Full Version: KB891711 Windows 98 Security Patch finally fixed!
Tihiy
Yes... That stupid bug that wasn't actually critical for 9x/ME is closed now. By me. Without lockups or anything like that.

It was already fixed in 98 Revolutions Pack, but I've separated the fix from it and am proud to release it here. Spread it worldwide.

Download
(do not link directly please!!!)

Gape: notice that it's the 98 user32.dll version 4.10.0.2231, hacked; its version is changed to 4.10.0.2232 to suppress errors after installation.
USER.EXE remains unchanged; it's included only for user32.dll compatibility.

If you include it in the Service Pack (hope so), note that Windows won't work properly without Ti891711.DLL.

Revolutions Pack users: you don't need that update.
Acheron
Nice one. Gonna test it for use with Dutch SP.
Tihiy
Silently updated it to add qfecheck entries for compatibility with original hotfix.
erpdude8
QUOTE (Tihiy @ Apr 11 2005, 04:03 AM)
Silently updated it to add qfecheck entries for compatibility with original hotfix.
*


Too bad it's for W98SE only since you modified the user32.dll file to v4.10.2232.
I will use this ONLY under a Win98se system.

As for the W98fe and WME machines that I have, I'll just wait for revised KB891711 patches to be posted by Microsoft. The user32.dll file Tihiy modified is NOT compatible with Win98fe and WinME and can break those versions of Windows.
Tihiy
QUOTE
The user32.dll file Tihiy modified is NOT compatible with Win98fe and WinME and can break those versions of Windows.


Have you tested?
jasinwa
QUOTE (erpdude8 @ Apr 11 2005, 12:47 PM)
As for the W98fe and ...


Without risking sounding too dumb... what is 98fe (hey, gotta learn somewhere)?
Sonict
FE : First Edition
Gape
Good job, Tihiy.

But I have a question. What about compatibility? If the user first installs SP 2.0 with your fix, and then Revolutions Pack, will everything be OK?
Tihiy
QUOTE (Gape @ Apr 12 2005, 04:12 AM)
Good job, Tihiy.

But I have a question. What about compatibility? If the user first installs SP 2.0 with your fix, and then Revolutions Pack, will everything be OK?
*

Of course. How could I not care about RP users?!
That version will simply have no effect if installed on Revolutions Pack.
Gape
QUOTE (Tihiy @ Apr 12 2005, 12:26 PM)
Of course. How could I not care about RP users?!
That version will simply have no effect if installed on Revolutions Pack.
*

You're right.
mr_bumbles
Hi Tihiy,
It looks like there is a fix from Windows Update for this. It came out today. I downloaded it a few minutes ago and rebooted. It looks like it is no longer running as a service. It still shows up in Add/Remove Programs, but not in the Task Manager as it did before.

bUMBLES
Tihiy
Yeah, looks like they released a new version.
But it seems it's still present as a [hidden] task! (Maybe check msconfig?)

Has anybody tested it? [I still think my version is better]
Acheron
Tihiy, how do you know your patch is working? Simply copy-pasting hex code will not do the trick, I guess.

Did you test it?

BTW, if Microsoft's new patch solves the issue I'll stick with that one for Dutch SP.
Tihiy
Simple. I've just read the technical CAN bulletin mentioned in the article.

It says an integer overflow occurs in the LoadImage() function when the dwResSize value (4-bit) exceeds the maximal word (2-bit) value. If dwResSize is ~FFFFFFFF (-1), then malicious code can be executed.

So, the hacked version of user32.dll has a patched import table in which LoadImage() points to a loader written in "unused" space. It loads Ti......DLL and gives it control.

The check function in Ti......DLL opens the icon file and checks if dwResSize > maximal word value. If it is, the function fails (so the virus won't be executed). If it is not, it transfers control to the hardcoded original User32.dll LoadImage() pointer.

[If I had the Windows sources, I believe it's just 1 line of code to add.
But, because the Win9x developer team is killed, stupid NT developers are trying to write a 16-bit memory hook which does the same, but:
- It will consume 16-bit handles, bad
- It won't protect the machine until loaded
- When unloaded, it will crash everything]

So... was ^^ that what you wanted? As I said before, this update isn't critical.
AND MY UPDATE SHOULD BE TESTED WELL IF IT WILL BE INCLUDED SOMEWHERE.
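The size check described in the post above, as an added C example that is not part of the original thread and is not Tihiy's code. It assumes the post's dwResSize corresponds to the dwBytesInRes field of an ICONDIRENTRY in the .ico/.cur layout; the function names, the constructed sample header and the extra offset bounds check are additions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_RES_SIZE 0xFFFFu   /* "maximal word value" named in the post */

/* Read little-endian fields without assuming alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 if every directory entry passes, 0 if the file must be refused. */
int icon_dir_is_safe(const uint8_t *buf, size_t len)
{
    if (len < 6) return 0;                       /* ICONDIR is 6 bytes */
    uint16_t type = rd16(buf + 2), count = rd16(buf + 4);
    if (rd16(buf) != 0 || (type != 1 && type != 2) || count == 0) return 0;
    if ((len - 6) / 16 < count) return 0;        /* 16-byte entries must fit */

    for (uint16_t i = 0; i < count; i++) {
        const uint8_t *e = buf + 6 + (size_t)i * 16;
        uint32_t size = rd32(e + 8);   /* dwBytesInRes (assumed = dwResSize) */
        uint32_t off  = rd32(e + 12);  /* dwImageOffset */
        if (size > MAX_RES_SIZE) return 0;       /* the check from the post */
        /* Added beyond the post: bounds check written so it cannot wrap. */
        if (off > len || size > len - off) return 0;
    }
    return 1;
}

/* Constructed sample: one-entry .ico header; size field is patched per call. */
int check_sample(uint32_t size_field)
{
    uint8_t f[22 + 64] = { 0,0, 1,0, 1,0,          /* reserved, type=1, count=1 */
                           16,16,0,0, 1,0, 32,0,   /* w,h,colors,rsvd,planes,bpp */
                           0,0,0,0,                /* dwBytesInRes (patched) */
                           22,0,0,0 };             /* dwImageOffset */
    for (int i = 0; i < 4; i++) f[14 + i] = (uint8_t)(size_field >> (8 * i));
    return icon_dir_is_safe(f, sizeof f);
}

int main(void)
{
    printf("size 64:         %d\n", check_sample(64));
    printf("size 0xFFFFFFFF: %d\n", check_sample(0xFFFFFFFFu));
    return 0;
}
```

The subtraction form `size > len - off` is used instead of `off + size > len` so that a size near 0xFFFFFFFF cannot wrap the sum back into range.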
mr_bumbles
QUOTE
Yeah, looks like they released a new version.
But it seems it's still present as a [hidden] task! (Maybe check msconfig?)

Has anybody tested it? [I still think my version is better]


It does show up in MSConfig as KB891711 in C:\windows\system\KB891711\KB891711.exe

It seems to be running fine on the 3 machines here at work that I updated a couple of hours ago. Although to be honest, we never really had problems with the original update.

Tihiy,
When I get home from work, I will post about my experience with your update.

BumBlEs
erpdude8
I NOW recommend AGAINST using any unofficial patch like Tihiy's as MDGx recently gave me the links to download the newly revised KB891711 updates from Microsoft.

Link to get Windows 98 KB891711 Update V2:
http://download.windowsupdate.com/msdownlo...443b0208e0e.EXE

Link to get Windows ME KB891711 Update V2:
http://download.windowsupdate.com/msdownlo...9a9d05d2eed.EXE

Use these updates instead as the kb891711.exe and q891711.dll files are now version 4.10.2223 instead of 4.10.2222.
Acheron
erpdude8, don't p*** off Tihiy. Let's see what his patch does, see what Microsoft's patch does, and I will choose one or the other.
However Windows 98 isn't my daily base system so I'll have to test it yet.
erpdude8
The only problem I have with Tihiy's UNofficial 891711 patch is that it has user32.dll file version 4.10.2232. This is for Win98 SE ONLY. darn it! Using this one on Win98 FE is a BIG MISTAKE and can corrupt Win98 FE systems. Tihiy's patch should have TWO versions of user32.dll files. One specifically for Win98 FE [Gold] and one for Win98 SE. back to the drawing board!

HEY! The Q291362 patch for Win98 has TWO versions of user.exe & user32.dll files. Read MS support article 291362:
http://support.microsoft.com/kb/291362

Q291362 has v4.10.2001 of user.exe & user32.dll files for Win98 FE Gold and v4.10.2231 of user.exe & user32.dll files for Win98 SE. Tihiy should modify the Win98 FE version of user32.dll from Q291362 so that it'll be v4.10.2002 when implementing KB891711.

AVOID Tihiy's patch if using WinME [unless he can make a specific ME version]. The user.exe/user32.dll files in WinME are 4.90.300x.
erpdude8
QUOTE (hp38guser @ Apr 13 2005, 12:00 PM)
erpdude8, don't p*** off Tihiy. Let's see what his patch does, see what Microsoft's patch does, and I will choose one or the other.
However Windows 98 isn't my daily base system so I'll have to test it yet.
*



UH, what was it you're trying to say to me??? you're pathetic, hp38guser!

...and Tihiy's 891711 patch is missing an uninstall feature while Microsoft has the uninstall feature of their KB891711 patches for W98/WME & they DO show up in the Add/Remove programs control panel app.

Don't give up, Tihiy! Your 891711 patch needs improvement. It took Microsoft to get things right the second time around with KB891711 for W98/WME.
cybpsych
QUOTE (erpdude8 @ Apr 13 2005, 11:14 PM)
I NOW recommend AGAINST using any unofficial patch like Tihiy's as MDGx recently gave me the links to download the newly revised KB891711 updates from Microsoft.

Link to get Windows 98 KB891711 Update V2:
http://download.windowsupdate.com/msdownlo...443b0208e0e.EXE

Link to get Windows ME KB891711 Update V2:
http://download.windowsupdate.com/msdownlo...9a9d05d2eed.EXE

Use these updates instead as the kb891711.exe and q891711.dll files are now version 4.10.2223 instead of 4.10.2222.
*


*EDITED* ok, found out the differences in version:

Old, V1 Update:
QUOTE
kb891711.exe - v4.10.2222
q891711.dll - v4.10.2222
New, V2 Update:
QUOTE
kb891711.exe - v4.10.2223
q891711.dll - v4.10.2222

Acheron
Seems that Windows Update no longer looks at the KB891711 registry entries but for the existence of the KB891711.exe and Q891711.dll files inside the System\KB891711 directory.

BTW, the patch seems to work fine here, even if you accidentally got the KB891711.exe patch installed. The patch is included in Dutch SP now.
erpdude8
a newer but unofficial 891711 patch has been created by an anonymous user that is mentioned here:

http://www.msfn.org/board/?showtopic=58780

it's called U891711. If successful, U891711 can put Microsoft's KB891711 security update for Win98/ME AND Tihiy's TI891711 patch out to pasture.

author of U891711 says that TI891711 is "no real replacement since it offers only limited protection" and that 16-bit programs [like the ones from the Windows 3.x days] can "bypass TI891711.DLL completely." so this means that 16bit programs can circumvent the TI891711 fix. another black eye for TI891711.

Tihiy might want to visit the above site and test out the U891711 patch.
erpdude8
QUOTE (erpdude8 @ Nov 4 2005, 04:21 AM) *
author of U891711 says that TI891711 is "no real replacement since it offers only limited protection" and that 16-bit programs [like the ones from the Windows 3.x days] can "bypass TI891711.DLL completely." so this means that 16bit programs can circumvent the TI891711 fix. another black eye for TI891711.


To be fair and not be all negative about Tihiy's TI891711 patch, it did work okay under win98se systems as I've tested it on one 98se machine. When I installed it under other Windows 9x platforms like 98fe and ME, I got different results. TI891711 was useless under winme and it gave a few BSODs under win98fe. TI891711 was meant for 98 SE only and wasn't flexible enough to work under other win9x systems. It offered protection against rogue 32-bit apps but not 16-bit apps.
mamas6667
I've tried the official one old and new
Tihiy's TI891711
and now U891711
I'm sure U891711 is better than MSN's
But it still slows my system down (less responsive).
I think it's the fact that KB891711.exe is running as a service (always).

Tihiy's TI891711 doesn't run KB891711.exe upon bootup.

So I will continue to use Tihiy's TI891711, I'm a gamer and I need the resources.

PIII 450MHz 256MB
WIN 98SE, sesp21a-en.exe, 98SE2ME.EXE(ver 3.7), TI891711, 98KRNLUP.EXE
erpdude8
U891711 is better than both MS's KB891711 and TI891711 fixes as U891711 has more thorough protection
than the two patches.
PsycoUnc
--gaming with a PIII 450mhz? -YEOWTCH!... -is that possible at all? (maybe original Tetris)
[...and I thought I had it tough, gaming with a P4 Celeron (ew!) 1.8g (128k cache! yuk)]
-my heart goes out to ya, man...
Tihiy
Annoying
Please show me a 16-bit app which you use and which loads icons from the Internet.
PsycoUnc
-tihiy: granted, it's not likely, but any possible security hole can/will eventually be exploited, and should be plugged... (of course, people on very old/slow rigs may be willing to take that chance, if it means better performance, so there will always be a use of and appreciation for your fix... not to mention, I'm still a bit "iffy" about using ANY program/fix from someone who's "anonymous"; my paranoia has kept me completely infection-free all these years...)
emarkay
Uh oh.... Maybe not.

MS05-002: Vulnerability in cursor and icon format handling could allow remote code execution
Article ID : 891711
Last Review : May 15, 2006
Revision : 3.0
Technical update April 12, 2005:

• Security update 891711 Microsoft Windows Millennium Edition, Windows 98 Second Edition, and Windows 98 packages were re-released on April 12, 2005.
• When you install the security update 891711 original packages on a computer that is running Windows Millennium Edition, Windows 98 Second Edition, or Windows 98, the computer may stop responding. This issue has been corrected in the April 12, 2005, release.
• The April 12, 2005, release runs as a system service on Windows Millennium Edition, Windows 98 Second Edition, and Windows 98. The Close Program dialog box does not list Kb891711.exe.
The following known issues only apply to the packages that were re-released on April 12, 2005:
• Uninstalling security update 891711 removes the entries from the registry and deletes the files from the system. However, uninstalling security update 891711 leaves an empty folder on the system.
• On a computer that is running Windows Millennium Edition, Microsoft System Information (MSINFO32) does not list security update 891711. The Windows 98 and Windows 98 Second Edition version of MSINFO32 does list security update 891711 (Kb891711.exe). Most third-party applications that display processes will list Kb891711.exe.
• On a computer that is running Windows Millennium Edition, Windows 98 Second Edition, or Windows 98, System Configuration Utility (MSCONFIG) only shows Kb891711.exe on the Startup tab.
• If you disable the previous release through MSCONFIG, MSCONFIG may have two entries of Kb891711.exe after you install the version of security update 891711 that was re-released on April 12, 2005. One of these entries is selected, and one of these entries is not selected. When you select the entry that is not selected, MSCONFIG prompts you to restart the computer. After you restart the computer, only one entry is listed, and the one entry is selected. This behavior occurs because of the behavior of MSCONFIG and does not affect the ability of security update 891711 to help protect the computer as long as one of the entries is selected.

http://support.microsoft.com/default.aspx?...kb;en-us;891711

Everyone's "unofficial" patch seems to be from March, and therefore would not be correct.
There MUST be an official M$ release, for I got it via WU yesterday, but can NOT find a standalone .EXE to archive!

Anyone have a link to the official MS post-April update download?
erpdude8
QUOTE (emarkay)
Anyone have a link to the official MS post-April update download?


See my quote, emarkay, for the links to "official" KB891711 V2 updates for Win98/ME:

QUOTE (erpdude8 @ Apr 13 2005, 11:14 PM)
I NOW recommend AGAINST using any unofficial patch like Tihiy's as MDGx recently gave me the links to download the newly revised KB891711 updates from Microsoft.

Link to get Windows 98 KB891711 Update V2:
http://download.windowsupdate.com/msdownlo...443b0208e0e.EXE

Link to get Windows ME KB891711 Update V2:
http://download.windowsupdate.com/msdownlo...9a9d05d2eed.EXE

Use these updates instead as the kb891711.exe and q891711.dll files are now version 4.10.2223 instead of 4.10.2222.
*
MDGx
All available Q891711 patches [MS official + unofficial] are here:
- Win98 FE + 98 SE:
http://www.mdgx.com/web.htm#9SU
- WinME:
http://www.mdgx.com/web.htm#MEU
Look for "Cursor + Icon Handling Security Vulnerability Fixes".

Unofficial U891711 is the newest [updated February 14 2006] and the best fix for the issue described in MS05-002:
http://www.microsoft.com/technet/security/...n/ms05-002.mspx
More details:
http://www.msfn.org/board/?showtopic=58780
More details:
http://www.mdgx.com/files/U891711.TXT

HTH