Suggested patches for W98SE- OT

[ms]

That's pretty bad, I admit.


I dunno John. I think that it is common knowledge that many people
despise MS and enjoy watching it squirm like a beached whale when
simple exploits are passed about. I get a kick out of watching myself
<G>. But I don't want to get burned in the process. 98SE serves me
very well and I intend to run it as long as I can; then it's farewell
to MS!

Common sense can prevent many exploits. But, an ill-formatted email or
web page is tough to guard against in everyday computing. The fact
that someone can run programs on my machine if I come across one of
these is enough to make me patch. It's the principle of the thing. I
want to be in complete charge and I feel that I am since installing
all security patches and running several programs to protect and
inform me of anything funny going on. I did the recommended "network
unbinding" at grc.com. I keep all security programs updated, usually
checking everytime I boot up. Collectively I think doing all of this
leaves me in complete control... until the next 98 exploit anyway that
is not addressed by MS.

I think the entire problem was Bill's schedule; he actually named 95
and 98 for the years they were to come out. There was insufficient
security studies. The poor programmers had time only to keep the
darned things from blue screening when released. Money talks, security
walks. At least they did address the most important flaws. I don't
think that running connected to the internet without the updates is
wise myself.

I'm pretty sure that nothing was changed in updating that gives MS a
poker in my fire. 98SE (fully patched) is mine as far as I can tell.
There is no spyware. I've removed the ads. There is no registration
crap like I got in purchasing Excel. The OS does my bidding and not
that of MS.



A completely bad plan by MS, for certain.

snip
For me, the killer is that MS defines a critical patch that is needed
including IE 5.01 (W2000), but not written for IE 5.01/W98. Then,
several other IE/W98 patches, MS says I need to update from 5.01 to
5.5/6.0 just to download the patches. No thanks.

I have disabled everything possible in IE, just use it for a few
websites. Normal use is Netscape 4.79 and Firebird.

Mike Sa

 

[omega]

For me, the killer is that MS defines a critical patch that is needed
including IE 5.01 (W2000), but not written for IE 5.01/W98. Then,
several other IE/W98 patches, MS says I need to update from 5.01 to
5.5/6.0 just to download the patches. No thanks.

[...]

Mike, do you have service pack 2?

http://public.planetmirror.com/pub/microsoft/ie/5.01sp2/win9x/

ie501sp2.exe 06-Jun-2001 06:37 79.7M

I don't know if the critical update you refer to is dated later than this.
And yeah, I do notice that the download above is the whole huge shallop.
Yet it could be worth thinking about downloading it, and putting on CD,
to set aside for emergency repair.

Strategy 2. If your drive is divided with apps on a different partition
from the OS... Then you might consider building a new, second OS partition.
On it install 5.5 or 6.0. As an independent matter from affecting your
current working configuration. You'd keep it hidden until the time arrives
where you need, or want, to move into it.

As to disk space reqs, I've found 300-350 mb to be a good size for a w98 OS
partition, with swap on drive D.

 

[REMbranded]

jason <[email protected]> wrote:

(e-mail address removed) wrote in news:[email protected]:

But if the common denominator is scripting, shouldn't something like
ScriptTrap (which I also use and forgot to mention), along with keeping
scripting turned off in the browser do the trick? Obviously, I'd rather be
completely safe, but it goes against everything I believe in to have to
make IE my default and get an updated version of it, just to "patch" an IE
(or other) exploit.

I use a script trap also. It has never been activated as far as I
know. It's AnalogX Script Defender.

The DCom program might well fix this for you.

It does suck. First we get "innovation" that we don't want in a
browser intertwined with an operating system to take Netscape down.
Then this same "innovation" is used to dump support for 98. It's funny
how that works.

3rd party utilities might serve in place of the security updates. I
hope to get quite a bit more out of 98SE before I retire it.

 

[jason]

The DCom program might well fix this for you.

Thanks REM, I hadn't heard about that utility. I tested "closed" for the
local probe and "stealth" for the remote test. I'll eventually read the
documentation, but in your opinion, should I go ahead and "Disable DCOM" or
just not bother?

 

[ms]

For me, the killer is that MS defines a critical patch that is needed
including IE 5.01 (W2000), but not written for IE 5.01/W98. Then,
several other IE/W98 patches, MS says I need to update from 5.01 to
5.5/6.0 just to download the patches. No thanks.

[...]

Mike, do you have service pack 2?

http://public.planetmirror.com/pub/microsoft/ie/5.01sp2/win9x/

ie501sp2.exe 06-Jun-2001 06:37 79.7M

I don't know if the critical update you refer to is dated later than this.
And yeah, I do notice that the download above is the whole huge shallop.
Yet it could be worth thinking about downloading it, and putting on CD,
to set aside for emergency repair.

Strategy 2. If your drive is divided with apps on a different partition
from the OS... Then you might consider building a new, second OS partition.
On it install 5.5 or 6.0. As an independent matter from affecting your
current working configuration. You'd keep it hidden until the time arrives
where you need, or want, to move into it.

As to disk space reqs, I've found 300-350 mb to be a good size for a w98 OS
partition, with swap on drive D.

Thanks, Karen.

Yes, my IE is 5.01SP2. It has given me no trouble with basic patches,
but I *only* use it for a few IE coded pages, and then I've disabled
ActiveX and Java script.

I have a "boat anchor" P166 puter, old motherboard so 8.3 GB limit, 2
partitions on HD, so I like small programs. And have pretty much what I
need.

As many say, IE is unsafe to use, I never liked it, always used
Netscape.

A little point, but after millions of users, 5 major revisions, STILL-
if you want to save a html page, IE's damn default save is a folder with
all images, that is a nuisance. Netscape does it better.

Funny, though- Firebird acts like IE, not Netscape in the above example.

Mike Sa

 

[REMbranded]

Thanks REM, I hadn't heard about that utility. I tested "closed" for the
local probe and "stealth" for the remote test. I'll eventually read the
documentation, but in your opinion, should I go ahead and "Disable DCOM" or
just not bother?

I'm going by his opinion that it is totally unnecessary and it does
provide for a vulnerability, so I'd guess it best to do so. This might
have the same effect as the MS patch... I dunno. It sounds like it
might.

It would be great to see 3rd parties pick up where MS leaves off on
security. That's a pretty large chore though.
..

 

[ms]

For me, the killer is that MS defines a critical patch that is needed
including IE 5.01 (W2000), but not written for IE 5.01/W98. Then,
several other IE/W98 patches, MS says I need to update from 5.01 to
5.5/6.0 just to download the patches. No thanks.

[...]

Mike, do you have service pack 2?

http://public.planetmirror.com/pub/microsoft/ie/5.01sp2/win9x/

ie501sp2.exe 06-Jun-2001 06:37 79.7M

I don't know if the critical update you refer to is dated later than this.

snip

This is a response I got on a MS ng, that is very informative, and
refers to an excellent W9X website.

I only use IE for a few web pages that require it. So I have no need or
desire for a later version. And, it has worked ok for the past 2 years
with only a few patches on SP2.

quote:
Don't assume that because you don't explicitly use IE to view HTML
(i.e. something else is set as your default www. handler) that IE is
irrelevant to your safety. It isn't - anything that causes HTML
content to be processed by and of the following...
- Outlook Express (any version)
- Outlook 2000 and later
- Windows
- applications that pass HTML to Windows to process
- stand-alone .HTA files
- Windows Explorer if "View As Web Page"
- Active Desktop
- stand-alone Windows Scripting Host files
....will invoke IE's HTML rendering code, or (in the case of WSH) other
code that ships as part of IE.

In addition, note that presence of OE implies OE will be the program
associated with .EML files, no matter what application is registered
as the default email handler.

Every version of Windows older than XP ships with a critically broken
HTML rendering engine that will automatically run raw code files if
these are MIME-wrapped as if they were appropriate for in-line
rendering as part of the HTML "text". This defect is impervious to
security zone settings that limit ActiveX, scripting, etc.

See http://users.iafrica.com/c/cq/cquirke/mimehole.htm

See http://users.iafrica.com/c/cq/cquirke/riskfix.htm on approaches to
risk management, particular in relation to WSH and .HTA in Win9x - WSH
is the engine that runs LoveLetter and subsequent script file malware
such as Anna Kournukova (which was spawned by a handful of mouse
clicks in a widely-dowloadable WYSIWYG worm generator package)

Thanks to IE's integration into Windows (something that the DoJ
outcome actually encouraged), you have to either rip out IE by the
roots (Google on "Win98 Lite") or keep it patched up.
end quote

HTH

Mike Sa

 

[jason]

Don't assume that because you don't explicitly use IE to view HTML
(i.e. something else is set as your default www. handler) that IE is
irrelevant to your safety. It isn't - anything that causes HTML
content to be processed by and of the following...
- Outlook Express (any version)
- Outlook 2000 and later
- Windows
- applications that pass HTML to Windows to process
- stand-alone .HTA files
- Windows Explorer if "View As Web Page"
- Active Desktop
- stand-alone Windows Scripting Host files
...will invoke IE's HTML rendering code, or (in the case of WSH) other
code that ships as part of IE.

In addition, note that presence of OE implies OE will be the program
associated with .EML files, no matter what application is registered
as the default email handler.

Based on that, I'm going to uninstall OE. It came with my system and I
never use it. Anyone know if there is a downside to ditching OE?

 

[jason]

Every version of Windows older than XP ships with a critically broken
HTML rendering engine that will automatically run raw code files if
these are MIME-wrapped as if they were appropriate for in-line
rendering as part of the HTML "text". This defect is impervious to
security zone settings that limit ActiveX, scripting, etc.

See http://users.iafrica.com/c/cq/cquirke/mimehole.htm

Okay, I fell asleep reading the article, but am I to understand that
*any* Win98SE user is "doomed" to this security flaw unless we upgrade
both IE and Outlook?? FULL upgrades, not patches? Even when we use
neither program? That sucks. That sucks big time.

See http://users.iafrica.com/c/cq/cquirke/riskfix.htm on approaches to
risk management, particular in relation to WSH and .HTA in Win9x - WSH
is the engine that runs LoveLetter and subsequent script file malware
such as Anna Kournukova (which was spawned by a handful of mouse
clicks in a widely-dowloadable WYSIWYG worm generator package)

Good article. Thanks for passing it on Mike.

 

[ms]

Based on that, I'm going to uninstall OE. It came with my system and I
never use it. Anyone know if there is a downside to ditching OE?

I used a utility on Art Kopp's site to uninstall OE two weeks ago,
everything's fine. YMMV.

If some programmers stopped coding pages only for IE, I'd never use IE.

Mike Sa

 

[ms]

Okay, I fell asleep reading the article, but am I to understand that
*any* Win98SE user is "doomed" to this security flaw unless we upgrade
both IE and Outlook?? FULL upgrades, not patches? Even when we use
neither program? That sucks. That sucks big time.


Good article. Thanks for passing it on Mike.

Maybe some of the experts can comment, but after I research some more, I
plan to only install minimal patches, now not only supporting W98, but
the inherent IE. I've run over 4 years without those patches, and IMO,
it's a risk every time I install one.

BTW, that website in the quoted text is an excellent W98 help site.

Mike Sa

 

[null]

Okay, I fell asleep reading the article, but am I to understand that
*any* Win98SE user is "doomed" to this security flaw unless we upgrade
both IE and Outlook?? FULL upgrades, not patches? Even when we use
neither program? That sucks. That sucks big time.

The HTML rendering engine, MSHTML.DLL, can be renamed to MSHTML.OLD
after using IERADICATOR. I think that takes care of it once and for
all It's a good idea to delete OE and Outlook from the PC as well.

But if you reinstall Windows you'll have not only this little tiny bit
of work to do all over again but (in my case) far more. So it makes
sense to clone fixed up Windows to a backup drive.


Art
http://www.epix.net/~artnpeg

 

[omega]

Based on that, I'm going to uninstall OE. It came with my system and I
never use it. Anyone know if there is a downside to ditching OE?

You will lose support for .mht. I'm aware that you don't use MSIE-based
browsers and save to that format, but it might be that you have relatives
or whatever who send you .mht attachments.

 

[REMbranded]

Okay, I fell asleep reading the article, but am I to understand that
*any* Win98SE user is "doomed" to this security flaw unless we upgrade
both IE and Outlook?? FULL upgrades, not patches? Even when we use
neither program? That sucks. That sucks big time.

Vote with your pocketbook. It is rather strange to say this as I
really enjoy 98SE. As you can see it was ill-conceived as far as
security goes though and is a pretty large target. Linux provides for
freedom at the price of another learning curve.

Good article. Thanks for passing it on Mike.

If you can muster 2 hard drives > 1 gig each:

One approach is doing the pain in the behind series of full updates,
reboots, muttering under the breath and getting everything patched
with all available patches. Then going through the process of removing
all the stuff the updates brought, like AOL ads, etc. Then remove OE
and run RegSeeker. Then run IEeradicator to remove IE. Run RegSeeker
again. Make sure everything is working right. The suggested settings
in the articles above are probably a good idea. Take the time to make
them. Then get a good boot manager like XOSL so you can hide one
drive from the other (Win freaks when it can detect itself).

Then xxcopy /clone to the other drive.

The upside is with two copies this will hopefully be the last time you
have to do such work. It's simple to format one and xxcopy the other
back over it. All of the tedious work has been done and saved. As long
as both drives don't go belly up at the same time you're in good
shape.

The downside of course is this is a heck of alot of work! Installing
large files just to install other large files before removing the
first large files, sheesh. If that's innovation I need a new
dictionary.

It was worth the time to do this for me. I've done all of this except
for running IEeradicator. I tried a few years ago and it mussed up my
system. I've read others who have had success with this program. Can
anyone who has used IE Eradicator recently provide any feedback?

http://www.litepc.com/ieradicator.html

I certainly do not need IE anymore and I'd really like to pitch it an
anchor now that I have all patches installed and backed up.


98Lite is commercialware that makes very small working versions of
Windows. Does anyone know of any freeware that can accomplish this?

http://www.litepc.com/98lite.html

 

[omega]

BTW, that website in the quoted text is an excellent W98 help site.

Agree.

http://users.iafrica.com/c/cq/cquirke/software.htm

About Software
- Manage it
- Assess bloat
- Read why it falls over

(Cquirke also posts on netnews, a virus group and a w98 group. Just recently
I was reading a number if his articles together via a groups.google search.)

 

[omega]

You will lose support for .mht. I'm aware that you don't use MSIE-based
browsers and save to that format, but it might be that you have relatives
or whatever who send you .mht attachments.

A subject that has been on my mind a little, lately.

I'd been trying to look into how to have the most minimal of the OE files
and reg entries, in order to get mht support. I'd hoped that there would
have been a webpage with a howto on this, but I could find none.

Just the files was not enough (msoert2.dll inetres.dll msls31.dll imm32.dll
inetcomm.dll). My regmon log had this for a notfound entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
NOTFOUND

But it probably has related keys. I think I'll have to approach the project
from another angle. Boot to a partition that does have OE installed, monitor
its uninstall, then test adding back those reg keys
that are related to the mht.

It's not that I've particularly missed mht support over the past years.
Yet I've got it on the menus of my MSIE-based browsers, and its a file
format I cannot read... If I can get it on my system with just a few
files and regentries, I'm going to try for that.

 

[null]

It was worth the time to do this for me. I've done all of this except
for running IEeradicator. I tried a few years ago and it mussed up my
system. I've read others who have had success with this program. Can
anyone who has used IE Eradicator recently provide any feedback?

http://www.litepc.com/ieradicator.html

I dunno what feedback I can give other than the fact that I've used it
successfully on Win 98 original (several years back) and more recently
on Windows ME.


Art
http://www.epix.net/~artnpeg

 

[omega]

(e-mail address removed):

I dunno what feedback I can give other than the fact that I've used it
successfully on Win 98 original (several years back) and more recently
on Windows ME.

And Onno is another poster here who reports using it successfully. The
story I read is that it does nothing to disable MSHTML. So if that's the
area of concern some people have, it would be Art's experience of his
manually working towards that end which would be pertinent...

 

[ms]

I used a utility on Art Kopp's site to uninstall OE two weeks ago,
everything's fine. YMMV.

If some programmers stopped coding pages only for IE, I'd never use IE.

Mike Sa

I should add, after removing OE, there are still Outlook Express folders
in my C:\Programs directory. I learned in W95 to leave useless folders
alone to avoid problems.

Mike Sa

 

[REMbranded]

(e-mail address removed) wrote:

The HTML rendering engine, MSHTML.DLL, can be renamed to MSHTML.OLD
after using IERADICATOR. I think that takes care of it once and for
all It's a good idea to delete OE and Outlook from the PC as well.

My file is in use and it is patched with a security patch. If I remove
IE I wonder if I'll be removing the patch?

Also, I noticed a few other files:

mshtml.tlb
mshtmled.dll
mshtmler.dll

Do you know anything about these files?

But if you reinstall Windows you'll have not only this little tiny bit
of work to do all over again but (in my case) far more. So it makes
sense to clone fixed up Windows to a backup drive.

After making all of the painstaking adjustments backing them up makes
very good sense. The investment of time can be saved can be cloned and
easily reused.