Archived from groups: microsoft.public.win98.gen_discussion (
More info?)
Sorry, I got the history wrong in your case. Somehow thought you had IE
5.01. Anyway, the end-point is that you *do* need to set the kill-bit, and
the patch doesn't seem to be available. So do it manually.
Did I understand you correctly? Did you previously see this patch listed at
WU? Because the response from MS is to quote the following paragraph from
the Security Bulletin:
"Note Critical security updates for these operating systems may not
be available at the same time as the other security updates that
are included with this security bulletin. They will be made available as
soon as possible following the release. When these security updates are
available, you will be able to download them only from the Windows
Update Web site."
That would indicate that the patch has not yet been posted for Win9x
systems.
--
Gary S. Terhune
MS-MVP Shell/User
"Gary S. Terhune" <grystnews@mvps.org> wrote in message
news:%23EG1q4PpFHA.708@TK2MSFTNGP09.phx.gbl...
> I've punted the issue upstairs. We'll see what they say. Regardless of
> whether it applies to your system or not, the patch *should_be* available
> at WU Catalog.
>
> Your logic is faulty. The patch isn't offered for versions of IE earlier
> than 5.5 because those versions simply aren't supported any longer.
> Haven't been for some time. That does *not* mean that earlier versions
> aren't vulnerable, particularly earlier versions of IE5 (not sure about
> IE4.) I would bet that your IE *is* vulnerable, and in any case, the
> kill-bit fix I suggested won't harm your installation. The Active-X
> control involved isn't supposed to be used in IE, anyway. This issue is a
> common one--Active-X controls that aren't meant to be accessed by IE but
> manage to be hooked by malware into doing so, with all the security issues
> that suggests. Setting the kill-bit is the common solution. Pretty much
> that entire ActiveX Compatibility key of the Registry consists of
> kill-bits. A similar issue is currently top news in security circles
> regarding MSDDS.DLL (an Office 2000 file), and the same solution is
> suggested.
>
> As for KB891711 (MS05-002), that *did* have problems when it was first
> issued. A replacement patch was issued within a short time and no longer
> causes any problems that I'm aware of. You *should* install KB891711
> without delay.
>
> --
> Gary S. Terhune
> MS-MVP Shell/User
>
> "Just me" <Justme489@myLink.com> wrote in message
> news:29dcg1ditrlneoat46k4tci2d0nol6rupr@4ax.com...
>> Thanks for responding, Gary.
>>
>> I'm using Windows 98SE with IE SP2 and now I'm not sure whether it
>> applies to me. But a month ago I'm sure I saw the update at the
>> Windows Update site as applying to me. I had made a note of it for a
>> later update. Today, however, the update was no longer there implying,
>> to me, that I may not need it afterall.
>>
>> Below is what MS05-037 says under "Affected Components" at
>>
http://www.microsoft.com/technet/security/bulletin/ms05-037.mspx
>> It reads in part:
>>
>> "Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium
>> Edition -- Review the FAQ section of this bulletin for details about
>> these operating systems."
>>
>> "Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on
>> Microsoft Windows 98 SE or on Microsoft Windows Millennium Edition
>> Review the FAQ section of this bulletin for details about these
>> operating systems."
>>
>> From the above, seems that I may not need the update since I'm using
>> Win 98 SE with IE5.5. Am I correct in this?
>>
>> I have all of the critical updates except the above and the Security
>> Update 891711 (MS05-002), which I've read that this latter may create
>> problems.
>>
>> Again, thanks for responding.
>>
>> John
>>
>>
>>
>>
>>
>>
>> On Fri, 19 Aug 2005 10:22:57 -0700, "Gary S. Terhune"
>> <grystnews@mvps.org> wrote:
>>
>>>Not sure what's up with the update, I'm checking into that. However, the
>>>update performs a relatively simple registry hack that you can do
>>>yourself.
>>>Note the following paragraph from MS05-037 (the pertaining Security
>>>Bulletin):
>>>
>>>------------------------------------------------------
>>>Does this update contain any changes to functionality?
>>>No. Since the JView Profiler COM object was not designed to be accessed
>>>through Internet Explorer, this update sets the kill bit for the JView
>>>Profiler (Javaprxy.dll) COM object. To help protect customers who have
>>>this
>>>object installed, this update prevents it from being instantiated in
>>>Internet Explorer. For more information about kill bits, see Microsoft
>>>Knowledge Base Article 240797. The class identifier (CLSID) for this
>>>object
>>>is '03D9F3F2-B0E3-11D2-B081-006008039BF0'.
>>>------------------------------------------------------
>>>
>>>In short: Open REGEDIT and navigate to HKLM\Software\Internet
>>>Explorer\ActiveX Compatibility. Look at the CLSID keys under that for a
>>>key
>>>named "03D9F3F2-B0E3-11D2-B081-006008039BF0'" If that key doesn't exist,
>>>create it. In that key, create a new DWORD named "Compatibility Flags",
>>>make
>>>the value 400.
>>>
>>>Should result in a value that looks like this: 0x000000400 (1024)
>>
>
>