  1. #1
    Plutonium Lounger Leif's Avatar
    Join Date
    Dec 2000
    Location
    U.K.
    Posts
    14,010
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: MS01-038 - Patch does not work (10.3117.2625)

    Just went through the patch process myself - running the demo before and after.
    After the patch and a re-boot, the demo page still displays my Inbox, but the alerts and DIR command do not (appear) to run.
    By restricting (setting to prompt) Active X in IE's Security setup, I can prevent the demo page from displaying my inbox.
    My take on Microsoft's waffle is that the patch will prevent incoming HTML emails from operating, but no-one is actually *forcing* you to go to a website that could be malicious, so it can't be *their* fault if you do.
    Very reassuring.

  2. #2
    New Lounger
    Join Date
    May 2002
    Location
    Iowa City, USA
    Posts
    14
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: MS01-038 - Patch does not work (10.3117.2625)

    Not sure what you mean by DIR commands, Leif. I was able to delete some emails no problem just like before the patch was applied.

    I agree on what you say about going to a malicious site but my point is that the patch did not appear to fix anything.

  3. #3
    Plutonium Lounger Leif's Avatar
    Join Date
    Dec 2000
    Location
    U.K.
    Posts
    14,010
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: MS01-038 - Patch does not work (10.3117.2625)

    Apologies for forgetting to respond - the latest Woody's Watch reminded me. (Here [http://www.woodyswatch.com/office/archtemplate.asp?current] if you don't subscribe!)

    I ran the test before I installed the patch, and all sorts of weird and wonderful (test) messages came up, plus a DIR listing in a Command Prompt window. You can see the list of commands that will run on the demo page you mention above.
    That was fixed, but like you (and obviously the rest of the world) I still appear vulnerable . . .

  4. #4
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Roanoke area, Virginia, USA
    Posts
    3,729
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: MS01-038 - Patch does not work (10.3117.2625)

    The inbox is supposed to display - it's what the view control is used for.

    The scripting was not supposed to be permitted - the pop-ups of the mail and cmd were the security violation.

    If you are not seeing the pop-ups, then the fix is working as intended.

    The view control is used in digital dashboards and team folders (and can be used in active desktops). There are some dashboard demos using the view control at http://www.digidashlive.com. (My fav is the Russian board.)

  5. #5
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Roanoke area, Virginia, USA
    Posts
    3,729
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: MS01-038 - Patch does not work (10.3117.2625)

    BTW - Woody is wrong with his comment about the inbox display. He totally misunderstands what the purpose of the view control is. You are supposed to be able to see the inbox (or other Outlook folders).

  6. #6
    New Lounger
    Join Date
    May 2002
    Location
    Iowa City, USA
    Posts
    14
    Thanks
    0
    Thanked 0 Times in 0 Posts

    MS01-038 - Patch does not work (10.3117.2625)

    Hello,

    Well, I just installed the patch for MS01-038 found here
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-038.asp

    I then went to here http://guninski.com/vv2xp.html to run the demo and test the patch and guess what......... my machine is still vulnerable to the exploit!

    So, I ran Office XP setup and removed Outlook 2002. I then reinstalled Outlook and ran the MS01-038 patch and I got a message that the patch was already installed.

    I wonder if anyone has had similar experiences. What should I do to solve the problem? How does one get the patch to work?

  7. #7
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: MS01-038 - Patch does not work (10.3117.2625)

    MS's bulletin (http://www.microsoft.com/technet/security/bulletin/MS01-038.asp) agrees, it's a feature not a bug: "The control should only allow passive operations such as viewing mail or calendar data."

    What seems to be lacking is precise user control over who accesses which ActiveX component. The user's IE security choices appear to be to allow, disallow, or prompt for:

    (1) Downloads of signed ActiveX components (not relevant here; it's part of Office)
    (2) Downloads of unsigned ActiveX components (ditto)
    (3) Scripting of "unsafe for scripting" ActiveX components (not relevant; it's considered safe)
    (4) Scripting of "safe for scripting" ActiveX components (relevant, but blunderbuss)

    In this case, one could change the Internet Zone setting from Enable to Prompt for item (4). Then, the test page should throw up a dialog asking if you want to allow the script to access this control. I think the dialog probably has sufficient information to know which control it is, but, not having this control, I'm not sure. Could someone test it?

    As a paranoid type, I use higher than Microsoft's standard "Medium" security in the Internet zone, but most users probably do not dig into it that deeply. And if you visit pages that make a lot of use of ActiveX controls that ship with Office, this dialog could pop up frequently and be annoying and lead users to flip the easy switch
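
Added example, not part of the original post and not Microsoft's code: a read-only PowerShell check of how the Internet zone is currently set for the four ActiveX choices listed in post #7. It assumes a current Windows system with PowerShell and the standard IE zone registry layout (zone 3 = Internet; values 0, 1, 3 = Enable, Prompt, Disable).

```powershell
# Added example: report the Internet zone (zone 3) setting for the four
# ActiveX choices discussed in the post. Read-only; it changes nothing.
$zone       = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$policyZone = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action IDs (registry value names) for the four settings in the post.
$actions = [ordered]@{
    '1001' = '(1) Download signed ActiveX controls'
    '1004' = '(2) Download unsigned ActiveX controls'
    '1201' = '(3) Script controls not marked safe for scripting'
    '1405' = '(4) Script controls marked safe for scripting'
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneAction {
    param([string]$Id)
    # Policy values, where present, take precedence over the user's own setting.
    foreach ($path in "HKLM:\$policyZone", "HKCU:\$policyZone", "HKCU:\$zone") {
        $item = Get-ItemProperty -Path $path -Name $Id -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]$item.$Id; Source = $path }
        }
    }
    return $null
}

$report = foreach ($id in $actions.Keys) {
    $hit = Get-ZoneAction -Id $id
    $state = if ($null -eq $hit) { 'not set' } elseif ($meaning.ContainsKey($hit.Value)) {
        $meaning[$hit.Value]
    } else { "other ($($hit.Value))" }
    [pscustomobject]@{
        Action  = $id
        Setting = $actions[$id]
        State   = $state
        Source  = if ($hit) { $hit.Source } else { '' }
    }
}
$report | Format-Table -AutoSize

# Item (4) is the one the post calls relevant: flag it when scripts run unprompted.
$safe = $report | Where-Object Action -eq '1405'
if ($safe.State -eq 'Enable') {
    Write-Warning 'Internet zone scripts "safe for scripting" controls without asking; Prompt or Disable is tighter.'
}
```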

  8. #8
    New Lounger
    Join Date
    May 2002
    Location
    Iowa City, USA
    Posts
    14
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: MS01-038 - Patch does not work (10.3117.2625)

    Yes, and apparently we are supposed to be able to manipulate the data (i.e. delete, move, etc.) but the web page will not be able to do any of this manipulation as was the case without the patch.

    I was previously under a similar impression as Woody. This all seems very confusing to me.
