Re: Problem with latest security update kb891781 (dhtmled.ocx upda

From: fartak (fartak_at_discussions.microsoft.com)
Date: 02/15/05


Date: Tue, 15 Feb 2005 02:25:03 -0800

Thanks for the help, but I still didn't succeed. For further explanation: our
application is a stand-alone application using dhtmled.ocx and mshtml for HTML
manipulation. That MS bulletin says that SP2 increases security
(=restrictions) for Local zones. That's OK. Our application worked well with
this SP2, even with all updates released up to now except the mentioned
KB891781, which replaces the ActiveX component. That's strange. This update
should fix a possible remote attack, but it seems that those guys did something
wrong. The ActiveX component (dhtmled.ocx) runs, the application
initializes itself normally (including the ActiveX component dhtmled), but you
can't access its DOM interface for document manipulation. When you do such a
thing, an "Interface unknown" exception is raised. This changed after applying
kb891781.

According to the article -
http://support.microsoft.com/default.aspx?scid=kb;en-us;833633
I played with the registry and permitted almost everything for the local zone
(computer), intranet, internet and so on. Nothing has changed. That's really
annoying :-(.
We have to recommend that our customers using the application not install this
update until a cleaner solution arises. I hope that the scenario of MS
being unable to fix this vulnerability correctly, so they turn
some features off, is not true...

Regards Jiri Fartak (jfartak@wms.cz)

"Jon Kennedy" wrote:

> http://www.microsoft.com/technet/security/bulletin/ms05-013.mspx
> From the "General Information" section:
>
> What is the Local Machine zone lockdown?
> In Windows XP Service Pack 2, all local files and content that are processed
> by Internet Explorer has additional security applied to it in the Local
> Machine zone. This feature restricts HTML in the Local Machine zone. This
> feature also restricts HTML that is hosted in Internet Explorer. These
> restrictions help mitigate attacks where the Local Machine zone is used as
> an attack vector to load malicious HTML code.
>
> Because of this change, ActiveX script in local HTML pages that are viewed
> inside Internet Explorer will not run. Also, script in local HTML pages that
> are viewed inside Internet Explorer prompts the user for permission to run.
>
> For how to change the local machine zone security settings, see this
> article:
>
> How to strengthen the security settings for the Local Machine zone in
> Internet Explorer
> http://support.microsoft.com/default.aspx?scid=kb;en-us;833633
>
> --
>
> Jon R. Kennedy
> Charlotte, NC, USA
> jkennedy2@carolina.rr.com
>
> "genX" <genX@discussions.microsoft.com> wrote in message
> news:ED177C04-C595-49E7-A2D7-4B3622741F51@microsoft.com...
> > Hi,
> > today I've installed the latest security update kb891781, which caused our
> > application for web content management, which uses the MSHTML editing ActiveX
> > control dhtmled.ocx, to stop working. Our application is developed in Delphi
> > and uses this component for content managing.
> > I found the problem (after tracing some debug info) - the application
> > couldn't get access to the DOM (IHtmlEditDocument2 interface) through the
> > IHTMLEdit interface, so it raised the exception "Unknown interface".
> > I didn't find any workaround other than uninstalling this security fix. Then
> > everything was OK as before. Of course, I spent some time with security
> > settings in IE - I enabled almost everything, but nothing helped.
> >
> > I tried to find whether someone else has the same problem and I found some
> > Polish application based on this component having the same trouble.
> >
> > Does anybody have any idea where the problem is?
> > Thanks.
>
>


