Re: Problem with latest security update kb891781 (dhtmled.ocx upda
From: Pat Magnan (pat_at_sluggo.org)
Date: 02/15/05
Date: 15 Feb 2005 06:39:04 -0800
The problem is affecting Windows 2000 and Windows 98 customers of ours
as well. So I don't think it relates to SP2 issues (I wish it were
that easy). We've debugged into it also, and found the same problem.
No access is being allowed to the DOM object anymore. The interfaces
are actually present, but return NULL pointers, so the 'no such
interface' isn't quite accurate, but may as well be an accurate return
code. The interface exists, it's just useless.

Someone made an error implementing the hotfix as near as I can tell,
either that, or the interfaces have been altered and the way you now
use this COM object is not yet documented? Mind you, I thought when
changing a COM object, the old interfaces were not to be removed so
as not to break existing applications.

Hopefully, it's just a matter of changing the way such applications
access the object, but for the moment, we've had to publish removal
instructions to keep in business.

It is interesting to note that our application is also accessing the
object from Delphi.

fartak <fartak@discussions.microsoft.com> wrote in message news:<610A9151-D876-4C50-B39D-B8DFC0B3597E@microsoft.com>...
> Thanks for help, but still I didn't succeed. For further explanation: our
> application is stand-alone application using dhtmled.ocx and mshtml for html
> manipulation. That MS bulletin says, that SP2 increases security
> (=restrictions) for Local zones. That's ok. Our application worked well with
> this sp2. Even though with all updates released up to now but the mentioned
> KB891781, that replaces the ActiveX component. That's strange. This update
> should fix possible remote attack, but it seems, that those guys did some
> thing wrong. The ActiveX component (dhtmled.ocx) runs, the application
> normally initializes itself (including ActiveX component dhtmled), but you
> can't access its DOM interface for document manipulation. When you do such
> thing "Interface unknown" exception raises. This changes after apply of
> kb891781.
>
> According the article -
> http://support.microsoft.com/default.aspx?scid=kb;en-us;833633
> I played with registry and permitted almost everything for local zone
> (computer), intranet, internet and so on. Nothing has changed. That's really
> annoying :-(.
> We have to recommend our customers using the application not to install this
> update until a cleaner solution arises. I hope, that scenario of MS
> being unable to fix this problem with vulnerability correctly so they turn
> some features off, is not true...
>
> Regards Jiri Fartak (jfartak@wms.cz)
>
> "Jon Kennedy" wrote:
>
> > http://www.microsoft.com/technet/security/bulletin/ms05-013.mspx
> > From the "General Information" section:
> >
> > What is the Local Machine zone lockdown?
> > In Windows XP Service Pack 2, all local files and content that are processed
> > by Internet Explorer has additional security applied to it in the Local
> > Machine zone. This feature restricts HTML in the Local Machine zone. This
> > feature also restricts HTML that is hosted in Internet Explorer. These
> > restrictions help mitigate attacks where the Local Machine zone is used as
> > an attack vector to load malicious HTML code.
> >
> > Because of this change, ActiveX script in local HTML pages that are viewed
> > inside Internet Explorer will not run. Also, script in local HTML pages that
> > are viewed inside Internet Explorer prompts the user for permission to run.
> >
> > For how to change the local machine zone security settings, see this
> > article:
> >
> > How to strengthen the security settings for the Local Machine zone in
> > Internet Explorer
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;833633
> >
> > --
> >
> > Jon R. Kennedy
> > Charlotte, NC, USA
> > jkennedy2@carolina.rr.com
> >
> > "genX" <genX@discussions.microsoft.com> wrote in message
> > news:ED177C04-C595-49E7-A2D7-4B3622741F51@microsoft.com...
> > > Hi,
> > > today I've installed latest security update kb891781, which caused, that our
> > > application for web content management that uses MSHTML editing ActiveX
> > > control dhtmled.ocx, stops work. Our application is developed in Delphi and
> > > uses this component for content managing.
> > > I found the problem (after tracing some debug info)- the application
> > > couldn't get access to the DOM (IHtmlEditDocument2 interface) through
> > > IHTMLEdit interface, so it raised the exception "Unknown interface".
> > > I didn't find any workaround than uninstall this security fix. Then
> > > everything was OK as before. Of course, I spent some time with security
> > > settings in IE - I enabled almost everything, but nothing helped.
> > >
> > > I tried to find whether some other has the same problem and I found some
> > > Polish application based on this component having the same trouble.
> > >
> > > Does anybody have any idea where the problem is?
> > > Thanx.
> >
> >