
Patch for IE spoofing problems released


nlinecomputers


About bleep-ing time of them! Glad they released it for 98 as well. I didn't know what it was for until it was mentioned here, only that it was another IE security fix.


Installed the update this morning, so far no problems.

Ricardo: see http://www.microsoft.com/technet/treeview/...in/MS04-004.asp

MS:

This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:

http(s)://username:password@server/resource.ext

For more information about this change, please see Microsoft Knowledge Base article 834489.

Additionally, this update will disallow navigation to "username:password@host.com" URLs for XMLHTTP.

Microsoft is currently creating an update to MSXML that will address this issue specifically for XMLHTTP and we will provide more information in this bulletin when the update becomes available.

BTW: in that article are some workarounds mentioned. HTH

For anyone who's interested in restoring the http://username:password@www.mysite.com/webstats/ behaviour after installing the latest patch you need to add 2 DWORD registry values:-

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\iexplore.exe

and

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\iexplore.exe

Set both values to 0.

I had to add the 2 keys after "Main". Close regedit, close any open IE windows, reopen IE and the username/password embedded links work again.

This, of course, also makes the spoofed URLs function again but protects you from the other 2 vulnerabilities the patch addressed. The choice is yours.

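Added example (not part of the thread and not Microsoft's code): a link audit for the `http(s)://username:password@server/resource.ext` syntax discussed above, which reports the host a browser would actually contact and flags user names that look like a site name. The function names, finding labels and sample links are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# A user name shaped like a DNS name or IPv4 address is the spoofing tell:
# the reader sees a familiar site first, but the browser contacts the host
# that follows the last '@'.
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}", re.I)
LINK = re.compile(r"https?://[^\s\"'<>]+", re.I)

def audit_url(url):
    """Return a finding dict for an http(s) URL that carries userinfo, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or parts.username is None:
        return None  # an '@' in the path or query is not userinfo
    user = unquote(parts.username)
    host = parts.hostname or ""
    if HOSTLIKE.fullmatch(user) and user.lower() != host:
        kind = "spoof-suspect"          # looks like one site, goes to another
    elif parts.password is not None:
        kind = "embedded-credentials"   # password travels inside the link
    else:
        kind = "userinfo"
    return {"kind": kind, "shown_first": user, "real_host": host, "url": url}

def audit_links(text):
    """Scan free text or HTML for http(s) links and return every finding."""
    found = (audit_url(m.group(0)) for m in LINK.finditer(text))
    return [f for f in found if f]

# Constructed sample input; example.* names and 192.0.2.10 are reserved
# documentation values, not real sites.
SAMPLE = """
<a href="http://www.example.com/webstats/">stats</a>
<a href="http://admin:s3cret@www.example.com/webstats/">stats, one click</a>
<a href="http://www.example.org@192.0.2.10/login.asp">Example Org sign-in</a>
<a href="https://www.example.net/page?mail=user@example.net">contact</a>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE):
        print(f"{f['kind']:21} real host: {f['real_host']:16} {f['url']}")
```
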

Guest LilBambi

Whether you switch to Mozilla and/or Firebird, you will still have some sites that you need IE for. There are a couple I really HAVE to use IE for. Also for those who use things like Quicken, and other programs which are making use of IE, this could also be an issue. And of course there is the Windows Update site as well.

I personally would rather login and go to the page rather than break the patch. This spoofing thing is a dangerous item, but that's just me. I also use Thunderbird and my default browser is Mozilla Firebird. I rarely use IE, but I do have the patch in place. Never know when it will come in handy to protect you.

Don't forget that as easy as it makes it for you to get to your webstats, it's just that easy to embed a link on a webpage that does the same thing.

Just not worth it to me.


Whether you switch to Mozilla and/or Firebird, you will still have some sites that you need IE for. There are a couple I really HAVE to use IE for. Also for those who use things like Quicken, and other programs which are making use of IE, this could also be an issue. And of course there is the Windows Update site as well.
Yes, you're right Fran.
I personally would rather login and go to the page rather than break the patch. This spoofing thing is a dangerous item, but that's just me. I also use Thunderbird and my default browser is Mozilla Firebird. I rarely use IE, but I do have the patch in place. Never know when it will come in handy to protect you.
...right again! IE was not patched "just for the fun", there was a good reason for it. So IMHO the breaking of the patch with these 2 registry keys is not a smart thing to do if you ask me.

Cluttermagnet
If you do not like the Update Feature. Link to download file on this page: Link to: Microsoft Security Bulletin MS04-004..
I'm running Win98SE on a 2.4GHz P4, 512M RAM

I never update IE as supplied in Win98 for a number of reasons.

Therefore I have IE 5.00.2614.3500 in my system.

According to the MS info page referenced, the earliest systems supported are, if I remember right, Win2000 running IE 5.01 SP2. So what do I do? If I put this patch on my system, do I just choose the 'oldest' one, Win2000 IE 5.01 SP2?

I rarely use IE- usually only to view the online catalog of Win98 patches and occasionally download a few of them. I already have a lot of the Win98 patches saved on my HD and various removable media for possible use later (after total expiration of legacy online support/ downloads).

Guest LilBambi

One of my clients had the same problem Cluttermagnet ... I installed IE 5.1 from my MS Office 2000 Pro disk on their system since it's only MS Office that's not free.

Then I was able to get the next upgrade off the web and went from there.

I would check with friends close by to see if they might have MS Office 2000 install disks and just install IE from the disk.


Whether you switch to Mozilla and/or Firebird, you will still have some sites that you need IE for. There are a couple I really HAVE to use IE for. Also for those who use things like Quicken, and other programs which are making use of IE, this could also be an issue. And of course there is the Windows Update site as well.
Some good points Bambi. There are a lot of apps that hook into the IE engine behind the scenes. Have you ever accessed the net through a help file (.chm)? That is using IE, just like Quicken and others. Any browser instance that is driven through an application likely uses the IE engine. That is why you should keep IE security patches up-to-date.

Cluttermagnet

Thanks, guys-

Two very good answers.

Redmaledeer, that evolt site is something I didn't know about. I had briefly considered upgrading IE to 5.5 just so I could try out Norton 2003. 2002 would put up with only having IE 5.00, but not 2003. I got a good enough chance to have a look at 2003 on a friend's machine, so I never upgraded my IE. Now I'm having the same debate with myself but I think I will end up installing the IE patch, so if that forces me to upgrade to 5.01 SP2, then I may do that. I never use the IE browser anyway, unless forced to do so, mainly for looking at the MS Win98 patches and occasionally downloading copies of them from MS for later install.

LilBambi, thanks for the comments about Office 2000. Well, it so happens I have the "Full product Premium edition" CD. Whether or not this is the "Pro" edition you are referring to is not clear to me. I looked and sure enough it has IE. And there is nothing in that folder but tons of .cab files, a few .exe's, and an .ini file. They didn't have the common decency to put a simple readme in there. Gee, thanks. So I have no idea which version of IE my CD carries. I suppose I could poke around in the .exe's Properties and pull up a version number that way- but it shouldn't be that hard to do. I guess I will go with the download from the Evolt site, under the circumstances.

Now one more question for both of you or for anybody- are there any traps and snares for the unwary with this 'upgrade'? Do I just click on the executable for the 5.01 install and have confidence that the upgrade will be installed correctly over top of my 5.00?

Edit: Ooops! Just looked at 5.01 SP2 and it is a 79.66M download. I'm on dialup and am lucky to get 28.8K. There is no way I'm going for it that way. Can you say "bloatware", boys and girls? Man, I'm sticking with Firebird for my 'real' browser, that's for sure! Sheesh!


Guest LilBambi

ClutterMagnet,

If your version of Office includes SP1, then it should have the right version of IE.

IE 5.0x - minimum supported version is 5.00.2919.6307 (IE 5.01, included in Office 2000 SR1).
http://www.bris.ac.uk/is/services/computer...auth/iever.html

More info on Office 2K SP1:
http://www.winsupersite.com/reviews/office2k_sr1.asp

Arhhh! I just found this info on your Microsoft Office 2000 Premium Full:
http://software.reviewindex.co.uk/reviews_...B00004U7GC.html

From the looks of the requirements here at Amazon in the UK, I'd say it was the first Full version of Office 2000 and would not likely have SP1 in it, UNLESS the disk actually says it on the face of it which the version of Office 2000 Professional that I have does have stamped right on the face of the disk:
http://www.amazon.co.uk/exec/obidos/ASIN/B...0756362-9282026

Sorry Cluttermagnet....however, if you find out it does have SP1, let us know :thumbsup:

The AOL CDs use IE behind the scenes so you can probably get a more recent version of IE that way. No need to install AOL, just look on the CD using Windows Explorer and look for the IE subfolder. It'll have the AOL logo on it probably, but that can be removed by using registry hack software like X-Setup (in fact, that lets you put anything in place of that logo you like!).

Regardless of whether you use IE or not, you should use the most recent version because MS doesn't care about updating older versions of IE anymore. If a patch works on older versions, they'll release it, but I don't think they'll put any extra effort into it. I have IE 6 on W98SE and it runs fine, though I do hardly ever use it (usually use Firebird). I can't believe how Microsoft sticks popups in on their own msn site now. No wonder they're so slow to put popup blocking in their browser!


Cluttermagnet - I took the evolt route to download IE5.5 SP2 (84Mb). It took four or five hours on my nominally 56K dialup modem but went uneventfully. Someone smarter than I might use a download manager to speed it up or to be able to resume the download if the connection broke, but I just did it in one swell foop. I have unlimited phone and ISP time. I don't remember all the details, but with some thought the rest went all right. One double-clicked on the .exe file which had been downloaded, and that yielded another file. That file had every conceivable IE component in it, and then you were presented with a menu or wizard to pick which of those components you wanted in your installation. A "customary" menu selection was available, so you could rely on that a lot.

This seemed to need a lot of room. I would expect it to use at least double the size of the download, but it seemed like more than that. Other than that, I used IEradicator to get rid of the old IE before committing myself to the new, and also poked around manually to get rid of any leftovers I could find. (I am indebted to a Scott's Forums contributor for the information about IEradicator.)

Then I went to the MS Windows Update Page and put in the patches that had been in the old IE but hadn't come with the download, and that was it.


Guest LilBambi
The AOL CDs use IE behind the scenes so you can probably get a more recent version of IE that way. No need to install AOL, just look on the CD using Windows Explorer and look for the IE subfolder. It'll have the AOL logo on it probably, but that can be removed by using registry hack software like X-Setup (in fact, that lets you put anything in place of that logo you like!). Regardless of whether you use IE or not, you should use the most recent version because MS doesn't care about updating older versions of IE anymore. If a patch works on older versions, they'll release it, but I don't think they'll put any extra effort into it. I have IE 6 on W98SE and it runs fine, though I do hardly ever use it (usually use Firebird). I can't believe how Microsoft sticks popups in on their own msn site now. No wonder they're so slow to put popup blocking in their browser!
Here's how to easily get rid of the branding if you have to use AOL CD, Earthlink etc.

Go to Start|Run and type in:
rundll32.exe iedkcs32.dll,Clear

Voila! No more branding. :D
