for managing Windows NT event logs. It works like EventSave, but allows
moving only the events of certain types of logs.

The bug:
========
On any run after the first in a month, the program appends events to
the (already existing) target file. But as long as the target file is
open in Microsoft's Event Viewer, no other program can write to it.
EventSave(+) failed to check whether it had appended the events
successfully. No error was returned, and the current log was cleared.
Events that should have been moved into the evt file opened by
Microsoft's Event Viewer were lost.

Mitigating Factors:
===================
Using a non-blocking event viewer, such as Elwiz from www.heysoft.de,
to view evt files allows EventSave(+) to write to a file that is
currently open in that viewer.
(Actually, because we prefer Elwiz over Event Viewer, we did not find
this bug earlier.)

Patch Availability:
===================
Version 5.3 of the Freeware program EventSave is available from
http://www.heysoft.de/nt/eventlog/ep-es.htm
This version will give a hint if the target file is not writable, and
in that case it will write the events to a spare file. One could use
MER, which is also part of the "Report Event" suite, to merge the
events from the spare file into the correct target file later.
Information about "Report Event" is available from
http://www.heysoft.de/nt/eventlog/ep-re.htm

Version 5.3 of EventSave+ is available for all registered users of
"Report Event". Customers with a valid Support Pack have already
received information on where to download the new version. Customers
without a valid Support Pack should contact support@heysoft.de and
provide their registration number to receive the update.

Acknowledgment:
===============
The person who reported the bug said: "I am not looking for
publicity..."
Anyway, you know who you are, thanks for bringing the problem to my
attention.

Final remark:
=============
I am sorry for the bug being there for so long. I don't know whether
there was a loss of events anywhere (except for the customer who
informed me about the bug). But because I am a firm believer in the
idea of full disclosure, I think it is necessary to make the bug
public.

There seems to be a piece of truth in the saying that a software
without a bug will never exist. Now you know why the documentation of
my programs always tells you "Use this program on your own risk."

Greetings
Frank Heyne
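
The failure described under "The bug" and the behaviour described under "Patch Availability" (hint plus spare file), modelled as an added Python sketch; it is not Heysoft's code. The function names, file names and the directory used as a stand-in for a target file that cannot be opened for writing are all assumptions made for the example.

```python
import os
import tempfile


def move_events(events, target, spare, clear_source):
    """Append events to target, or to spare if target cannot be written.

    clear_source() runs only after the bytes are confirmed on disk.
    Returns the path that received the events.
    """
    payload = b"".join(events)
    for path in (target, spare):
        try:
            before = os.path.getsize(path) if os.path.exists(path) else 0
            with open(path, "ab") as f:
                f.write(payload)
                f.flush()
                os.fsync(f.fileno())
            if os.path.getsize(path) - before != len(payload):
                raise OSError("short write")
        except OSError as exc:
            print(f"hint: cannot append to {path}: {exc}")
            continue
        clear_source()  # safe: the copy is verified
        return path
    raise RuntimeError("events not saved; source log left untouched")


def demo():
    # Constructed scenario: a directory at the target path stands in for
    # the .evt file that another program holds open without write sharing.
    d = tempfile.mkdtemp()
    target = os.path.join(d, "target.evt")
    spare = os.path.join(d, "spare.evt")
    os.mkdir(target)
    log = [b"event-1\n", b"event-2\n"]
    written = move_events(log, target, spare, log.clear)
    with open(written, "rb") as f:
        return written == spare, f.read(), log


if __name__ == "__main__":
    print(demo())
```

If neither file accepts the append, the function raises and never calls clear_source(), so the source log keeps its events.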