Not quite ripped from today’s headlines, these are the stories of our readers, their close encounters with not-so-helpful tech support staffers, narrow escapes from would-be viruses, and humble opinions on unwelcome software features. These are uncut and uncensored accounts, straight from BugNet subscribers. As such, BugNet makes no claims regarding their validity, ownership, safety, or even usefulness. But we think you’ll enjoy their honest and candid approach to those software maladies we lovingly call bugs, and no, not these kinds of bugs.

• McAfee VirusScan Alert
• Me Crashes
• Apologies
• More Naming Names
• Old Computers Equal Slow Computers
• A Real Fix

ADOBE
FrameMaker 6
Point your browser to http://til.info.apple.com/techinfo.nsf/artnum/n5809 to find out whether or not your Macintosh computer supports the Energy Saver control panel. If it doesn’t, don’t try running Adobe FrameMaker 6.0, otherwise this message may pop up: “The application ‘FrameMaker 6.0′ could not be opened because ‘PowerMgrLib’ could not be found”. The fact of the matter: FrameMaker 6.0 doesn’t run on any Macintosh that doesn’t support the Energy Saver control panel feature.

APPLE
iMac
If you have an Apple iMac or Power Mac G4 Cube with a slot loading CD-ROM or DVD drive, you can only use standard-sized round disks. You should not try to insert smaller disks or odd-sized disks into these types of drives.

CALDERA SYSTEMS
OpenLinux eDesktop 2.4
Caldera reports that there is a vulnerability in the way sperl interacts with /bin/mail that can be exploited by any local user to gain root access. This vulnerability exists in OpenLinux eServer, eBuilder 2.3, and eDesktop 2.4. Desktop 2.3 is not vulnerable. Caldera recommends upgrading immediately.

DEBIAN
GNU/Linux 2.2
Debian reports that the Netscape Communicator shipped with all recent versions of GNU/Linux has a couple of security holes, one in the jpeg handling portion and the other in the java virtual machine. All users of GNU/Linux and Netscape Communicator are encouraged to upgrade Communicator. Debian deb packages are available for all platforms from the following URL: http://www.debian.org/security/2000/20000901.

DEBIAN
GNU/Linux 2.2
A root exploit has been found in sysklogd. Debian notes that this exploit affects both 2.1 and 2.2. Update packages are available here: http://www.debian.org/security/2000/20000919.

IBM
ThinkPad A20p
If you want to upgrade to Windows ME on your IBM ThinkPad A20, there is a BIOS upgrade for you. Go to http://www.pc.ibm.com/qtechinfo/MIGR-4MNN8Y.html to get BIOS update 1.02, with a release date of 8/16/2000.

INTERACT COMMERCE
ACT! 2000 – PC
Be forewarned! Updating to Act! 2000 5.0.2.353 may not display e-mail attachments in the inbox, and may be missing when the message is opened, says Interact Commerce. A fix wasn’t available at the time of this writing, but a couple of solid workarounds are worth trying.

INTUIT
Quicken 2001
Intuit says the import of Quicken for Macintosh data into Quicken 98, 99, 2000, and 2001 may deliver an “Invalid QIF” message if the process is stopped by an unrecognized or damaged group of transactions. Complete workaround details are posted at http://www.intuit.com/support/quicken/faqs/mac3/2576.html.

INTUIT
QuickPayroll
This error may pop up during the installation routine of the patch update in Intuit QuickPayroll if the settings in the SYSTEM.INI file aren’t right: “ptchinst cause a gpf in mmsystem.dll @ 000a:00000032″. Examples of incorrect settings, plus workarounds for Windows 95 and 98 are posted at http://www.intuit.com/support/quickpayroll/faqs/1134.html.

LOTUS
Notes
In Lotus Notes 5 if you went to your Calendar view and deleted a canceled or expired meeting, a “Decline” notice would be sent to the other participants. This has been fixed in the Notes Quarterly Maintenance Release 5.0.4a.

If you are a subscriber, read the alert here.

Notes 5.0.4

When you upgrade to Lotus Domino 5.0.4, the Master Address Book template, which is MAB45.NTF, is deleted. Lotus says that if you have made changes to this, and don’t want to lose them, you should copy the file to some safe location before upgrading.

Notes 5.0.4
If you are setting up Lotus Notes and Lotus Domino 5.0.4 Server on a Windows computer, the middle initial of the Administrator User is dropped from the user record for the Domino Directory. However, it is used to the administrator group. That means you may end up as LBJ in one place, and LJ in another. Lotus suggests that the administrator not use the middle initial during setup. At any time after that, the middle initial is used correctly, and shouldn’t be a problem.

Notes 5.0.4
Don’t click the Back button when you are recording a silent install for Lotus Notes and Lotus Domino 5.0.4 on a partitioned server. If you do, you may get an result code of -12, which means this error: “Dialogs are out of order.” Your silent install will not run. The only workaround is not to do it.

Notes 5.0.4
If you are installing Lotus Notes and Lotus Domino 5.0.4, you may have some screen problems when using Netscape Navigator to set up your Domino server. If you have your cache set up for “Document in cache is compared to document on network” and set to “Never”, Lotus says your status “%” icons will not be update. You will have to reload manually if you want to see your Congratulations at the end. As a workaround, set the cache to “Once per session”.

Notes 5.0.4
If you are using a browser in Lotus Notes 5.0.4 to check on “View Participant Status” when you are the chair or owner of a meeting, you should always refresh your browser before rescheduling. If not, the reschedule notice may not get sent, and the calendar may not get updated.

Notes 5.0.4
Some upgrades in the Internet Cluster Manager in Lotus Notes 5.0.4 introduce incompatibilities with earlier versions. Because of this, Lotus says you should upgrade the entire ICM cluster to 5.0.4 at the same time. Otherwise, older versions may not recognize some of the 5.0.4 name encodings.

Notes 5.0.4
Lotus says you will have to make up your mind about using MIME. If you have upgraded to Notes 5.0.4, and in your mail client you have been running with the Prefers MIME setting for awhile, you will lose Notes 4 compatibility if you switch to Prefers Notes Rich Text or No Preferences. If you send mail to a Notes 4 client with attachments, the attachments won’t launch, or they will only be in Base64. There is no workaround.

Exchange
You may not be able to install Microsoft Exchange Server 5.5 SP 3 on a Windows 2000 cluster server. Instead, you may see this error message in the Setup Wizard: “Overlapped I/O operation is in progress. ID no: 0xc00203e5.” To fix this, manually add the A records to the Windows NT Server 4.0 DNS service. Then, go to the DNS tab in the TCP/IP stack properties. Configure it to search the local DNS before searching the Internet service provider’s DNS. For more help on this workaround, see http://support.microsoft.com/support/kb/articles/q263/0/29.asp.

Exchange Server
When you are using the Microsoft Exchange Server 5.5, and using the Exchange Connector for Lotus cc:Mail, you may not be able to get the correct synchronization with cc:Mail 8.5. According to Microsoft, there are new versions of Import32.exe and Export32.exe included with this version of cc:Mail, which Exchange can’t handle. There is a workaround, where you have to edit the Registry. Since editing the Registry incorrectly can harm your system, please see the full details at http://support.microsoft.com

Exchange Server 5.5
Sometimes when a message cannot be delivered by the Microsoft Exchange Server 5.5 Internet Mail Service, the service may still try to hunt for an IP address. There may be no more addresses to try, but it will still look, and will generate a Dr. Watson error message. Microsoft is testing a fix for this, which will be in a future service pack. If you need the fix earlier, contact Microsoft Technical Support and ask for Msexcimc.exe 5.5.2652.66.

Exchange Server 5.5 Service Pack 1
If you are installing Microsoft Exchange Server 5.5 Service Pack 1 on a computer that is also running Seagate BackupExec 7.0 with the Exchange add-in, you may see a message saying these files couldn’t be updated: %winnt%\system32\edbbcli.dll; %winnt%\system32\emsmdb.dll; %winnt%\system32\escprint.dll; %winnt%\system32\libxds.dll. You will then be given the choice of Abort, Retry, Ignore. Microsoft says you need to stop all the Seagate BackupExec services, and then choose Retry. (You should already have all the Exchange services halted, or else your error message was probably longer.)

Exchange Server 5.5
If you install the Extensible Storage Engine fix to the Microsoft Exchange Server 5.5, you may find that you have broken many third-party backup programs, including Cheyenne ARCserve 6.5. Microsoft is testing a permanent fix, which will be in a future service pack. As a workaround, they suggest replacing EDBBCLI.DLL with the Exchange Server 5.5 Service Pack 3 version, which is 5.5.2650.17.

Exchange Server 5.5
When you are looking at the message queue for a particular post office connection in Microsoft Exchange Server 5.5, and press the ALT key while doing so, you may get a crash in the Microsoft Mail Connector, with an error message pointing to CONADMIN.DLL. As yet, there is no fix nor workaround, so keep your fingers off the ALT key.

Exchange Server 5.5
Microsoft says that the documentation included with Migration Wizard for Exchange Server 5.5 Service Pack 1 and later is in error. If you want to use this tool to migrate mailboxes and calendars from Lotus Notes, see the corrected documentation at

http://support.microsoft.com/kb/q263755/.

Exchange Server 5.5
When you try to connect two Microsoft Exchange Server 5.5 computers via an X.400 connector, you may have problems if you later remove one of the connectors on one of the servers. It may cause the other server to hang. Microsoft is testing a fix which will be in a future service pack. If you really need the fix earlier, contact Microsoft Technical Support and ask for Emsmta.exe 5.5.2652.37.

GroupWise 5.5
You need to be careful with the Vacation Rule setting in Novell GroupWise 5.5. You may set a “Vacation” message that responds automatically. But if a message comes from an Internet Mail Client, it may automatically send a message back to the vacationer, which will send a “Vacation” message, which will generate another reply, and so on. Pretty soon, you have a GroupWise system filling up with these messages. As an administrative fix, start NWADMIN and go to Groupwise View, GWIA, Access Control. Then edit the SMTP Outgoing service, and turn off ‘Allow rule generated messages’.

GroupWise 5.5
In Novell GroupWise 5.5, if users log on from multiple machines, and they have their archive path set locally, such as to C:\ARCHIVE, they will end up with multiple archives on the different computers. This didn’t happen in GroupWise 5.2, said Novell. As a fix: 1) Set your archive path to a networked drive; 2) Make sure you don’t lock down at a post office or domain level; 3) Set the users cleanup options to manual delete and archive, and set the archive path to a local drive.

GroupWise 5.5
When you run the Novell GroupWise Plug-In for Microsoft Outlook 98 or 2000, accepted appointments should move directly from your Mailbox to your calendar. However, Novell says that sometimes they move very slowly, almost appearing stuck. They do not offer a workaround.

GroupWise
After installing the Novell GroupWise Plug-In for Microsoft Outlook 98 or 2000, you may get a crash when you exit Outlook. An error message will say EMALSCAN.DLL is the guilty party. Novell says this will happen if Network Associates McAfee VirusScan is installed, and you also have the Outlook Exchange scan add-in enabled. You can get a fix from Network Associates, or you can disable the Outlook Exchange add-in.

GroupWise
Novell has released an updated GroupWise 5.2.8 client for the Macintosh. They optimistically state that “all” defects with the 5.2.7 Mac client have been fixed. Look for GM528ben.bin at

?http://support.novell.com/cgi-bin/search/tidfinder.cgi?2956929.

A DOS device name bug that exploited a stability hole in Windows 9.x. By carefully crafting an HTML e-mail message, an attacker could create the dreaded blue screen of death (BSOD) when the message was read. Under certain conditions, if that gaffed e-mail were the first message in the Inbox, the BSOD would occur before Outlook had completely loaded, preventing the user from accessing any other messages in their Inbox. While this specific DOS device name bug was patched soon after, the problem with Outlook processing messages before the user selects them still remains.

Preview Pane Problems

The problem stems from Outlook’s ability to preview e-mail messages before the user opens them. If Preview Pane is enabled, then just highlighting the message will display its contents in the preview window. So if the first message in the list has a virus, or data corruption, Outlook will process it immediately — before the user has a chance to decide. This is especially annoying during the Outlook start up process, because Outlook will lockup, sometimes before it even has a chance to open the Inbox.

In our tests on Outlook 2000 running on a PC with Windows 2000, the freeze occurred during the opening Outlook splash screen. After launching the application, the Outlook welcome screen appeared and wouldn’t leave. In some cases, opening the task manager showed Outlook running but not responding. In others, Outlook is using more that 95% of the CPU. In all cases, we were never able to access the Inbox.

For the inexperienced user, this situation appears as though the Outlook programs is corrupted or is unable to find all of its pieces. When actually, Outlook has loaded but is getting stuck on a damaged e-mail message. This condition may look bleak, but there is something that the e-mail user can do to rifle through all that junk mail again.

Preview Panacea

Microsoft has acknowledged this problem in an older Knowledgebase article. They recommend that users start Outlook using a command-line switch that prevents auto-previewing. Command-line switches allow users to run applications with special options enabled (or disabled). To use the Outlook /nopreview switch, open the Windows Run dialog box (Ctrl-Esc, R) and type the complete path to Outlook.exe. We tried following Microsoft’s instructions by enclosing the path in quotes just as you see here:

“C:\Program Files\Microsoft Office\Office\Outlook.exe” /nopreview

However, this produced an error message on some of our machines that said, “Cannot start Microsoft Outlook. MAPI32.DLL is corrupt or the wrong version…” We did have luck using only 8.3 names in the path. So instead of the previous example, we typed the following:

C:\PROGRA~1\MICROS~2\Office>outlook /nopreview

This produced the desired results, by launching Outlook without the Preview Pane. The /nopreview startup switch will disable the Preview Pane and remove Preview Pane from the View menu option. Once we reached the Outlook Inbox, we were able to delete the offending e-mail message or move it to another folder. Once this was complete, we were able to restart Outlook normally (without the /nopreview switch) and everything worked fine.

Web site development packages like Dreamweaver, HoTMetaL, and HomeSite have brought HTML development to the masses. For the most part, these programs are able to hide the complexities of HTML code from untrained web site creators, allowing them to focus on the content more than the code. Protecting the user from HTML tags is a good thing as long as you can trust the web site development tool. But as BugNet reader Rajesh Dev discovered while using FrontPage, sometimes the development tool can be the problem instead of the solution. BugNet has confirmed a bug in Microsoft’s FrontPage 2000 that will have web masters wondering why some pages get arbitrarily assigned Cascading Style Sheets (CSS).

Cascading Style Sheets provide web developers with a convenient way to control formatting and appearance on multiple pages. Using style sheets instead of formatting each individual element allows developers to create a consistent look and feel. Changing a style attribute within a style sheet changes it for all pages that use that style sheet. So it’s a quick way to make the same change to multiple web pages. However, FrontPage 2000 inadvertently applies CSS to pages that were not supposed to have that particular style. This can be extremely frustrating for web site creators who spend hours getting the look of their web site just right, only to have FrontPage overwrite all of their changes.

Active Style

The problem manifests itself when the user creates Active Server Pages (ASP) in FrontPage. Microsoft introduced ASP with Internet Information Server 3.0 as a way to provide active web content that is browser independent. It is a server-side scripting environment used in creating interactive web server applications. However, when the user links to a CSS within an .asp file, FrontPage applies that style sheet to every page on the web site, even though the user specified a single page for the style. This phenomenon occurs on both .asp and on normal .htm (Microsoft’s extension for .html files) pages, even if those pages hadn’t originally specified a style sheet.

What this means is that after building a number of .htm pages and formatting them just the way you want, applying a .css file to a single .asp file will change the look and appearance of every other .asp and .htm page on your site. This strange behavior doesn’t occur when a style sheet is applied to a normal .htm file. In this case, the .css file is only inserted into the page that it was originally intended for.

Style Consultant

Fortunately, there are a couple of things that a user can do to prevent this problem. First, Microsoft has released a patch that is available in the latest Office 2000 Service Pack. This is a huge update so its size might discourage immediate download. For those wanting to wait before applying the patch, there are alternatives. First, you can avoid using style sheets with .asp pages. This is impractical, but will prevent style sheets from running amok on your web site.

Our recommendation is to apply the .css file by coding it directly into the HTML. You can do this by opening the .asp page in FrontPage and clicking on the HTML tab at the bottom of the screen. The link should look something like this:

<link rel=”stylesheet” type=”text/css” href=”StyleFileName.css”>

Where StyleFileName.css is the name of the cascading style sheet file that contains the format instructions that you want to apply to this page. This defeats the purpose of having a GUI-based web site development tool, but at least it will guarantee that all of your web pages display as intended.

Finally, you could upgrade to Office XP. We tested this version and found that it did not exhibit the same indiscriminate style sheets propagation.

But not all web sites behave that way. For example, if you enter a bad URL at Goggle.com (type a forward slash after the “.com” followed by a bunch of gibberish), you’ll get the expected “The page cannot be found” page. But try the same thing at Ipswitch.com, and you’ll never see a 404 error — instead you’ll be directed to the site’s home page. Microsoft.com escorts lost browsers to a linked Site Map.

Redirect Yourself

The HTTP at the beginning of web addresses stands for HyperText Transport Protocol. When something goes wrong with an HTTP address, it triggers a HyperText Transport Protocol error, which are numbered 100 through 505. Errors 400 through 505, of which 404 is the most common, are “configurable,” meaning the webmaster or system administrator can control how the web server responds to the error.

Apache, the most popular web server software, handles HTTP errors using a small text file, .htaccess, located in the public_html directory. The redirection syntax is straightforward:

ErrorDocument [error code] [url]

The URL following the error code can point to a valid page at any valid address. Usually, it points to a customized page in the site’s home directory:

ErrorDocument 404 /404error.html

But if you pointed the URL to the home page address (typically, index.html), then a 404 error would redirect the user to the site’s home page and no error page would be displayed. This is what Ipswitch.com does:

ErrorDocument 404 /index.html

Common HTTP Error Codes

Most common configurable HTTP errors:

400: Bad Request
The server does not understand the query sent by your browser.

403: Forbidden
You don’t have permission to access that address (URL) on this server.

404: Not Found
The address (URL) your are searching for was not found on the server.

412: Precondition Failed
The preconditions necessary to fulfill the request have not been met.

500: Server Error
The server was unable to fulfill the request because of an internal error.

501: Not Implemented
The functions required to fulfill the request have not been implemented on this server

503: Service Unavailable
The requested service is unavailable on this server.

Serve and Volley

The instructions above apply to Apache servers. The 404 error page on Microsoft IIS web servers can be changed by selecting the web site directory in Internet Information Services, clicking on Properties, selecting the Custom Errors property sheet, selecting the error message you would like to change, and then editing the path to the modified file. If your web hosting service uses a different program, your web host administrator should be able to provide the necessary details for modifying a 404 error page.

In fact, creating 404 error pages has become something of an art itself. Entire web sites have been devoted to inventive 404 error pages. A good place to start is the “404 Research Lab”.

Microsoft Gets Friendly

These days, the cost of running your own web site can be as low as $.10 a day, so anybody can be a webmaster. (ICANN registrar Catalog.com, for example, will host a minimal site for the cost of registering the domain.) All you need is a few free utilities (e.g., HTML-Kit, from Chami.com, WS-FTP LE, from Ipswitch.com), and you’re ready to put your digital presence online. So you edit the .htaccess file to direct bad URLs to your incredibly user-friendly 404 error page, FTP it to your site, test it out, and what happens?

“The page cannot be found”

“The page cannot be found” error is generated by Internet Explorer, not the web server. Microsoft’s rational is that the default HTTP error message is neither helpful nor useful, and they are right. The default 404 HTTP error message reads, in total:

404 Not Found
The requested URL was not found on this server

No other information is included. There is no redirection, and no other instructions. The Microsoft version is more helpful, though it looks like the small print in a legal document, and can turn people away as quickly as they arrive.

Late last night, Microsoft posted a Security Bulletin exposing a security risk that affects Microsoft SQL Server 7 and 2000. This security hole could allow a malicious user to commandeer a terminated, but cached, administrator connection. This would enable the hacker not only to execute queries in privileged mode, but could ultimately grant control of the server itself. Microsoft has posted a patch that eliminates this problem. With lab help from KeyLabs, BugNet was able to test the patch on both Windows NT 4 and Windows 2000.?

SQL Server, like many other server applications, caches connections as a way to boost performance. Every time a user connects to a server, the applications must expend resources in establishing and maintaining that connection. When a user terminates a connection with an application, eventually all the resources associated with the connection are returned to the system so that they can be used for other processes and connections. Sometimes connections are terminated unintentionally by client application errors, network failure, etc. By caching a terminated connection, server-based applications can eliminate the hassle of rebuilding a new link by reusing the resources of the cached connection.

Mixed Mode

This vulnerability doesn’t affect all installations of SQL Server. Specifically, this security lapse affects systems configured for Mixed Mode authentication, which is enabled by default. Systems configured for Windows Authentication Mode will not be affected. Mixed Mode allows the SQL Server to try to authenticate a client using Windows Authentication. If that doesn’t work, then the client is authenticated via SQL Server Authentication, using the username and password that are stored locally on the server. According to Microsoft, database administrators are “strongly recommended” to use Windows Authentication whenever possible.

Mixed Mode authentication, along with a faulty SQL query method, could allow an attacker to reuse a cached connection, presumably one that was created by an administrator. With this elevated privilege, the attacker could run any query against the database, including creating, modifying, or deleting records from the database. Using extended stored procedures, the attacker could essentially gain complete control over the server itself.

It’s important to note that in order to run a privilege-elevating query against the server, the user must already be authenticated. By limiting the potential risk to authenticated users, the offending query could conceivably be tracked and logged. Also, since the terminated connections are only cached for a short period of time, the attacker would only have a short window of opportunity to exploit this hole.

Patch Sequels

Microsoft’s 5 MB patch is available for SQL Server 7 with Service Pack 3 and SQL Server 2000. It eliminates this vulnerability by repairing the defective query method. The patch is currently available for download at Microsoft’s web site.

For those not wanting to patch their systems, there are workarounds available. The first is to disable Mixed Mode authentication. Since it is enabled by default, many users might have it enabled unintentionally, not knowing that it can be disabled.

A second workaround involves disabling ad hoc queries. To disable or disallow ad hoc queries, select the security tab under the SQL Server instance. Right click on the linked servers to bring up the general properties tab, and select the radio button next to “Other Data Source.” Choose “Microsoft OLE DB Provider for SQL Server” from the Provider Name drop down list, and click on the “Provider Options” button. Lastly, check the “disallow Ad Hoc queries” box.

One of the nicer aspects of tax preparation software is privacy — it’s just you, your checkbook and the IRS. A daunting enough prospect without worrying about anybody telling secrets out of school. Unfortunately, a glitch in TurboTax’s 1099 import feature came close to spilling the beans.

With the aim of making the investor’s life easier, Intuit partnered with seven financial institutions — Cititrade, Fidelity Investments, INVESCO Funds, Salomon Smith Barney, TD Waterhouse, T. Rowe Price, and The Vanguard Group — to automate the importing of 1099 information (i.e., from the sale of stocks and other financial instruments) into TurboTax. But as late as April 4, both the TurboTax 2000 Windows and Web versions contained glitches that resulted in the user’s brokerage account password and/or PIN information being sent to Intuit, or stored (without the user’s knowledge) on the computer’s local hard drive.

The bug affected TurboTax for the Web users who imported 1099 information before March 4, and TurboTax for Windows users who imported information between January 31 and March 4, and up to April 4 if they did not upgrade their software. TurboTax for Mac users are not at risk.

Intuit Responds

Intuit categorically states that any customer data sent them has not been “compromised,” and all user account information “inadvertently and temporarily saved to Intuit’s server” has been deleted, nor, claims Intuit, was any password or PIN information attached to the actual returns filed with the IRS or state agencies. Good enough, but if you don’t consider your computer’s hard drive a safe enough place to store unencrypted information, read on.

Those who saved their TurboTax for the Web information to their hard drive (before March 4) should delete the file (the default pathname is \Windows\Temporary Internet Files\Content.Ie5\Kps00ewz\Tax2000[1].Tax), and then go to http://www.turbotax.com, open their existing account, and resave the information. TurboTax for Windows users should likewise download the upgrade and resave their returns using the same filename. This will overwrite the older file that contained the password information.

Other Safeguards

We emphasize again that this problem concerns only those TurboTax users who imported 1099 information under the conditions described above (which Intuit estimates to constitute approximately one percent of its users). Nevertheless, Intuit recommends that those users contact their respective financial institutions in order to confirm what other steps they can take to guarantee the security of their accounts.

For example, according to James Gately, Managing Director of Direct Investor Services at The Vanguard Group, Vanguard has already disabled the passwords of shareholder members who utilized the 1099 import function. Vanguard members should have received a letter from the company describing the problem, the reasons for it, and how their passwords and PINs can be reset.

Intuit has also created a web page that addresses this problem in depth, and includes a toll-free phone number for customers who have any questions or concerns. Note that this page cannot be accessed from TurboTax for Windows online support, and it does not come up in a site search. The URL must be entered directly.

Letter From Vanguard to Their Customers

Dear Voyager Client:

Vanguard takes very seriously the security of our shareholders’ personal account information. That is why we are writing to you today. Recently, Intuit informed Vanguard and its other six financial institution partners about a potential security issue within the TurboTax(R) software program.

This issue has no impact on the accuracy of your 2000 tax return that you prepared using the software, and affects only those individuals who used the 1099 import process of Intuit’s TurboTax software (either the web version or the CD-ROM version). The import process permits Vanguard shareholders, along with clients of the other six financial institutions, to import their 1099 information directly into the TurboTax product.

During the 1099 import process, Intuit erroneously saved within the tax file your Vanguard.com password, as well as any of the other six financial institutions’ passwords, you entered for the import process. This was due to a programming error in the TurboTax software and was recently corrected.

Intuit has assured us that any saved passwords have been deleted. However, as a preventative measure, Vanguard has disabled the passwords of those shareholders who utilized the 1099 import function. To have your password reset, please contact us at 1-800-662-2739.

While we recognize that this action may be inconvenient, Vanguard is committed to protecting the sensitive information of our shareholders. As such, we have taken this step as a necessary precaution to safeguarding your personal data.

Additionally, if you are using the desktop application of the Intuit’s TurboTax software, we strongly encourage you to update the version you are using currently.

Handling of deductions and expenses is critical for business owners. According to the IRS (Section 179 expense deductions), a corporation may elect to expense part of the cost of tangible property that the corporation purchased. But what if you dispose of property you have already depreciated, or no longer use that property for business purposes? As the IRS has long recognized, deductions and expenses can be entered as negative as well as positive numbers. This may sound like a double negative, and it is: it comes out positive for the federal government.

For example, let’s say that in 1999 you took a one-time Section 179 expense deduction (Schedule K of 1140S, line 8). But in 2000 that same equipment was returned to the vendor for a refund. To “recapture” the deduction, you simply enter the negative amount. In essence, you are giving back to the IRS in the form of declared income the amount of the previously claimed deduction you no longer qualify for.

When an Error is not an Error

Intuit’s TurboTax program handles “negative deductions” well enough when dealing with normal Schedule A itemized deductions and other credits and expenses (such as Forms 8863 and 2441). However, when applying expense deductions to partnerships (Form 1065) and S-corporations (Form 1120S), the TurboTax K-1 worksheet does not allow recapture of a previously claimed deduction to be stated as a negative on line 8 –that is, if you intend to file electronically.

Nevertheless, TurboTax does tabulate the entry correctly. Your only recourse at this point, then, short of filling in Form 4979 (with supporting details), is to print out the return, apply the postage, and snail mail the wad of paper off to the IRS.

When an Error is an Error

There are firm grounds, however, to Intuit’s contention that they are following standard IRS practices and procedures. According to the “Instructions for Form 4797″ and “Instructions for Form 1120S,” when recapturing deductions under Sections 179 and 280F(b)(2), taxpayers should use Form 4797 (which TurboTax supports), and then report the Section 179 recapture on Line 23 in the Schedule K-1 worksheet (which TurboTax supports).

The question for the tax accountants and the IRS is whether skipping Form 4797 and directly entering a negative amount on line 8 constitutes “standard practices and procedures”; the question for Intuit is why a negative entry is flagged in this one area, and why it correctly calculates such an entry in a printout, but then does not accept it for electronic filing.