Re: MS01-058 broke my IE6

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 12/18/01


Date:         Tue, 18 Dec 2001 10:26:47 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

A number of people have contacted me about the lack of any message regarding
the availability of MS01-058.

Microsoft issued the patch on December 13th, 2001, and on the 14th I
received two messages (below) indicating it (the patch) had broken the
system it was installed on. I contacted the Microsoft Security Response
Center and they indicated they hadn't received any other reports of problems
(as of the 14th) and hadn't heard of customers reporting problems deploying
it.

I thought to wait for more feedback (two reports of problems really isn't
enough to go out with a warning on), or for MS to remove the patch (if they
got enough reports). I was also aware of the *potential* for MS to release
v2.0 to address the issues that HTTP-Equiv rose.

So I've held off mentioning the patch;

http://www.microsoft.com/technet/security/bulletin/MS01-058.asp

But then you have the dire warnings coming from some media outlets that IE
users need to patch Now!

Firstly, of the few IE vulnerabilities that we have actually seen exploited
(or attempted) en-masse, they have typically come several months after the
release of exploit code. Also, when they're dependent on a server being up
to deliver the payload, they don't spred far (or the part that works with
the payload stops working because the site has been taken down).

This isn't to say the patch doesn't address serious issues, Microsoft's
Severity Rating for systems running IE 6.0 is "Critical" across the board.
However, the urgency with which you need to deploy this is offset by the
potential for problems deploying. I'd choose to err on the side of caution
given the installation reports below, and make sure you install on a system
you don't mind destroying before you deploy across your organization.

If anyone else has experienced problems with MS01-058, let me know.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----Original Message-----
From: Jeff Lether
Sent: Friday, December 14, 2001 11:32 AM
To: Russ.Cooper@rc.on.ca
Subject: MS01-058 broke my IE6

I am running Win2K w/ SP2, fully patched in all repects (according to both
MSPSA, HFNetChk, and Windows Update). This morning, like everyone else I
received the dire warnings contained in MS security bulletin MS01-058 and
installed the patch immediately, as urged by Microsoft.

Now, after rebooting (several times!) I can no longer use IE 6.0 (or any
program which depends on it). IE will launch normally, and you can view the
about window to see that the patch was installed. But the second you try to
navigate to any web site (doesn't matter which, I've tried several), IE
locks up and stops responding to anything. It will not respond to the task
manager trying to close it, insisting instead that it is being debugged, and
to close the debugger first. You also cannot shut down windows normally
either. The shutdown sequence just hangs when trying to forcibly close the
non-responding IE. You wind up having to actually power off your system to
get IE out of memory.

Jeff Lether

-----Original Message-----
From: David C. Dunthorn
Sent: Fri, 14 Dec 2001 11:24:22 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: MS01-058 broken?

NTBugtraq members,

When I installed the MS-01-058 cumulative patch for IE6 and my machine
rebooted, It locked up when changing display modes. I tried rebooting in
vga mode and then changing display modes to one I know works the screen
again went blank and the machine locked. Even when I booted to vga mode and
selected the current display mode and pressed the test button it didn't
work. What _did_ work was pressing the cancel button to not change the
display mode and then reinstall sp6. When the machine rebooted I let it
come up in my normal display mode and everything worked fine. All I've had
to do since then is reinstall any post sp6 updates that I needed. I hope
that this is just happening to me, but when I tried to get to the NTBugtraq
web site I got no response, so I thought this message might be in order.

David C. Dunthorn

============================================================================
Delivery co-sponsored by VeriSign - The Internet Trust Company
============================================================================
Protect your servers with 128-bit SSL encryption!
Get VeriSign's FREE guide, "Securing Your Web Site for Business." You will
learn everything you need to know about using SSL to encrypt your e-commerce
transactions for serious online security. Click here!
http://www.verisign.com/cgi-bin/go.cgi?a=n016065650057000
============================================================================



Relevant Pages

  • MS01-058 exploit - W32/Cool.A-mm
    ... received two messages indicating it (the patch) had broken the ... I thought to wait for more feedback (two reports of problems really ... given the installation reports below, and make sure you install on a ... display mode and then reinstall sp6. ...
    (NT-Bugtraq)
  • RE: Updating WMI manually!
    ... I have checked throughouly and the reports dont seem to update.It still ... shows that the patch installation failed when it has installed ... Checked the add/ remove programs and found that the patch is ...
    (microsoft.public.sms.admin)
  • screend.conf - help an idiot
    ... > You might want to try the appropriate patch listed ... > Modification Type: NEW KIT ... > The Patch Kit Installation Instructions and the ... > 2 Special Instructions ...
    (Tru64-UNIX-Managers)
  • 9_Recommended error codes (specifically return code 5)
    ... * "return code 2" indicates patches are already installed. ... * "return code 25" means a patches requires another patch that is not yet installed. ... With or without using the save option, the patch installation process ... Installing 114008-01... ...
    (SunManagers)
  • SOLUTION: Q811493 crashes system at boot with BSOD C0000135 WINSRV.DLL could not be found
    ... I always had "Automatic Updates" running and downloaded every ... For some reasen, however, patch Q811493 kept ... had, but because KB824141 is also an update of critical KERNEL files, ... Spending 4 hours solving a MS bug (booting from the installation CD is ...
    (microsoft.public.win2000.general)