Saturday, 23 April 2005


Sorry for the cryptic title, but KB891711 is the topic, along with computer security, software quality, and similar matters.

KB891711 is a Microsoft Security Update (so all Mac and Unix users reading this don't have to worry, but will no doubt find this amusing, and may safely engage in much Schadenfreude).

There's a complete discussion on this update over at, but here's the gist of it.

First, "why is this update unlike all the other updates"? Because it installs a process that appears on your task list. If you press CTRL-ALT-DEL on a Windows 98 box, you get a list of all running tasks, that is programs that are doing their thing on your computer at the moment. Try it and see - You might have something like this :

A.E.Brain - Opera

Opera, check, that's my browser. ZoneAlarm and VisualZone are parts of my firewall, Avgcc the anti-virus software and so on. (And if your list doesn't have a Firewall and Anti-Virus Scanner on it, Why not? Get one NOW!) All are things I want running on my machine, all are things I've had to OK, except for this very very VERY suspicious-looking "KB891711", which looks as if it might be a key logger or some other malevolent entity.

Well, I was partly right. It's not a key logger, it's an Icon, Image and Hyperlink examiner. It may or may not be malevolent, but was intended to be beneficial. In other words, it's a typical Microsoft Product.

Microsoft in its wisdom decided that the only way to fix a problem that hackers were starting to exploit was to install this on my machine the last time I got the monthly set of security patches.

Here's why the patch was needed :
eEye Digital Security has discovered a vulnerability in USER32.DLL's handling of Windows animated cursor (.ani) files that will allow a remote attacker to reliably overwrite the stack with arbitrary data and execute arbitrary code.

Because Windows animated cursors can be supplied for use by Internet Explorer, this vulnerability affects any applications that use the Internet Explorer component internally, such as Internet Explorer itself, Word, Excel, PowerPoint, Outlook, Outlook Express, and so on, as well as the Windows shell.

In the case of Internet Explorer, the user's system will be compromised when the user views a website that shows a malformed ANI file referenced via a style sheet in the HTML file. Likewise, a system may be compromised through Outlook and Outlook Express when the user tries to read an HTML e-mail containing a MIME-encoded malformed ANI file and a style sheet referencing the encoded ANI file, invoked using HTML such as < BODY style="CURSOR: url('cid:xxxx')" >. In the case of the Windows shell (explorer.exe), exploitation occurs when the user opens a folder containing a malformed ANI file.

This vulnerability also exists in all obsolete versions of the Windows operating system (Windows 95/98/NT4).
So in summary, if you have Windows of any form from 95 to ME, and you look at the wrong website, or receive the wrong e-mail, or look at the wrong spreadsheet, word document, or powerpoint presentation, you're toast.
To make matters worse, the past few days, there have been a number of reports of large companies that provide shared hosting web servers, who have been compromised and their customers web pages modified to attack visitors using the exploits that this fix blocks. In other words, the hackers are starting to attack users who do not have the fix installed and have found ways to do it on a large scale. There is also a report of one known hacker site using this exploit (MS05-002) to infect visitors with two files, that only the Kaspersky AV is currently detecting.

So it is a real threat now and there is no other way to protect your system short of only allowing viewing in text format and never clicking on a image, icon or hyperlink.
Oh yes, many problems have been reported by people with this patch, especially on older machines. This patch appears to break many non-Microsoft web browsers and other software, at least on some machines. Unfortunately for the consipracy-minded, if also breaks the competing Mirosoft products on those machines too.
Note that this update was issued on 11th Jan 2005 and then revised on 8th March 2005.
It's not known whether there are different versions of this patch, early ones very buggy, later ones not, but if you're having trouble with a Win98 machine recently after updating this patch, try uninstalling it and getting a new version.

Instructions here, in entry 15.

OK, I'll repeat them so you don't have to click on it.
It's a little bit of a ritual but quite easy (just takes a lot of words to explain).

First make up an empty folder to put it into (anywhere, any name, as long as you will be able to find it later).

You then go to this website:
Windows "Coporate" Update

This looks exactly like normal Windows Update but it isn't. You go through the ritual of selecting your system and critical updates. Eventually you will find a long list poked into a fairly small box bottom right of screen.

Scroll down and you will find the number about two thirds of the way down. Put it in the shopping basket and download it. You will need to browse to the empty folder you made previously before it will download.

Once you've done all that come off line and go to the folder you made. You will then find it has made a stack of sub-folders. Just work your way through that lot until you find the file (it's called Windows98-KB891711-ENU.EXE).

I would normally say just double click it and away you go. In this instance it is sensible to heed Dan's warning in #12. (The warning reads as follows - I read in another forum today that in the "Exec Notes or something or other" that it should be installed while running in safe mode. (I haven't been anywhere else yet, so when I run across it again I'll gather more detailed info in case it's required.) - AEB) It certainly won't do any harm to install it from Safe Mode.

You probably know this, but to get to Safe Mode you either hold Ctrl key down while booting or if this doesn't work keep tapping F8 key while booting. From the startup menu that appears select Safe Mode. It will be like normal Windows but with large icons and rotten graphics. Just find the file and double click it. Re-boot afterwards.
Or get a friendly neighbourhood tech geek to to this for you (show them these instructions). He or she is likely to get a buzz out of helping you and another chance to demonstrate to the world their Superior Computer-Fu.

No comments: