What's the deal with MS05-002 (KB891711.EXE) and Windows 98?

Thanks, Luke what does 3.06 give you that 3.05 does not give you?

"Luke" wrote in message
...
: On Sun, 13 Mar 2005 06:45:27 -0700, "Dan" wrote:
:
: I am Googling for it now to test it if I can get a hold of this old
program.
:
: http://www.oldversion.com/program.php?n=eudora
:
: I suggest 3.0.6.
:
: --
: Luke

Well, then you need to read the bulletin again. OE is only mentioned in
that it is one vector out of many that might allow HTML-based malicious
code into your system. Microsoft simply included discussion of other
mitigating factors in certain scenarios involving MS products, and not
just OE. Also discussed are IE security and Outlook, a product that
shares little with OE other than the name and the news client.

Just because Microsoft didn't discuss other, 3rd-party vectors for the
malware involved doesn't mean those vectors don't exist. Fact is, *any*
application that renders HTML may be susceptible to the vulnerability.

--
Gary S. Terhune
MS MVP Shell/User
http://www.grystmill.com/articles/cleanboot.htm
http://www.grystmill.com/articles/security.htm

"John John" wrote in message
...
All it says to me is that the patch is to fix OE and if you don't use
OE you don't need the patch.

John

Gary S. Terhune wrote:

That hardly answers the question. All that says is that viewing
email in
HTML format can be risky. I don't see how switching from OE to some
other newsreader will change that. If you view email in HTML format,
you
are much more at risk than if you view it in plain text, period. Not
only from the vulnerabilities mentioned in this Security Bulletin,
but
from a myriad of other vulnerabilities involving HTML rendering. So,
the
answer is: View email in PlainText only. Fortunately, OE6 and up
have
this option--to view email in PlainText only. Does your newsreader
have
that option? And do you use it? If not, you're engaging in risky
behavior.

We have two out of our three Win98SE computers at work that are experiencing those
exact symptoms since installing the update mentioned. Despite some of the claims
here as to the cause, the machines have no malware; are using the latest updated
drivers for sound and video (machines are only a couple of years old); are not using
McAfee or Norton products; and are connected via broadband (RoadRunner) through a
NetGear router. I removed the update and all is well. I await some clarification
from MS.

The WinME computer and all the XP machines in the same network have no problem.
--
Glen Ventura, MS MVP Shell/User, A+
~ In memory of our friend, MVP Alex Nichol ~
http://aumha.org/alex.htm
http://dts-l.org/goodpost.htm


"Sramic" wrote in message
...
Just on a personal experience note here, ever since I installed these latest
security updates including: "Microsoft Security Bulletin MS05-002
Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code
Execution (891711)"
I have had many blue screens of death to the point of hard rebooting to get
out. It seems that this update is causing me nothing but grief (Win98
3.10.2222, AMD K6-2 450MHz). I am removing this one because I cannot use my
computer with it! Has anyone else experienced this kind of behavior?

"Ivan Bútora" wrote:

Look through some of the recent threats in win98.gen_discussion...

"SFB - KB3MM" wrote in message
...
Whata's the downside of this update?

"Ivan Bútora" wrote in message
...
Dan, please. ANY update is optional. It is up to me if I want to install
it on my machine or not. Yes, I think it's good to install these updates in
general, and I have installed all of them except KB891711. But on the other
hand, there are upsides and downsides. In the case of KB891711, the
inconvenience and trouble that is likely to be caused by this patch is far
greater than the risk of a hacker exploiting your machine. Keep in mind that
there have been several updates this year considered "important" for Windows
98 that have not been released publicly. As Gary Terhune pointed out, the
difference between "important" and "critical" is actually not so significant
in terms of the security threat. So yeah, your machine probably *is*
vulnerable to something. But that's life, you can't be 100% secure all the
time. I don't see the point in making such a big fuss about not having this
one patch installed.

And FYI, since September 2004, my computer has been running WITHOUT
anti-virus protection, anti-spyware, etc. So yesterday I decided I would run
a SpyBot check just for the hell of it, and guess what - nothing found other
than a couple of IE cookies. My point: The most important thing is being
aware of what you're doing with your computer and on the Internet.

Frankly, I don't know what your letter to Bill Gates was, but what I do
know is that MS should be ashamed for releasing a patch in this manner,
without informing the users of the potential caveats, and apparently without
testing in dial-up systems, etc.



"Dan" wrote in message
...
According to PC Today, April issue it is a critical update that has as
of now
not been exploited by hackers. Guys and Gals you need this critical
update
because I am guessing within 3 weeks someone will find a way to
compromise
all 98SE and associated 9x machines that need the patch and have not
been
updated. My best guess is that the time for the hackers will be a
maximum of
3 weeks and it may be even faster so if your machine is connected to the
Internet do whatever it takes to keep "KB891711.EXE" running because I
am
sure down the line Microsoft will be able to do a better fix but this is
a
temporary solution, hopefully to allow users to be safe while on-line.
If
programs are not responding then discover why. People you need this
CRITICAL
PATCH and it is not optional. If Windows will not run with the patch
because
of BSOD then disconnect from the Internet -- remove Ethernet cable, USB
cable
or phone cable until the problem is resolved because if you do not do
this
and have exited this CRITICAL PATCH then you are just asking for your
system
to be hacked and no it will not be by me or my friends although I know a
lot
about security on computers and weak access points and could probably do
it
without too much trouble if I wanted to but my heart is with keeping the
U.S.A and its Allies and businesses and finally consumers to try and get
one
small leg up on the PEOPLE who hack machines for a hobby, the
terriorists and
finally the script kiddies. Let me know how I and others can help you
with
your computer problems. Have a nice day!

"98 Guy" wrote in message ...
:
: If you don't know what I'm talking about, look he
:
: http://www.microsoft.com/technet/sec.../MS05-002.mspx
:
: If you're running Win 98, and have recently (within the past week)
: gone to Windows Updates and updated your computer, you almost
: certainly now have the file "KB891711.EXE" running in the background.
: It is set to run automatically at startup. First time any such update
: or security patch has been configured to operate (instead of simply
: replacing an existing file).
:
: Even though Micro$loth sez that MS05-002 (KB891711.EXE) is critical
: for Win-98, I've read where some (many) people are simply deactivating
: it (via msconfig).
:
: Does anyone really know the truth regarding Win-98 and KB891711.EXE?
:
: Is there anything special about it (like running it in safe mode to
: properly install it) ?
:
: Is it really needed? (for win-98) ?
:
: Is Win-98 really vulnerable to MS05-002 ???

Glad to hear someone else had similar problems. My video card is
a GeForce 2MX400 with 40.72 vers. Nvidia drivers, there are newer drivers
but they don't work as well on my system.

"glee" wrote:

We have two out of our three Win98SE computers at work that are experiencing those
exact symptoms since installing the update mentioned. Despite some of the claims
here as to the cause, the machines have no malware; are using the latest updated
drivers for sound and video (machines are only a couple of years old); are not using
McAfee or Norton products; and are connected via broadband (RoadRunner) through a
NetGear router. I removed the update and all is well. I await some clarification
from MS.

The WinME computer and all the XP machines in the same network have no problem.
--
Glen Ventura, MS MVP Shell/User, A+
~ In memory of our friend, MVP Alex Nichol ~
http://aumha.org/alex.htm
http://dts-l.org/goodpost.htm

There have been several updates from Micro$loth lately:

Security Update for Windows 98 (KB891711)
Security Update for Windows 98 (KB888113)
Security Update for Windows 98 (KB891781)
Security Update for Windows 98 (KB890175)
Cumulative Security Update for IE 6 SP-1 (KB867282)

The most recent being KB891711 and KB888113, which are (probably)
getting installed at the same time for most people.

Both of them are listed as "critical" across the board for all Windows
platforms, even XP AND Windows Server 2003.

There seems to be 4 different issues pertaining to KB891711, which
(apparently) was discovered or made public in late December, 2004.

CVE references:

CAN-2004-1049 (LoadImage API of USER32 Lib / code execution)
CAN-2004-1305 (only a DoS type problem ???)
CAN-2004-1306 (vulnerability in .HLP file processing)
CAN-2004-1361 (vulnerability in .HLP file processing)

It's not clear to me that Microsoft has released patches that address
items 1306 and 1361. Descriptions of these items indicate that Win-98
is not affected (or could be an oversight).

See:
http://cve.mitre.org/cgi-bin/cvename...=CAN-2004-1306
http://cve.mitre.org/cgi-bin/cvename...=CAN-2004-1361

Item 1049 seems to be the real problem:
http://cve.mitre.org/cgi-bin/cvename...=CAN-2004-1049

Integer overflow in the LoadImage API of the USER32 Lib for Microsoft
Windows allows remote attackers to execute arbitrary code via a .bmp,
..cur, .ico or .ani file with a large image size field, which leads to
a buffer overflow, aka the "Cursor and Icon Format Handling
Vulnerability."

Seems to me that the vulnerability to this item depends on how your
browser or e-mail client handles imbedded or attached files of the
types mentioned. Additionally, the user might have to actually
"click" or attempt to execute the malformed files in question to
initiate the vulnerability.

According to Secunia, there are currently 3 security advisories for
Win-98se that remain "unpatched" and 1 with a partial fix:

http://secunia.com/product/13/

I highly advise all Win-98 users to have a look at that page.

Item KB888113 seems to be more browser related (see bottom of this
post). Win-98 is listed specifically as vulnerable.



Details for KB891711 / MS05-002:
---------------------------------------------
Vulnerability in Cursor and Icon Format Handling Could Allow Remote
Code Execution

http://www.microsoft.com/technet/sec.../MS05-002.mspx

1) Cursor and Icon Format Handling Vulnerability - CAN-2004-1049
http://www.cve.mitre.org/cgi-bin/cve...=CAN-2004-1049

Integer overflow in the LoadImage API of the USER32 Lib for
Microsoft Windows allows remote attackers to execute arbitrary
code via a .bmp, .cur, .ico or .ani file with a large image
size field, which leads to a buffer overflow, aka the "Cursor
and Icon Format Handling Vulnerability."

2) Windows Kernel Vulnerability - CAN-2004-1305
http://www.cve.mitre.org/cgi-bin/cve...=CAN-2004-1305

The vulnerability of Windows 98 to these items is not specifically
stated in this link:
http://www.xfocus.net/flashsky/icoExp/index.html

See also: http://www.kb.cert.org/vuls/id/625856

Microsoft Windows LoadImage API vulnerable to integer overflow

Overview

The Microsoft Windows LoadImage API routine is vulnerable to an
integer overflow that may allow a remote attacker to execute arbitrary
code on a vulnerable system.

Description

The LoadImage API routine is used to load an image from a file on
Microsoft Windows platforms. The LoadImage API is included part of the
USER 32 library. A lack of input validation on user supplied input to
the LoadImage API routine may allow an integer overflow to occur. If a
remote attacker supplies a specially crafted image file to a
vulnerable system, that attacker may be able to trigger the integer
overflow to compromise that system.

An exploitable integer buffer overflow exists in the LoadImage API of
the USER32 Lib. This function loads an icon, a cursor or a bitmap and
then try to proceed the image. If an attacker sends a specially
crafter bmp, cur, ico or ani file within an HTML page or in an Email,
it is then possible to run arbitrary code on the affected system.

According to public reports, many Microsoft Windows are affected.
However, reports also indicate Windows XP with Service Pack 2 is not
vulnerable, but we have not confirmed this.

!^!^!^!^!^!^!^!^!^
Note that exploits for this vulnerability are publicly available.

!^!^!^!^!^!^!^!^!

Impact

If a remote attacker can persuade a user to access a specially crafted
image file, the attacker may be able to execute arbitrary code on that
user's system, possibly with elevated privileges. Potentially any
operation that displays an image could trigger exploitation; for
instance, browsing the file system, reading HTML email, or browsing
websites.

Solution

Apply Patch

Apply a patch as described in Microsoft Security Bulletin MS05-002.
Please also note that Microsoft is actively deploying the patches for
this vulnerability via Windows Update.
---------------------------------------------



Details for KB888113 / MS05-015:
------------------------------------------------
Vulnerability in hyperlink object library could allow remote
code execution
http://support.microsoft.com/kb/888113
or
http://www.microsoft.com/technet/sec.../ms05-015.mspx
also
http://www.cve.mitre.org/cgi-bin/cve...=CAN-2005-0057
and
http://www.kb.cert.org/vuls/id/820427

Description
An unchecked buffer in the Microsoft Object Library is vulnerable to
attack when malformed hyperlinks are handled. Such handling occurs
most often when a user clicks on a hyperlink in a browser or in
HTML-rendered email. The Object Library is a dynamic application
interface library used by Windows programs to manage hyperlink
objects. Hyperlink objects are any COM objects (including ActiveX)
that implement the IHlink interface.

Impact
An attacker could execute arbitrary code of their choosing on the
system running the vulnerable version of Windows. Upon successful
exploitation, the malicious code would be executed with the privileges
of the user being attacked.

Workarounds
As noted in Microsoft Security Bulletin MS05-015:
Read e-mail messages in plain text format if you are using Outlook
2002 or a later version, or Outlook Express 6 SP1 or a later version,
to help protect yourself from the HTML e-mail attack vector. Note
that an email-borne attack vector requires a click event on a
hyperlink to occur.
----------------------------------------------

Interesting that the work-around mentions Outlook 2002. What about
Outlook 2000?

Interesting:

------------------------

http://isc.sans.org/

7sir7 Mass Hack Update / DNS Cache Poisoning / Phishing with a twist

Entire web farms hacked to serve up the 7sir7 redirect

We have received reports and evidence that a number of companies that
provide shared hosting web servers have had their servers exploited
and all of the customer homepages modified so that visitors are
attacked. In one case, a Perl script was used to modify each customers
homepage with the additional IFRAME snippet that fellow handler Lorna
had already reported in the diary two days ago. The Perl script reads
in the web server configuration (httpd.conf) on a compromised server,
and then appends the malicious iframe code to all the index.html pages
of all the virtual hosts available on this server. The same reader
(thanks, Clive!) who managed to isolate this script has also
contributed a script written by himself to clean up the affected
pages. If you shout loud enough, we might include it in tomorrow's
diary :-)

The page at 7sir7 is making use of several recent vulnerabilities in
order to download and install malware on the PC of whoever visits the
site.

- Exploits the .ANI cursor vulnerability (MS05-002)
^^^^^^^^
- Exploits the HTML Help Cross Domain Vulnerability (MS05-001)

If successful, the exploits drop either of two files "mhh.exe" or
"sr.exe", both of which so far are only recognized by Kaspersky and
called (not-a-virus:AdWare.ToolBar.SearchIt.h). The files have been
submitted to the other AV vendors.

(more stuff available at above link)

By the way, Micro$loth must have anticipated problems with the
KB891711 patch so they made it run as a service in the system tray
instead of modifying / altering / replacing existing system files. By
making it run as a service, it can easily be turned off if necessary.

In ,
Dan had this to say:

My reply is at the bottom of your sent message:

Wow, thanks for the warning. User is now highly thinking of making
due with posting in Mozilla Thunderbird. Have a nice day! Hmmm, I
must research this information


Before you dump OE as a "fix" for the problem you might want to read this:



In it he gives the best description of the problem in laymens terms in that
the vulnerability isn't JUST with OE, Outlook, or Internet Explorer but
rather a vulnerability in ANY software that's capable of rending HTML.

Galen
--
Signature changed for a moment of silence.
Rest well Alex and we'll see you on the other side.

On 03/12/2005 at 11:06 PM, Ivan Bútora said:

what I do know is that MS should be ashamed

Of course we know this is an impossibility.

Jim L

--
"Don't call it a crisis until you can't fix it," Obstructionist Party.

On 03/12/2005 at 09:50 PM, "Dan" said:

don't come complaining to me later on if someone connects to your
computer and/or network because you were unpatched and makes all kinds
of changes

For god's sake put in a good firewall.

Jim L

--
"Don't call it a crisis until you can't fix it," Obstructionist
Party.

Me & wrote in news7c831h7542gt7ien7k8upvjqqg4se1emd@
4ax.com:

Find yourself a copy of Eudora 3.0.5 (very old). It's text only
email. If there are pictures included you can choose to view them,
but no html email. That's all I run. I hate html in my email.
You can still download it from Eudora, but I am not sure if it can be
purchased any longer. I bought it many years ago, I upgraded to a
newer version, and found the newer ones were html ONLY. I went back
to the old version.

I am currently using Eudora 6.1.2 (the latest) and you have the option of
disabling all HTML (the way that I run it). Eudora can be run in 3 modes;
lite (free), sponsored and paid:

http://www.eudora.com/download/

On Sat, 12 Mar 2005 23:29:02 -0800, "Gary S. Terhune"
wrote:

That hardly answers the question. All that says is that viewing email in
HTML format can be risky. I don't see how switching from OE to some
other newsreader will change that. If you view email in HTML format, you
are much more at risk than if you view it in plain text, period. Not
only from the vulnerabilities mentioned in this Security Bulletin, but
from a myriad of other vulnerabilities involving HTML rendering. So, the
answer is: View email in PlainText only. Fortunately, OE6 and up have
this option--to view email in PlainText only. Does your newsreader have
that option? And do you use it? If not, you're engaging in risky
behavior.