Beware of KB891711.EXE

Discussion in 'Legacy Windows' started by Filippo, 2005/03/16.

Thread Status:
Not open for further replies.
  1. 2005/03/16
    Filippo

    Filippo Inactive Thread Starter

    Joined:
    2002/02/13
    Messages:
    107
    Likes Received:
    0
    ISSUE

    Please refer to: "MS05-002: Vulnerability in cursor and icon format handling could allow remote code execution ".
    http://www.microsoft.com/technet/se...n/ms05-002.mspx

    On Win9x systems, this family of related patches installs an executable called KB891711.EXE.

    When I start a number of apps that load bits of GUI (icons, cursors?) in some particular way, this program causes a controlled bluescreen, with the following messages:
    - "an error has occurred "
    - Error: 0D : 0000 : 00010000

    If I press any key, Windows reliably resumes working, without the "offending" application. So far, I noticed that KB891711.EXE breaks several apps. For example:

    - the Trillian IM client bluescreens while starting, right at the point where it loads emoticons.

    - the SIS system tray video settings object bluescreens by just HOVERING the cursor on it in the system tray, because doing so causes the application to LOAD the icons it needs to populate its menu.

    I am sure this breaks a lot more.



    KUDOS

    to Microsoft for showing their commitment to security:
    - first they allow some new, improved, dynamic, and redundant way for apps to use bits of GUI
    - when they discover it's imperfect and dangerous they take it away, irrespective of how many 3rd party apps are affected. Those MS security guys don't take no s%^# from anyone. (Although I am pretty sure MS apps are not affected, and if they were they got fixed with plenty of advance warning.).

    Lest you babble that Microsoft may have acted illegally, I suggest you go re-read the EULAs you accepted and shut up.



    SOLUTION

    I just dropped into msconfig and prevented KB891711.EXE from running on reboot. (It cannot be killed when running).

    I'll run the risk brought by this vuln, and added this to my cahier des doleances.
     
  2. 2005/03/16
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Yours is the first problem I have heard of KB891711 causing problems, then again the update is barely two weeks old.
    Have you ever adjusted the icon cache size, or used TweakUi to repair the icons? It deletes the ShellIconCache file when doing so, allowing it to be rebuilt.
     

  4. 2005/03/21
    Gianni

    Gianni Inactive

    Joined:
    2002/01/07
    Messages:
    106
    Likes Received:
    0
    Last edited: 2005/03/21
  5. 2005/03/21
    Filippo

    Filippo Inactive Thread Starter

    Joined:
    2002/02/13
    Messages:
    107
    Likes Received:
    0
    Thank you markp62!

    I'll definitely give it a try. I was myself a bit surprised that no similar complaints had arisen over TWO FULL WEEKS, with lots of users having switched to automatic updates. But I doubt it's cache related. We'll see!

    I only do manual updates, precisely because I am used to patches being pushed out causing more problems than the vulns they address. I am very extremely careful (say, paranoid) with
    - mail
    - hyperactive mail clients (e.g. closed port 80 AND inbox preview on Outlook & co. at least since 1998)
    - ANY installs, incl. the Java, Active-X etc. menageries, all sorts of plugins etc., which I firebomb on a regular basis
    - passive and active remote directory access
    - removable media of any kind
    - iffy files (I only consider .txt safe, and I do not use MS apps for it either)
    - ALL those damned "agent" apps that want to run at boot and call home to discuss their own business behind my back
    - convoluted multimedia apps that ask for useless (for me) leeway to go online
    + I have two firewalls, AV, antitrojan etc and NEVER had a security problem in 17 years of computing on MS.

    It may sound corny, but if you are indeed paranoid, the majority of probs do tend to come from MS patches. I normally wait months to install potentially intrusive ones, and read their reviews first. In my experience, oldish "cumulative" patches tend to be better managed. This was the first early patching I did in perhaps 5 years.

    Last week I cleaned up a friend's stricken high power XP PC that had caught 30+ nasties (as counted by Norton, but there were more that it could not collar), I asked her to give me a demo of the goblins at work. I saw things I had only read about.
    - IE popping open by itself and running like possessed to (dead) **** sites
    - NAV getting into a tizzy, trying in vain to keep the barbarians at bay and yelling for help
    - a dozen unknown, trembling, beady eyed critters poking their furry noses out of the system tray
    - many specific commands (like task manager invoke) apparently disabled by goblins in self defense
    - console "frozen" due to uncontrollable CPU overload (think 3 GHz doing Lord knows what)
    - the DSL "out" light on solid spraying Satan's semen at 800kbp...

    Her kids are in for an earful.

    I laughed so hard I almost fell off the chair and had to apologize! My 4-yr old WinME box doesn't do that...
     
  6. 2005/03/21
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Thanks for the links on that Gianni :) . I found the annoyances.org link to be the most informative on what it does, and why a Critical Update is now a new standard windows startup.
    For those who check out that link, read the posts by Jack Gulley.
     
  7. 2005/03/21
    Hugh Jarss

    Hugh Jarss Inactive

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    I suspect that the flashing which I and others mentioned in this thread is related (although the flashing which the thread starter was experiencing turned out to be a different issue)

    would like to try starting 891711 manually after all other startups have fully loaded, as mentioned in the annoyances.org thread
    can anyone see any drawback to this workaround - ie, is there more to this M$ update than the background running of KB891711.EXE?

    best wishes, HJ
     
  8. 2005/03/22
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,068
    Likes Received:
    396
    FYI, mail clients don't ever use port 80. Web based mail via the browser, such as yahoo mail, never uses port 80 either.

    Mail servers use port 110 for pop (downloading messages) and port 25 for smtp (sending messages). The mail client on a computer initially connects to the pop server's port 110 to download messages, after which the messages get downloaded using an unassigned port above 1024. When sending messages, the mail client on a computer initially connects to the smtp server's port 25 and again uses other ports to upload the messages that are being sent.

    No workstation or home computer ever uses port 80 unless said computer is running a web server to serve webpages. (such as IIS or Apache)
     
  9. 2005/03/22
    Hugh Jarss

    Hugh Jarss Inactive

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    ???? TonyT - I think perhaps you have got the wrong thread?

    the link in my post above should have taken you to a thread "Internet Explorer Flashes", check out posts #5, #6, #7, #8, #10 which describe behaviour symptoms which I suspect may relate to 891711

    I've disabled KB891711 using msconfig; and made a simple batch file to run on startup, cause a 15 second delay, then run KB891711

    Since doing this the problem has not recurred. But the problem was sporadic anyway - could go for several days without trouble, then have a day when it happens almost all the time.

    ==

    TonyT - off-topic, but since you raise the subject: FYI - email clients *do* use port 80 if you let them. They do this if an image has been included in HTML email as an external reference rather than being attached or incorporated, and the email client is set to read HTML email. OE preview pane, for example, will perfectly happily cause HTTP access to port 80 to pick up images - demo (77kB)

    best wishes, HJ

    (edit) apologies to Tony - it's not him with the wrong thread, it's HJ with the wrong end of the stick - confusing his quote with a very similar discussion about danger of images in emails, without re-reading this thread properly before posting. Mea culpa. The point about port 80, though, still stands.
     
    Last edited: 2005/03/23
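
An added example, not part of any post in this thread: a Python sketch that lists the remote resources an HTML e-mail would make a rendering client fetch, which is the port 80 behaviour described in the post above. The sample message, host names and the function name `remote_fetches` are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one remote image, one embedded (cid:) image, one remote background.
SAMPLE_EML = """\
From: sender@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Plain text alternative.
--b1
Content-Type: text/html

<html><body><p>Hello</p>
<img src="http://tracker.example.net/pixel.gif?id=42" width="1" height="1">
<img src="cid:logo@example.com">
<table background="HTTP://cdn.example.net:8080/bg.png"><tr><td>x</td></tr></table>
</body></html>
--b1--
"""

class RemoteRefFinder(HTMLParser):
    """Collects src/background URLs that trigger an HTTP(S) fetch on render."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # Only attributes a client loads automatically; cid: parts are local.
            if name not in ("src", "background") or not value:
                continue
            parts = urlsplit(value.strip())
            scheme = parts.scheme.lower()
            if scheme in ("http", "https"):
                port = parts.port or (80 if scheme == "http" else 443)
                self.refs.append((tag, parts.hostname, port))

def remote_fetches(raw_message):
    """Return (tag, host, port) for each remote reference in the HTML parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    finder = RemoteRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.refs
```

Run over a saved message, a non-empty result means that opening or previewing it as HTML makes outbound web requests unless the client blocks remote content.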
  10. 2005/03/22
    Hugh Jarss

    Hugh Jarss Inactive

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    forgot to put this earlier:

    after I disabled 891711 with msconfig, I paid a quick visit to WindowsUpdate to see what would happen

    the answer: I wasn't offered any critical updates... so presumably WU decides based on whether you have the files, rather than whether you have the task running

    best wishes, HJ
     
  11. 2005/03/31
    Dennis L Lifetime Subscription

    Dennis L Inactive Alumni

    Joined:
    2002/06/07
    Messages:
    2,557
    Likes Received:
    2
    Current status for KB891711

    KB891711
    Microsoft has acknowledged that a security patch issued in January for its Windows 98 and Windows ME operating systems may cause performance issues for customers who have downloaded the update.

    Have above installed on networked w98SE. Immediately after install, IE6 became extremely unstable. To allow continued use of the computer, have the KB891711.exe running process disabled in startup. To allow Microsoft updates, have a shortcut to load process back to active. Don't yet understand if having update "installed but not active" provides any protection.
     
    Last edited: 2005/03/31
  12. 2005/04/01
    Hugh Jarss

    Hugh Jarss Inactive

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    10 days now since putting the 15 second delay and no recurrence yet - although the problem was intermittent anyway :eek:

    just about starting to get convinced

    best wishes, HJ


    (Windows98)

    @echo off
    echo Start KB891711?
    echo.
    choice /c:yn /t:y,15
    if errorlevel 2 goto end

    KB891711
    :end

    (placed in \SYSTEM\KB891711 & run minimised, close on exit)
     
  13. 2005/04/12
    Hugh Jarss

    Hugh Jarss Inactive

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    891711 seems to be on offer again at Windows Update... ?reworked maybe - or perhaps just insisting on a restart after applying the patch...

    ...noticed that after the earlier application of 891711 (which didn't prompt for a restart) didn't leave 891711 showing as a running task until after the PC was rebooted...

    best wishes, HJ
     
  14. 2005/04/12
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    On the question of restarting.

    I ALWAYS restart after ANY UPDATEs to ANYTHING. Whether it says to or not. The few minutes that it takes may well say a lot.

    And as I stated in the recent post by Hugh Jarss I restart the machine BEFORE updating. And the longer the machine has been on and used I think it is better to restart.

    Whether this helps or not I can not say 100% for sure but I have not had any problems YET. LOL

    I also just updated two 98SE machines (apparently again) with 891711. So time will tell

    BillyBob
     
  15. 2005/04/12
    Hugh Jarss

    Hugh Jarss Inactive

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    the DLL's the same (FC /B)

    the EXE's different (9088 bytes plays 9056)

    (realised I had a backup with the old versions in it ;) )

    best wishes, HJ
     
  16. 2005/04/13
    Gianni

    Gianni Inactive

    Joined:
    2002/01/07
    Messages:
    106
    Likes Received:
    0
    http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx
     