  1. #1
    2 Star Lounger
    Join Date
    May 2001
    Location
    Monte Sereno, California, USA
    Posts
    137
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: IE 'Critical Update' Trashes Outlook Fonts (Outlook 2000, 2002)

    Outlook 2000 SR1
    Installed the MS023 tonight and do not see any problems yet.

    I have installed the May 11 2002, View Control Security Update.

    I have NOT installed the SP2 or the Aug 9, 2001, Extended E-mail Security Updates.

  2. #2
    3 Star Lounger Woody's Avatar
    Join Date
    Jan 2001
    Location
    Nashville, Tennessee
    Posts
    358
    Thanks
    1
    Thanked 644 Times in 4 Posts

    Re: IE 'Critical Update' Trashes Outlook Fonts (Outlook 2000, 2002)

    Ray -

    Try clicking the "Organize" or "Find" icons on the toolbar.

    Do the instructions appear in Times New Roman? They should be in Tahoma...
    Woody

    For Dummies book author, Senior Contributing Editor for InfoWorld, and long-suffering Windows victim. Check out the latest at AskWoody.com.

  3. #3
    3 Star Lounger Woody's Avatar
    Join Date
    Jan 2001
    Location
    Nashville, Tennessee
    Posts
    358
    Thanks
    1
    Thanked 644 Times in 4 Posts

    IE 'Critical Update' Trashes Outlook Fonts (Outlook 2000, 2002)

    I'm getting reports from all over the place that installing the Internet Explorer "Critical Update" MS released yesterday (MS02-023, http://www.microsoft.com/technet/security/...in/MS02-023.asp ) trashes the Outlook 2000 and 2002 "Find" and "Organize" fonts.

    I'm about to install the update on a sacrificial machine, and should have a special WOW out shortly.

    If any of you have hit the problem, could you send me confirmation, observations - and any suggestions you might have for fixing it? Send me mail directly - talk2woody@woodyswatch.com

    Thanks!
    Woody

    For Dummies book author, Senior Contributing Editor for InfoWorld, and long-suffering Windows victim. Check out the latest at AskWoody.com.

  4. #4
    Super Moderator
    Join Date
    Dec 2000
    Location
    Renton, Washington, USA
    Posts
    12,560
    Thanks
    0
    Thanked 4 Times in 4 Posts

    Re: IE 'Critical Update' Trashes Outlook Fonts (Outlook 2000, 2002)

    Woody,
    I have installed the "MS023" patch. I tried doing a search within Outlook 2002 and had NO problems.

    I am running Windows XP Pro, and Office 2002, with Outlook version as 10.2627.2625. I have NOT installed any of the Service Releases.

    Now running HP Pavilion a6528p, with Win7 64 Bit OS.

  5. #5
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Roanoke area, Virginia, USA
    Posts
    3,729
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: IE 'Critical Update' Trashes Outlook Fonts (Outlook 2000, 2002)

    In Outlook 2002, only Organize is messed up. It's butt ugly. Find in OL2002 is the tiny little bar and doesn't use CSS. In 2000, Find is as ugly as Organize.

    In testing, it only looks ugly, but it still works. It uses the fonts from IE, so you can change it.

  6. #6
    New Lounger
    Join Date
    May 2002
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: IE 'Critical Update' Trashes Outlook Fonts (Outlook 2000, 2002)

    Woody, call me stoopid (ok, you're stoopid!), but could the font change be anything to do with the virus attachments that substitute common filenames with I's and L's in order to mislead users? Is BS, I mean MS trying to slowly rectify that particular visual security hole?

    Am I making any sense?

  7. #7
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Roanoke area, Virginia, USA
    Posts
    3,729
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: IE 'Critical Update' Trashes Outlook Fonts (Outlook 2000, 2002)

    Nope, Woody is right that it's the patch.

    From information I've gleaned from other sources, the IE patch blocks HTML from reading style sheets located on local machines. Outlook uses several web style pages that are stored in a dll and that dll uses a global style sheet, instead of including the css in the page.

    I'm trying to find out if any other applications will be affected, since we're pushing the patch out to desktops Monday morning. I don't want to spend all day answering calls about programs not looking 'right'.

  8. #8
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: IE 'Critical Update' Trashes Outlook Fonts (Outlook 2000, 2002)

    This is Win98SE with Outlook98. The Organize and Find text is in TimesNewRoman -- as described -- but it certainly does not look that bad...

  9. #9
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: IE 'Critical Update' Trashes Outlook Fonts (Outlook 2000, 2002)

    I am not entirely clear on how the update did this. As best I can tell this is related to the second vulnerability: "Local Information Disclosure through HTML Object (CAN-2002-0191)".

    This vulnerability involves the potential reading of information stored locally (on your computer). The "mitigating factor" is that the file to be read must contain "a particular, individual ASCII character". MS steps all around and never tells you the character: the left "brace" or "curly-bracket" ("{"). I suspect this character must be fairly ubiquitous in Cascading Style Sheets. The demonstration of this vulnerability is here: http://sec.greymagic.com/adv/gm004-ie/

    On my trials, I found that only some portions of a given file (which must contain a left curly brace) could be read. So, to me the vulnerability is quite limited.

    The patch claims to fix this: "by implementing proper handling of the HTML object in question when it makes calls to files on the local system." Whatever that means...

    It seems that Outlook98 uses HTML files to create the "panes" that appear when you click "Find" or "Organize". These pages are located as "resources" inside this file: Outlwvw.dll. On my Win98 system with Outlook98, this resides in C:\Program Files\Microsoft Office\Office.

    The HTML resources are entitled Find.htm and Org.htm respectively. It appears that the "Style" of these pages -- including the text fonts -- is controlled in a CSS (Cascading Style Sheet) file. The one in question also appears to be a "resource" inside Outlwvw.dll and it is called "Org.css".

    If you open Outlwvw.dll with a binary file viewer you can actually see these things. I believe this is the beginning of Find.htm:
    -----------------------------
    <html>
    <head>
    <meta http-equiv="Content-Type"
    content="text/html; charset=iso-8859-1">
    <title>Find Webview</title>
    <LINK REL=stylesheet HREF="res://outlwvw.dll/org.css"></LINK>

    </head>
    -----------------------------------
    You will of course note this line: REL=stylesheet HREF="res://outlwvw.dll/org.css".
    As I stated, this should be pointing to the style sheet for Find.htm.

    Here is the header for the Org.htm file:
    --------------------------
    <html>
    <head>
    <meta http-equiv="Content-Type"
    content="text/html; charset=iso-8859-1">
    <title>Organize Webview</title>

    <LINK REL=stylesheet HREF="res://outlwvw.dll/org.css"></LINK>

    </head>
    ----------------------------
    Again you see the same style sheet called.


    SOMEHOW the new patch screws up the way Outlook is calling this LOCAL CSS resource. Time to run, but I thought you might find this input intriguing.

  10. #10
    3 Star Lounger Woody's Avatar
    Join Date
    Jan 2001
    Location
    Nashville, Tennessee
    Posts
    358
    Thanks
    1
    Thanked 644 Times in 4 Posts

    Re: IE 'Critical Update' Trashes Outlook Fonts (Outlook 2000, 2002)

    In fact, that's EXACTLY what happened.

    Details coming up in WOW this week. Stay tuned.

    Excellent sleuthing, by the way...
    Woody

    For Dummies book author, Senior Contributing Editor for InfoWorld, and long-suffering Windows victim. Check out the latest at AskWoody.com.

  11. #11
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: IE 'Critical Update' Trashes Outlook Fonts (Outlook 2000, 2002)

    Thanks. Sorry to run before I was finished, but I had to get the kids to bed. :-]

    At the end of what appears to be "Org.htm" (aka Organize Webview) -- before the next NULL character -- there is 'style sheet' information which I suspect IS the "Org.css" file. The beginning of this resource looks like this:
    -----------------------------------------------------------
    <style type="text/css">
    <!--

    .option {
    font-family: "Tahoma";
    font-weight: normal;
    font-size: 8pt;
    color:window;
    cursor:hand;
    text-decoration:underline;
    }

    .optionselected {
    font-family: "Tahoma";
    font-weight: normal;
    font-size: 8pt;
    color:windowtext;
    cursor:hand;
    text-decoration:underline;
    }

    .title { font-size: 12pt;
    font-weight: bold;

    }
    ----------------------------------------

    Etc, etc. At least two things are worth noting:
    1) the "left curly brace" certainly IS important in CSS files (duh!, I wish I really understood coding!)
    2) the ".option" section MOST LIKELY is to specify the font that we SHOULD be seeing in both the Organize and Find panes. As you stated -- it is Tahoma, not Times New Roman. Also notice that the ".title" section has no specified font and I suspect that means TimesNewRoman is the default font to be used.

    Let me jump off topic for one second. You CAN change the default IE fonts. For "English" -- or perhaps even "US English" -- they appear to be stored here:
    -------------------
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3
    IEPropFontName="Times New Roman"
    IEFixedFontName="Courier New"
    -------------------
    There are other numbered sub-keys there that MAY be for other languages -- otherwise I don't know why there is more than one. My computer here in the US uses sub-key "3".

    Back on topic:
    So... when you click on the Find or Organize buttons, Find.htm or Org.htm are called to open -- and they are supposed to use the CSS information stored in the "Org.css" resource inside Outlwvw.dll. This CSS resource is in the EXACT SAME file that the .htm resources are located in -- namely Outlwvw.dll. These are all located on your computer, so one would expect them to be in the MyComputer (aka LocalMachine) zone. One would suspect that few restrictions would be placed on this relatively simple transaction.

    However, after the MS02-023 patch, the ability to use a local CSS file seems to have been severely impaired. Exactly how "implementing proper handling of the HTML object in question when it makes calls to files on the local system" translates into: "we screwed up your ability to use a local CSS resource in the same .dll file as the .htm resource" -- is way beyond my ability to grasp.

    You will note, MS again feels the need to shroud this in mystery. They don't come out and say "Left Curly Brace" ({) -- it is the "particular, individual ASCII character". (The original version of the MS02-023 bulletin had a difficult time even spelling the word "particular".) Additionally, MS feels the need to obscure the issue further by using terms like "the object in question". Are they simply referring to a Cascading Style Sheet? Is that the 'secret' object, or do they mean something else? It is interesting that in the bulletin in question "the object in question" must call on a file with "the particular character in question". Gee, could they be a little more vague?

    There are two interesting registry values that get queried upon opening the "Organize" pane. They are:
    ---------------------------------------
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    "CSS_Compat"=""
    "Use Stylesheets"=""
    ----------------------------------------
    I had originally hoped that adding these non-existent values -- and setting them to "yes" -- might override this CSS blockage. But, so far on my preliminary trials this has not succeeded.

    A Google search of "CSS_Compat" was fruitless and it appears that "Use Stylesheets" is "yes" by default...
    http://support.microsoft.com/default.aspx?...b;en-us;Q183717
    http://support.microsoft.com/default.aspx?...b;EN-US;q272518

    Oh well. Good luck on your upcoming expos
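
For the question raised earlier in the thread about which other applications might be affected: an added example (not written by any poster here) that inventories binaries whose embedded HTML links a stylesheet through a res:// URL, as the Find.htm and Org.htm headers quoted above do. The function names and the sample bytes are constructed for illustration, and the scan works on raw bytes rather than parsing the PE resource table.

```python
import re
from collections import Counter
from pathlib import Path

# Old HTML resources vary in attribute order, case and quoting, so match loosely.
LINK_TAG = re.compile(rb"<link\b[^>]*>", re.IGNORECASE)
REL_CSS = re.compile(rb"rel\s*=\s*[\"']?stylesheet", re.IGNORECASE)
RES_HREF = re.compile(rb"href\s*=\s*[\"']?res://([^/\"'\s>]+)/([^\"'\s>]+)", re.IGNORECASE)


def find_res_stylesheets(blob: bytes) -> dict:
    """Count stylesheet LINK tags that load CSS via res://, keyed by (module, resource)."""
    # Dropping NUL bytes lets one pass cover 8-bit text and UTF-16LE text alike.
    text = blob.replace(b"\x00", b"")
    hits = Counter()
    for tag in LINK_TAG.findall(text):
        href = RES_HREF.search(tag)
        if href and REL_CSS.search(tag):
            module = href.group(1).decode("latin-1").lower()
            resource = href.group(2).decode("latin-1").lower()
            hits[(module, resource)] += 1
    return dict(hits)


def scan_tree(root: str) -> dict:
    """Map each binary under root to its res:// stylesheet links (files with none are omitted)."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".dll", ".exe", ".ocx"}:
            hits = find_res_stylesheets(path.read_bytes())
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample: two pages linking the shared sheet (one 8-bit, one UTF-16LE),
# one page using an http stylesheet, and one page with inline CSS only.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"<html><head><title>Find Webview</title>\r\n"
      b'<LINK REL=stylesheet HREF="res://outlwvw.dll/org.css"></LINK></head>\x00\x00'
    + '<link href="res://outlwvw.dll/org.css" rel="stylesheet">'.encode("utf-16-le")
    + b'\x00<link rel=stylesheet href="http://example.invalid/site.css">'
    + b"\x00<style>.title { font-size: 12pt; }</style>"
)

if __name__ == "__main__":
    for (module, resource), count in find_res_stylesheets(SAMPLE).items():
        print(f"res://{module}/{resource} linked by {count} page(s)")
```

Pages that carry their CSS inline, like the last entry in the sample, are not reported because they do not depend on a separate local stylesheet resource.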

  12. #12
    3 Star Lounger Woody's Avatar
    Join Date
    Jan 2001
    Location
    Nashville, Tennessee
    Posts
    358
    Thanks
    1
    Thanked 644 Times in 4 Posts

    Re: IE 'Critical Update' Trashes Outlook Fonts (Outlook 2000, 2002)

    Er, WOW!

    That's the most thorough - and accurate - explanation I've seen.

    OK if I quote you?
    Woody

    For Dummies book author, Senior Contributing Editor for InfoWorld, and long-suffering Windows victim. Check out the latest at AskWoody.com.

  13. #13
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: IE 'Critical Update' Trashes Outlook Fonts (Outlook 2000, 2002)

    It's fine with me!

  14. #14
    3 Star Lounger Woody's Avatar
    Join Date
    Jan 2001
    Location
    Nashville, Tennessee
    Posts
    358
    Thanks
    1
    Thanked 644 Times in 4 Posts

    Re: IE 'Critical Update' Trashes Outlook Fonts (Outlook 2000, 2002)

    Nope, it's more subtle. Details coming in WOW this week...
    Woody

    For Dummies book author, Senior Contributing Editor for InfoWorld, and long-suffering Windows victim. Check out the latest at AskWoody.com.

  15. #15
    2 Star Lounger
    Join Date
    Sep 2001
    Location
    Kalgoorlie, Western Australia, Australia
    Posts
    155
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: IE 'Critical Update' Trashes Outlook Fonts (Outlook 2000, 2002)

    You can also change the fonts using Tools - internet options - general tab - fonts button at the bottom of the tab from within IE to fix the problem while we are waiting for the patch. The font is still a bit big in Outlook though. This fix does mean all webpages with stylesheets are in Tahoma. But that is probably not a bad thing.
