Bugtraq mailing list archives

Bug in EventSave


From: "Frank Heyne" <fh () heysoft de>
Date: Fri, 1 Nov 2002 21:38:57 +0100

Heysoft Security Bulletin
--------------------------------------------------------------------

Title:          Bug in EventSave and EventSave+ 

Date:           01 November 2002

Software:       EventSave prior to version 5.3
                EventSave+ prior to version 5.3

Vendor:         Frank Heyne Software 
                http://www.heysoft.de/

Impact:         Loss of events

Max Risk:       Critical

HTML version:   http://www.heysoft.de/nt/eventlog/hsb01e.htm

--------------------------------------------------------------------

Introduction:
=============
EventSave is a popular Freeware program. It moves all events from the 
current Windows NT (all versions) event logs into backup files. 
Regardless of how often the software is run, it moves all events of 
the same month and type from a machine into the same destination file. 
The move is actually implemented as a copy, followed by clearing 
the current logs.

EventSave+ is part of the Shareware "Report Event", a suite of 9 tools 
for managing Windows NT event logs. It works like EventSave, but also 
allows moving only the events of certain types of logs.


The bug:
========
When the program is run for the second or a later time in a month, it 
appends events to the (already existing) target file. But as long as the 
target file is opened by Microsoft's Event Viewer, no other program can 
write into this file. EventSave(+) failed to check whether it had 
successfully appended the events. No error was returned, and the
current log was cleared. Events which should have been moved into the
evt file opened by Microsoft's Event Viewer were lost.


Mitigating Factors:
===================
Using a non-blocking event viewer, like Elwiz from www.heysoft.de, for
viewing evt files allows EventSave(+) to write to the file which 
is currently opened by this viewer. (Actually, because we prefer Elwiz 
over Event Viewer, we did not find this bug earlier.)


Patch Availability:
===================
Version 5.3 of the Freeware program EventSave is available from
http://www.heysoft.de/nt/eventlog/ep-es.htm
This version will give a hint if the target file is not writable,
and it will write the events to a spare file in such a case.
One could use MER, which is also part of the "Report Event" suite,
to merge the events from the spare file into the correct target file 
later. Information about "Report Event" is available from
http://www.heysoft.de/nt/eventlog/ep-re.htm

Version 5.3 of EventSave+ is available for all registered users of 
"Report Event". Customers with a valid Support Pack have already received
information on where to download the new version. Customers without 
a valid Support Pack should contact support () heysoft de and provide 
their registration number to receive the update.


Acknowledgment:
===============
The person who reported the bug said: 
"I am not looking for publicity..."
Anyway, you know who you are, thanks for bringing the problem to my 
attention.


Final remark:
=============
I am sorry for the bug being there for so long. I don't know whether 
there was a loss of events anywhere (except for the customer who 
informed me about the bug). But because I am a firm believer in the 
idea of full disclosure, I think it is necessary to make the bug public. 
There seems to be a piece of truth in the saying that a software without 
a bug will never exist. Now you know why the documentation of my 
programs always tells you "Use this program on your own risk."

Frank Heyne


Greetings

Frank Heyne
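
The copy-then-clear sequence from "The bug", with the write check and 
spare-file fallback described under "Patch Availability", as an added 
Python example (not EventSave's own code). Assumptions: a list stands in 
for the live event log, a directory stands in for a target file held open 
by Event Viewer, and all function and file names are hypothetical.

```python
import os
import tempfile

def append_records(path, records):
    """Append records to path and confirm they landed; raise OSError if not."""
    data = b"".join(r + b"\n" for r in records)
    before = os.path.getsize(path) if os.path.exists(path) else 0
    with open(path, "ab") as f:          # raises OSError if the file is blocked
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    if os.path.getsize(path) != before + len(data):
        raise OSError("short write to " + path)

def move_events(log, target, spare):
    """Move every record in log to target, or to spare if target is blocked.

    Returns the path written, or None if nothing could be saved. The log is
    cleared only after a confirmed write, so a failed copy never loses events.
    """
    if not log:
        return target
    for path in (target, spare):
        try:
            append_records(path, log)
        except OSError as exc:
            print("warning: cannot write %s: %s" % (path, exc))
            continue
        log.clear()                      # safe: the copy has been verified
        return path
    return None                          # both writes failed, log left intact

def demo():
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample data; the directory simulates a locked evt file.
        blocked = os.path.join(d, "2002-11-System.evt")
        os.mkdir(blocked)
        spare = os.path.join(d, "2002-11-System.spare")
        log = [b"event 1", b"event 2"]
        used = move_events(log, blocked, spare)
        with open(spare, "rb") as f:
            saved = f.read().splitlines()
        log2 = [b"event 3"]
        used2 = move_events(log2, blocked, blocked)  # spare blocked as well
        return used == spare, saved, list(log), used2, list(log2)

if __name__ == "__main__":
    print(demo())
```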

