Security Update/Patch notification (5.5 SP-1)

[Pilgrim]

I received a notification from Microsoft of a highly recommended "patch" that is available for all users of MSIE 5.5 and 6.0. I visited the page with this URL <A target="_blank" HREF=http://securitycheck.passport.com/default.asp>http://securitycheck.passport.com/default.asp</A> and thought it was just a gimmick to try and get me to upgrade to 6.x... but clicking on the link, "Tell me more about the security patch", it seems there is a "patch" for MSIE 5.5

BUT... here's why I'm posting this question. Reading the information about the patch itself, it says that the affected browsers are 5.5 SP-2 and 6.0... I don't have SP-2, according to the "Help/About" information I have. Sooooo, should I install this patch or no? I looked through all my Woody's ezines and couldn't find anything on this particular patch that deals with the Active Scripting vulnerability, etc....

Thanks,

Jeff

[kaplinb]

It looks like Microsoft abandoned all versions of Internet Explorer prior to 5.5 SP2 altogether. If you didn't upgrade to IE 5.5 SP2 or IE 6 (all versions), count on yourself...

This patch you are asking about (Q312461) is cumulative patch, another words, it combines all previous patches AND eliminates three new vulnerabilities: the first two involve how IE handles cookies across domains and the third one involves how IE handles URLs that include dotless IP addresses. For more information, see <A target="_blank" HREF=http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-055.asp>Microsoft Security Bulletin MS01-055</A>

[Pilgrim]

kaplinb,

Thanks for the response. However, I seem to still be stuck in a quandary whether or not I should install this patch? Woody has been quite explicit and forceful, even in today's "Woody's Office Watch" that we should avoid anything to do with the SR-2 patch. Since this security patch says it applies to MSIE 5.5 SP-2 and 6.0, I have that old "uneasy feeling" <img src=/S/laugh.gif border=0 alt=laugh width=15 height=15> But then again, perhaps I am confusing the SR-2 patch for Office and SP-1 and SP-2 for MSIE?

Are you personally recommending that this patch be installed if someone is using MSIE 5.5 SP-1? The vulnerability issue it addresses seems to be quite serious, but I don't want to install something that is going to cause problems. As you know, not all of MS's patches are desirable... hehe!

Jeff

[MerC]

Thing is, if you don't upgrade you're open to whatever security holes MS left unplugged. Personally, I'd go the whole hog and install IE6 (preferably from a CD, unless you've broadband), 128-bit encryption, MSJVM 5.00.3802. Then see if you still need the update. If so, install it. IE6 has a much more configurable way of handling cookies, for instance.
I use IE6 flavor as above with XPP and 2kP. With 98SE I prefer 5.5 SP2.
I don't now what Woody had to say, but I've not had any problem doing it this way. When updating, always chhose the option to back-up, so you can revert if need be. Sometimes these things don't bite first go.

Rgds

[Pilgrim]

Okay, I downloaded the security patch and tried to install it.... <img src=/S/doh.gif border=0 alt=doh width=15 height=15>... and as I suspected it won't work because it is only good for 5.5 SP-2, which I don't have (SP-1). I'm not really keen on upgrading? to 6.0 since it appears to be more "entertainment" oriented rather than functional, hehe.

Okay, I found where I could download/install MSIE 5.5 SP-2.... did that... and installed the patch! Thanks for everyone's advice and help. <img src=/S/grin.gif border=0 alt=grin width=15 height=15>

Jeff

[jscher2000]

As a footnote, I believe the IE 5.5 SP2 patch was the one that removed support for "Netscape-style" plug-ins, breaking all sorts of third party applications and requiring downloads of new versions of, for example, QuickTime. Hopefully all the plug-in providers have ActiveX controls by now, as that is what MS now demands.

[kaplinb]

And to be clear... Woody is talking about SR-2 Patch for OFFICE 2000, not for IE 5.5

I know, some people can't tell Windows from Office (all Microsoft stuff has identical version names), so please read carefully what is it about.

[Howard Kaikow]

Woody is referring to SR-2 for Office, that's a different critter.

[Pilgrim]

Just a followup note here and a bit of advice to others. <img src=/S/grin.gif border=0 alt=grin width=15 height=15>

I installed the SP2 patch for IE and then the Security Update. It caused numerous problems, e.g., disallowing pictures to be inserted in Outlook (2000 SP1a), timeout errors when retrieving e-mail, etc.. So it would appear that the SP2 Update for IE has a direct effect on other Office applications.

To solve these problems, I reverted back to the previous version of 5.5 (through the Control Panel/Add&Remove Programs/etc. The result was I had to download the SP1 Patch again, etc... <img src=/S/doh.gif border=0 alt=doh width=15 height=15> But all the problems were resolved after the restore.

Bottom line is, at least the way I see it, DO NOT INSTALL THE IE SP2 PATCH

Question for you: You said, When updating, always choose the option to back-up, so you can revert if need be. That's sound advice, but I'm wondering if you are implying that there is a way to preserve/backup your current version of IE so that if problems arise, such as I experienced, you can easily revert to the "good" version without having to go through the long and tedious trouble of using the "Setup.exe" again; i.e., downloading and installing the entire thing?

Thanks,

Jeff

[MerC]

Hi Jeff
Yes. If you've chosen to back-up, you can revert via the Repair option, I believe. This is the quick route I recommend. Nonetheless, when this happens to me, I prefer to take a longer approach and do exactly as you describe : reinstall IE by doing an over-the-top installation of the OS, then download the upgrades again. Belt-and-braces I suppose, but it wouldn't be everyone's best route. It has the advantage of correcting any fault that may have been caused by or in the download process.



Rgds

[jscher2000]

I think we figured it out over on the Outlook board in <A target="_blank" HREF=http://www.wopr.com/cgi-bin/w3t/showthreaded.pl?Cat=&Board=out&Number=108311>Post #108311</A>. (I have Office 2000 SR-1a and IE 5.5 SP2.)