Tihiy

KB891711 Windows 98 Security Patch finally fixed!

31 posts in this topic

Yes... That stupid bug that wasn't actually critical for 9x/ME is closed now. By me. Without lockups or anything like that.

It was already fixed in 98 Revolutions Pack, but I've separated the fix from it and am proud to release it here. Spread it worldwide.

Download

(do not link directly please!!!)

Gape: notice that it's the 98 user32.dll 4.10.0.2231 version hacked; its version is changed to 4.10.0.2232 to suppress errors after installation.

USER.EXE remains unchanged; it's included only for user32.dll compatibility.

If you include it in the Service Pack (hope so), note that Windows won't work properly without Ti891711.DLL.

Revolutions Pack users: you don't need that update.


Nice one. Gonna test it for use with Dutch SP :)


Silently updated it to add qfecheck entries for compatibility with original hotfix. :zzz:

Silently updated it to add qfecheck entries for compatibility with original hotfix. :zzz:

Too bad it's for W98SE only since you modified the user32.dll file to v4.10.2232.

I will use this ONLY under a Win98se system.

As for the W98fe and WME machines that I have, I'll just wait for revised KB891711 patches to be posted by Microsoft. The user32.dll file Tihiy modified is NOT compatible with Win98fe and WinME and can break those versions of Windows.

The user32.dll file Tihiy modified is NOT compatible with Win98fe and WinME and can break those versions of Windows.

Have you tested?

As for the W98fe and ...

Without risking sounding too dumb... :blushing: what is 98fe (hey, gotta learn somewhere)?


Good job, Tihiy.

But I have a question. What about compatibility? If the user first installs SP 2.0 with your fix, and then Revolutions Pack, will everything be OK?

Good job, Tihiy.

But I have a question. What about compatibility? If the user first installs SP 2.0 with your fix, and then Revolutions Pack, will everything be OK?

Of course. How could I not care about RP users?!

That version will simply have no effect if installed on Revolutions Pack.

Of course. How could I not care about RP users?!

That version will simply have no effect if installed on Revolutions Pack.

:blushing: You're right.


Hi Tihiy,

It looks like there is a fix from Windows Update for this. It came out today. I downloaded it a few minutes ago and rebooted. It looks like it is no longer running as a service. It still shows up in Add/Remove Programs, but not in the Task Manager as it did before.

bUMBLES


Yeah, looks like they released a new version.

But it seems it's still present as a [hidden] task! (Maybe check msconfig?)

Has somebody tested? [I still think my version is better]


Tihiy. How do you know your patch is working? Simply copy-pasting hex code will not do the trick, I guess :)

Did you test it?

BTW, if Microsoft's new patch solves the issue I'll stick with that one for Dutch SP.


Simple. I've just read the technical CAN bulletin mentioned in the article.

It says an integer overflow occurs in the LoadImage() function when the dwResSize value (4-bit) exceeds the maximal word (2-bit) value. If dwResSize is ~FFFFFFFF (-1) then malicious code can be executed.

So, the hacked version of user32.dll has a patched import table in which LoadImage() points to a loader written in "unused" space. It loads Ti......DLL and gives it control.

The check function in Ti......DLL opens the icon file and checks if dwResSize > maximal word value. If it is, the function fails (so the virus won't be executed). If it is not, it transfers control to the hardcoded pointer to User32.dll's original LoadImage().

[If I had Windows sources I believe it's just 1 line of code to add.

But, because the Win9x developer team is killed, ( :) ) stupid NT developers are trying to write a 16-bit memory hook which does the same, but:

- It will consume 16-bit handles, bad

- It won't protect the machine until loaded

- When unloaded, it will crash everything]

So... is ^^ that what you wanted :yes: ? As I said before, this update isn't critical.

AND MY UPDATE SHOULD BE TESTED WELL IF IT WILL BE INCLUDED SOMEWHERE.

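The size check described in the post above, sketched in portable C as an added example; it is not the code in Ti891711.DLL and not part of the original thread. It assumes dwResSize is the 32-bit size field at offset 8 of each 16-byte directory entry in an .ico/.cur file; the function and sample names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define ICO_DIR_SIZE   6u      /* idReserved, idType, idCount: three 16-bit words */
#define ICO_ENTRY_SIZE 16u     /* one directory entry */
#define MAX_WORD       0xFFFFu /* largest value a 16-bit word can hold */

/* Little-endian reads that do not depend on host byte order or alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 when the directory is complete and every entry's size field
 * fits in a word; returns 0 when the file should be refused. */
int ico_sizes_ok(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < ICO_DIR_SIZE) return 0;
    uint16_t type = rd16(buf + 2);               /* 1 = icon, 2 = cursor */
    if (rd16(buf) != 0 || (type != 1 && type != 2)) return 0;
    size_t count = rd16(buf + 4);                /* at most 0xFFFF entries */
    if (count == 0 || (len - ICO_DIR_SIZE) / ICO_ENTRY_SIZE < count) return 0;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *entry = buf + ICO_DIR_SIZE + i * ICO_ENTRY_SIZE;
        uint32_t res_size = rd32(entry + 8);     /* assumed to be dwResSize */
        if (res_size > MAX_WORD) return 0;       /* refuse before using the size */
    }
    return 1;
}

/* Constructed samples: one 32x32 entry each, size 0x2E8 vs 0xFFFFFFFF. */
static const uint8_t sample_ok[22] = {
    0,0, 1,0, 1,0,  32,32,0,0, 1,0, 32,0, 0xE8,0x02,0,0, 22,0,0,0 };
static const uint8_t sample_bad[22] = {
    0,0, 1,0, 1,0,  32,32,0,0, 1,0, 32,0, 0xFF,0xFF,0xFF,0xFF, 22,0,0,0 };

int main(void)
{
    /* Exit status 0 means the good file passed and the bad one was refused. */
    return (ico_sizes_ok(sample_ok, sizeof sample_ok) == 1 &&
            ico_sizes_ok(sample_bad, sizeof sample_bad) == 0) ? 0 : 1;
}
```

The check runs on the raw field before any arithmetic touches it, which is what lets a wrapper in front of the original function reject the file without changing the function itself.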
Yeah, looks like they released a new version.

But it seems it's still present as a [hidden] task! (Maybe check msconfig?)

Has somebody tested? [I still think my version is better]

It does show up in MSConfig as KB891711 in C:\windows\system\KB891711\KB891711.exe

It seems to be running fine on the 3 machines here at work that I updated a couple of hours ago. Although to be honest, we never really had problems with the original update.

Tihiy,

When I get home from work, I will post about my experience with your update.

BumBlEs

