Issues with MS02-005

From: Sorenson, Brenda (BLSORENSON@PLATO.COM)
Date: 02/25/02

Date:         Mon, 25 Feb 2002 15:47:13 -0600
From: "Sorenson, Brenda" <BLSORENSON@PLATO.COM>

Has anyone heard of issues with MS02-005 (IE Cumulative patch)? The
article below is the only article I have seen so far regarding this latest
cumulative patch.

Latest IE Patch Can Crash Browser

Microsoft advises Webmasters to change sites' use of VB script and avoid

Joris Evers, IDG News Service
Friday, February 15, 2002

Microsoft's latest security patch for Internet Explorer causes the Web
browser to crash when viewing Web pages that contain a certain VBScript
directive, several IE users have found. Microsoft acknowledges the problem
and says Web site administrators will need to take action.

"This issue does not pose a security threat to users. This issue affects
stability. Normal operation can be restored by restarting IE," Microsoft
said in a statement Friday. "Microsoft Product Support Services has been
working with customers to implement a workaround that addresses a problem in
which patched IE browsers could crash when viewing certain pages containing
a specific VBScript directive."

The way to fix the problem in the short term will be to tweak the coding on
Web pages that contain this directive, called the execScript directive,
Microsoft said. However, Microsoft is working on an updated patch, but does
not know when that will be released. The latest patch can be downloaded from
Microsoft's site. In postings to Microsoft's discussion groups, users had
earlier pinpointed the execScript directive as the culprit.

"The workaround is one that site operators would implement on their ASP
(Active Server Page) pages. End-users need not do anything," Microsoft said,
adding that a knowledge base article explaining the issue and the workaround
procedure will be posted to shortly.

Problems Reported
One Dutch IE user on Friday said his patched Web browser crashed when
accessing the Web JetAdmin remote management tool for Hewlett-Packard

"Sadly, the patch removes functionality in IE. I installed the patch on my
IE 5 system, but removed it immediately by installing a complete new version
of IE 6. The HP administrator page on our LAN did not work on the patched
system, but did work on unpatched systems," said Jean van Laarhoven, systems
manager for a part of Amsterdam's city government.

Internet advertising company DoubleClick advised its customers in an e-mail
not to install Microsoft's patch, a DoubleClick spokesperson said Friday.
DoubleClick's ad management system is accessed through the Web and relies on
scripting. Two European DoubleClick users, who requested anonymity,
confirmed that IE crashed when they tried to access the DoubleClick system
after patching their browser.

Microsoft released the "cumulative" patch that fixes six holes in IE
versions 5.01, 5.5, and 6.0 on Monday. The software maker gave the patch a
"critical" rating and urged all users to immediately install it. The set of
patches fixes holes that could allow an attacker to take control over a
user's computer.

Delivery co-sponsored by VeriSign - The Internet Trust Company
Do you have 128-bit SSL encryption server security?
Get VeriSign's FREE Guide, "Securing Your Web Site for Business," and learn
everything you need to know about using 128-bit SSL to encrypt your
e-commerce transactions, secure your intranets and authenticate your Web
site. 128-bit SSL is serious security for your online business. Get it now!