IE Security Bulletin 02-047 affects Terminal Services connecting via a web page

From: Susan Bradley, CPA aka "Ebitz" SBS Rocks [MVP] (sbradcpa@PACBELL.NET)
Date: 08/25/02


Date:         Sat, 24 Aug 2002 18:44:20 -0700
From: "Susan Bradley, CPA aka \"Ebitz\" SBS Rocks [MVP]" <sbradcpa@PACBELL.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

If you install [or let XP or Win2kSP3 autoinstall] the 02-047 Cumulative
patch for IE, you will be unable to connect to Terminal Services from a
Web Page.

You will need to follow MSKB 328002 to adjust the ASP page to include
the updated GUID as follows:

CAUSE

This behavior occurs if one or more of the following Terminal Services
ActiveX controls are blocked by Internet Explorer for security reasons:

Terminal Services Advanced Client (TSAC) 1.0 ActiveX control - GUID:
{1fb464c8-09bb-4017-a2f5-eb742f04392f}

Microsoft Windows XP version of the TSAC - GUID:
{791fa017-2de3-492e-acc5-53c67a2b94d0}

Microsoft Windows .NET beta versions of the TSAC - GUID:
{931a8c29-3ea9-494d-91e7-22e9a9247687}

The only GUID that will work in Internet Explorer after you install the
security patch described in the "Symptoms" section of this article is
the following:

{9059f30f-4eb1-4bd2-9fdc-36f43a218f4a}

RESOLUTION

To resolve this issue, contact the administrator of the Web server.
Administrators should install the new control immediately from the
following Microsoft Web page:

http://www.microsoft.com/windowsxp/pro/downloads/rdwebconn.asp

For additional information about this issue, click the article number
below to view the article in the Microsoft Knowledge Base:

Q327521 MS02-0046: Buffer Overrun in TSAC ActiveX Control Might Allow
Code Execution

Modify existing ASP pages to load the updated control as follows:

<OBJECT language="vbscript" ID="MsRdpClient"
        CLASSID="CLSID:9059f30f-4eb1-4bd2-9fdc-36f43a218f4a"

Q328002 - You Cannot Connect to Terminal Services from a Web Page:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328002

For clients attaching to a Win2k Domain [in particular Small Business
Server 2000 servers] the "http://servername/myconsole" is affected. The
webconsole.asp page should be adjusted. For XP clients attaching to a
Small Business Server 2000 domain, the Win2k Remote Desktop Web
connection should be installed on the server and the XP clients can then
use http://servername/tsweb to connect remotely to the server.

In general and for security purposes, it is probably [well no, it is]
more secure to VPN in and use a normal Remote Desktop connection rather
than the Remote Desktop WEB connection.

Susan Bradley
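
Added example (not part of the original post or the Microsoft KB article): a Python audit that scans a web root for pages whose OBJECT tags still reference the three blocked TSAC CLSIDs listed above, so an administrator can find every page that needs the updated GUID. The function names, file patterns and the sample page are assumptions made for illustration.

```python
import re
from pathlib import Path

# CLSIDs copied from the post above: blocked after the IE patch vs. the one that still loads.
BLOCKED = {
    "1fb464c8-09bb-4017-a2f5-eb742f04392f": "TSAC 1.0",
    "791fa017-2de3-492e-acc5-53c67a2b94d0": "Windows XP TSAC",
    "931a8c29-3ea9-494d-91e7-22e9a9247687": "Windows .NET beta TSAC",
}
CURRENT = "9059f30f-4eb1-4bd2-9fdc-36f43a218f4a"

# CLASSID="CLSID:<guid>" in any case, with optional quotes, braces and whitespace.
CLASSID_RE = re.compile(
    r"classid\s*=\s*[\"']?\s*clsid:\s*\{?"
    r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?",
    re.IGNORECASE,
)

def audit_text(text):
    """Return [(line_no, guid, status)] for every CLASSID reference in text."""
    findings = []
    for m in CLASSID_RE.finditer(text):
        guid = m.group(1).lower()
        line_no = text.count("\n", 0, m.start()) + 1
        if guid in BLOCKED:
            status = "blocked: " + BLOCKED[guid]
        elif guid == CURRENT:
            status = "current"
        else:
            status = "other"  # unrelated ActiveX control, reported for context
        findings.append((line_no, guid, status))
    return findings

def audit_tree(root, patterns=("*.asp", "*.htm", "*.html")):
    """Return {path: findings} for pages that still reference a blocked control."""
    report = {}
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            hits = audit_text(path.read_text(errors="replace"))
            if any(status.startswith("blocked") for _, _, status in hits):
                report[str(path)] = hits
    return report

# Constructed sample page (not a real webconsole.asp): one stale tag, one updated tag.
SAMPLE = """<html><body>
<OBJECT language="vbscript" ID="OldClient"
        CLASSID="CLSID:1FB464C8-09BB-4017-A2F5-EB742F04392F">
</OBJECT>
<OBJECT language="vbscript" ID="MsRdpClient"
        CLASSID="CLSID:9059f30f-4eb1-4bd2-9fdc-36f43a218f4a">
</OBJECT>
</body></html>
"""

if __name__ == "__main__":
    for line_no, guid, status in audit_text(SAMPLE):
        print(f"line {line_no}: {guid} ({status})")
```

Pages it reports still need the CLASSID edit, and the server still needs the new control installed as the KB excerpt describes.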


