Full Version: Latest critical IE vulnerability
eidenk
QUOTE
Microsoft Security Bulletin MS05-037

Impact of Vulnerability: Remote Code Execution

Affected Components:

Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition.

Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE or on Microsoft Windows Millennium Edition.

Does this update contain any changes to functionality?

No. Since the JView Profiler COM object was not designed to be accessed through Internet Explorer, this update sets the kill bit for the JView Profiler (Javaprxy.dll) COM object. To help protect customers who have this object installed, this update prevents it from being instantiated in Internet Explorer. For more information about kill bits, see Microsoft Knowledge Base Article 240797. The class identifier (CLSID) for this object is ‘03D9F3F2-B0E3-11D2-B081-006008039BF0’.

As always there is no download available for 98 and ME users so this should be the fix (Copy and save as whatever.reg. Double-click to merge in the registry):

CODE
REGEDIT4

;July 12, 2005
;Vulnerability in JView Profiler (Javaprxy.dll) Could Allow Remote Code Execution (903235)
;http://www.microsoft.com/technet/security/Bulletin/MS05-037.mspx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}]
"Compatibility Flags"=dword:00000400
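
Added example (not part of the post above or of Microsoft's bulletin): a small Python audit that parses a REGEDIT4 export or merge file and reports whether the kill bit 0x400 is set for the JView Profiler CLSID. The function names and the constructed sample text are assumptions made for illustration; the bit is tested with a mask so that a flags value with other bits set still counts.

```python
import re

KILL_BIT = 0x00000400  # the "Compatibility Flags" value written by the fix in the post
AX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
JVIEW_CLSID = "{03D9F3F2-B0E3-11D2-B081-006008039BF0}"  # CLSID quoted from MS05-037

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"\s*=\s*dword:([0-9a-f]{1,8})$', re.I)

# Constructed sample input: the key and value from the post, with a comment line.
PAGE_FIX = r'''REGEDIT4
; comment lines start with a semicolon
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}]
"Compatibility Flags"=dword:00000400
'''

def parse_compat_flags(reg_text):
    """Return {CLSID in upper case: flags} for each ActiveX Compatibility subkey."""
    flags, clsid = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            parent, _, leaf = m.group(2).rpartition("\\")
            clsid = leaf.upper() if parent.upper() == AX_COMPAT.upper() else None
            if clsid and m.group(1):  # "[-key]" deletes the key when merged
                flags.pop(clsid, None)
                clsid = None
            elif clsid:
                flags.setdefault(clsid, 0)  # key present, no flags value seen yet
            continue
        m = FLAGS_RE.match(line)
        if m and clsid:
            flags[clsid] = int(m.group(1), 16)
    return flags

def kill_bit_status(reg_text, clsid=JVIEW_CLSID):
    """'set', 'not set' (key exists but bit clear) or 'missing' (no key for the CLSID)."""
    flags = parse_compat_flags(reg_text)
    if clsid.upper() not in flags:
        return "missing"
    return "set" if flags[clsid.upper()] & KILL_BIT else "not set"

if __name__ == "__main__":
    print(kill_bit_status(PAGE_FIX))
```

To confirm a merge took effect, export the ActiveX Compatibility key from regedit and pass the file's text to `kill_bit_status`.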
Petr
QUOTE (eidenk @ Jul 13 2005, 11:17 PM)
As always there is no download available for 98 and ME users so this should be the fix


No, this time there is a download available:

http://www.microsoft.com/downloads/details...&displaylang=en

QUOTE
System Requirements

    * Supported Operating Systems: Windows 2000 Service Pack 4; Windows 98; Windows 98 Second Edition; Windows ME; Windows XP Service Pack 1

This update applies to Internet Explorer 6 Service Pack 1 (SP1) with the following operating systems:

    * Windows XP SP1
    * Windows 2000 SP4
    * Windows 98
    * Windows 98SE
    * Windows Millennium

In fact, this update tests the version of IE:

1=#S\BROWSEUI.DLL:5.0.3502.1000-6.0.2899.0:%Warn1%:ok

It means that all IE versions between IE 5.01 SP3 and 6.0 SP1 are supported.

Petr
eidenk
QUOTE
No, this time there is a download available:

My bad then.
Petr
QUOTE (eidenk @ Jul 13 2005, 11:33 PM)
QUOTE
No, this time there is a download available:

My bad then.

It is incorrectly written in MS05-037.

Petr
miko
Anytime a critical update like this one appears on Windows Update, type the KB number into the advanced search at
http://v4.windowsupdate.microsoft.com/catalog/en/default.asp
9 times out of 10 there will be a downloadable version for system admins,
at least until 98SE support runs out (sometimes there's a day or two 'lag').
MDGx
Sorry for the delay, but all MS05-037 links are now posted here:
http://www.mdgx.com/ietoy.htm#JPX
and here:
http://www.msfn.org/board/?showtopic=46581
including the manual REG fix, which doesn't require any downloads.

FYI:
MS05-037 Security Vulnerability Fix Bulletin was formerly published by MS as Advisory Bulletin 903144:
http://www.microsoft.com/technet/security/...ory/903144.mspx

Hope this helps.
erpdude8
QUOTE (Petr @ Jul 13 2005, 04:03 PM)
QUOTE (eidenk @ Jul 13 2005, 11:33 PM)
QUOTE
No, this time there is a download available:

My bad then.

It is incorrectly written in MS05-037.

Petr

Actually, IE 5.01 SP3 from Win2k SP3 is no longer supported. Microsoft ended extended security support for IE 5.01 SP3/Win2000 SP3 on June 30, 2005. Expand the "Frequently Asked Questions related to this security update" section in security bulletin MS05-037. miko is right on about this critical patch being available for 98SE; search for 903235 at the Windows Update Catalog site and select either Win98 or WinME as the operating system and you should find it there.
eidenk
Those ActiveX Killbit fixes are valid in fact for any version of IE I think. Even if the specific vulnerable files do not exist on the system. They could be automatically downloaded by IE from a corrupt webpage for example.

Does anyone have information about the meaning of the other flags under this ActiveX Compatibility key?
MDGx
Petr,

This is what I found on Compatibility Flags:

MS TechNet:
http://www.microsoft.com/technet/prodtechn...E12E3D1F8B.mspx

WinGuides:
http://www.winguides.com/registry/display.php/1188/

Hope this helps.
eidenk
Thanks MDGx.