post-patch IE goes "BOOM"!

[Darren Dirt]

CNet

I've experienced this over the last 2 days or so -- and while I prefer using Firefox, there are some things that will auto-launch in IE and the crashing of the browser is definitely a new "joy" that I hadn't been experiencing NEARLY as regularly as I have this week.

I'm starting to miss the good ol' days of only having the IEXPLORE process hang due to ACROREAD32.EXE not ending itself.

Microsoft patch can cause IE trouble
Last modified: August 15, 2006, 5:32 PM PDT
By Joris Evers
Staff Writer, CNET News.com

Microsoft's security update from Aug. 8 to Internet Explorer is causing browser trouble for some systems.

After people apply the MS06-042 update, rated "critical" by Microsoft, IE may crash when certain Web sites are viewed, the company said in a notice on its customer support Web site. The problem affects IE 6 with Service Pack 1 on Windows XP and Windows 2000 systems, it said.

"Microsoft has identified an issue with the security update MS06-042," the company said in a statement Tuesday. It plans to re-release the bulletin and patch on Aug. 22 for all affected users.

The problem occurs when IE users view Web sites that use version 1.1 of HTTP alongside compression, according to Microsoft's notice. HTTP, or hypertext transfer protocol, is the standard protocol used to browse Web sites.

IE users on security mailing lists have reported browser crashes when using PeopleSoft applications that have Web-based interfaces. Others report running into problems when using other applications, including Microsoft's own customer relationship management, or CRM, tools.

"We are running PeopleSoft for administration systems, and our Windows 2000 SP4 and Windows XP SP1 running Internet Explorer 6.0 SP1 crash when they got into the PeopleSoft pages," Fred Dunn, a systems administrator at the University of Texas Health Science Center at San Antonio, said in an e-mail interview.

Dunn called Microsoft's product support service, which recommended disabling the use of HTTP 1.1 in IE's advanced settings menu. However, that's not a change that's easily done on all PCs in the university, Dunn said. "Our only workaround was to get the PeopleSoft programmers to turn off compression...which slows down the response," he said.

MS06-042 is an update for IE that addresses eight vulnerabilities in the popular browser. It is one of a dozen security updates that Microsoft released last week on Patch Tuesday.

Patches have caused trouble at times, on occasion prompting Microsoft to fix already released updates. In April, it released a second version of a Windows Explorer update because the original interfered with Hewlett-Packard software and Nvidia drivers. In June, it had to fix a patch that caused network connection trouble for some people.

Microsoft has a temporary fix available for the problems caused by MS06-042. However, this fix is not available for download; people have to call Microsoft's support line.

Thanks, Microsoft! How in blanketyblank your recent "critical update" managed to mess up in a way that is totally new ground even for your browser code monkeys, wow, I'm impressed!

[Melbosa]

The hostility, the humanity, the scorned!

[Darren Dirt]

IRONY: Microsoft's own "MS-only" CRM solutions go boom thanks to MS' recent CRITICAL patch...

Less ironic but still weird: my HTTP1.1 setting was UNCHECKED; I don't remember the sites that were going boom so I can't confirm that'll fix it

[TheDruid]

WE got hit really bad by an IE crash they introduced in last weeks update too. Although similar in behavior to the one above (it crashes IE), its a separate "less publicized" crash... which happened to effect 300 million users. There is no viable workaround in our code for it, however MS will be releasing a fix for it shortly too.

The crash above involves the URLMON dll, the one that affected us involved the MSHTL dll.

Try explaining to our clients that for once were not responsible for the new bug in our app
Then explain to them if they run the update, our software will no longer work, but hey its a "Critical" update.

[Darren Dirt]

So what's a summary of the MSHTL problem?

...I knew things would be going from bad to worse once the "click your ActiveX control FIRST to do anything" update oops I mean "fix"...

[TheDruid]

Its related to the IE only window.createPopup(), also known as the chromeless window. After a random number of times showing and hiding this little beauty, IE manages to corrupt its own memory and crash.

Since its an IE only object its use is limited on the open web, except, we use it for our menus, date pickers, tool tips etc. in our app.

[Shayne]

Such a beautiful function as well.  Once I so wish Firefox and Opera were to adopt

[Darren Dirt]

It's basically "what window.open SHOULD have been" -- i.e. FAST loading, fully-featured, less "automatic" stuff included always...


Bummer though -- what kinda ETA you thinking before the management says "rewrite the code!"? Can't you use modal dialogs instead? (Again, IE only IIRC)

[Mr. Analog]

I dunno, any call that lets the developer remove critical browsing buttons (i.e. close, etc)...  :-\

If IE didn't let drop-down boxes pass through all z-index layers irregardless of an objects z-index value, you could use a DIV as a borderless popup.

[Shayne]

A borderless pop that doesnt pass over frames

[Mr. Analog]

A borderless pop that doesnt pass over frames

Frames! Yow!

[TheDruid]

Looks like things have just gone from bad to worse:

http://www.securityfocus.com/news/11408

The URLMON bug is now a security hole!

[Lazybones]

..."on computers running Windows 2000 and Windows XP Service Pack 1".. not good but not the worst..

[Darren Dirt]

Looks like things have just gone from bad to worse:

http://www.securityfocus.com/news/11408

The URLMON bug is now a security hole!

URLMON.dll itself is a security hole! (along the lines of "Out of order? This whole SYSTEM is out of order!" )

[TheDruid]

Finally some MS documentation on our problem:

http://support.microsoft.com/kb/923996