IE6 SP1 cumulative update does it have a bug ?

Well i am in an xp machine with IE 6 and having the same update. Doesnot seem to affect my system .

you mean the windows help right ? May be something is not correct there

Yes Help as from the start menu.

However I'm in Win98SE maybe its OS specific ?

The weird thing is that the only variable is the presence or absence of this update.

The only thing I can think of is that it contains something which itself has a bug which has not yet been updated  

May be . But i have not seen this particular problem here so far

Also make sure your windows 98 is upto date ( windowsupdate.microsoft.com)

Also check for virus and spywares in your system

Try this system file checker   http://www.windows-help.net/windows98/start-142.shtml

I'm using Windows 98 FE and also have the IE 6 SP1 installed.  I'm not having any problem with my trouble shooters, but I noticed another bug.  Whenever I make a change to my address book in Outlook Express it saves the backup to the desktop with a name of ~ and no extension.

caza13,

That is a known bug of OE, it's a backup of your address book.

Try a rename with a .wab extension et voilá... an address book!

Cheers,

Zee

Thanks BillDL,

Seems I forgot the first rule of resolving pc problems 'RTFM' except in this case the manual would be the security bulletin !

Anyway your explanation clearly resolves the problem.

I can easily export two sets of reg keys so I can 'switch on' the troubleshooter when I want.

Thanks for your help

Nick

No problem, Nick.  That one was fresh on my mind, because I was wondering whether there was an extra fix for this.  I recall that one of the "Rollup" Updates for Windows XP had a problematic update which was installed, and thereafter required a "hotfix" patch to fix it.

The update in your case, addressed in MS03-48, superseded MS03-40 which is discussed here:

http://www.microsoft.com/technet/security/bulletin/MS03-040.asp

Quoting from that page (under "Technical Details"):

>>
As with the previous Internet Explorer cumulative patches released with bulletins MS03-004, MS03-015, MS03-020, and MS03-032, this cumulative patch will cause window.showHelp( ) to cease to function if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Knowledge Base article 811630, you will still be able to use HTML Help functionality after applying this patch.

In addition to applying this security patch it is recommended that users also install the Windows Media Player update referenced in Knowledge Base Article 828026. This update is available from Windows Update as well as the Microsoft Download Center for all supported versions of Windows Media Player. While not a security patch, this update contains a change to the behavior of Windows Media Player’s ability to launch URLs to help protect against DHTML behavior based attacks. Specifically, it restricts Windows Media Player’s ability to launch URLs in the local computer zone from other zones.
<<

referenced url's:

http://www.microsoft.com/technet/security/bulletin/MS03-004.asp
http://www.microsoft.com/technet/security/bulletin/MS03-015.asp
http://www.microsoft.com/technet/security/bulletin/MS03-020.asp
http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

http://support.microsoft.com/default.aspx?scid=kb;en-us;811630
http://support.microsoft.com/default.aspx?scid=kb;en-us;828026

From:
http://support.microsoft.com/default.aspx?scid=kb;en-us;811630

it appears to be a different problem, although seemingly related by the intended functionality.

The differences seem to be that the troubleshooter uses its own ActiveX control, while the window.showHelp( ) has a weakness in the method in which IE handles Dynamic DHTML behaviour in the IE Restricted Zone.  ie.  it uses the URL types ms-its:  or mk:@MSITStore: to access .CHM  help pages that have the ability to interact with your computer.  It's beginning to sound a bit like the troubleshooter again, isn't it?  :-)

Anyway, have a read at:
http://www.microsoft.com/windows98/downloads/contents/WUCritical/q811630/default.asp

I feel pretty sure that this Help Update MUST have been applied in subsequent cumulative patches, but of that I am NOT totally sure.

http://download.microsoft.com/download/c/1/2/c12bc7ae-1c9d-4e1c-b4bc-e2630a8d57a3/811630USA8.EXE

NOTE:  this "hotfix", like so many others, does NOT have an uninstall routine.

Try this out of curiosity:

Paste the following into your address bar and click GO:

mk:@MSITStore:C:\WINDOWS\Help\windows.chm::/default.htm

and then click the top left icon to the left of "Windows Help" in the Title bar
Select "Jump to URL" and paste in:

mk:@MSITStore:C:\WINDOWS\HELP\mstask.chm::/agent_add_task.htm

Does this work?

I am as curious to know whether these links will access my system from THIS Experts Exchange Page.  I don't have this Help Patch installed on the computer I'm using, so it will be a good test.

Hope these musings are helpful.

Nope, they aren't ID's as urls on this page, but I suppose they could be hyperlinked in a malicious help file by someone cleverer than me ;-)

Hmmm.  It opens in IE rather than run by "C:\WINDOWS\hh.exe" in the normal way as a .CHM file.  Risky?

Try an experiment.  Paste this into Notepad, and save as something like "CALC.HTML".
Open in IE and click the link.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML dir=ltr>
<HEAD>
<META HTTP-EQUIV="Content-Type" Content="text-html; charset=Windows-1252">
<title>Windows Calculator</title>

<link rel="stylesheet" type="text/css" href="coUA.css"></HEAD>
<BODY>
<p>
<a name="app_calculator"></a><b>Using Windows Calculator</b></p>
<p>
You can use Calculator in standard view to perform simple calculations.</p>
<p>
<OBJECT id=hhctrl type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=12 height=12>
<PARAM name="Command" value="Shortcut">
<PARAM name="TEXT" value="Text:Click here">
<param NAME="fONT" VALUE="VERDANA,8,0x000800,underline">
<PARAM name="Item1" value="SciCalc,calc.exe">
</OBJECT>&nbsp;to start Calculator.</p>
<b>Notes</b>
<P>You can also start Calculator by clicking <b>Start</b> &gt; <b>Programs</b> &gt; <b>Accessories</b>
&gt; <b>Calculator</b>.</P>
</BODY>
</HTML>

Just curious to see what happens.

Hello again Bill,

Its just turned midnight here in the uk so I have not had time to work through your last set of msgs.

Last night after reading your previous post I exported the tshoot reg keys and its CLSID ref. Then ran the IE update.

Of course at this point the troubleshoot is in its non working mode.

Then I found the killbit key in the compatability list exported that key and then deleted it from the reg.

When I ran the troubleshooter it worked and as yet I have not esperienced any problems.

I will play around with your suggestions over the weekend and see what happens.

In theory I suppose this means I am 'exposed to attack' but I'm not using a permanent connection and I am behind a firewall so hopefully the risk is not great.

That sounds like you have probably nailed the problem, Nick.  Let us know how you get on with it.
BTW, 03.22 here in the UK right now :-)

Hello Bill,
Sat 16.00

This consolidates the story so far in one message, with some additional technical detail.

Initial problem: Win98 troubleshooter 'suggested solution' displaying as a blank or empty window.

Right click to properties within the blank window and read:

mk:@MSITStore:C:\WINDOWS\Help\Tshoot98.chm::/w98hw_result.htm

Background:

Hard disk reformated last week end win98se reinstalled from OEM CD
Ran windows update and identifed 17 critical updates (which I have managed to store on a separate HD to ease any future reinstallation).

These were installed in the order of their update number (just in case a later one modifed some file included in an earlier one).

Subsequently ran anti virus, spyware/adware checkers and SFC to check for any problems acquired during the downloading process or during update installation.

No problems encountered.

After running cummulative update 824245 Troubleshhoter fails to display properly.

One of the updates included in this list was 811630 the update that supposedly corrects a fault in HTML help in a previous update. So presumably this modfication is not included in the Nov cummulative update 824145

This revised update is focused on resolving problems "when you use Microsoft Internet Explorer to open or use a Web page that calls the window.showHelp script method to open a Uniform Resource Locator (URL) in an HTML Help window:"

So far I as my specific problem is concerned that is opening the win98 troubleshooter on my own local hard disc it does not re establish the functionality lost after running 824145    

Attempts at resolution:

Subsequently uninstalled 824145 and found trobleshooter worked ok.

After reading the documentation you referred to
Ran regedit found a CLSID entry for tshoot under HKLM\software\classes\
and under the CLSID key
HKLM\Software\CLASSES\CLSID\{4B106874-DD36-11D0-8B44-00A024DD9EFF} found various sub keys for tshoot.

Subsequently reinstalled 824145 and ran regedit again and found an additional key the 'killbit key'
HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{4B106874-DD36-11D0-8B44-00A024DD9EFF}]
"Compatibility Flags"=dword:00000400

So running cummulative update 824145 adds this new key and addtionally deletes the CLSID key mentioned above and enters a new CLSID HKLM\Software\CLASSES\CLSID\{4B10687#5#-DD36-11D0-8B44-00A024DD9EFF}
There is actually only a one character differnece between them which I've marked # #. This new key contains one sub key an inProceserver32 entry.

The only thing I have done is to delete the killbit key, after first exporting it in case I have to add it back.
#######

Ok so now working through last nights suggestions.

I tried pasting mk:@MSITStore:C:\WINDOWS\Help\windows.chm::/default.htm

All I got was a Welcome page with no links to anything except to Microsoft itself via a copyright footnote.

I tried running the calc.html you suggested although  the page opened, before it could complete I got the "unsafe control........" message obviously as a consequence of my  security settings within IE.

So I guess if the cummulative update casues a loss of functionality <possibly this is only a Win98 issue anyway>. Then users can delete the killbit key but need to monitor subsequent operations for problems and additionally be strict about restricting unsafe controls trying access their systems.

Hi again,

I have noticed some additional behaviour.

In the arriving at the comments in the previous message I had reinstalled the cummulative update 824145 and then installed the hotfix update 811630, which I ahd not run previously to determine the imapct of the latter.

After logging off from submitting that message I then set about restoring my troubleshooter functionality.

Following the procedure I had used earlier I deleted the killbit key only to discover that that troubleshooter functionality was not restored as I had expected.

Since I cannot find the relevant changes in the registry made by the hotfix I can not explain this.

In addition when I ran the troubleshooter after deleting the killbit key I noticed that
the troubleshooter was asking to open a port on the standard 127.0.0.1 local host address, I would not have noticed this but for the fact that I had left my firewall running after disconnecting from net.

Each instance seems to try on a different port but usually starts at 1130.

So I then reinstalled the two reg keys that I had previously exported before installing 824145 and the troubleshooter works once again.

I have run port tests on the Gibson research site grc.com and so far as I can see a firewall such as zonealarm prevents this from being a problem.

Whether I have stored up problems for the future remains to be seen suffice to say if a user needs those troubleshooters they can get them back by hacking the registry, I have n't noted any requests to open a port after do so.

For the benefit of anyone who needs the reg dteails I add them below, but these keys may only be appropriate to Win98SE

The killbit key was at:

HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{4B106874-DD36-11D0-8B44-00A024DD9EFF}]
"Compatibility Flags"=dword:00000400
 

The original (ie pre cummulative update 824145 ) keys

[HKEY_LOCAL_MACHINE\Software\CLASSES\TSHOOT.TSHOOTCtrl.1\CLSID]
@="{4B106874-DD36-11D0-8B44-00A024DD9EFF}"

and

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{4B106874-DD36-11D0-8B44-00A024DD9EFF}]
@="Microsoft Local Troubleshooter"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{4B106874-DD36-11D0-8B44-00A024DD9EFF}\ProgID]
@="TSHOOT.TSHOOTCtrl.1"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{4B106874-DD36-11D0-8B44-00A024DD9EFF}\InprocServer32]
@="C:\\WINDOWS\\HELP\\TSHOOT.OCX"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{4B106874-DD36-11D0-8B44-00A024DD9EFF}\ToolboxBitmap32]
@="C:\\WINDOWS\\HELP\\TSHOOT.OCX, 1"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{4B106874-DD36-11D0-8B44-00A024DD9EFF}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{4B106874-DD36-11D0-8B44-00A024DD9EFF}\MiscStatus\1]
@="131473"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{4B106874-DD36-11D0-8B44-00A024DD9EFF}\Control]
@=""

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{4B106874-DD36-11D0-8B44-00A024DD9EFF}\TypeLib]
@="{4B106871-DD36-11D0-8B44-00A024DD9EFF}"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{4B106874-DD36-11D0-8B44-00A024DD9EFF}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{4B106874-DD36-11D0-8B44-00A024DD9EFF}\Implemented Categories]

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{4B106874-DD36-11D0-8B44-00A024DD9EFF}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{4B106874-DD36-11D0-8B44-00A024DD9EFF}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

That's some excellent work there Nick, and your .reg keys will certainly be useful to us and anyone else who later finds this PAQ'd page.  Thanks for posting them.

Gibson's Port Scanning page is certainly a great place to check things out, as long as you aren't paranoid :-)  He also gave ZoneAlarm top marks in his pages where he described how he caught up with the 13-year old who launched the Denial of Service attacks using "Zombie Bots".   I reckon you are really pretty well covered as it now stands, and I don't think you'll lose any sleep worrying about insecurities, but it is pauzzling and mildly annoying when it isn't apparent what changes are made to your system by installing this delimiting hotfix.

Incidentally, your decision to install the updates in chronological order by release date is certainly the most sensible way to do it and, although I am not sure of this, I don't see how windows update online is able to do this (if at all).  I have often wondered about this, and tried to analyse the methods used, but it went over my head.

I guessed that the calc.exe experiment would probably yield that same result.

Strangely, I have just installed Win98SE on a basic wee base unit kicking around here and, with IE 5.01 and the following updates applied, MY troubleshooter is displaying exactly the same characteristics.  I haven't purposefully restricted anything in the registry, although Norton AntiVirus 2002 is set for "Script Blocking" and email scanning, but is not running in autoprotect mode.  All Windows and Internet Settings are configured for usability rather than restriction, so this puzzles me.

IE settings:
Local intranet - Medium-low
Trusted sites - Low
Internet - Medium
Restricted sites - High

(for anyone who is thinking of hacking me, my IP address is dynamically assigned :-)

Updates applied:
Q242937 - Windows Driver Model Audio Update for Windows 98 SE
Q263044 - Fdisk update for Hard Disks Larger than 64 GB
(the above are the only ones I have purposefully installed.  The rest seem to have been applied automatically by software or driver files)
Q242975 - Update for 1394 Storage Peripherals in Windows 98 SE
Q267304 - Hotfix for above
Q273468 - Hmm.  Can't immediately see what that one is, must be in Office2K?
Q274370 - Digital CD Audio update?

The following  updates are also installed.  The first one was applied by me, while the 2nd is included in IE 5.01:

Q261255 - OE 5.01 "preview pane" security patch
Q240308 - Scriptlet.Typelib and Eyedog Security Vulnerability Update

Interestingly, the 2nd one is described thus:

http://support.microsoft.com:80/support/kb/articles/q240/3/08.asp

>>
Microsoft has released an update that eliminates security vulnerabilities in the following two ActiveX controls:
1. Object for constructing type libraries for scriptlets (Scriptlet.Typelib)
2. Eyedog

The Scriptlet.Typelib and Eyedog controls are not related to each other, but both are incorrectly marked as "safe for scripting" and can therefore be called from Internet Explorer.  Developers use the Scriptlet.Typelib control to generate Type Libraries for Windows Scripting Components. The Scriptlet.Typelib control should not be marked "safe for scripting" because it allows local files to be created or modified. The update removes the "safe for scripting" setting, which causes Internet Explorer to prompt you for confirmation before loading the control.
The Eyedog control is used by diagnostic software in Windows. The Eyedog control should not be marked "safe for scripting" because it allows registry information to be queried and computer characteristics to be gathered. In addition, one of the control's methods is vulnerable to a buffer overrun attack. The update prevents the control from loading within Internet Explorer.
The BubbleBoy virus, an Internet worm virus, is a virus that requires Internet Explorer 5 and Microsoft Outlook 2000 or Microsoft Outlook 98 or Microsoft Outlook Express. This virus can be embedded in e-mail messages that are in Hypertext Markup Language (HTML) format and that do not contain any attachments. The update that is described in this article eliminates the security vulnerabilities in the two ActiveX controls; this update prevents the BubbleBoy virus from spreading.
<<

I just wonder if removal of the "safe for scripting" setting has affected the "is used by diagnostic software in Windows" functionality if "Troubleshooter" is deemed to be "diagnostic software".

Anyhow, this is all hypothetical, but strange that this should manifest itself on this newly installed OS.

How many times did I say "certainly" there?  :-)

Hi Bill,

So far as the Eyedog update is concerned I can really comment on its impact (I havent actually seen any) becuase that degree of techicnal knowledge is beyond my competence.

So far as as the order of installing updates is concerned, I couldn't figure out how windows update does it either, it doesnt appear to be date order anyway. I elected to go by the ref number or the KB article number.

When I started on this schlep I could nt find much advice online until I came here, but then I suppose you wouldnt actually know that the troubleshooter problem exists until you come to use it !

Once again thanks for help
 Nick

Pleasure, Nick.