Spyware Sucks : Internet Explorer 7

ALERT: Out of band security patch to be released tomorrow, 17 December at 10.00am Pacific time

sandi — Tue, 16 Dec 2008 21:14:56 GMT

Announcement here:
http://blogs.technet.com/msrc/archive/2008/12/16/advance-notification-for-december-2008-out-of-band-release.aspx

The patch resolves the actively exploited vulnerability that has been in the press so much in recent days, and which is the subject of this Security Advisory:
http://www.microsoft.com/technet/security/advisory/961051.mspx

Vista x64 and Internet Explorer

sandi — Sat, 25 Oct 2008 02:13:10 GMT

I received this email today:

"I bought a 64 bit HP PC with Vista Home Premium and ie7 installed. When I was at a website to view something today it said I needed an Adobe plugin and directed me to Adobe. But Adobe said it did not have a 64 bit version and to use a 32 bit browser. After a bit of searching on the internet I finally got back to looking at programs on the new PC and found that there are 64 bit programs in the Prigram folder and 32 bit programs in the Program (x86) folder. And in each program folder there were ie7 programs. I suspect the desktop ie7 is 64 bit. So can I install a 32 bit version of ie7 from the x86 folder and thus have two versions of ie7?"

Vista x64 comes with two versions of Internet Explorer, a 32 bit version and a 64 bit version. The No Add-Ons version is simply the 32 bit version with a special switch added to the target path.

There is no need to install anything to get access to the 32 bit (x86) version of Internet Explorer. Simply run the correct executable. These are the target paths:

Vista (32 bit) = "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Vista (64 bit) = "C:\Program Files\Internet Explorer\iexplore.exe"
Vista (No Add-Ons) = "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -extoff

I have also created a special shortcut that opens Internet Explorer in InPrivate mode:

Vista (32 bit) InPrivate = "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -private

I have added a shortcut for each version of IE, as well as a shortcut with the -extoff switch and the -private switch to my QuickLaunch bar.

My correspondent was right when he pointed out that there is no x64 version of Flash - Flash is not unique when it comes to this restriction.

Internet Explorer Security levels compared... courtesy of Steve Riley

sandi — Mon, 22 Sep 2008 03:53:16 GMT

I've wanted to do this for ages ... never did get around to it ... ;o)

Steve has put together a chart listing the default settings for each Internet Explorer security level (IE7 on Vista SP1) - you can find it here:
http://blogs.technet.com/steriley/archive/2008/09/16/internet-explorer-security-levels-compared.aspx

Problems with SiteMeter crashing Internet Explorer

sandi — Sun, 03 Aug 2008 03:53:35 GMT

I'm sure many of you have heard by now that SiteMeter made some changes to their tracking code, which led to their site counter crashing Internet Explorer 6 and 7 (and 5.5?). SiteMeter updated their code to fix the problem, but a side effect of the fix is, apparently, that the SiteMeter icon does not appear on web pages.

The worst of this incident is pretty much over now bar the shouting, but I do have to ask...

Why the heck didn't SiteMeter test their code changes before going live???

That, gentle reader, is what all this boils down to.

I don't expect those behind SiteMeter to have known of the existence of the bug described in MS KB927917, but I *do* expect them to test changes before sending them live.

FIX: msfeedssync.exe crashes (RSS synchronization - IE7 and IE8)

sandi — Thu, 31 Jul 2008 02:02:46 GMT

I have over 400 RSS Feed subscriptions that I keep an eye on, and which need to be checked regularly, sometimes every 15 minutes. A couple of days ago, msfeedssync started crashing every time a synchronization was due. The errors were:

Faulting application msfeedssync.exe, version 8.0.6001.17184, time stamp 0x47ccc712, faulting module msfeeds.dll, version 8.0.6001.17184, time stamp 0x47ccc720, exception code 0xc00000fd, fault offset 0x00002046, process id 0x1c98, application start time 0x01c8f1484814c945.

Faulting application msfeedssync.exe, version 8.0.6001.17184, time stamp 0x47ccc712, faulting module msvcrt.dll, version 7.0.6000.16386, time stamp 0x4549bd61, exception code 0xc00000fd, fault offset 0x00009bb2, process id 0x1ec0, application start time 0x01c8f1471a9905e9.

Faulting application msfeedssync.exe, version 8.0.6001.17184, time stamp 0x47ccc712, faulting module WININET.dll, version 8.0.6001.17509, time stamp 0x481c0708, exception code 0xc00000fd, fault offset 0x00004062, process id 0x2604, application start time 0x01c8f146dc893df3.

Faulting application msfeedssync.exe, version 8.0.6001.17184, time stamp 0x47ccc7a5, faulting module kernel32.dll, version 6.0.6000.16386, time stamp 0x4549d328, exception code 0xc00000fd, fault offset 0x0000000000037b93, process id 0xe94, application start time 0x01c8efbadb2c6b9a.

Faulting application msfeedssync.exe, version 8.0.6001.17184, time stamp 0x47ccc7a5, faulting module ntdll.dll, version 6.0.6000.16386, time stamp 0x4549d372, exception code 0xc00000fd, fault offset 0x00000000000529c5, process id 0x10f4, application start time 0x01c8ef973bc855f2.

As you can see, things were a real mess. These are the troubleshooting and diagnostic steps that I used to solve the problem:

Check if the Feed Task is corrupt by running the following command:

schtasks /query | findstr /i "user_feed"

Results:
User_Feed_Synchronization-{C73963F9-62BB-4 27/07/2008 10:15:00 Could not start

Ok, that is not good.
Stop and restart the Feeds Task:

C:\Windows\system32>msfeedssync disable
C:\Windows\system32>msfeedssync enable
Check Feed Task status again:

schtasks /query | findstr /i "user_feed"

Results:
User_Feed_Synchronization-{B70B1824-595E-4 27/07/2008 10:14:00 Ready
User_Feed_Synchronization-{C73963F9-62BB-4 27/07/2008 10:15:00 Could not start

Ok, not good - now I have two tasks - there is definitely an issue with the original task which is unable to start.
Disable the Feeds Task:

msfeedssync disable
Check to make sure that both Feed Tasks are gone:

schtasks /query | findstr /i "user_feed"

Results:
No tasks running - that is good
Restart the Feeds Task and check to see what we have got:

msfeedssync enable

schtasks /query | findstr /i "user_feed"

Results:
User_Feed_Synchronization-{B70B1824-595E-4 27/07/2008 10:23:00 Ready

Ok, this is good.. the bad Feed Task is gone, but msfeedssync is still crashing - something else is wrong.

Tried disabling Antivirus - that didn't fix the problem.
Tried running IE in "no add-ons" mode - msfeedssync is still crashing.
I fired up Fiddler, which records RSS activity. It turns out msfeedssync was crashing on the same feed every time - I deleted that feed but the subscription was cached somewhere that wasn't updating properly because IE8 continued to check the same feed despite it being deleted (and IE shut down and restarted, and the computer being restarted as well).
Ok, the fact that IE continues to check a feed that I have deleted from my Feeds subscriptions indicates that we are most likely dealing with a corrupt file, but which one?

I exported my list of feeds to an OPML file, then deleted the file "FeedsStore.feedsdb-ms" that is located in \Users\%username%\AppData\Local\Microsoft\Feeds. Next, I ran "msfeedssync forcesync".

Results:
msfeedssync continued to crash, but now it was crashing immediately instead of when it hit a particular feed :o( Ok, I just made things worse.
Using Process Monitor, I could see that msfeedssync was crashing immediately after it (apparently successfully) closed this file:

\USERS\%username%\AppData\Local\Microsoft \Feeds Cache\index.dat

I deleted the entire contents of that folder, including index.dat.

Results:
msfeedssync stopped crashing - YAY!!

Process Monitor is a free Sysinternals program available from Microsoft. You can download it here:
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx?PHPSESSID=d926

Important information about Windows XP SP3 for Internet Explorer users

sandi — Tue, 06 May 2008 05:00:00 GMT

You will be unable to remove IE8 Beta or IE7 after installing Windows XP SP3 because Microsoft wants to make sure that you do not encounter a problem commonly known as "DLL Hell".

IE8 Beta 1 users

You will NOT be offered Windows XP SP3 unless and until you remove IE8 Beta 1. This is because if you install windows XP SP3 without removing IE8 Beta 1, then you will no longer be able to remove IE8 Beta 1 and the Remove option will be greyed out in Add/Remove Programs.

Internet Explorer 7 Users

You will be offered Windows XP SP3 as a high priority update BUT if you install it you will not be able to remove IE7 without removing Windows XP SP3 first. It is recommended that you remove IE7, then install Windows XP SP3 then re-install IE7.

Internet Explorer 6 Users

You will be offered Windows XP SP3 as a high priority update. Windows XP SP3 ships with an updated version of IE6. No need to do anything else.

Problem - unable to change Internet Explorer's home page

sandi — Mon, 05 May 2008 00:22:00 GMT

Another cry for help received via email...

"You are my last best hope... I am just a regular guy from NY (not the city) with a problem. My homepage in IE7 is locked on a page I dont want. I try to change it in Internet options and it even says the homepage I want but it always goes to this other page. I set the page a month ago and now it wont go back. I even reinstalled IE7 but no luck. Any ideas? I can even send you a few bucks if you can help me out..."

Manufacturer/ISP Locking

Some computer manufacturers and suppliers of internet access set IE to their choice of home page and lock this setting via the registry. Hijackers use the same trick. The locking is done using registry settings as per the following:

Home Page Setting Changes Unexpectedly, or You Cannot Change Your Home Page Setting (Q320159)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q320159

Specific registry settings affected are:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel] - DWORD "HomePage"=dword:00000001 (grays out the whole section)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] - DWORD "NoSetHomePage"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions] - DWORD "NoSetHomePage"=dword:00000001

Protective software

Check your protective software (especially antispyware and antivirus). Spybot Search and Destroy, for example has a feature that will lock your home page. Other products that may lock your home page including Ad-aware's Ad-Watch, SpywareBlaster, SpySweeper, Norton AntiVirus, McAfee VirusScan and Antispyware, and both versions of Zone Alarm.

If you are using Spybot S&D, check your 'Immunize' settings which may be locking your home page.

Malware and viruses

If your computer home page is set to about:blank against your wishes, or any other page, you have a malware problem. For advice on fighting malware, check out the link below - the page is a little old, and probably needs updating, but overall the advice is still good:
http://inetexplorer.mvps.org/tshoot.html

Problems with website certificates - IE7

sandi — Mon, 05 May 2008 00:17:00 GMT

Over the past few days I have seen a spike in the number of emails asking for help with website certificates. For example, two correspondents have written:

"Thanks for providing the information about problems with certificates of IE7 in your website. I tried to follow your instructions to access a secured site in IE 7 which I used to trust. I clicked on the Certificate Error button, and then the View Certificate link, but I could not find the Install Certificate link or button. Please advise."

and

"I admin a Citrix site that uses a SSL cert from verisign. We just renewed our cert. and I have a user running Vista and IE 7 who cant remove the old cert because the button is grayed out. After looking over your IE support site I was going to try lowering security to see if that works. The user claims he has admin rights to the PC."

Both users should run IE7 with Administrator rights (which is different to logging in to the computer as a local administrator). This is achieved by right clicking the IE7 icon, then selecting "Run as Administrator".

The April Security Updates have been released by Microsoft

sandi — Wed, 09 Apr 2008 00:42:00 GMT

Details here:
http://www.microsoft.com/technet/security/bulletin/ms08-apr.mspx

The Cumulative Security Update for Internet Explorer is also available - details here:
http://www.microsoft.com/technet/security/Bulletin/MS08-024.mspx

Note that this month's cumulative update includes the IE Automatic Component Activation (IE ACA) update (which means no more "click to activate" prompts). The update replaces the previews released in December 2007 and February 2008.

More information about the IE ACA can be found here:
http://blogs.msdn.com/ie/archive/2007/11/08/ie-automatic-component-activation-changes-to-ie-activex-update.aspx

Also, an IE8 Beta 1 For Developers is now available in Chinese (Simplified) and German:

Chinese (simplified) http://www.microsoft.com/china/windows/products/winfamily/ie/ie8/getitnow.mspx
German http://www.microsoft.com/germany/windows/products/winfamily/ie/ie8/getitnow.mspx

New Internet Explorer KB articles

sandi — Sun, 16 Mar 2008 11:52:00 GMT

A script may not run as expected in IE when you open an HTML page and the HTML page contains an element that has injected HTML code

This issue occurs because Internet Explorer sets the security of an element as "about:blank" if the following conditions are true:

• A Web page inserts code into the element.
• The element is not included in the markup tree.

http://support.microsoft.com/default.aspx/kb/948550

-----

Certain characters in a file name may be converted to underscores when a user downloads a file by using IE7

This problem occurs because the Wininet.dll file resolves certain file stream issues when users download files by using Internet Explorer 7. To resolve this problem, do not use "Content-Disposition: Attachment; filename=" HTTP header.

http://support.microsoft.com/default.aspx/kb/949197

Microsoft Security Bulletin Advance Notification for February 2008

sandi — Fri, 08 Feb 2008 22:56:00 GMT

12 patches, including a critical patch for Internet Explorer:
http://www.microsoft.com/technet/security/bulletin/ms08-feb.mspx

Unable to uninstall IE7 if Service Pack 2 is installed later on Windows Server 2003

sandi — Thu, 24 Jan 2008 13:32:00 GMT

In order to uninstall Internet Explorer 7 from this system, you can follow the steps below:

1. Uninstall Service Pack 2 for Windows Server 2003 and restart the computer.

2. Uninstall Internet Explorer 7.0 and restart the computer.

3. Reinstall Service Pack 2 for Windows Server 2003.

http://support.microsoft.com/default.aspx/kb/948093

Windows Internet Explorer 7 to be distributed via WSUS February 12, 2008; May require administrator action to manage the rollout

sandi — Wed, 23 Jan 2008 00:57:00 GMT

It is important to highlight the change highlighted in the Knowledgebase article below because of the brouhaha that occured when, if my memory serves me right, Windows Desktop Services (Windows Desktop Search) was released as an Update Rollup. Because of a combination of circumstances (including a non-default approval setting), WDS was auto-approved on some networks, sometimes leading to severe system slowdowns.

Some WSUS administrators started screaming blue murder, it was picked up by the popular press and Microsoft was the target of heavy criticism.

Microsoft have learned from that incident, and are warning administrators via the KB article that if they have changed their auto-approve settings for Update Rollups then their users may receive IE7.

Source: http://support.microsoft.com/default.aspx?scid=kb;EN-US;946202

"If you have configured WSUS to "auto-approve" Update Rollup packages (this is not the default configuration), Windows Internet Explorer 7 will be automatically approved for installation after February 12, 2008 and consequently, you may want to take the actions below to manage how and when this update is installed. You will need to take action if:

• You use WSUS 3.0 to manage updates in your organization.

• You have Windows XP Service Pack 2 (SP2)-based computers or Windows Server 2003 Service Pack 1 (SP1)-based computers that have Internet Explorer 6 installed.

• You do not want to upgrade Internet Explorer 6 machines to Windows Internet Explorer 7 at this time.

• You have configured WSUS to auto-approve Update Rollups for installation."

Ok, we have been warned. Fingers crossed there won't be screaming from the battlements this time...

Internet Explorer Knowledgebase articles

sandi — Mon, 21 Jan 2008 13:45:00 GMT

HOTFIX: The exception handler may not catch an exception in Internet Explorer 7 or in Internet Explorer 6 when you view a Web page that throws an exception from a function that is called through the expando property

You develop a Web page that throws an exception from a function. The function is called through the expando property of a DHTML object. When you use Windows Internet Explorer 7 to view the Web page, the exception handler may not catch this exception.

Note This problem also occurs in Windows Internet Explorer 6 when at least one parameter is passed to the function from which the exception is thrown. To work around this problem in Internet Explorer 6, see the "Workaround" section.

Source: http://support.microsoft.com/default.aspx/kb/944397

-----

HOTFIX: After you reapply Internet Explorer Maintenance Group Policy settings on a computer that has Internet Explorer 7 installed, a pop-up blocker exception site that you manually added is missing

Consider the following scenario:

• On a computer that has Internet Explorer 7 installed, you apply the Internet Explorer Maintenance Group Policy settings to add a pop-up blocker exception site.
• In the Internet Options dialog box, you manually add a new pop-up blocker exception site.
• You reapply the Group Policy settings on the computer.
In this scenario, you the new pop-up blocker exception site that you manually added in the Internet Options dialog box is missing from this dialog box.

Note This problem does not occur on computers that have Internet Explorer 6 installed.

http://support.microsoft.com/default.aspx/kb/944520

-----

The "Intranet Sites: Include all local (intranet) sites not listed in other zones" policy setting does not function as expected in Internet Explorer 7

Consider the following scenario:

• You are running Windows Internet Explorer 7 on a Windows-based computer.
• In a workgroup environment, you use Group Policy to disable the Turn on automatic detection of the intranet setting and to enable the Intranet Sites: Include all local (intranet) sites not listed in other zones setting.
• You use Internet Explorer 7 to access a local intranet site.

In this scenario, the local site is displayed through the Internet zone instead of through the "Local intranet" zone as expected.

Source: http://support.microsoft.com/default.aspx/kb/941001

New Internet Explorer KB articles

sandi — Wed, 02 Jan 2008 09:09:00 GMT

SAP Help shows only empty sections or blank pages

Internet Explorer Release 7 is not completely compatible as release 6. SAP GUI uses Internet Explorer in the HTML control to display the help documents. To resolve this issue, you need to either apply one of the SAP GUI patches mentioned below (or the latest one which is available from the SAP Market place):

SAP GUI for Windows 6.20 Patchlevel 64
SAP GUI for Windows 6.40 Patchlevel 20
SAP GUI for Windows 7.10

or uninstall Internet Explorer 7.0 (only applies to Windows XP or earlier OS).

If you are experiencing this issue with Internet Explorer 6, you need to add "MaxAllowedZone" registry DWORD value in the following key:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions\"

http://support.microsoft.com/default.aspx/kb/556050

-----

DOWNLOAD: IE6 crashes after you install security update 942615 on a computer that is running XPSP2

On a computer that is running Windows XP Service Pack 2 (SP2), Microsoft Internet Explorer 6 crashes when you try to a visit a Web site. This problem occurs after you install security update 942615 (MS07-069).

Additionally, you may receive an error message that resembles the following:

Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.
If you were in the middle of something, the information you were working on might be lost.
Please tell Microsoft about this problem.
We have created an error report that you can send to help us improve Internet Explorer. We will treat this report as confidential and anonymous.
To see what data this error report contains, click here.

The error report contains the following error-signature information. Application Name Application Version Module Name Module Version Offset

iexplore.exe 6.0.2900.2180 urlmon.dll 6.0.2900.3231 0003b5ce

http://support.microsoft.com/default.aspx/kb/946627

-----

An HTML application that uses the "onbeforeunload" event closes unexpectedly in IE7 when you click "cancel"

This issue occurs because of how the Shdocvw.dll file handles the IOleCommandTarget::Exec method. This problem does not occur when you start the HTA in Microsoft Internet Explorer 6.

http://support.microsoft.com/default.aspx/kb/946214

-----

Values from the "Additional Settings" page in the IEAK 7 Customization Wizard are written to the IE7 configuration files even though you do not change the values

To work around this problem, close the IEAK 7 Customization Wizard when you reach the Additional Settings page. When you close the wizard at this point, you avoid adding unintentional changes to the Internet Explorer 7 configuration files.

http://support.microsoft.com/default.aspx/kb/945003

-----

IE7 does not send you any notification if it cannot obtain the Certificate Revocation List

This behavior is by design. However, you can use the method that is described in this Knowledge Base article to receive a notification when Internet Explorer 7 cannot obtain the CRL.

http://support.microsoft.com/default.aspx/kb/946323

Get confident, and be in the running to win a $10,000 Paypal shopping spree

sandi — Wed, 19 Dec 2007 23:34:00 GMT

Microsoft has launched a $250,000 Sweepstakes competition to show users how Internet Explorer can enhance online trust and confidence. The interactive site quickly demonstrates IE7's Phishing Filter and EV Certificates (the green address bar). Once the demonstration is finished, the visitor is given the opportunity to enter the Sweepstakes.

Note: The competition is only open to residents of the 50 United States and District of Columbia. You must be 18 years of age or older at the time of entry.

Entries close 31 January 2008

New IE knowledgebase articles...

sandi — Sat, 15 Dec 2007 14:17:00 GMT

Just catching up on the paperwork here...

IE6 and IE7: Proxy server settings are not set correctly in IE6 afer you download a proxy script that uses chunk encoding

Install IE update MS07-069 then enable the fix by editing the registry

http://support.microsoft.com/default.aspx/kb/843289

----------

MS07-069: Cumulative security update for Internet Explorer

http://support.microsoft.com/default.aspx/kb/942615

---------

Some customized security settings for the Trusted sites zone in Internet Explorer 7 are reset to the default values on a Windows Vista-based computer

On a Windows Vista-based computer, you customize the following security settings for the Trusted sites zone in Windows Internet Explorer 7:

• Automatic Prompting for ActiveX controls
• Download signed ActiveX controls
• Automatic prompting for file downloads
• Allow Script-initiated windows without size or position constraints

However, after you install Internet Explorer cumulative security update 931768 (MS07-027) or security update 933566 (MS07-033), the security settings are reset to the default values.

Fix: Install the December update MS07-069.

http://support.microsoft.com/default.aspx/kb/943141

An Internet Explorer Automatic Component Activation (IE ACA) Update Preview is available

sandi — Tue, 11 Dec 2007 22:35:00 GMT

The EOLAS lawsuit and its side effects continue their death throes. As part of the process, a preview of the update that will remove the changes forced by the EOLAS lawsuit is available for download here: http://support.microsoft.com/kb/945007/en-us

Note that the download is only a *preview* and for testing purposes only. Formal release is scheduled for April 2008.

Another important thing to note is that when the update (not the preview) is finally released, it *must* be installed on any system with MS07-069 installed. Likewise, you should not install the ACA update without MS07-069.

HOTFIX: The text size that you specify is not applied to all IE7 windows that you open on a Windows Vista-based computer

sandi — Sun, 09 Dec 2007 00:15:00 GMT

This problem occurs if the following conditions are true:

• Protected mode is enabled in Internet Explorer 7.
• The window in which you specify the text size contains Web pages that use an encoding type other than UTF-8 encoding, such as Shift-JIS character encoding.

Note this problem does not affect Windows XP or Windows Server 2003

http://support.microsoft.com/default.aspx/kb/939944

HOTFIX: After you use the Internet Explorer Customization Wizard to remove the default elements of some features in Internet Explorer 7, these elements still exist in Internet Explorer 7

sandi — Sat, 08 Dec 2007 09:45:00 GMT

On a computer that has Windows Internet Explorer 7 installed, you run the Internet Explorer Customization Wizard. You use this wizard to create an Internet Explorer 7 customized package. In the wizard, you remove the default elements of the following features:

• Favorites
• Feeds
• Links

Note The Internet Explorer Customization Wizard is a component of the Internet Explorer Administration Kit (IEAK).

You build the customized package, and you install the package on a destination computer. However, the default elements of the features that you removed still exist.

Source: http://support.microsoft.com/default.aspx/kb/941938

I know of some people who are going to be real pleased about this - they found it very irritating that they could not remove default MS resource links and RSS feeds without jumping through all sorts of hoops...