Topic: 4/11/06 Windows Updates Change How ActiveX Works
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 13 April 2006 11:09 AM
Excerpt from article published on 4/11/06:

Tuesday's security updates for Internet Explorer that will also change how users interact with Web sites. Some sites that rely on popular ActiveX controls, such as Apple's QuickTime, RealNetworks' RealPlayer, and Adobe's Flash and Acrobat, are likely to give users fits.

The change, which Microsoft has been warning Web site developers about since December 2005, was made to abide by a ruling in a patent infringement lawsuit Microsoft lost in 2003 to the University of California and its startup, Eolas Technologies Inc. With the changes rolled out in a mandatory security fix, any IE user who downloads and installs Tuesday's security patches -- either manually or via an automated system such as Microsoft Update -- will likely need to modify how they use those sites which haven't been rewritten.

What should users expect?
--- By default, IE will now consider embedded ActiveX content as inactive. Thus on unmodified sites, ActiveX content will not run. In other words, music won't play or a Flash component won't launch.
--- To activate an interactive ActiveX control, move the mouse over the content -- which now will be boxed -- and click on the pop-up tool tip dialog.
--- Alternately, users can press the Tab key until the focus is set on the content's box, then press either the spacebar or Enter key to activate.
--- Each control on each page must be manually activated in this way.

Adobe has posted a short Flash-based demo that shows the activation process. (Ironic note: If you're using IE after the Tuesday update has been applied, you must activate the Flash demo manually.)

Read the entire story here

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/ or my computer troubleshooting website: Wizcrafts Computer Services, or my Webmaster Services webpage. Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices |
Ernie Renn Member From: Brainerd, Minnesota USA
|
posted 17 April 2006 02:08 PM
The most recent Windows Update has a file called "verclsid.exe" in it. (I think it does anyway.) After it was installed I couldn't get IE to work correctly. Couldn't open any folders on the computer. Nothing would come on. It was like it was locking up. I opened the task manager and started turning things off. When I got to that program and turned it off, everything came on. The updater, of course, redownloaded it and I had to go thru the process again. I ended up turning off the auto updater. I sent a report to MS, but who knows what will ever come of that... Any ideas?
------------------ My best, Ernie www.BuddyEmmons.com |
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 17 April 2006 09:00 PM
I have come face to face with verclsid.exe, last week, while removing spyware from a computer. The spyware infecting the PC was the infamous Nail.exe, by abetterinternet. Due to bugs in the programs the desktop had become unstable, taking forever to draw and destroy windows. Using Task Manager I found verclsid at the top of the list, and not liking the looks of it I terminated the process. The desktop (explorer.exe) immediately began to function again.

Within a few seconds verclsid reappeared in Task Manager, and continued to do so every time I terminated it. This told me that it was running as a service with a watcher protecting it. My first thought was that it was the active component of some new spyware. After running a system search I read the properties and was astounded to discover that it is owned by Microsoft.

Ok, what to do. Run spyware scans with all the usual tools, removing a hundred plus pieces of crapware, but the problem didn't go away. Every time I rebooted and entered the desktop Notepad opened with a blank page. This kept occurring after I pulled the Nail. Hmmm. I found the launcher by exposing hidden files and displaying known extensions. It was in the logged-in user's Startup folder, and was named Desktop.exe. It did not show up as a running process in TM. I couldn't see any reference to it anywhere, so I deleted it from the Startup folder, logged off and back on. No more Notepad, and no more verclsid.exe.

My deduction, Watson, is that Microsoft has programmed verclsid to run whenever a suspicious program is launched. I have no idea what it is supposed to do about the malware, but it seems to go away once the infector is removed from memory. I will reveal more as I understand more about this file and its purpose. It definitely came in with the April 11 updates.

All I can say to you is "if you see verclsid.exe as a running process in Task Manager, you probably have been infected with a malware program, and it is trying to do something about it, and failing, de-stabilizing your computer in the process."

[This message was edited by Wiz Feinberg on 17 April 2006 at 09:03 PM.]
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 17 April 2006 09:14 PM
New info #1:

Does this update contain any security-related changes to functionality?
Yes. Besides the changes that are listed in the "Vulnerability Details" section of this bulletin, this update includes the following changes in security functionality:
• This security update introduces a new file, Verclsid.exe. Verclsid.exe is used to verify a COM object before it is instantiated by Windows Explorer.
• This security update includes a Defense in Depth change which ensures that prompting occurs consistently in Internet zone drag and drop scenarios.

This update is creating chaos right now. DSLReports has a 6 page ongoing thread about it at: http://www.dslreports.com/forum/remark,15875820

Here is what one person has done to stop this file from screwing up his computer, until MS can patch their patch:
"Go into C: then open Windows folder. Open System32 look for verclsid.exe and rename it verclsid.old"

Another wrote:
"I uninstalled that particular update that contained verclsid.exe - it was update 908531, and things started working again."

All your base are belong to Microsoft!

[This message was edited by Wiz Feinberg on 17 April 2006 at 09:16 PM.]
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 17 April 2006 09:28 PM
The MS Knowledgebase now discusses this problem, under the heading: Problems in Windows Explorer or the Windows shell after you install security update MS06-015

At: http://support.microsoft.com/?kbid=918165

SYMPTOMS
After you install security update MS06-015 (908531) (http://www.microsoft.com/technet/security/bulletin/ms06-015.mspx), you may experience one or more of the following issues:
• Unable to access special folders like "My Documents" or "My Pictures".
• Microsoft Office applications may stop responding when you attempt to save or open Office files in the "My Documents" folder.
• Office files in the "My Documents" folder are not able to open in Microsoft Office.
• Opening a file through an application's File / Open menu causes the program to stop responding.
• Typing an address into Internet Explorer's address bar has no effect.
• Right-clicking on a file and selecting Send To has no effect.
• Clicking on the plus (+) sign beside a folder in Windows Explorer has no effect.
• Some third-party applications stop responding when opening or saving data in the "My Documents" folder.

CAUSE
The MS06-015 security update package installs a new binary, VERCLSID.EXE, which validates shell extensions before they are instantiated by the Windows Shell or Windows Explorer. On some computers, VERCLSID.EXE stops responding. The following have been identified to cause VERCLSID.EXE to stop responding:
• Hewlett-Packard's Share-to-Web software. There have been reported issues where HP software causes the VERCLSID.EXE process to stop responding. In particular, HP's Share-to-Web Namespace Daemon (Hpgs2wnd.exe) which ships with:
  • HP PhotoSmart software
  • Any HP DeskJet printer that includes a card reader
  • HP Scanners
  • Some HP CD-DVD RWs
  • HP Cameras
  Share-to-Web Namespace Daemon can be found in the "C:\Program Files\hewlett-packard\hp share-to-web\hpgs2wnd.exe" folder. Share-to-Web is auto-started from both the Startup menu and the Run registry key.
• The VERCLSID.EXE process is flagged by Sunbelt Kerio Personal Firewall. Sunbelt Kerio Personal Firewall (http://www.sunbelt-software.com/Kerio.cfm) has a feature which flags any attempt by an application to launch another application for the user's approval. Kerio is flagging Explorer.exe's launch of VERCLSID.EXE. When this occurs, VERCLSID.EXE's execution stops until the user clicks through Kerio's notification dialog. Users can configure Kerio to allow VERCLSID.EXE to execute without prompting.

RESOLUTION
• Hewlett-Packard's Share-to-Web software. The MS06-015 (908531) (http://www.microsoft.com/technet/security/bulletin/ms06-015.mspx) security update includes a "white list"; VERCLSID.EXE will not scan any extension that appears on this list. Adding the HP shell extension corrects the problem. Manually edit the registry:
  1. Log on to the computer with an account with administrator privileges.
  2. Click the Start button and then click Run.
  3. Type Regedit and then click OK.
  4. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
  5. Right-click "Cached", point to New, click "DWORD Value", and then enter: {A4DF5659-0801-4A60-9607-1C48695EFDA9} {000214E6-0000-0000-C000-000000000046} 0x401
  6. Set the Data of this value to 1
  7. Close the Registry Editor.
  8. Use Task Manager to end the Verclsid.exe process or restart the computer.
  Note: If other third-party COM controls or shell extensions are determined to cause this issue, the same method must be used to add the appropriate shell extension.
• VERCLSID.EXE process flagged by Sunbelt Kerio Personal Firewall. Kerio Personal Firewall Users can configure Kerio to allow VERCLSID.EXE to execute without prompting.

It has not been determined if there are other third-party COM controls or shell extensions that may also cause this problem.

If the steps above do not resolve your issue, contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web: http://support.microsoft.com/directory/overview.asp |
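The registry steps quoted in the post above, as an added PowerShell example that is not part of the original post or of Microsoft's article. It reports the state of one allow-list entry and writes it only when run with -Apply. The key path, the two GUIDs and the 0x401 flag are the values quoted from the KB; the script parameters, the HKEY_CLASSES_ROOT\CLSID registration check and the report fields are assumptions added for illustration, and an elevated session is assumed.

```powershell
# Added example (not from the KB article): audit or apply one verclsid allow-list entry.
# Assumes an elevated PowerShell session. Default GUIDs and flag are the HP values from the KB.
param(
    [string]$Clsid = '{A4DF5659-0801-4A60-9607-1C48695EFDA9}',
    [string]$Iid   = '{000214E6-0000-0000-C000-000000000046}',
    [string]$Flags = '0x401',
    [switch]$Apply   # without -Apply the script only reports
)

$cached = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached'
$guidRe = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# Reject malformed input before touching the registry.
foreach ($g in $Clsid, $Iid) {
    if ($g -notmatch $guidRe) { throw "Not a braced GUID: $g" }
}
if (-not (Test-Path -Path $cached)) { throw "Registry key not found: $cached" }

# Step 5: the value NAME is the three tokens joined by single spaces.
$valueName = "$Clsid $Iid $Flags"

# Added check (assumption): is this extension registered on the machine at all?
$registered = Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"

# Current data of the entry, or $null when it is absent.
$current = (Get-ItemProperty -Path $cached -Name $valueName -ErrorAction SilentlyContinue).$valueName

[pscustomobject]@{
    ValueName       = $valueName
    ClsidRegistered = $registered
    CurrentData     = $current
    VerclsidRunning = @(Get-Process -Name verclsid -ErrorAction SilentlyContinue).Count
}

if ($Apply -and $current -ne 1) {
    # Steps 5-6: create the DWORD value and set its data to 1.
    New-ItemProperty -Path $cached -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    # Step 8: end any running verclsid.exe (restarting the computer is the alternative).
    Get-Process -Name verclsid -ErrorAction SilentlyContinue | Stop-Process -Force
}
```

For another shell extension, pass its own values through the parameters; the KB text gives the GUIDs and flag only for the HP extension.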
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 18 April 2006 07:33 AM
I should mention that I have applied this update to my computers and have had no such problems as described above. I don't have the software listed above either. This suggests that the patch is interacting badly with certain pre-existing programs that required shell access, and with invaders that try to embed themselves into the Windows Explorer Shell. Nail (abetterinternet a.k.a. Smitfraud.c) does just that. It adds its executable to Explorer during Winlogon, and verclsid saw this and was trying to determine if this was a valid change, which it was not, and caused the (customer's) infected system to grind to a near halt.

[This message was edited by Wiz Feinberg on 25 April 2006 at 05:46 AM.] | |