Windows Security Patch Issued February 13, 2007
by Microsoft Can Cause Text Truncation
with BarTender v7.10, 7.50 and v7.51
Summary
Microsoft released a Windows Security Patch on February 13, 2007 that actually
changes the way a Windows-provided text component works. As a result, two
very-well tested and long-used past versions of BarTender will now "cut off"
keyboard-entered data in certain situations. The problem and four available
workarounds are discussed below.
Latest BarTender Versions Not Affected
BarTender 7.7x is not affected by this problem. This includes version 7.70
(first released in July of 2005) through 7.75 service release 2 (first released
in January of 2007).
Details about the Windows Patch from Microsoft
From time to time, Microsoft issues minor Windows Security Patches to address
bugs and possible security vulnerabilities. These patches can be installed
automatically by internet-equipped Windows workstations, or they can be
installed manually by an I.T. manager or technician.
Windows patches typically only correct problems. Unfortunately, Windows Security
Patch KB918118, released by Microsoft on February 13, 2007, also changes the
functionality of the "DLL" named RICHED20.DLL, which is
provided for programmatic use by Windows software for editing text. The change
to the DLL, which has been a standard part of Windows since the release of
Windows XP, adversely affects the versions of BarTender listed below.
More details about the patch are available from Microsoft at
http://support.microsoft.com/?kbid=918118.
Affected BarTender Versions and Operating Systems
The Microsoft patch was evaluated by Seagull and found to cause the text
truncation problem on the following Windows operating systems:
- Windows XP (SP2 was tested)
- Windows 2003 Server (SP1 was tested)
The problem was not seen with Windows 2000 (SP4 was tested).
BarTender 7.10, 7.50 and 7.51 each exhibited the problem on one or both of
Windows XP and Windows 2003 Server. (Only v7.75 SR2 is approved for use on
Windows Vista.)
- BarTender v7.10 (First shipped by Seagull in June of 2003):
  Text truncation was seen on both XP and 2003 Server.
- BarTender v7.50:
  Text truncation was seen on Windows XP only.
- BarTender v7.51 (Last shipped on July 4th, 2005):
  Text truncation was seen on Windows XP only.
Symptoms
BarTender users that are simply printing existing label formats will not
experience any problems.
The problem occurs only when the Modify dialog is used to make
any changes to a label object that is also configured to print Screen Data of
more than 9 characters. ("Screen data" is static data that you enter at the
keyboard when using the Modify dialog, in contrast to the changing data read
from a database.) The symptom, which is the loss of all screen data beyond the
9 allowable characters per screen data "sub-string," affects both text and bar
code objects.
You will experience this truncation of anything beyond 9 Screen
Data characters if you double-click on a text or bar code object to bring up
the Modify dialog, then make any changes to the object, and then click
"Ok."
Character strings read from a database or a text file are not affected
and can therefore continue to be any length. Also, users that have a label
object set to "Prompt at Print Time" can enter in any length of text into the
prompt screen without truncation.
About Seagull’s Software Testing and Development Philosophies
We only release software after extensive testing on numerous "current" versions
of Windows. In addition, we follow "best practices" development standards to
maximize the likelihood of our products being compatible with future Windows
service releases and even new versions of Windows. Unfortunately, not all
events and trends can be anticipated in advance, which prevents us from
guaranteeing future compatibility. In this case, the DLL in question was first
released in the year 2002 and we have offered four possible workarounds. Only
paid software upgrades will be available.
Upgrading BarTender
BarTender v7.70 through v7.75 does not have the problem. Furthermore, because
v7.75 service release 2 is also
Windows Vista compatible, this may be a particularly good opportunity
to upgrade to the latest version of BarTender. Please see the appropriate
White Papers regarding details on what is new in the various versions
of 7.7x. You can also find details on
How to Upgrade on our web site. Alternatively, there are four
workarounds available for the text truncation problem.
Four Available Workarounds
Option 1: Use the I-Bar Edit Tool for Editing Screen Data
The problem is limited to use of the Modify dialog. You can still modify your
screen data without problems by using the I-Bar edit tool
in the main BarTender toolbar. Anytime you simply must use the Modify dialog to
change a label object, the quickest way to put back any truncated Screen Data
is by using the I-Bar edit tool.
Option 2: Use Print-Time Data Prompts
If you are frequently changing the Screen Data for a label object, you may wish
to take advantage of BarTender's customizable pop-up dialogs for data prompting
at print-time. The text entered into print-time data prompts may be of any
length. For more information, search on "prompt at print time" in BarTender's
help system.
Option 3: Copy the Original DLL into the BarTender Folder
Seagull Scientific has made the original RICHED20.DLL file
available on its web site (please see link below). By copying it into your
BarTender folder, you regain the original text editing functionality in
BarTender while retaining the patched DLL provided by Microsoft for use by the
rest of Windows.
We feel comfortable describing this option not because the original DLL has been
in use since the year 2002, but because we cannot define a scenario under which
BarTender could be "tricked" into exploiting the vulnerability as described by
Microsoft. However, we must mention that we cannot simply rule out the
possibility of an unknown vulnerability in the DLL.
As has been described by Microsoft, the potential vulnerability has to do with
users attempting to open virus-infected RTF (rich text) files using the DLL.
However, BarTender only uses the DLL for editing text on screen and
simply does not programmatically use it to load files. This is why we
cannot come up with a theoretical method by which the exploitation mechanism
would be possible through use of BarTender.
The original DLL can be downloaded from:
ftp://ftp.seagullscientific.com/BarTender/Hotfix/MS918118_BarTender_Patch/riched20.dll.
The tables below list the folders into which the various editions of BarTender
were installed by default. (We recommend that you download the original DLL
directly into the appropriate BarTender application folder in order to
eliminate the possibility of getting the two versions of the DLL confused with
each other.)
BarTender Version 7.10

| Edition | Install Directory |
|---|---|
| Trial | C:\Program Files\Seagull\BarTender 7.10\Trial |
| Basic | C:\Program Files\Seagull\BarTender 7.10\Basic |
| Professional | C:\Program Files\Seagull\BarTender 7.10\Professional |
| Professional Print-Only | C:\Program Files\Seagull\BarTender 7.10\Professional Print-Only |
| Standard | C:\Program Files\Seagull\BarTender 7.10\Standard |
| Standard Print Only | C:\Program Files\Seagull\BarTender 7.10\Standard Print Only |
| Enterprise (Domestic/International) | C:\Program Files\Seagull\BarTender 7.10\Enterprise |
| International (Determined by key) | C:\Program Files\Seagull\BarTender 7.10\International |
| UltraLite | C:\Program Files\Seagull\BarTender 7.10\UltraLite |

BarTender Version 7.50

| Edition | Install Directory |
|---|---|
| All editions | C:\Program Files\Seagull\BarTender\7.50 |

BarTender Version 7.51

| Edition | Install Directory |
|---|---|
| All editions | C:\Program Files\Seagull\BarTender\7.51 |
| UltraLite | C:\Program Files\Seagull\BarTender UltraLite\7.51 |
| UltraLite Plus | C:\Program Files\Seagull\BarTender UltraLite Plus\7.51 |
| OEM Print Module | C:\Program Files\Seagull\BarTender Command Print Only\7.51 |
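
A copy of RICHED20.DLL placed in an application folder is loaded ahead of the system copy and is never updated by Windows patches, so machines using Option 3 should be tracked. The PowerShell script below is an added example, not from Seagull or Microsoft: it lists every riched20.dll found under the default install root shown in the tables and compares it with the system copy. It assumes the default install location and a PowerShell version that provides Get-FileHash.

```powershell
# Added example: inventory application-local copies of riched20.dll under the
# default Seagull install root from the tables above and compare each one with
# the system copy that Windows patches maintain.
# Assumption: BarTender was installed to its default location. On 64-bit
# Windows a 32-bit install lives under "C:\Program Files (x86)" and loads the
# system copy from SysWOW64, so adjust both paths there.
$installRoot = 'C:\Program Files\Seagull'
$systemDll   = Join-Path $env:SystemRoot 'System32\riched20.dll'

function Get-DllFacts {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path        = $item.FullName
        FileVersion = $item.VersionInfo.FileVersion
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        LastWrite   = $item.LastWriteTime
    }
}

function Find-LocalRichEdit {
    param([string]$Root, [string]$SystemCopy)
    # No install root means nothing can shadow the system DLL from there.
    if (-not (Test-Path -LiteralPath $Root)) { return @() }
    $system = Get-DllFacts -Path $SystemCopy
    Get-ChildItem -LiteralPath $Root -Recurse -Filter 'riched20.dll' -File `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $local = Get-DllFacts -Path $_.FullName
            [pscustomobject]@{
                LocalCopy         = $local.Path
                LocalVersion      = $local.FileVersion
                SystemVersion     = $system.FileVersion
                # True means the application loads a DLL that differs from
                # the copy Windows keeps patched.
                DiffersFromSystem = ($local.SHA256 -ne $system.SHA256)
                LocalLastWrite    = $local.LastWrite
            }
        }
}

Find-LocalRichEdit -Root $installRoot -SystemCopy $systemDll |
    Format-Table -AutoSize
```

Any row with DiffersFromSystem set to True marks a BarTender folder that should be revisited once the installation is upgraded to 7.7x, at which point the local DLL can be deleted.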
Option 4: Uninstall the Windows Patch
Lastly, you can uninstall a Windows security patch by using the Add/Remove
Programs utility of the Windows Control Panel. This is quick and easy, but it
leaves your Windows system more vulnerable to an attack by a virus-infected RTF
file.