If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#51
|
|||
|
|||
What's the deal with MS05-002 (KB891711.EXE) and Windows 98?
Thanks, Luke what does 3.06 give you that 3.05 does not give you?
"Luke" wrote in message ... : On Sun, 13 Mar 2005 06:45:27 -0700, "Dan" wrote: : : I am Googling for it now to test it if I can get a hold of this old program. : : http://www.oldversion.com/program.php?n=eudora : : I suggest 3.0.6. : : -- : Luke |
#52
|
|||
|
|||
What's the deal with MS05-002 (KB891711.EXE) and Windows 98?
Well, then you need to read the bulletin again. OE is only mentioned in
that it is one vector out of many that might allow HTML-based malicious code into your system. Microsoft simply included discussion of other mitigating factors in certain scenarios involving MS products, and not just OE. Also discussed are IE security and Outlook, a product that shares little with OE other than the name and the news client. Just because Microsoft didn't discuss other, 3rd-party vectors for the malware involved doesn't mean those vectors don't exist. Fact is, *any* application that renders HTML may be susceptible to the vulnerability. -- Gary S. Terhune MS MVP Shell/User http://www.grystmill.com/articles/cleanboot.htm http://www.grystmill.com/articles/security.htm "John John" wrote in message ... All it says to me is that the patch is to fix OE and if you don't use OE you don't need the patch. John Gary S. Terhune wrote: That hardly answers the question. All that says is that viewing email in HTML format can be risky. I don't see how switching from OE to some other newsreader will change that. If you view email in HTML format, you are much more at risk than if you view it in plain text, period. Not only from the vulnerabilities mentioned in this Security Bulletin, but from a myriad of other vulnerabilities involving HTML rendering. So, the answer is: View email in PlainText only. Fortunately, OE6 and up have this option--to view email in PlainText only. Does your newsreader have that option? And do you use it? If not, you're engaging in risky behavior. |
#53
|
|||
|
|||
What's the deal with MS05-002 (KB891711.EXE) and Windows 98?
We have two out of our three Win98SE computers at work that are experiencing those
exact symptoms since installing the update mentioned. Despite some of the claims here as to the cause, the machines have no malware; are using the latest updated drivers for sound and video (machines are only a couple of years old); are not using McAfee or Norton products; and are connected via broadband (RoadRunner) through a NetGear router. I removed the update and all is well. I await some clarification from MS. The WinME computer and all the XP machines in the same network have no problem. -- Glen Ventura, MS MVP Shell/User, A+ ~ In memory of our friend, MVP Alex Nichol ~ http://aumha.org/alex.htm http://dts-l.org/goodpost.htm "Sramic" wrote in message ... Just on a personal experience note here, ever since I installed these latest security updates including: "Microsoft Security Bulletin MS05-002 Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711)" I have had many blue screens of death to the point of hard rebooting to get out. It seems that this update is causing me nothing but grief (Win98 3.10.2222, AMD K6-2 450MHz). I am removing this one because I cannot use my computer with it! Has anyone else experienced this kind of behavior? "Ivan Bútora" wrote: Look through some of the recent threats in win98.gen_discussion... "SFB - KB3MM" wrote in message ... Whata's the downside of this update? "Ivan Bútora" wrote in message ... Dan, please. ANY update is optional. It is up to me if I want to install it on my machine or not. Yes, I think it's good to install these updates in general, and I have installed all of them except KB891711. But on the other hand, there are upsides and downsides. In the case of KB891711, the inconvenience and trouble that is likely to be caused by this patch is far greater than the risk of a hacker exploiting your machine. Keep in mind that there have been several updates this year considered "important" for Windows 98 that have not been released publicly. As Gary Terhune pointed out, the difference between "important" and "critical" is actually not so significant in terms of the security threat. So yeah, your machine probably *is* vulnerable to something. But that's life, you can't be 100% secure all the time. I don't see the point in making such a big fuss about not having this one patch installed. And FYI, since September 2004, my computer has been running WITHOUT anti-virus protection, anti-spyware, etc. So yesterday I decided I would run a SpyBot check just for the hell of it, and guess what - nothing found other than a couple of IE cookies. My point: The most important thing is being aware of what you're doing with your computer and on the Internet. Frankly, I don't know what your letter to Bill Gates was, but what I do know is that MS should be ashamed for releasing a patch in this manner, without informing the users of the potential caveats, and apparently without testing in dial-up systems, etc. "Dan" wrote in message ... According to PC Today, April issue it is a critical update that has as of now not been exploited by hackers. Guys and Gals you need this critical update because I am guessing within 3 weeks someone will find a way to compromise all 98SE and associated 9x machines that need the patch and have not been updated. My best guess is that the time for the hackers will be a maximum of 3 weeks and it may be even faster so if your machine is connected to the Internet do whatever it takes to keep "KB891711.EXE" running because I am sure down the line Microsoft will be able to do a better fix but this is a temporary solution, hopefully to allow users to be safe while on-line. If programs are not responding then discover why. People you need this CRITICAL PATCH and it is not optional. If Windows will not run with the patch because of BSOD then disconnect from the Internet -- remove Ethernet cable, USB cable or phone cable until the problem is resolved because if you do not do this and have exited this CRITICAL PATCH then you are just asking for your system to be hacked and no it will not be by me or my friends although I know a lot about security on computers and weak access points and could probably do it without too much trouble if I wanted to but my heart is with keeping the U.S.A and its Allies and businesses and finally consumers to try and get one small leg up on the PEOPLE who hack machines for a hobby, the terriorists and finally the script kiddies. Let me know how I and others can help you with your computer problems. Have a nice day! "98 Guy" wrote in message ... : : If you don't know what I'm talking about, look he : : http://www.microsoft.com/technet/sec.../MS05-002.mspx : : If you're running Win 98, and have recently (within the past week) : gone to Windows Updates and updated your computer, you almost : certainly now have the file "KB891711.EXE" running in the background. : It is set to run automatically at startup. First time any such update : or security patch has been configured to operate (instead of simply : replacing an existing file). : : Even though Micro$loth sez that MS05-002 (KB891711.EXE) is critical : for Win-98, I've read where some (many) people are simply deactivating : it (via msconfig). : : Does anyone really know the truth regarding Win-98 and KB891711.EXE? : : Is there anything special about it (like running it in safe mode to : properly install it) ? : : Is it really needed? (for win-98) ? : : Is Win-98 really vulnerable to MS05-002 ??? |
#54
|
|||
|
|||
What's the deal with MS05-002 (KB891711.EXE) and Windows 98?
Glad to hear someone else had similar problems. My video card is
a GeForce 2MX400 with 40.72 vers. Nvidia drivers, there are newer drivers but they don't work as well on my system. "glee" wrote: We have two out of our three Win98SE computers at work that are experiencing those exact symptoms since installing the update mentioned. Despite some of the claims here as to the cause, the machines have no malware; are using the latest updated drivers for sound and video (machines are only a couple of years old); are not using McAfee or Norton products; and are connected via broadband (RoadRunner) through a NetGear router. I removed the update and all is well. I await some clarification from MS. The WinME computer and all the XP machines in the same network have no problem. -- Glen Ventura, MS MVP Shell/User, A+ ~ In memory of our friend, MVP Alex Nichol ~ http://aumha.org/alex.htm http://dts-l.org/goodpost.htm |
#55
|
|||
|
|||
Details of KB891711 & KB888113 (was: What's the deal with MS05-002(KB891711.EXE) and Windows 98?)
There have been several updates from Micro$loth lately:
Security Update for Windows 98 (KB891711) Security Update for Windows 98 (KB888113) Security Update for Windows 98 (KB891781) Security Update for Windows 98 (KB890175) Cumulative Security Update for IE 6 SP-1 (KB867282) The most recent being KB891711 and KB888113, which are (probably) getting installed at the same time for most people. Both of them are listed as "critical" across the board for all Windows platforms, even XP AND Windows Server 2003. There seems to be 4 different issues pertaining to KB891711, which (apparently) was discovered or made public in late December, 2004. CVE references: CAN-2004-1049 (LoadImage API of USER32 Lib / code execution) CAN-2004-1305 (only a DoS type problem ???) CAN-2004-1306 (vulnerability in .HLP file processing) CAN-2004-1361 (vulnerability in .HLP file processing) It's not clear to me that Microsoft has released patches that address items 1306 and 1361. Descriptions of these items indicate that Win-98 is not affected (or could be an oversight). See: http://cve.mitre.org/cgi-bin/cvename...=CAN-2004-1306 http://cve.mitre.org/cgi-bin/cvename...=CAN-2004-1361 Item 1049 seems to be the real problem: http://cve.mitre.org/cgi-bin/cvename...=CAN-2004-1049 Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, ..cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability." Seems to me that the vulnerability to this item depends on how your browser or e-mail client handles imbedded or attached files of the types mentioned. Additionally, the user might have to actually "click" or attempt to execute the malformed files in question to initiate the vulnerability. According to Secunia, there are currently 3 security advisories for Win-98se that remain "unpatched" and 1 with a partial fix: http://secunia.com/product/13/ I highly advise all Win-98 users to have a look at that page. Item KB888113 seems to be more browser related (see bottom of this post). Win-98 is listed specifically as vulnerable. Details for KB891711 / MS05-002: --------------------------------------------- Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution http://www.microsoft.com/technet/sec.../MS05-002.mspx 1) Cursor and Icon Format Handling Vulnerability - CAN-2004-1049 http://www.cve.mitre.org/cgi-bin/cve...=CAN-2004-1049 Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability." 2) Windows Kernel Vulnerability - CAN-2004-1305 http://www.cve.mitre.org/cgi-bin/cve...=CAN-2004-1305 The vulnerability of Windows 98 to these items is not specifically stated in this link: http://www.xfocus.net/flashsky/icoExp/index.html See also: http://www.kb.cert.org/vuls/id/625856 Microsoft Windows LoadImage API vulnerable to integer overflow Overview The Microsoft Windows LoadImage API routine is vulnerable to an integer overflow that may allow a remote attacker to execute arbitrary code on a vulnerable system. Description The LoadImage API routine is used to load an image from a file on Microsoft Windows platforms. The LoadImage API is included part of the USER 32 library. A lack of input validation on user supplied input to the LoadImage API routine may allow an integer overflow to occur. If a remote attacker supplies a specially crafted image file to a vulnerable system, that attacker may be able to trigger the integer overflow to compromise that system. An exploitable integer buffer overflow exists in the LoadImage API of the USER32 Lib. This function loads an icon, a cursor or a bitmap and then try to proceed the image. If an attacker sends a specially crafter bmp, cur, ico or ani file within an HTML page or in an Email, it is then possible to run arbitrary code on the affected system. According to public reports, many Microsoft Windows are affected. However, reports also indicate Windows XP with Service Pack 2 is not vulnerable, but we have not confirmed this. !^!^!^!^!^!^!^!^!^ Note that exploits for this vulnerability are publicly available. !^!^!^!^!^!^!^!^! Impact If a remote attacker can persuade a user to access a specially crafted image file, the attacker may be able to execute arbitrary code on that user's system, possibly with elevated privileges. Potentially any operation that displays an image could trigger exploitation; for instance, browsing the file system, reading HTML email, or browsing websites. Solution Apply Patch Apply a patch as described in Microsoft Security Bulletin MS05-002. Please also note that Microsoft is actively deploying the patches for this vulnerability via Windows Update. --------------------------------------------- Details for KB888113 / MS05-015: ------------------------------------------------ Vulnerability in hyperlink object library could allow remote code execution http://support.microsoft.com/kb/888113 or http://www.microsoft.com/technet/sec.../ms05-015.mspx also http://www.cve.mitre.org/cgi-bin/cve...=CAN-2005-0057 and http://www.kb.cert.org/vuls/id/820427 Description An unchecked buffer in the Microsoft Object Library is vulnerable to attack when malformed hyperlinks are handled. Such handling occurs most often when a user clicks on a hyperlink in a browser or in HTML-rendered email. The Object Library is a dynamic application interface library used by Windows programs to manage hyperlink objects. Hyperlink objects are any COM objects (including ActiveX) that implement the IHlink interface. Impact An attacker could execute arbitrary code of their choosing on the system running the vulnerable version of Windows. Upon successful exploitation, the malicious code would be executed with the privileges of the user being attacked. Workarounds As noted in Microsoft Security Bulletin MS05-015: Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Outlook Express 6 SP1 or a later version, to help protect yourself from the HTML e-mail attack vector. Note that an email-borne attack vector requires a click event on a hyperlink to occur. ---------------------------------------------- Interesting that the work-around mentions Outlook 2002. What about Outlook 2000? |
#56
|
|||
|
|||
Details of KB891711 & KB888113 (was: What's the deal with MS05-002(KB891711.EXE) and Windows 98?)
Interesting:
------------------------ http://isc.sans.org/ 7sir7 Mass Hack Update / DNS Cache Poisoning / Phishing with a twist Entire web farms hacked to serve up the 7sir7 redirect We have received reports and evidence that a number of companies that provide shared hosting web servers have had their servers exploited and all of the customer homepages modified so that visitors are attacked. In one case, a Perl script was used to modify each customers homepage with the additional IFRAME snippet that fellow handler Lorna had already reported in the diary two days ago. The Perl script reads in the web server configuration (httpd.conf) on a compromised server, and then appends the malicious iframe code to all the index.html pages of all the virtual hosts available on this server. The same reader (thanks, Clive!) who managed to isolate this script has also contributed a script written by himself to clean up the affected pages. If you shout loud enough, we might include it in tomorrow's diary :-) The page at 7sir7 is making use of several recent vulnerabilities in order to download and install malware on the PC of whoever visits the site. - Exploits the .ANI cursor vulnerability (MS05-002) ^^^^^^^^ - Exploits the HTML Help Cross Domain Vulnerability (MS05-001) If successful, the exploits drop either of two files "mhh.exe" or "sr.exe", both of which so far are only recognized by Kaspersky and called (not-a-virus:AdWare.ToolBar.SearchIt.h). The files have been submitted to the other AV vendors. (more stuff available at above link) By the way, Micro$loth must have anticipated problems with the KB891711 patch so they made it run as a service in the system tray instead of modifying / altering / replacing existing system files. By making it run as a service, it can easily be turned off if necessary. |
#57
|
|||
|
|||
What's the deal with MS05-002 (KB891711.EXE) and Windows 98?
In ,
Dan had this to say: My reply is at the bottom of your sent message: Wow, thanks for the warning. User is now highly thinking of making due with posting in Mozilla Thunderbird. Have a nice day! Hmmm, I must research this information Before you dump OE as a "fix" for the problem you might want to read this: In it he gives the best description of the problem in laymens terms in that the vulnerability isn't JUST with OE, Outlook, or Internet Explorer but rather a vulnerability in ANY software that's capable of rending HTML. Galen -- Signature changed for a moment of silence. Rest well Alex and we'll see you on the other side. |
#58
|
|||
|
|||
What's the deal with MS05-002 (KB891711.EXE) and Windows 98?
On 03/12/2005 at 11:06 PM, Ivan Bútora said:
what I do know is that MS should be ashamed Of course we know this is an impossibility. Jim L -- "Don't call it a crisis until you can't fix it," Obstructionist Party. |
#59
|
|||
|
|||
What's the deal with MS05-002 (KB891711.EXE) and Windows 98?
On 03/12/2005 at 09:50 PM, "Dan" said:
don't come complaining to me later on if someone connects to your computer and/or network because you were unpatched and makes all kinds of changes For god's sake put in a good firewall. Jim L -- "Don't call it a crisis until you can't fix it," Obstructionist Party. |
#60
|
|||
|
|||
What's the deal with MS05-002 (KB891711.EXE) and Windows 98?
Me & wrote in news7c831h7542gt7ien7k8upvjqqg4se1emd@
4ax.com: Find yourself a copy of Eudora 3.0.5 (very old). It's text only email. If there are pictures included you can choose to view them, but no html email. That's all I run. I hate html in my email. You can still download it from Eudora, but I am not sure if it can be purchased any longer. I bought it many years ago, I upgraded to a newer version, and found the newer ones were html ONLY. I went back to the old version. I am currently using Eudora 6.1.2 (the latest) and you have the option of disabling all HTML (the way that I run it). Eudora can be run in 3 modes; lite (free), sponsored and paid: http://www.eudora.com/download/ On Sat, 12 Mar 2005 23:29:02 -0800, "Gary S. Terhune" wrote: That hardly answers the question. All that says is that viewing email in HTML format can be risky. I don't see how switching from OE to some other newsreader will change that. If you view email in HTML format, you are much more at risk than if you view it in plain text, period. Not only from the vulnerabilities mentioned in this Security Bulletin, but from a myriad of other vulnerabilities involving HTML rendering. So, the answer is: View email in PlainText only. Fortunately, OE6 and up have this option--to view email in PlainText only. Does your newsreader have that option? And do you use it? If not, you're engaging in risky behavior. |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
What's the deal with MS05-002 (KB891711.EXE) and Windows 98? | Dan | General | 115 | April 15th 05 01:38 AM |
What's the deal with MS05-002 (KB891711.EXE) and Windows 98? | Eugene | General | 5 | March 22nd 05 03:12 PM |
What's the deal with MS05-002 (KB891711.EXE) and Windows 98? | Eugene | Improving Performance | 4 | March 22nd 05 03:12 PM |
What's the deal with MS05-002 (KB891711.EXE) and Windows 98? | Eugene | Setup & Installation | 4 | March 22nd 05 03:12 PM |
What's the deal with MS05-002 (KB891711.EXE) and Windows 98? | Dan | General | 7 | March 21st 05 05:36 PM |