ie8rocks

Ran into an issue recently where Windows 7 IE 8 was experiencing an error when visiting a Microsoft Dynamics CRM website. The error was:

A Microsoft Dynamics CRM window was unable to open and may have been blocked by a pop-up blocker.  Please add this Microsoft Dynamics CRM server to the list of sites your pop-up blocker allows to open new Windows: URL

What is really cool about this error message is the fact that I actually have the popup blocker disabled. DOH!

I started running through all of the usual suspects, disabling toolbars\BHO’s from manage addons but nothing seemed to help. So I took more drastic steps.

First I downloaded Disk2VHD from sysinternals (Microsoft) and made a backup of my machine. Why you might ask? Simple I want to be able to load a “VM” with an undo disk. The undo disk will allow me to do anything I want with the VM and never worry about what I might break. Stuff I would never do to my physical machine.

Anyways I made the VHD and booted it up, I then took a working machine and started exporting registry keys that I thought might help. After importing the known good registry keys from the working machine into the non-working machine I still had the error. I then began the process of registry comparison, while a very painful process I was able to find an anomaly

On my machine with the popup blocker error I had the following entry in the registry.

[HKEY_CLASSES_ROOT\Interface\{79EAC9C5-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32]
@="{79eac9c0-baf9-11ce-8c82-00aa004ba90b}"

On the machine that works (without the popup blocker error) I had the following.

[HKEY_CLASSES_ROOT\Interface\{79EAC9C5-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32]
@="{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"

I modified the registry on the non-working machine to match what I had on the working machine and bingo the issue was resolved (note: I had to reboot first)

So what is this key and how did it get changed? That is a very good question and I am glad you asked. It appears the registration of ieproxy.dll was overwritten by another process (likely something I installed)

The real fix is not to simply edit the registry as I listed above, but is to regsvr32 the ieproxy.dll located in C:\program files\internet explorer or c:\program files (x86)\internet explorer

First click on the Windows button and type cmd in the search box.

image

Now right click on cmd and select Run as administrator

image

Now type in the following command: 
   regsvr32 "C:\program files\internet explorer\ieproxy.dll"

If you have a 64bit version of Windows register the 32bit version of IE
   regsvr32 "C:\program files (x86)\internet explorer\ieproxy.dll"

clip_image003

If the registration was successful you will see the following message. At this point click OK.

clip_image004

That’s it I hope this helps some of you guys\gals.

Hello everyone I wanted to post an update that we are still here and will soon be posting a few new blogs. We have been watching the incredible transformation that is occurring with IE 9 and found ourselves sidetracked from our IE 8 post. I guess that is our ADD showing through.

If you haven’t checked out the IE 9 beta or any of the previews you are missing out. Go to http://www.beautyoftheweb.com/ or http://ie.microsoft.com/testdrive/ for some very cool stuff.  

Anyways if you are still on IE 6 but are looking to make the leap to IE 8 you should check out this video. It is a little over an hour but well worth your time.


Migrating from Internet Explorer 6 to Internet Explorer 8

Ok ran into something pretty cool with Windows 7 and Internet Explorer 8 as it relates to Authorization headers. Let’s say you happen to have your internal web servers configured to require Kerberos authentication, and you just happen to have fiddler or a network trace running when you connected to the server. You will notice your typical 401 auth challenge and upon a successful connection IE 8 will send the Authorization http header. (See example below)

image

It appears that every GET or POST request will automatically include the authorization header this is called request-based auth. The benefit of request-based auth is that you avoid the whole 401 auth war that can break out on the wire. This is actually a performance enhancement that appears to only exist in Windows 7. IE 8 on Vista\XP do not use this enhancement, maybe Microsoft will backport this feature someday.

So here is my side by side of the two different auth methods used by IE 8 depending on your OS.

IE 8 on XP and Vista IE 8 on Windows 7 and 2008 R2
  • Uses Connection Based Auth
  • Leads to 401 response from server and more packets on the wire.
  • Could result in slower experience if the webserver closes the connection and forces a reauth on each get.
  • Uses Request Based Auth
  • Reduce or eliminate 401’s because each request contains the auth header
  • Could be a faster experience for the user if the server closes the connection.
  • (downside is the GET or POST request is larger as it contains the auth header) [hey nothing in life is free]

 

So how do you make IE8 on Windows 7 flip back to the Connection Based Auth method?

Simple send down a header from the web server. That header you will want to include is called the

Persistent-Auth header. If you set it equal to true IE 8 on Windows 7 will no longer send the Auth header in each request. You can read more about this in the following two locations.

http://msdn.microsoft.com/en-us/library/dd341152(PROT.10).aspx

http://msdn.microsoft.com/en-us/library/ee393311(v=PROT.10).aspx

I know this is IE 6 and who cares about IE 6 right?  Well lots of corporations still use IE 6 for their day to day business activities. So here it is…

Environment

Internet Explorer 6 on Windows XP (sp2\3), you are using a .pac file to configure your proxy settings. Users access websites that require them to supply Kerberos credentials.

Results

Users see the informative error message “HTTP Error 401 – Unauthorized: Access is denied due to invalid credentials.” At this point your phone lights up like a Christmas tree.

Reason

Bug resolved with http://support.microsoft.com/kb/921400 

 

This is great I just blogged about something that Microsoft fixed back in 2006. But I promise I am not wasting your time. Here is why; after you install this fix or a much later version of wininet.dll that is on the Microsoft QFE branch you must add the following registry key to actually “turn on the fix”

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\
FEATURE_AUTOPROXY_CACHE_ANAME_KB921400
Value Name: iexplore.exe
Data Type: REG_DWord
Value: = 1

NOTE: you will need to create a key named FEATURE_AUTOPROXY_CACHE_ANAME_KB921400 before you can specify the process.

NOTE 2: If you have a process other than iexplore.exe that you feel needs this fix then just add your process under this registry key.

NOTE 3: Or if you just want this on for all processes use an asterisk * in the place of the process name.

Ok that it for IE 6 today oh and btw this does not apply to IE 7 or IE 8 seems like they fixed the glitch.

I felt this was important to re-document and see if we can expand on it. Please see the ping back to where most of this content came from. The guy does a great job and deserves the credit. I am going to work to expand this information where possible so think of this post as a living post subject to updates :-)

Pingback: http://www.innovation.ch/personal/ronald/ntlm.html

Introduction

This is an attempt at documenting the undocumented NTLM authentication scheme used by M$’s browsers, proxies, and servers (MSIE and IIS); this scheme is also sometimes referred to as the NT challenge/response (NTCR) scheme. Most of the info here is derived from three sources (see also the Resources section at the end of this document): Paul Ashton’s work on the NTLM security holes, the encryption documentation from Samba, and network snooping. Since most of this info is reverse-engineered it is bound to contain errors; however, at least one client and one server have been implemented according to this data and work successfully in conjunction with M$’s browsers, proxies and servers.

Note that this scheme is not as secure as Digest and some other schemes; it is slightly better than the Basic authentication scheme, however.

Also note that this scheme is not an http authentication scheme – it’s a connection authentication scheme which happens to (mis-)use http status codes and headers (and even those incorrectly).

NTLM Handshake

When a client needs to authenticate itself to a proxy or server using the NTLM scheme then the following 4-way handshake takes place (only parts of the request and status line and the relevant headers are shown here; "C" is the client, "S" the server):

    1: C  --> S   GET ...
    
    2: C <--  S   401 Unauthorized
                  WWW-Authenticate: NTLM
    
    3: C  --> S   GET ...
                  Authorization: NTLM <base64-encoded type-1-message>
    
    4: C <--  S   401 Unauthorized
                  WWW-Authenticate: NTLM <base64-encoded type-2-message>
    
    5: C  --> S   GET ...
                  Authorization: NTLM <base64-encoded type-3-message>
    
    6: C <--  S   200 Ok

Messages

The three messages sent in the handshake are binary structures. Each one is described below as a pseudo-C struct and in a memory layout diagram. byte is an 8-bit field; short is a 16-bit field. All fields are unsigned. Numbers are stored in little-endian order. Struct fields named zero contain all zeroes. An array length of "*" indicates a variable length field. Hexadecimal numbers and quoted characters in the comments of the struct indicate fixed values for the given field.

The field flags is presumed to contain flags, but their significance is unknown; the values given are just those found in the packet traces.

Type-1 Message

This message contains the host name and the NT domain name of the client.

    struct {
        byte    protocol[8];     // 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'
        byte    type;            // 0x01
        byte    zero[3];
        short   flags;           // 0xb203
        byte    zero[2];

        short   dom_len;         // domain string length
        short   dom_len;         // domain string length
        short   dom_off;         // domain string offset
        byte    zero[2];

        short   host_len;        // host string length
        short   host_len;        // host string length
        short   host_off;        // host string offset (always 0x20)
        byte    zero[2];

        byte    host[*];         // host string (ASCII)
        byte    dom[*];          // domain string (ASCII)
    } type-1-message
                 0       1       2       3
             +-------+-------+-------+-------+
         0:  |  'N'  |  'T'  |  'L'  |  'M'  |
             +-------+-------+-------+-------+
         4:  |  'S'  |  'S'  |  'P'  |   0   |
             +-------+-------+-------+-------+
         8:  |   1   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        12:  | 0x03  | 0xb2  |   0   |   0   |
             +-------+-------+-------+-------+
        16:  | domain length | domain length |
             +-------+-------+-------+-------+
        20:  | domain offset |   0   |   0   |
             +-------+-------+-------+-------+
        24:  |  host length  |  host length  |
             +-------+-------+-------+-------+
        28:  |  host offset  |   0   |   0   |
             +-------+-------+-------+-------+
        32:  |  host string                  |
             +                               +
             .                               .
             .                               .
             +             +-----------------+
             |             | domain string   |
             +-------------+                 +
             .                               .
             .                               .
             +-------+-------+-------+-------+

The host and domain strings are ASCII (or possibly ISO-8859-1), are uppercased, and are not nul-terminated. The host name is only the host name, not the FQDN (e.g. just "GOOFY", not "GOOFY.DISNEY.COM"). The offsets refer to the offset of the specific field within the message, and the lengths are the length of specified field. For example, in the above message host_off = 32 and dom_off = host_off + host_len. Note that the lengths are included twice (for some unfathomable reason).

Type-2 Message

This message contains the server’s NTLM challenge.

    struct {
        byte    protocol[8];     // 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'
        byte    type;            // 0x02
        byte    zero[7];
        short   msg_len;         // 0x28
        byte    zero[2];
        short   flags;           // 0x8201
        byte    zero[2];

        byte    nonce[8];        // nonce
        byte    zero[8];
    } type-2-message
                 0       1       2       3
             +-------+-------+-------+-------+
         0:  |  'N'  |  'T'  |  'L'  |  'M'  |
             +-------+-------+-------+-------+
         4:  |  'S'  |  'S'  |  'P'  |   0   |
             +-------+-------+-------+-------+
         8:  |   2   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        12:  |   0   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        16:  |  message len  |   0   |   0   |
             +-------+-------+-------+-------+
        20:  | 0x01  | 0x82  |   0   |   0   |
             +-------+-------+-------+-------+
        24:  |                               |
             +          server nonce         |
        28:  |                               |
             +-------+-------+-------+-------+
        32:  |   0   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        36:  |   0   |   0   |   0   |   0   |
             +-------+-------+-------+-------+

The nonce is used by the client to create the LanManager and NT responses (see Password Hashes). It is an array of 8 arbitrary bytes. The message length field contains the length of the complete message, which in this case is always 40.

Type-3 Message

This message contains the username, host name, NT domain name, and the two "responses".

    struct {
        byte    protocol[8];     // 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'
        byte    type;            // 0x03
        byte    zero[3];

        short   lm_resp_len;     // LanManager response length (always 0x18)
        short   lm_resp_len;     // LanManager response length (always 0x18)
        short   lm_resp_off;     // LanManager response offset
        byte    zero[2];

        short   nt_resp_len;     // NT response length (always 0x18)
        short   nt_resp_len;     // NT response length (always 0x18)
        short   nt_resp_off;     // NT response offset
        byte    zero[2];

        short   dom_len;         // domain string length
        short   dom_len;         // domain string length
        short   dom_off;         // domain string offset (always 0x40)
        byte    zero[2];

        short   user_len;        // username string length
        short   user_len;        // username string length
        short   user_off;        // username string offset
        byte    zero[2];

        short   host_len;        // host string length
        short   host_len;        // host string length
        short   host_off;        // host string offset
        byte    zero[6];

        short   msg_len;         // message length
        byte    zero[2];

        short   flags;           // 0x8201
        byte    zero[2];

        byte    dom[*];          // domain string (unicode UTF-16LE)
        byte    user[*];         // username string (unicode UTF-16LE)
        byte    host[*];         // host string (unicode UTF-16LE)
        byte    lm_resp[*];      // LanManager response
        byte    nt_resp[*];      // NT response
    } type-3-message
                 0       1       2       3
             +-------+-------+-------+-------+
         0:  |  'N'  |  'T'  |  'L'  |  'M'  |
             +-------+-------+-------+-------+
         4:  |  'S'  |  'S'  |  'P'  |   0   |
             +-------+-------+-------+-------+
         8:  |   3   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        12:  |  LM-resp len  |  LM-Resp len  |
             +-------+-------+-------+-------+
        16:  |  LM-resp off  |   0   |   0   |
             +-------+-------+-------+-------+
        20:  |  NT-resp len  |  NT-Resp len  |
             +-------+-------+-------+-------+
        24:  |  NT-resp off  |   0   |   0   |
             +-------+-------+-------+-------+
        28:  | domain length | domain length |
             +-------+-------+-------+-------+
        32:  | domain offset |   0   |   0   |
             +-------+-------+-------+-------+
        36:  |  user length  |  user length  |
             +-------+-------+-------+-------+
        40:  |  user offset  |   0   |   0   |
             +-------+-------+-------+-------+
        44:  |  host length  |  host length  |
             +-------+-------+-------+-------+
        48:  |  host offset  |   0   |   0   |
             +-------+-------+-------+-------+
        52:  |   0   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        56:  |  message len  |   0   |   0   |
             +-------+-------+-------+-------+
        60:  | 0x01  | 0x82  |   0   |   0   |
             +-------+-------+-------+-------+
        64:  | domain string                 |
             +                               +
             .                               .
             .                               .
             +           +-------------------+
             |           | user string       |
             +-----------+                   +
             .                               .
             .                               .
             +                 +-------------+
             |                 | host string |
             +-----------------+             +
             .                               .
             .                               .
             +   +---------------------------+
             |   | LanManager-response       |
             +---+                           +
             .                               .
             .                               .
             +            +------------------+
             |            | NT-response      |
             +------------+                  +
             .                               .
             .                               .
             +-------+-------+-------+-------+

The host, domain, and username strings are in Unicode (UTF-16, little-endian) and are not nul-terminated; the host and domain names are in upper case. The lengths of the response strings are 24.

Password Hashes

To calculate the two response strings two password hashes are used: the LanManager password hash and the NT password hash. These are described in detail at the beginning of the Samba ENCRYPTION.html document. However, a few things are not clear (such as what the magic constant for the LanManager hash is), so here is some almost-C code which calculates the two responses. Inputs are passw and nonce, the results are in lm_resp and nt_resp.

    /* setup LanManager password */

    char  lm_pw[14];
    int   len = strlen(passw);
    if (len > 14)  len = 14;

    for (idx=0; idx<len; idx++)
        lm_pw[idx] = toupper(passw[idx]);
    for (; idx<14; idx++)
        lm_pw[idx] = 0;


    /* create LanManager hashed password */

    unsigned char magic[] = { 0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 };
    unsigned char lm_hpw[21];
    des_key_schedule ks;

    setup_des_key(lm_pw, ks);
    des_ecb_encrypt(magic, lm_hpw, ks);

    setup_des_key(lm_pw+7, ks);
    des_ecb_encrypt(magic, lm_hpw+8, ks);

    memset(lm_hpw+16, 0, 5);


    /* create NT hashed password */

    int   len = strlen(passw);
    char  nt_pw[2*len];
    for (idx=0; idx<len; idx++)
    {
        nt_pw[2*idx]   = passw[idx];
        nt_pw[2*idx+1] = 0;
    }

    unsigned char nt_hpw[21];
    MD4_CTX context;
    MD4Init(&context);
    MD4Update(&context, nt_pw, 2*len);
    MD4Final(nt_hpw, &context);

    memset(nt_hpw+16, 0, 5);


    /* create responses */

    unsigned char lm_resp[24], nt_resp[24];
    calc_resp(lm_hpw, nonce, lm_resp);
    calc_resp(nt_hpw, nonce, nt_resp);

Helpers:

    /*
     * takes a 21 byte array and treats it as 3 56-bit DES keys. The
     * 8 byte plaintext is encrypted with each key and the resulting 24
     * bytes are stored in the results array.
     */
    void calc_resp(unsigned char *keys, unsigned char *plaintext, unsigned char *results)
    {
        des_key_schedule ks;

        setup_des_key(keys, ks);
        des_ecb_encrypt((des_cblock*) plaintext, (des_cblock*) results, ks, DES_ENCRYPT);

        setup_des_key(keys+7, ks);
        des_ecb_encrypt((des_cblock*) plaintext, (des_cblock*) (results+8), ks, DES_ENCRYPT);

        setup_des_key(keys+14, ks);
        des_ecb_encrypt((des_cblock*) plaintext, (des_cblock*) (results+16), ks, DES_ENCRYPT);
    }


    /*
     * turns a 56 bit key into the 64 bit, odd parity key and sets the key.
     * The key schedule ks is also set.
     */
    void setup_des_key(unsigned char key_56[], des_key_schedule ks)
    {
        des_cblock key;

        key[0] = key_56[0];
        key[1] = ((key_56[0] << 7) & 0xFF) | (key_56[1] >> 1);
        key[2] = ((key_56[1] << 6) & 0xFF) | (key_56[2] >> 2);
        key[3] = ((key_56[2] << 5) & 0xFF) | (key_56[3] >> 3);
        key[4] = ((key_56[3] << 4) & 0xFF) | (key_56[4] >> 4);
        key[5] = ((key_56[4] << 3) & 0xFF) | (key_56[5] >> 5);
        key[6] = ((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6);
        key[7] =  (key_56[6] << 1) & 0xFF;

        des_set_odd_parity(&key);
        des_set_key(&key, ks);
    }

Keeping the connection alive

As mentioned above, this scheme authenticates connections, not requests. This manifests itself in that the network connection must be kept alive during the second part of the handshake, i.e. between the receiving of the type-2 message from the server (step 4) and the sending of the type-3 message (step 5). Each time the connection is closed this second part (steps 3 through 6) must be repeated over the new connection (i.e. it’s not enough to just keep sending the last type-3 message). Also, once the connection is authenticated, the Authorization header need not be sent anymore while the connection stays open, no matter what resource is accessed.

For implementations wishing to work with M$’s software this means that they must make sure they use either HTTP/1.0 keep-alive’s or HTTP/1.1 persistent connections, and that they must be prepared to do the second part of the handshake each time the connection was closed and is reopened. Server implementations must also make sure that HTTP/1.0 responses contain a Content-length header (as otherwise the connection must be closed after the response), and that HTTP/1.1 responses either contain a Content-length header or use the chunked transfer encoding.

Example

Here is an actual example of all the messages. Assume the host name is "LightCity", the NT domain name is "Ursa-Minor", the username is "Zaphod", the password is "Beeblebrox", and the server sends the nonce "SrvNonce". Then the handshake is:

    C -> S   GET ...
    
    S -> C   401 Unauthorized
             WWW-Authenticate: NTLM
    
    C -> S   GET ...
             Authorization: NTLM TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S
    
    S -> C   401 Unauthorized
             WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAU3J2Tm9uY2UAAAAAAAAAAA==
    
    C -> S   GET ...
             Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHIAAAAYABgAigAAABQAFABAAAAADAAMAFQAAAASABIAYAAAAAAAAACiAAAAAYIAAFUAUgBTAEEALQBNAEkATgBPAFIAWgBhAHAAaABvAGQATABJAEcASABUAEMASQBUAFkArYfKbe/jRoW5xDxHeoxC1gBmfWiS5+iX4OAN4xBKG/IFPwfH3agtPEia6YnhsADT
    
    S -> C   200 Ok

and the unencoded messages are:

Type-1 Message:

       0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
   0:  4e 54 4c 4d 53 53 50 00 01 00 00 00 03 b2 00 00  "NTLMSSP........."
  10:  0a 00 0a 00 29 00 00 00 09 00 09 00 20 00 00 00  "....)....... ..."
  20:  4c 49 47 48 54 43 49 54 59 55 52 53 41 2d 4d 49  "LIGHTCITYURSA-MI"
  30:  4e 4f 52                                         "NOR"

Type-2 Message:

       0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
   0:  4e 54 4c 4d 53 53 50 00 02 00 00 00 00 00 00 00  "NTLMSSP........."
  10:  28 00 00 00 01 82 00 00 53 72 76 4e 6f 6e 63 65  "(.......SrvNonce"
  20:  00 00 00 00 00 00 00 00                          "........"

Type-3 Message:

       0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
   0:  4e 54 4c 4d 53 53 50 00 03 00 00 00 18 00 18 00  "NTLMSSP........."
  10:  72 00 00 00 18 00 18 00 8a 00 00 00 14 00 14 00  "r..............."
  20:  40 00 00 00 0c 00 0c 00 54 00 00 00 12 00 12 00  "@.......T......."
  30:  60 00 00 00 00 00 00 00 a2 00 00 00 01 82 00 00  "`..............."
  40:  55 00 52 00 53 00 41 00 2d 00 4d 00 49 00 4e 00  "U.R.S.A.-.M.I.N."
  50:  4f 00 52 00 5a 00 61 00 70 00 68 00 6f 00 64 00  "O.R.Z.a.p.h.o.d."
  60:  4c 00 49 00 47 00 48 00 54 00 43 00 49 00 54 00  "L.I.G.H.T.C.I.T."
  70:  59 00 ad 87 ca 6d ef e3 46 85 b9 c4 3c 47 7a 8c  "Y....m..F...<Gz."
  80:  42 d6 00 66 7d 68 92 e7 e8 97 e0 e0 0d e3 10 4a  "B..f}h.........J"
  90:  1b f2 05 3f 07 c7 dd a8 2d 3c 48 9a e9 89 e1 b0  "...?....-<H....."
  a0:  00 d3                                            ".."

For reference, the intermediate hashed passwords are:

lm_hpw (LanManager hashed password):
91 90 16 f6 4e c7 b0 0b a2 35 02 8c a5 0c 7a 03 00 00 00 00 00
nt_hpw (NT hashed password):
8c 1b 59 e3 2e 66 6d ad f1 75 74 5f ad 62 c1 33 00 00 00 00 00

Resources

* LM authentication in SMB/CIFS
http://www.ubiqx.org/cifs/SMB.html#SMB.8.3
* A document on cracking NTLMv2 authentication
http://www.blackhat.com/presentations/win-usa-02/urity-winsec02.ppt
* Squid’s NLTM authentication project
http://squid.sourceforge.net/ntlm/
* Encryption description for Samba
http://de.samba.org/samba/ftp/docs/htmldocs/ENCRYPTION.html
* Info on the MSIE security hole
http://oliver.efri.hr/~crv/security/bugs/NT/ie6.html
* FAQ: NT Cryptographic Password Attacks & Defences
http://www.ntbugtraq.com/default.asp?sid=1&pid=47&aid=17
* M$’s hotfix to disable the sending of the LanManager response
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/lm-fix
* A description of M$’s hotfix
http://www.tryc.on.ca/archives/bugtraq/1997_3/0070.html

Acknowledgements

Special thanks to the following people who helped with the collection and debugging of the above information:

 

UPDATE 10/20/2009:

It appears there is a bug introduced with MS09-054 which is the latest Internet Explorer Cumulative Security Update just released last Tuesday, Oct 13 2009. From the review the situation appears to be isolated to VBSCRIPT and only with very specific usage scenarios. Not sure about the rest of the world but we at IE8Blog gave on VBSCRIPT several years ago. 

KB976749 You receive a VBScript "Type Mismatch" script error message in Internet Explorer after you install cumulative security update 974455

http://support.microsoft.com/kb/976749

A couple tests were run using the examples provided in the knowledge base article and it appears the issue involves MSHTML.DLL.

Hot off the security press Microsoft rev’s IE with the latest in security goodness.

Microsoft security updates for October 2009

http://www.microsoft.com/security/updates/bulletins/200910.aspx

Microsoft Security Bulletin MS09-054 – Critical

Cumulative Security Update for Internet Explorer (974455)

http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx

MS09-054: Cumulative security update for Internet Explorer

http://support.microsoft.com/kb/974455

Affected Software

Operating System

Component

Maximum Security Impact

Aggregate Severity Rating

Bulletins Replaced by This Update

Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1

Microsoft Windows 2000 Service Pack 4

Microsoft Internet Explorer 5.01 Service Pack 4

Remote Code Execution

Critical

MS09-034

Microsoft Windows 2000 Service Pack 4

Microsoft Internet Explorer 6 Service Pack 1

Remote Code Execution

Critical

MS09-034

Internet Explorer 6

Windows XP Service Pack 2 and Windows XP Service Pack 3

Microsoft Internet Explorer 6

Remote Code Execution

Critical

MS09-034

Windows XP Professional x64 Edition Service Pack 2

Microsoft Internet Explorer 6

Remote Code Execution

Critical

MS09-034

Windows Server 2003 Service Pack 2

Microsoft Internet Explorer 6

Remote Code Execution

Critical

MS09-034

Windows Server 2003 x64 Edition Service Pack 2

Microsoft Internet Explorer 6

Remote Code Execution

Critical

MS09-034

Windows Server 2003 with SP2 for Itanium-based Systems

Microsoft Internet Explorer 6

Remote Code Execution

Critical

MS09-034

Internet Explorer 7

Windows XP Service Pack 2 and Windows XP Service Pack 3

Windows Internet Explorer 7

Remote Code Execution

Critical

MS09-034

Windows XP Professional x64 Edition Service Pack 2

Windows Internet Explorer 7

Remote Code Execution

Critical

MS09-034

Windows Server 2003 Service Pack 2

Windows Internet Explorer 7

Remote Code Execution

Critical

MS09-034

Windows Server 2003 x64 Edition Service Pack 2

Windows Internet Explorer 7

Remote Code Execution

Critical

MS09-034

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Internet Explorer 7

Remote Code Execution

Critical

MS09-034

Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2

Windows Internet Explorer 7

Remote Code Execution

Critical

MS09-034

Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2

Windows Internet Explorer 7

Remote Code Execution

Critical

MS09-034

Windows Server 2008 for 32-bit Systems* and Windows Server 2008 for 32-bit Systems Service Pack 2*

Windows Internet Explorer 7

Remote Code Execution

Critical

MS09-034

Windows Server 2008 for x64-based Systems* and Windows Server 2008 for x64-based Systems Service Pack 2*

Windows Internet Explorer 7

Remote Code Execution

Critical

MS09-034

Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows Internet Explorer 7

Remote Code Execution

Critical

MS09-034

Internet Explorer 8

Windows XP Service Pack 2 and Windows XP Service Pack 3

Windows Internet Explorer 8

Remote Code Execution

Critical

MS09-034

Windows XP Professional x64 Edition Service Pack 2

Windows Internet Explorer 8

Remote Code Execution

Critical

MS09-034

Windows Server 2003 Service Pack 2

Windows Internet Explorer 8

Remote Code Execution

Critical

MS09-034

Windows Server 2003 x64 Edition Service Pack 2

Windows Internet Explorer 8

Remote Code Execution

Critical

MS09-034

Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2

Windows Internet Explorer 8

Remote Code Execution

Critical

MS09-034

Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2

Windows Internet Explorer 8

Remote Code Execution

Critical

MS09-034

Windows Server 2008 for 32-bit Systems* and Windows Server 2008 for 32-bit Systems Service Pack 2*

Windows Internet Explorer 8

Remote Code Execution

Critical

MS09-034

Windows Server 2008 for x64-based Systems* and Windows Server 2008 for x64-based Systems Service Pack 2*

Windows Internet Explorer 8

Remote Code Execution

Critical

MS09-034

Windows 7 for 32-bit Systems

Windows Internet Explorer 8

Remote Code Execution

Critical

None

Windows 7 for x64-based Systems

Windows Internet Explorer 8

Remote Code Execution

Critical

None

Windows Server 2008 R2 for x64-based Systems*

Windows Internet Explorer 8

Remote Code Execution

Critical

None

Windows Server 2008 R2 for Itanium-based Systems

Windows Internet Explorer 8

Remote Code Execution

Critical

None

Ok this post will be a little more Internet Explorer 7 focused but I thought it would be valuable to share.

So many times when I am attempting to print content off a webpage I find that the "Shrink To Fit” feature leaves a bit to be desired. I am starting out by opening http://msdn.microsoft.com as I would expect this page to render perfectly in IE and indeed it does.

MSDN Website rendered  Now by simply clicking on File – Print – Preview we will see a new rendering of the page which appears to look very different than the page I was just looking at. At first glance you might think hey all the content is there and it doesn’t look that bad.

 

 

 

 

 

But it’s when you compare this page to the same page in Firefox you see the difference.

Internet Explorer 7 Print Preview Shrink To Fit Firefox Print Preview Shrink To Fit

Firefox actually even rendered the Ads and the layout looks more like the original page than the IE 7 rendering. The problem isn’t Shrink To Fit but more about how Internet Explorer is designed to print preview.

So what are your options?  At this point I am not sure but I am posting this out there to see if anyone has found a good add-in that will scale the page down and still look nice. Post away on the comments.

In this article, you will learn how Proxy Auto-Disover configuration files , wpad.dat files, provide central administration for proxy connections to the Internet and how the algorithm sequence work.

When using Automatically Detect setting setting in IE will search a proxy auto-configuration file in the predefined detection methods:

NOTE: Only applies when ‘Automatically detect settings’ in Internet Options > connections > Lan Connections is the only option checked. Other options for configuring IE connection settings include Automatic Configuration Scripts and manually specifying a proxy server.

  1. DHCP (252 option)
  2. DNS A record query/queries
  3. NetBios

If  DHCP is configured to provide the WPAD location, IE stops the detection and will make a GET request for the wpad.dat file and no further searching is done. This is true even if the DHCP 252 option is incorrect and a correct entry is configured as a DNS record.

If DHCP 252 is not configured, IE will continue until it either exhausts the search or gets a response:

  1. BootP request to DHCP for the 252 option containing the path to the wpad.dat file if DHCP 252 is not configured
  2. DNS A query for “wpad.” ex. wpad.domainname.com if the DNS query fails
  3. A Netbios query for a machine named WPAD occurs If Netbios fails
  4. A direct connection is attempted

If this attempt fails, the user is presented with the Cannot display the webpage or similar message.

The wpad.dat detection (steps 1 thru 3) occur when “Detecting proxy settings…” is displayed in the status bar in the lower left corner of the Internet Explorer window.

Example of a detection order:

- If a domain suffix is west.corp.contoso.com

IE will perform the following queries:

  • wpad.west.corp.contoso.com
  • wpad.corp.contoso.com
  • wpad.contoso.com

NOTE: If a domain suffix search order has been specified, the first domain in the list will be used instead.

We have demostrated that there is potential overhead associated with the detection method and if you don’t ahve a WPAD solution, there is not readon to have this option enabled. Disabling this option can reduce network traffic as well as initial page laod times for Internet Explore.  When we disable this option, IE will attempt to connect immediately.

Internet Explorer 8 has been out for a while now so why create another blog to talk about it? Well that simple. I feel that many questions go unanswered about how and why things happen when using Internet Explorer. We cannot go through life blaming everything on Microsoft, heck they actually do a great job trying to accommodate the needs of everyone. But along the way we run into quirky issues that sometimes drive you crazy, this is where my blog comes in.

While I don’t proclaim to be an expert in all things Internet Explorer I can hold my own. So I am going to put my efforts behind helping you; my readers, solve issues or at least understand why things are they way they are from an Internet Explorer point of view.

Please check back often as I have many topics I plan on covering.