[FYI] XP SP2 Security BUG(s) Report

Newbie

[FYI] Also forwarded to MS.

~~~~~~~~~~~~~~~~~~~~~~~~~~~
XP SP2 Security BUG(s) Report
~~~~~~~~~~~~~~~~~~~~~~~~~~~

( BUG 1 of 2 )

With XP_SP2, if you set

'Internet Options' / 'Security' / 'Scripting' / 'Active Scripting' to 'Prompt',

both OE and IE want to prompt you
for their own internal ActiveX scripts,
not just the scripts in posts or pages.

Trust me, this gets *really annoying*,
especially when you click on a news
article or email which has not
been downloaded yet and then
OE fires up a script 'prompt' alert...

Pre SP2, OE & IE were able to 'prompt'
before running each *individual* script
in emails / news posts / web pages
with no major problems at all.


Being able to click on an email / news post / web page
without letting a script execute has saved my computer
from malicious scripts on *numerous* occasions...

( BUG 2 of 2 )

Also, with 'Prompt' turned on for ActiveX and other scripts,
if you click on a web link in OE, the initial script 'prompt'
alert often appears *behind* the IE window, and the
page will not load until you (growl) minimise all
of the open windows to get to the hidden
script 'prompt' alert. Sometimes you
still just get a blank IE window
without even the address
that you've clicked.

These Script 'Prompt' Alerts
need to be forced to 'Stay On Top',
as they were Pre-XP_SP2.

* I trust that these OE & IE security functionalities
* will return ASAP.

Regards.
--
[FYI]
Programs that may behave differently in SP2:
: http://support.microsoft.com/default.aspx?kbid=884130&product=windowsxpsp2

Some programs seem to stop working after you install SP2:
: http://support.microsoft.com/default.aspx?kbid=842242&product=windowsxpsp2

:
http://%77%77%77%2E%4A%6F%68%6E%48%6F%77%61%72%64%4C%69%65%73%2E%63%6F%6D/ :
 
PA Bear

Excessive crossposting eliminated.

By default, OE6-SP2 runs in Restricted Sites zone > The default setting for
Restricted Sites zone is High > In this default setting, all Scripting |
ActiveX settings are Disabled > Apparently you have OE running in a zone
other than Restricted Sites with the default High settings so WYSIWYG.

Check out:

Windows XP Service Pack 2: What's New for Internet Explorer and Outlook
Express
http://www.microsoft.com/windowsxp/sp2/ieoeoverview.mspx

Changes to Functionality in WinXP SP2:

E-mail Handling Technologies
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2email.mspx

Enhanced Browsing Security
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

Are You Ready for WinXP SP2?
http://support.microsoft.com/default.aspx?pr=windowsxpsp2

What You Should Know About Spyware
http://www.microsoft.com/athome/security/spyware/devioussoftware.mspx

AumHa Forums
http://forum.aumha.org
 
Newbie

| Excessive crossposting eliminated.
|
| By default, OE6-SP2 runs in Restricted Sites zone > The default setting for
| Restricted Sites zone is High > In this default setting, all Scripting |
| ActiveX settings are Disabled > Apparently you have OE running in a zone
| other than Restricted Sites with the default High settings so WYSIWYG.


With respect, (ignore the 'Newbie' Tag)
I fully understand Security Zone Settings.

I am using 'Custom' settings,
as I have been doing
for many, many years.
Most things are set to
'prompt', as I prefer it.

In XP_SP2 a few things
have gone slightly 'screwy',
like alerts going underneath
their window as stated below,
and IE / OE prompting for their
own *internal ActiveX scripting*,
not just the scripts in the Emails,
News Posts and Web Pages.


| Check out:


I did that before I posted this.

(Sorry if the 'Newbie' tag confused you,
others also use my system :)

Regards.


| Windows XP Service Pack 2: What's New for Internet Explorer and Outlook
| Express
| http://www.microsoft.com/windowsxp/sp2/ieoeoverview.mspx
|
| Changes to Functionality in WinXP SP2:
|
| E-mail Handling Technologies
| http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2email.mspx
|
| Enhanced Browsing Security
| http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx
| --
| ~Robear Dyer (PA Bear)
| MS MVP-Windows (IE/OE), AH-VSOP
|
| Are You Ready for WinXP SP2?
| http://support.microsoft.com/default.aspx?pr=windowsxpsp2
|
| What You Should Know About Spyware
| http://www.microsoft.com/athome/security/spyware/devioussoftware.mspx
|
| AumHa Forums
| http://forum.aumha.org
|
| Newbie wrote:
| > [FYI] Also forwarded to MS.
| >
| > ~~~~~~~~~~~~~~~~~~~~~~~~~~~
| > XP SP2 Security BUG(s) Report
| > ~~~~~~~~~~~~~~~~~~~~~~~~~~~
| >
| > ( BUG 1 of 2 )
| >
| > With XP_SP2, if you set
| >
| > 'Internet Options' / 'Security' / 'Scripting' / 'Active Scripting' to
| > 'Prompt',
| >
| > both OE and IE want to prompt you
| > for their own internal ActiveX scripts,
| > not just the scripts in posts or pages.
| >
| > Trust me, this gets *really annoying*,
| > especially when you click on a news
| > article or email which has not
| > been downloaded yet and then
| > OE fires up a script 'prompt' alert...
| >
| > Pre SP2, OE & IE were able to 'prompt'
| > before running each *individual* script
| > in emails / news posts / web pages
| > with no major problems at all.
| >
| >
| > Being able to click on an email / news post / web page
| > without letting a script execute has saved my computer
| > from malicious scripts on *numerous* occasions...
| >
| > ( BUG 2 of 2 )
| >
| > Also, with 'Prompt' turned on for ActiveX and other scripts,
| > if you click on a web link in OE, the initial script 'prompt'
| > alert often appears *behind* the IE window, and the
| > page will not load until you (growl) minimise all
| > of the open windows to get to the hidden
| > script 'prompt' alert. Sometimes you
| > still just get a blank IE window
| > without even the address
| > that you've clicked.
| >
| > These Script 'Prompt' Alerts
| > need to be forced to 'Stay On Top',
| > as they were Pre-XP_SP2.
| >
| > * I trust that these OE & IE security functionalities
| > * will return ASAP.
| >
| > Regards.
| > > http://support.microsoft.com/default.aspx?kbid=884130&product=windowsxpsp2
| >
| > Some programs seem to stop working after you install SP2:
| > > http://support.microsoft.com/default.aspx?kbid=842242&product=windowsxpsp2

:
http://%77%77%77%2E%4A%6F%68%6E%48%6F%77%61%72%64%4C%69%65%73%2E%63%6F%6D/ :
 
cquirke (MVP Win9x)

On Sat, 21 Aug 2004 16:58:40 GMT, "Newbie"
> ( BUG 1 of 2 )
> With XP_SP2, if you set
> 'Internet Options' / 'Security' / 'Scripting' / 'Active Scripting' to 'Prompt',
> both OE and IE want to prompt you
> for their own internal ActiveX scripts,
> not just the scripts in posts or pages.

This is not an SP2 bug, but an indication of poor design in IE and OE.

> Trust me, this gets *really annoying*,

This is true, but do you really want exceptions to monitoring of these
risky behaviors purely on the basis that it's "by Microsoft"?
Especially when 3rd-party BHO get to act as the hostile hand within
Microsoft's IE and OE glove puppets?

> Pre SP2, OE & IE were able to 'prompt'
> before running each *individual* script
> in emails / news posts / web pages
> with no major problems at all.

Those scripts are (supposed to be running) in the Security Zone that
OE, and the URL (default: Internet) are set to. The scripts you are
now alerted on are running in local HD "My Computer" zone.

Formally, MS assumed there would be no reason to restrict what the "My
Computer" zone can do. Faith was placed in the security zone facility
being able to keep material separate. That's why you can't even see
the "My Computer" zone as something you can edit in Tools, Options.

SP2 reflects a belated awareness that zones "leak"++ so that it's
almost trivial for malware to either hop from Internet or even
Restricted to "My Computer", or drop code that can then do whatever it
likes from what is now a "My Computer" zone context.

So SP2 tightens up the hidden "My Computer" zone, even to be
paradoxically tighter than more "outermost" zones. And that is what
is snaring the way OE and IE operate.

> Being able to click on an email / news post / web page
> without letting a script execute has saved my computer
> from malicious scripts on *numerous* occasions...

Quite. The new changes aim to block what used to get past!

> ( BUG 2 of 2 )
> Also, with 'Prompt' turned on for ActiveX and other scripts,
> if you click on a web link in OE, the initial script 'prompt'
> alert often appears *behind* the IE window, and the
> page will not load until you (growl) minimise all
> of the open windows to get to the hidden
> script 'prompt' alert.

That's a bug, and more serious than it looks. A modal dialog box you
can't see can look like a hard lockup, and cause the user to do a bad
exit from Windows, which in turn will lose pending registry settings
and corrupt data. That XP "fixes" this file system corruption is no
comfort, as this just leaves broken files still broken, but no longer
detectable as such. Hullo, head-scratching troubleshoot session.

> These Script 'Prompt' Alerts
> need to be forced to 'Stay On Top',
> as they were Pre-XP_SP2.

Aye.



--------------- ----- ---- --- -- - - -
Tech Support: The guys who follow the
'Parade of New Products' with a shovel.
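
An added example, not part of any post in this thread: a read-only PowerShell check of what the Active Scripting action is set to in each security zone, including the hidden "My Computer" zone (zone 0) discussed above. It assumes the standard per-user zone layout under Internet Settings (action value 1400, where 0 = Enable, 1 = Prompt, 3 = Disable) and the Lockdown_Zones key that SP2 introduced; machine-wide policy under HKLM is not read.

```powershell
# Added example: report the Active Scripting action (value name 1400) per zone.
# Reads HKCU only and changes nothing.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Array index = zone number. Zone 0 is not shown in Internet Options by default.
$zoneNames = 'My Computer', 'Local intranet', 'Trusted sites', 'Internet', 'Restricted sites'

# Meaning of the DWORD stored under an action value.
$actions = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingSetting {
    param([string]$Root, [int]$Zone)

    $key = Join-Path $Root $Zone
    if (-not (Test-Path $key)) { return 'key absent' }

    # A missing value yields $null rather than an error.
    $value = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
    if ($null -eq $value) { return 'not set' }

    if ($actions.ContainsKey([int]$value)) { return $actions[[int]$value] }
    return "unknown ($value)"
}

$report = foreach ($zone in 0..4) {
    [pscustomobject]@{
        Zone     = $zone
        Name     = $zoneNames[$zone]
        # Normal template for the zone.
        Normal   = Get-ActiveScriptingSetting "$base\Zones" $zone
        # Template used when Local Machine Zone Lockdown applies (SP2 and later).
        Lockdown = Get-ActiveScriptingSetting "$base\Lockdown_Zones" $zone
    }
}

$report | Format-Table -AutoSize
```

A row showing 'Prompt' for zone 0 corresponds to the behaviour described in BUG 1: prompts raised for content running in the local "My Computer" context rather than in the Internet or Restricted sites zone.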
 