Spyware Sucks : Internet Explorer

ALERT: Out of band security patch to be released tomorrow, 17 December at 10.00am Pacific time

sandi — Tue, 16 Dec 2008 21:14:56 GMT

Announcement here:
http://blogs.technet.com/msrc/archive/2008/12/16/advance-notification-for-december-2008-out-of-band-release.aspx

The patch resolves the actively exploited vulnerability that has been in the press so much in recent days, and which is the subject of this Security Advisory:
http://www.microsoft.com/technet/security/advisory/961051.mspx

Problems with SiteMeter crashing Internet Explorer

sandi — Sun, 03 Aug 2008 03:53:35 GMT

I'm sure many of you have heard by now that SiteMeter made some changes to their tracking code, which led to their site counter crashing Internet Explorer 6 and 7 (and 5.5?). SiteMeter updated their code to fix the problem, but a side effect of the fix is, apparently, that the SiteMeter icon does not appear on web pages.

The worst of this incident is pretty much over now bar the shouting, but I do have to ask...

Why the heck didn't SiteMeter test their code changes before going live???

That, gentle reader, is what all this boils down to.

I don't expect those behind SiteMeter to have known of the existence of the bug described in MS KB927917, but I *do* expect them to test changes before sending them live.

Mark Russinovich: The Case of the Random IE and WMP rashes

sandi — Wed, 04 Jun 2008 04:50:00 GMT

I have just finished glancing over Mark Russinovich's latest blog entry, in which he described how he tracked down the cause of, and fix for, crashes affecting Internet Explorer on his Vista x64 gaming system, as well as crashes affecting Windows Media Player.

The diagnostic steps that Mark uses make for fantastic reading for the geeks amongst us - heck, all of his articles make for fantastic reading (especially his "The Case Of" blog entries).

I admit that I am not surprised that nVidia were at fault. Back in the days of IE5 (and to a lesser extent IE6) video card drivers were notorious for causing problems for Internet Explorer. It was standard operating procedure, especially for crashes involving kernel32.dll, to recommend updating video drivers and reducing hardware acceleration, and nuking a potentially corrupt IE cache (or, more precisely, a problematic index.dat file).

You can read Mark's article, "The Case of the Random IE and WMP rashes", here:
http://blogs.technet.com/markrussinovich/archive/2008/06/02/3065065.aspx

Important information about Windows XP SP3 for Internet Explorer users

sandi — Tue, 06 May 2008 05:00:00 GMT

You will be unable to remove IE8 Beta or IE7 after installing Windows XP SP3 because Microsoft wants to make sure that you do not encounter a problem commonly known as "DLL Hell".

IE8 Beta 1 users

You will NOT be offered Windows XP SP3 unless and until you remove IE8 Beta 1. This is because if you install windows XP SP3 without removing IE8 Beta 1, then you will no longer be able to remove IE8 Beta 1 and the Remove option will be greyed out in Add/Remove Programs.

Internet Explorer 7 Users

You will be offered Windows XP SP3 as a high priority update BUT if you install it you will not be able to remove IE7 without removing Windows XP SP3 first. It is recommended that you remove IE7, then install Windows XP SP3 then re-install IE7.

Internet Explorer 6 Users

You will be offered Windows XP SP3 as a high priority update. Windows XP SP3 ships with an updated version of IE6. No need to do anything else.

Problem - unable to change Internet Explorer's home page

sandi — Mon, 05 May 2008 00:22:00 GMT

Another cry for help received via email...

"You are my last best hope... I am just a regular guy from NY (not the city) with a problem. My homepage in IE7 is locked on a page I dont want. I try to change it in Internet options and it even says the homepage I want but it always goes to this other page. I set the page a month ago and now it wont go back. I even reinstalled IE7 but no luck. Any ideas? I can even send you a few bucks if you can help me out..."

Manufacturer/ISP Locking

Some computer manufacturers and suppliers of internet access set IE to their choice of home page and lock this setting via the registry. Hijackers use the same trick. The locking is done using registry settings as per the following:

Home Page Setting Changes Unexpectedly, or You Cannot Change Your Home Page Setting (Q320159)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q320159

Specific registry settings affected are:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel] - DWORD "HomePage"=dword:00000001 (grays out the whole section)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] - DWORD "NoSetHomePage"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions] - DWORD "NoSetHomePage"=dword:00000001

Protective software

Check your protective software (especially antispyware and antivirus). Spybot Search and Destroy, for example has a feature that will lock your home page. Other products that may lock your home page including Ad-aware's Ad-Watch, SpywareBlaster, SpySweeper, Norton AntiVirus, McAfee VirusScan and Antispyware, and both versions of Zone Alarm.

If you are using Spybot S&D, check your 'Immunize' settings which may be locking your home page.

Malware and viruses

If your computer home page is set to about:blank against your wishes, or any other page, you have a malware problem. For advice on fighting malware, check out the link below - the page is a little old, and probably needs updating, but overall the advice is still good:
http://inetexplorer.mvps.org/tshoot.html

The April Security Updates have been released by Microsoft

sandi — Wed, 09 Apr 2008 00:42:00 GMT

Details here:
http://www.microsoft.com/technet/security/bulletin/ms08-apr.mspx

The Cumulative Security Update for Internet Explorer is also available - details here:
http://www.microsoft.com/technet/security/Bulletin/MS08-024.mspx

Note that this month's cumulative update includes the IE Automatic Component Activation (IE ACA) update (which means no more "click to activate" prompts). The update replaces the previews released in December 2007 and February 2008.

More information about the IE ACA can be found here:
http://blogs.msdn.com/ie/archive/2007/11/08/ie-automatic-component-activation-changes-to-ie-activex-update.aspx

Also, an IE8 Beta 1 For Developers is now available in Chinese (Simplified) and German:

Chinese (simplified) http://www.microsoft.com/china/windows/products/winfamily/ie/ie8/getitnow.mspx
German http://www.microsoft.com/germany/windows/products/winfamily/ie/ie8/getitnow.mspx

New Internet Explorer KB articles

sandi — Sun, 16 Mar 2008 11:52:00 GMT

A script may not run as expected in IE when you open an HTML page and the HTML page contains an element that has injected HTML code

This issue occurs because Internet Explorer sets the security of an element as "about:blank" if the following conditions are true:

• A Web page inserts code into the element.
• The element is not included in the markup tree.

http://support.microsoft.com/default.aspx/kb/948550

-----

Certain characters in a file name may be converted to underscores when a user downloads a file by using IE7

This problem occurs because the Wininet.dll file resolves certain file stream issues when users download files by using Internet Explorer 7. To resolve this problem, do not use "Content-Disposition: Attachment; filename=" HTTP header.

http://support.microsoft.com/default.aspx/kb/949197

Microsoft Security Bulletin Advance Notification for February 2008

sandi — Fri, 08 Feb 2008 22:56:00 GMT

12 patches, including a critical patch for Internet Explorer:
http://www.microsoft.com/technet/security/bulletin/ms08-feb.mspx

Internet Explorer Knowledgebase articles

sandi — Mon, 21 Jan 2008 13:45:00 GMT

HOTFIX: The exception handler may not catch an exception in Internet Explorer 7 or in Internet Explorer 6 when you view a Web page that throws an exception from a function that is called through the expando property

You develop a Web page that throws an exception from a function. The function is called through the expando property of a DHTML object. When you use Windows Internet Explorer 7 to view the Web page, the exception handler may not catch this exception.

Note This problem also occurs in Windows Internet Explorer 6 when at least one parameter is passed to the function from which the exception is thrown. To work around this problem in Internet Explorer 6, see the "Workaround" section.

Source: http://support.microsoft.com/default.aspx/kb/944397

-----

HOTFIX: After you reapply Internet Explorer Maintenance Group Policy settings on a computer that has Internet Explorer 7 installed, a pop-up blocker exception site that you manually added is missing

Consider the following scenario:

• On a computer that has Internet Explorer 7 installed, you apply the Internet Explorer Maintenance Group Policy settings to add a pop-up blocker exception site.
• In the Internet Options dialog box, you manually add a new pop-up blocker exception site.
• You reapply the Group Policy settings on the computer.
In this scenario, you the new pop-up blocker exception site that you manually added in the Internet Options dialog box is missing from this dialog box.

Note This problem does not occur on computers that have Internet Explorer 6 installed.

http://support.microsoft.com/default.aspx/kb/944520

-----

The "Intranet Sites: Include all local (intranet) sites not listed in other zones" policy setting does not function as expected in Internet Explorer 7

Consider the following scenario:

• You are running Windows Internet Explorer 7 on a Windows-based computer.
• In a workgroup environment, you use Group Policy to disable the Turn on automatic detection of the intranet setting and to enable the Intranet Sites: Include all local (intranet) sites not listed in other zones setting.
• You use Internet Explorer 7 to access a local intranet site.

In this scenario, the local site is displayed through the Internet zone instead of through the "Local intranet" zone as expected.

Source: http://support.microsoft.com/default.aspx/kb/941001

Fix: problems after installing IE's December cumulative update

sandi — Wed, 19 Dec 2007 07:15:00 GMT

As we know, there have been reports of some IE6 users running Windows XP SP2 having problems accessing web pages after installing the December IE Cumulative Update - IE stops responding.

The problem has apparently been restricted to some customised installations.

A Knowledgebase article has been released that discusses the problem, and the fix (modifying the registry).

http://support.microsoft.com/kb/946627

HOTFIX: Internet Explorer 6 may crash under certain circumstances, such as when you open and close a Web page modal dialog box several times

sandi — Mon, 17 Dec 2007 23:15:00 GMT

You use Microsoft Internet Explorer 6 to browse to a Web page. However, Internet Explorer 6 may crash under certain circumstances, such as when you open and close a modal dialog box several times.

http://support.microsoft.com/KB/944435

New IE knowledgebase articles...

sandi — Sat, 15 Dec 2007 14:17:00 GMT

Just catching up on the paperwork here...

IE6 and IE7: Proxy server settings are not set correctly in IE6 afer you download a proxy script that uses chunk encoding

Install IE update MS07-069 then enable the fix by editing the registry

http://support.microsoft.com/default.aspx/kb/843289

----------

MS07-069: Cumulative security update for Internet Explorer

http://support.microsoft.com/default.aspx/kb/942615

---------

Some customized security settings for the Trusted sites zone in Internet Explorer 7 are reset to the default values on a Windows Vista-based computer

On a Windows Vista-based computer, you customize the following security settings for the Trusted sites zone in Windows Internet Explorer 7:

• Automatic Prompting for ActiveX controls
• Download signed ActiveX controls
• Automatic prompting for file downloads
• Allow Script-initiated windows without size or position constraints

However, after you install Internet Explorer cumulative security update 931768 (MS07-027) or security update 933566 (MS07-033), the security settings are reset to the default values.

Fix: Install the December update MS07-069.

http://support.microsoft.com/default.aspx/kb/943141

After you install and uninstall some toolbar items in Internet Explorer 6, toolbar names may become blank, or unrelated toolbar items may appear

sandi — Wed, 12 Dec 2007 00:02:00 GMT

IE6 has a problem wherein if you uninstall some toolbar items the following may occur:

• On the View menu of Internet Explorer 6, when you point to Toolbars to show the toolbar items, the toolbar names may become blank.

• In some cases, when you click to select one toolbar item, a different toolbar item may appear.

Microsoft advises that an update is available to resolve this problem and is available from the Windows Update Web site.

http://support.microsoft.com/default.aspx/kb/942202

An Internet Explorer Automatic Component Activation (IE ACA) Update Preview is available

sandi — Tue, 11 Dec 2007 22:35:00 GMT

The EOLAS lawsuit and its side effects continue their death throes. As part of the process, a preview of the update that will remove the changes forced by the EOLAS lawsuit is available for download here: http://support.microsoft.com/kb/945007/en-us

Note that the download is only a *preview* and for testing purposes only. Formal release is scheduled for April 2008.

Another important thing to note is that when the update (not the preview) is finally released, it *must* be installed on any system with MS07-069 installed. Likewise, you should not install the ACA update without MS07-069.

Vulnerability in Web Proxy Auto-Discovery (WPAD) Could Allow Information Disclosure

sandi — Tue, 04 Dec 2007 10:36:00 GMT

Microsoft is investigating new public reports of a vulnerability in the way Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). The technology that the vulnerability affects is Web Proxy Auto-Discovery (WPAD). Microsoft has not received any information to indicate that this vulnerability has been publicly used to attack customers, and Microsoft is not aware of any customer impact at this time. Microsoft is aggressively investigating the public reports. Customers whose domain name begins in a third-level or deeper domain, such as “contoso.co.us”, or for whom the following mitigating factors do not apply, are at risk from this vulnerability.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Mitigating Factors:

Customers who do not have a primary DNS suffix configured on their system are not affected by this vulnerability. In most cases, home users that are not members of a domain have no primary DNS suffix configured. Connection-specific DNS suffixes may be provided by some Internet Service Providers (ISPs), and these configurations are not affected by this vulnerability.
Customers whose DNS domain name is registered as a second-level domain (SLD) below a top-level domain (TLD) are not affected by this vulnerability. Customers whose DNS suffixes reflect this registration would not be affected by this vulnerability. An example of a customer who is not affected is contoso.com or fabrikam.gov, where “contoso” and “fabrikam” are customer registered SLDs under their respective “.com” and “.gov” TLDs.
Customers who have specified a proxy server via DHCP server settings or DNS are not affected by this vulnerability.
Customers who have a trusted WPAD server in their organization are not affected by this vulnerability. (See the Workaround section for specific steps in creating a WPAD.DAT file on a WPAD server.)
Customers who have manually specified a proxy server in Internet Explorer are not at risk from this vulnerability when using Internet Explorer.
Customers who have disabled 'Automatically Detect Settings' in Internet Explorer are not at risk from this vulnerability when using Internet Explorer.

Source: http://www.microsoft.com/technet/security/advisory/945713.mspx

HOTFIX: GIF images may not appear when you refresh a Web page in Internet Explorer 6

sandi — Fri, 30 Nov 2007 11:35:00 GMT

When you view a Web page by using Microsoft Internet Explorer 6, a GIF image that is located on the Web page appears as expected. However, if you press F5 to update the display, or if you click Refresh to update the display, the GIF image no longer appears. Instead, a red "X" appears as an image placeholder.

You experience this problem if the following conditions are all true:

• You visit the Web site over a Secure Sockets Layer (SSL) connection.
• You use a proxy server to connect to the Web site.
• The Web site uses NTLM authentication to access the Web page.

A hotfix is available to address this problem. Note that you must edit the registry after installing the Hotfix or it will not work.

Source: http://support.microsoft.com/default.aspx/kb/936994

IE6 and IE7 VPC images

sandi — Wed, 28 Nov 2007 23:07:00 GMT

Pete L reports that new builds of the IE6 and IE7 VPC images may be released as early as Monday or Tuesday.

Error message in Internet Explorer when you click a hyperlink that links to a file whose name contains UTF-8-encoded characters: "The page cannot be displayed"

sandi — Thu, 08 Nov 2007 23:31:00 GMT

This issue occurs if the following conditions are true:

• The hyperlink is a uniform resource identifier (URI) that links to a file.
• The file name contains UTF-8-encoded characters.

In the URI, the UTF-8-encoded characters are interpreted as a byte according to the current codepage. The meaning of the UTF-8-encoded characters in non-US-ASCII varies, depending on the locale in which the document is viewed.

To work around this issue, do not use percent-encoded octets to represent non-US-ASCII characters. To represent a non-US-ASCII character, you must use that non-US-ASCII character directly in the encoding of the document in which you write the URI.

http://support.microsoft.com/default.aspx/kb/941052

EOLAS: important changes soon

sandi — Thu, 08 Nov 2007 22:54:00 GMT

Well well well, isn't this interesting.

Microsoft have licensed the technologies that are covered by the infamous Eolas patent, and will be removing the “click to activate” requirement in Internet Explorer.

Regular readers of this blog will remember that a recent US High Court decision cast doubt on whether the original award to EOLAS of $521 would stand. The potential was there for the award to be reduced to $187 million.

The change that has now been announced by the IE team will require no modifications to existing webpages, and no new actions for developers creating new pages. IE will revert to its original behaviour.

There will be a "preview release" incorporating the changes called the "Internet Explorer Automatic Component Activation Preview", which will be available in December 2007 via the Microsoft Download Center. The change will also be made part of the next pre-release versions of Windows Vista SP1 and Windows XP SP3. It is anticipated that the change will be released to the general public as part of IE's April 2008 Cumulative Update.

Announcement: http://blogs.msdn.com/ie/archive/2007/11/08/ie-automatic-component-activation-changes-to-ie-activex-update.aspx

Internet Explorer 6 Knowledge Base articles

sandi — Sat, 20 Oct 2007 09:13:00 GMT

When you IE6 to move from a Web site on an XP SP2-based computer, IE may crash On a Windows XP Service Pack 2 (SP2)-based computer, you use Microsoft Internet Explorer 6 to move from a Web site that contains a reference to a style sheet. In this case...(read more)