nlinecomputers Posted February 3, 2004 Share Posted February 3, 2004 Microsoft SecurityWell it about 6 weeks to long in getting to us but Microsoft has finally coughed up a patch for the spoofing problems found in IE about 2 months ago.Hit Windows update and patch your systems. Quote Link to comment Share on other sites More sharing options...
havnblast Posted February 3, 2004 Share Posted February 3, 2004 link dont work Quote Link to comment Share on other sites More sharing options...
nlinecomputers Posted February 3, 2004 Author Share Posted February 3, 2004 Sorry 'bout that. A stray ' got put into the link. Fixed. Link should work now. Quote Link to comment Share on other sites More sharing options...
JackR Posted February 3, 2004 Share Posted February 3, 2004 If you do not like the Update Feature.Link to download file on this page:Link to: Microsoft Security Bulletin MS04-004.. Quote Link to comment Share on other sites More sharing options...
epp_b Posted February 3, 2004 Share Posted February 3, 2004 Thanks, NLine, all patched up ...and Wow! Microsoft is actually keeping with their promise to update Win98 (for now) Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted February 3, 2004 Share Posted February 3, 2004 :thumbsup:Got mine today too! Quote Link to comment Share on other sites More sharing options...
linuxdude32 Posted February 3, 2004 Share Posted February 3, 2004 About bleep-ing time of them! Glad they released it for 98 as well. I didn't know what it was for until it was mentioned here, only that it was another IE security fix. Quote Link to comment Share on other sites More sharing options...
havnblast Posted February 3, 2004 Share Posted February 3, 2004 Any problems with this patch? Sometimes a patch can be scarey to apply - I've heard any bad things yet, but it is early yet. Quote Link to comment Share on other sites More sharing options...
Ricardo Posted February 3, 2004 Share Posted February 3, 2004 I applied the patch and found that a few Internet shortcuts I had didn't work anymore such as:-http://username:password@www.mysite.com/webstats/anyone know how to get around this or is it just the price of increased security? Quote Link to comment Share on other sites More sharing options...
striker Posted February 3, 2004 Share Posted February 3, 2004 Installed the update this morning,so far no problems.Ricardo : see http://www.microsoft.com/technet/treeview/...in/MS04-004.aspMS : This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:http(s)://username:password@server/resource.extFor more information about this change, please see Microsoft Knowledge Base article 834489.Additionally, this update will disallow navigation to "username:password@host.com" URLs for XMLHTTP.Microsoft is currently creating an update to MSXML that will address this issue specifically for XMLHTTP and we will provide more information in this bulletin when the update becomes available. BTW : in that article are some workarounds mentioned . HTH Quote Link to comment Share on other sites More sharing options...
nlinecomputers Posted February 3, 2004 Author Share Posted February 3, 2004 FWIW that use of the @ sign in URLs doesn't work in Mozilla which implies that it is non standard(W3C) Quote Link to comment Share on other sites More sharing options...
Ricardo Posted February 3, 2004 Share Posted February 3, 2004 For anyone who's interested in restoring the http://username:password@www.mysite.com/webstats/ behaviour after installing the latest patch you need to add 2 DWORD registry values:-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\iexplore.exeandHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\iexplore.exeSet both values to 0.I had to add the 2 keys after "Main". Close regedit, close any open IE windows, reopen IE and the username/password embedded links work again.This, of course, also makes the spoofed URLs function again but protects you from the other 2 vulnerabilities the patch addressed. The choice is yours. Quote Link to comment Share on other sites More sharing options...
striker Posted February 3, 2004 Share Posted February 3, 2004 Why don't you just use Mozilla instead of IE ? Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted February 3, 2004 Share Posted February 3, 2004 Whether you switch to Mozilla and/or Firebird, you will still have some sites that you need IE for. There are a couple I really HAVE to use IE for. Also for those who use things like Quicken, and other programs which are making use of IE, this could also be an issue. And of course there is the Windows Update site as well.I personally would rather login and go to the page rather than break the patch. This spoofing thing is a dangerous item, but that's just me. I also use Thunderbird and my default browser is Mozilla Firebird. I rarely use IE, but I do have the patch in place. Never know when it will come in handy to protect you.Don't forget that as easy as it makes it for you to get to your webstats, it's just that easy to embed a link on a webpage that does the same thing.Just not worth it to me. Quote Link to comment Share on other sites More sharing options...
striker Posted February 3, 2004 Share Posted February 3, 2004 Whether you switch to Mozilla and/or Firebird, you will still have some sites that you need IE for. There are a couple I really HAVE to use IE for. Also for those who use things like Quicken, and other programs which are making use of IE, this could also be an issue. And of course there is the Windows Update site as well.Yes, you're right Fran .I personally would rather login and go to the page rather than break the patch. This spoofing thing is a dangerous item, but that's just me. I also use Thunderbird and my default browser is Mozilla Firebird. I rarely use IE, but I do have the patch in place. Never know when it will come in handy to protect you....right again !IE was not patched "just for the fun",there was a good reason for it. So IMHO the breaking of the patch with these 2 registrykeys is not a smart thing to do if you ask me. Quote Link to comment Share on other sites More sharing options...
Cluttermagnet Posted February 3, 2004 Share Posted February 3, 2004 If you do not like the Update Feature.Link to download file on this page:Link to: Microsoft Security Bulletin MS04-004..I'm running Win98SE on a 2.4GHz P4, 512M RAMI never update IE as supplied in Win98 for a number of reasons.Therefore I have IE 5.00.2614.3500 in my system.According to the MS info page referenced, the earliest systems supported are, if I remember right, Win2000 running IE 5.01 SP2. So what do I do? If I put this patch on my system, do I just choose the 'oldest' one, Win2000 IE 5.01 SP2?I rarely use IE- usually only to view the online catalog of Win98 patches and occasionally download a few of them. I already have a lot of the Win98 patches saved on my HD and various removable media for possible use later (after total expiration of legacy online support/ downloads). Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted February 3, 2004 Share Posted February 3, 2004 One of my clients had the same problem Cluttermagnet ... I installed IE 5.1 from my MS Office 2000 Pro disk on their system since it's only MS Office that's not free.Then I was able to get the next upgrade off the web and went from there.I would check with friends close by to see if they might have MS Office 2000 install disks and just install IE from the disk. Quote Link to comment Share on other sites More sharing options...
ibe98765 Posted February 3, 2004 Share Posted February 3, 2004 Whether you switch to Mozilla and/or Firebird, you will still have some sites that you need IE for. There are a couple I really HAVE to use IE for. Also for those who use things like Quicken, and other programs which are making use of IE, this could also be an issue. And of course there is the Windows Update site as well.Some good points Bambi. There are a lot of apps that hook into the IE engine behind the scenes. Have you ever accessed the net through a help file (.chm)? That is using IE, just like Quicken and others. Any browser instance that is driven through an application likely uses the IE engine. That is why you should keep IE security patches up-to-date. Quote Link to comment Share on other sites More sharing options...
redmaledeer Posted February 3, 2004 Share Posted February 3, 2004 Cluttermagnet and LilBambi - If it's IE 5.01 that you want, that can also be downloaded from evolt:http://browsers.evolt.org/?ie/32bitI originally learned about evolt from Scott's Forums, and thanks to all for being such a helpful group of people. Quote Link to comment Share on other sites More sharing options...
Cluttermagnet Posted February 4, 2004 Share Posted February 4, 2004 Thanks, guys-Two very good answers.Redmaledeer, that evolt site is something I didn't know about. I had briefly considered upgrading IE to 5.5 just so I could try out Norton 2003. 2002 would put up with only having IE 5.00, but not 2003. I got a good enough chance to have a look at 2003 on a friend's machine, so I never upgraded my IE. Now I'm having the same debate with myself but I think I will end up installing the IE patch, so if that forces me to upgrade to 5.01 SP2, then I may do that. I never use the IE browser anyway, unless forced to do so, mainly for looking at the MS Win98 patches and occasionally downloading copies of them from MS for later install.LilBambi, thanks for the comments about Office 2000. Well, it so happens I have the "Full product Premium edition" CD. Whether or not this is the "Pro" edition you are referring to is not clear to me. I looked and sure enough it has IE. And there is nothing in that folder but tons of .cab files, a few .exe's, and an .ini file. They didn't have the common decency to put a simple readme in there. Gee, thanks. So I have no idea which version of IE my CD carries. I suppose I could poke around in the .exe's Properties and pull up a version number that way- but it shouldn't be that hard to do. I guess I will go with the download from the Evolt site, under the circumstances.Now one more question for both of you or for anybody- are there any traps and snares for the unwary with this 'upgrade'? Do I just click on the executable for the 5.01 install and have confidence that the upgrade will be installed correctly over top of my 5.00?Edit: Ooops! Just looked at 5.01 SP2 and it is a 79.66M download. I'm on dialup and am lucky to get 28.8K. There is no way I'm going for it that way. Can you say "bloatware", boys and girsl? Man, I'm sticking with Firebird for my 'real' browser, that's for sure! Sheesh! Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted February 4, 2004 Share Posted February 4, 2004 ClutterMagnet,If your version of Office includes SP1, then it should have the right version of IE. IE 5.0x - minimum supported version is 5.00.2919.6307 (IE 5.01, included in Office 2000 SR1). http://www.bris.ac.uk/is/services/computer...auth/iever.htmlMore info on Office 2K SP1:http://www.winsupersite.com/reviews/office2k_sr1.aspArhhh! I just found this info on your Microsoft Office 2000 Premium Full:http://software.reviewindex.co.uk/reviews_...B00004U7GC.htmlFrom the looks of the requirements here at Amazon in the UK, I'd say it was the first Full version of Office 2000 and would not likely have SP1 in it, UNLESS the disk actually says it on the face of it which the version of Office 2000 Professional that I have does have stamped right on the face of the disk:http://www.amazon.co.uk/exec/obidos/ASIN/B...0756362-9282026Sorry Cluttermagnet....however, if you find out it does have SP1, let us know Quote Link to comment Share on other sites More sharing options...
linuxdude32 Posted February 5, 2004 Share Posted February 5, 2004 The AOL CDs use IE behind the scenes so you can probably get a more recent version of IE that way. No need to install AOL, just look on the CD using Windows Explorer and look for the IE subfolder. It'll have the AOL logo on it probably, but that can be removed by using registry hack software like X-Setup (in fact, that lets you put anything in place of that logo you like!).Regardless of whether you use IE or not, you should use the most recent version because MS doesn't care about updating older versions of IE anymore. If a patch works on older versions, they'll release it, but I don't think they'll put any extra effort into it. I have IE 6 on W98SE and it runs fine, though I do hardly ever use it (usually use Firebird). I can't believe how Microsoft sticks popups in on their own msn site now. No wonder they're so slow to put popup blocking in their browser! Quote Link to comment Share on other sites More sharing options...
redmaledeer Posted February 5, 2004 Share Posted February 5, 2004 Cluttermagnet - I took the evolt route to download IE5.5 SP2 (84Mb). It took four or five hours on my nominally 56K dialup modem but went uneventfully. Someone smarter than I might use a download manager to speed it up or to be able to resume the download if the connection broke, but I just did it in one swell foop. I have unlimited phone and ISP time. I don't remember all the details, but with some thought the rest went all right. One double=clicked on the .exe file which had been downloaded, and that yielded another file. That file had every conceivable IE component in it, and then you were presented with a menu or wizard to pick which of those components you wanted in your installation. A "customary" menu selection was available, so you could rely on that a lot.This seemed to need a lot of room. I would expect it to use at least double the size of the download, but it seemed like more than that. Other than that, I used IEradicator to get rid of the old IE before commiting myself to the new, and also poked around manually to get rid of any leftovers I could find. (I am indebted to a Scott's Forums contributor for the information about IEradicator.)Then I went to the MS Windows Update Page and put in the patches that had been in the old IE but hadn't come with the download, and that was it. Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted February 8, 2004 Share Posted February 8, 2004 The AOL CDs use IE behind the scenes so you can probably get a more recent version of IE that way. No need to install AOL, just look on the CD using Windows Explorer and look for the IE subfolder. It'll have the AOL logo on it probably, but that can be removed by using registry hack software like X-Setup (in fact, that lets you put anything in place of that logo you like!).Regardless of whether you use IE or not, you should use the most recent version because MS doesn't care about updating older versions of IE anymore. If a patch works on older versions, they'll release it, but I don't think they'll put any extra effort into it. I have IE 6 on W98SE and it runs fine, though I do hardly ever use it (usually use Firebird). I can't believe how Microsoft sticks popups in on their own msn site now. No wonder they're so slow to put popup blocking in their browser!Here's how to easily get rid of the branding if you have to use AOL CD, Earthlink etc.Go to Start|Run and type in:rundll32.exe iedkcs32.dll,Clear Voila! No more branding. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.