Ran into an issue recently where Windows 7 IE 8 was experiencing an error when visiting a Microsoft Dynamics CRM website. The error was:
A Microsoft Dynamics CRM window was unable to open and may have been blocked by a pop-up blocker. Please add this Microsoft Dynamics CRM server to the list of sites your pop-up blocker allows to open new Windows: URL
What is really cool about this error message is the fact that I actually have the popup blocker disabled. DOH!
I started running through all of the usual suspects, disabling toolbars\BHO’s from manage addons but nothing seemed to help. So I took more drastic steps.
First I downloaded Disk2VHD from sysinternals (Microsoft) and made a backup of my machine. Why you might ask? Simple I want to be able to load a “VM” with an undo disk. The undo disk will allow me to do anything I want with the VM and never worry about what I might break. Stuff I would never do to my physical machine.
Anyways I made the VHD and booted it up, I then took a working machine and started exporting registry keys that I thought might help. After importing the known good registry keys from the working machine into the non-working machine I still had the error. I then began the process of registry comparison, while a very painful process I was able to find an anomaly
On my machine with the popup blocker error I had the following entry in the registry.
[HKEY_CLASSES_ROOT\Interface\{79EAC9C5-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32]
@="{79eac9c0-baf9-11ce-8c82-00aa004ba90b}"
On the machine that works (without the popup blocker error) I had the following.
[HKEY_CLASSES_ROOT\Interface\{79EAC9C5-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32]
@="{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
I modified the registry on the non-working machine to match what I had on the working machine and bingo the issue was resolved (note: I had to reboot first)
So what is this key and how did it get changed? That is a very good question and I am glad you asked. It appears the registration of ieproxy.dll was overwritten by another process (likely something I installed)
The real fix is not to simply edit the registry as I listed above, but is to regsvr32 the ieproxy.dll located in C:\program files\internet explorer or c:\program files (x86)\internet explorer
First click on the Windows button and type cmd in the search box.
Now right click on cmd and select Run as administrator
Now type in the following command:
regsvr32 "C:\program files\internet explorer\ieproxy.dll"
If you have a 64bit version of Windows register the 32bit version of IE
regsvr32 "C:\program files (x86)\internet explorer\ieproxy.dll"
If the registration was successful you will see the following message. At this point click OK.
That’s it I hope this helps some of you guys\gals.
Hello everyone I wanted to post an update that we are still here and will soon be posting a few new blogs. We have been watching the incredible transformation that is occurring with IE 9 and found ourselves sidetracked from our IE 8 post. I guess that is our ADD showing through.
If you haven’t checked out the IE 9 beta or any of the previews you are missing out. Go to http://www.beautyoftheweb.com/ or http://ie.microsoft.com/testdrive/ for some very cool stuff.
Anyways if you are still on IE 6 but are looking to make the leap to IE 8 you should check out this video. It is a little over an hour but well worth your time.
Migrating from Internet Explorer 6 to Internet Explorer 8
Ok ran into something pretty cool with Windows 7 and Internet Explorer 8 as it relates to Authorization headers. Let’s say you happen to have your internal web servers configured to require Kerberos authentication, and you just happen to have fiddler or a network trace running when you connected to the server. You will notice your typical 401 auth challenge and upon a successful connection IE 8 will send the Authorization http header. (See example below)
It appears that every GET or POST request will automatically include the authorization header this is called request-based auth. The benefit of request-based auth is that you avoid the whole 401 auth war that can break out on the wire. This is actually a performance enhancement that appears to only exist in Windows 7. IE 8 on Vista\XP do not use this enhancement, maybe Microsoft will backport this feature someday.
So here is my side by side of the two different auth methods used by IE 8 depending on your OS.
| IE 8 on XP and Vista | IE 8 on Windows 7 and 2008 R2 |
|
|
So how do you make IE8 on Windows 7 flip back to the Connection Based Auth method?
Simple send down a header from the web server. That header you will want to include is called the
Persistent-Auth header. If you set it equal to true IE 8 on Windows 7 will no longer send the Auth header in each request. You can read more about this in the following two locations.
http://msdn.microsoft.com/en-us/library/dd341152(PROT.10).aspx
http://msdn.microsoft.com/en-us/library/ee393311(v=PROT.10).aspx
I know this is IE 6 and who cares about IE 6 right? Well lots of corporations still use IE 6 for their day to day business activities. So here it is…
Environment
Internet Explorer 6 on Windows XP (sp2\3), you are using a .pac file to configure your proxy settings. Users access websites that require them to supply Kerberos credentials.
Results
Users see the informative error message “HTTP Error 401 – Unauthorized: Access is denied due to invalid credentials.” At this point your phone lights up like a Christmas tree.
Reason
Bug resolved with http://support.microsoft.com/kb/921400
This is great I just blogged about something that Microsoft fixed back in 2006. But I promise I am not wasting your time. Here is why; after you install this fix or a much later version of wininet.dll that is on the Microsoft QFE branch you must add the following registry key to actually “turn on the fix”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\
FEATURE_AUTOPROXY_CACHE_ANAME_KB921400
Value Name: iexplore.exe
Data Type: REG_DWord
Value: = 1
NOTE: you will need to create a key named FEATURE_AUTOPROXY_CACHE_ANAME_KB921400 before you can specify the process.
NOTE 2: If you have a process other than iexplore.exe that you feel needs this fix then just add your process under this registry key.
NOTE 3: Or if you just want this on for all processes use an asterisk * in the place of the process name.
Ok that it for IE 6 today oh and btw this does not apply to IE 7 or IE 8 seems like they fixed the glitch.
I felt this was important to re-document and see if we can expand on it. Please see the ping back to where most of this content came from. The guy does a great job and deserves the credit. I am going to work to expand this information where possible so think of this post as a living post subject to updates 
Pingback: http://www.innovation.ch/personal/ronald/ntlm.html
Introduction
This is an attempt at documenting the undocumented NTLM authentication scheme used by M$’s browsers, proxies, and servers (MSIE and IIS); this scheme is also sometimes referred to as the NT challenge/response (NTCR) scheme. Most of the info here is derived from three sources (see also the Resources section at the end of this document): Paul Ashton’s work on the NTLM security holes, the encryption documentation from Samba, and network snooping. Since most of this info is reverse-engineered it is bound to contain errors; however, at least one client and one server have been implemented according to this data and work successfully in conjunction with M$’s browsers, proxies and servers.
Note that this scheme is not as secure as Digest and some other schemes; it is slightly better than the Basic authentication scheme, however.
Also note that this scheme is not an http authentication scheme – it’s a connection authentication scheme which happens to (mis-)use http status codes and headers (and even those incorrectly).
NTLM Handshake
When a client needs to authenticate itself to a proxy or server using the NTLM scheme then the following 4-way handshake takes place (only parts of the request and status line and the relevant headers are shown here; "C" is the client, "S" the server):
1: C --> S GET ...
2: C <-- S 401 Unauthorized
WWW-Authenticate: NTLM
3: C --> S GET ...
Authorization: NTLM <base64-encoded type-1-message>
4: C <-- S 401 Unauthorized
WWW-Authenticate: NTLM <base64-encoded type-2-message>
5: C --> S GET ...
Authorization: NTLM <base64-encoded type-3-message>
6: C <-- S 200 Ok
Messages
The three messages sent in the handshake are binary structures. Each one is described below as a pseudo-C struct and in a memory layout diagram. byte is an 8-bit field; short is a 16-bit field. All fields are unsigned. Numbers are stored in little-endian order. Struct fields named zero contain all zeroes. An array length of "*" indicates a variable length field. Hexadecimal numbers and quoted characters in the comments of the struct indicate fixed values for the given field.
The field flags is presumed to contain flags, but their significance is unknown; the values given are just those found in the packet traces.
Type-1 Message
This message contains the host name and the NT domain name of the client.
struct {
byte protocol[8]; // 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'
byte type; // 0x01
byte zero[3];
short flags; // 0xb203
byte zero[2];
short dom_len; // domain string length
short dom_len; // domain string length
short dom_off; // domain string offset
byte zero[2];
short host_len; // host string length
short host_len; // host string length
short host_off; // host string offset (always 0x20)
byte zero[2];
byte host[*]; // host string (ASCII)
byte dom[*]; // domain string (ASCII)
} type-1-message
0 1 2 3
+-------+-------+-------+-------+
0: | 'N' | 'T' | 'L' | 'M' |
+-------+-------+-------+-------+
4: | 'S' | 'S' | 'P' | 0 |
+-------+-------+-------+-------+
8: | 1 | 0 | 0 | 0 |
+-------+-------+-------+-------+
12: | 0x03 | 0xb2 | 0 | 0 |
+-------+-------+-------+-------+
16: | domain length | domain length |
+-------+-------+-------+-------+
20: | domain offset | 0 | 0 |
+-------+-------+-------+-------+
24: | host length | host length |
+-------+-------+-------+-------+
28: | host offset | 0 | 0 |
+-------+-------+-------+-------+
32: | host string |
+ +
. .
. .
+ +-----------------+
| | domain string |
+-------------+ +
. .
. .
+-------+-------+-------+-------+
The host and domain strings are ASCII (or possibly ISO-8859-1), are uppercased, and are not nul-terminated. The host name is only the host name, not the FQDN (e.g. just "GOOFY", not "GOOFY.DISNEY.COM"). The offsets refer to the offset of the specific field within the message, and the lengths are the length of specified field. For example, in the above message host_off = 32 and dom_off = host_off + host_len. Note that the lengths are included twice (for some unfathomable reason).
Type-2 Message
This message contains the server’s NTLM challenge.
struct {
byte protocol[8]; // 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'
byte type; // 0x02
byte zero[7];
short msg_len; // 0x28
byte zero[2];
short flags; // 0x8201
byte zero[2];
byte nonce[8]; // nonce
byte zero[8];
} type-2-message
0 1 2 3
+-------+-------+-------+-------+
0: | 'N' | 'T' | 'L' | 'M' |
+-------+-------+-------+-------+
4: | 'S' | 'S' | 'P' | 0 |
+-------+-------+-------+-------+
8: | 2 | 0 | 0 | 0 |
+-------+-------+-------+-------+
12: | 0 | 0 | 0 | 0 |
+-------+-------+-------+-------+
16: | message len | 0 | 0 |
+-------+-------+-------+-------+
20: | 0x01 | 0x82 | 0 | 0 |
+-------+-------+-------+-------+
24: | |
+ server nonce |
28: | |
+-------+-------+-------+-------+
32: | 0 | 0 | 0 | 0 |
+-------+-------+-------+-------+
36: | 0 | 0 | 0 | 0 |
+-------+-------+-------+-------+
The nonce is used by the client to create the LanManager and NT responses (see Password Hashes). It is an array of 8 arbitrary bytes. The message length field contains the length of the complete message, which in this case is always 40.
Type-3 Message
This message contains the username, host name, NT domain name, and the two "responses".
struct {
byte protocol[8]; // 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'
byte type; // 0x03
byte zero[3];
short lm_resp_len; // LanManager response length (always 0x18)
short lm_resp_len; // LanManager response length (always 0x18)
short lm_resp_off; // LanManager response offset
byte zero[2];
short nt_resp_len; // NT response length (always 0x18)
short nt_resp_len; // NT response length (always 0x18)
short nt_resp_off; // NT response offset
byte zero[2];
short dom_len; // domain string length
short dom_len; // domain string length
short dom_off; // domain string offset (always 0x40)
byte zero[2];
short user_len; // username string length
short user_len; // username string length
short user_off; // username string offset
byte zero[2];
short host_len; // host string length
short host_len; // host string length
short host_off; // host string offset
byte zero[6];
short msg_len; // message length
byte zero[2];
short flags; // 0x8201
byte zero[2];
byte dom[*]; // domain string (unicode UTF-16LE)
byte user[*]; // username string (unicode UTF-16LE)
byte host[*]; // host string (unicode UTF-16LE)
byte lm_resp[*]; // LanManager response
byte nt_resp[*]; // NT response
} type-3-message
0 1 2 3
+-------+-------+-------+-------+
0: | 'N' | 'T' | 'L' | 'M' |
+-------+-------+-------+-------+
4: | 'S' | 'S' | 'P' | 0 |
+-------+-------+-------+-------+
8: | 3 | 0 | 0 | 0 |
+-------+-------+-------+-------+
12: | LM-resp len | LM-Resp len |
+-------+-------+-------+-------+
16: | LM-resp off | 0 | 0 |
+-------+-------+-------+-------+
20: | NT-resp len | NT-Resp len |
+-------+-------+-------+-------+
24: | NT-resp off | 0 | 0 |
+-------+-------+-------+-------+
28: | domain length | domain length |
+-------+-------+-------+-------+
32: | domain offset | 0 | 0 |
+-------+-------+-------+-------+
36: | user length | user length |
+-------+-------+-------+-------+
40: | user offset | 0 | 0 |
+-------+-------+-------+-------+
44: | host length | host length |
+-------+-------+-------+-------+
48: | host offset | 0 | 0 |
+-------+-------+-------+-------+
52: | 0 | 0 | 0 | 0 |
+-------+-------+-------+-------+
56: | message len | 0 | 0 |
+-------+-------+-------+-------+
60: | 0x01 | 0x82 | 0 | 0 |
+-------+-------+-------+-------+
64: | domain string |
+ +
. .
. .
+ +-------------------+
| | user string |
+-----------+ +
. .
. .
+ +-------------+
| | host string |
+-----------------+ +
. .
. .
+ +---------------------------+
| | LanManager-response |
+---+ +
. .
. .
+ +------------------+
| | NT-response |
+------------+ +
. .
. .
+-------+-------+-------+-------+
The host, domain, and username strings are in Unicode (UTF-16, little-endian) and are not nul-terminated; the host and domain names are in upper case. The lengths of the response strings are 24.
Password Hashes
To calculate the two response strings two password hashes are used: the LanManager password hash and the NT password hash. These are described in detail at the beginning of the Samba ENCRYPTION.html document. However, a few things are not clear (such as what the magic constant for the LanManager hash is), so here is some almost-C code which calculates the two responses. Inputs are passw and nonce, the results are in lm_resp and nt_resp.
/* setup LanManager password */
char lm_pw[14];
int len = strlen(passw);
if (len > 14) len = 14;
for (idx=0; idx<len; idx++)
lm_pw[idx] = toupper(passw[idx]);
for (; idx<14; idx++)
lm_pw[idx] = 0;
/* create LanManager hashed password */
unsigned char magic[] = { 0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 };
unsigned char lm_hpw[21];
des_key_schedule ks;
setup_des_key(lm_pw, ks);
des_ecb_encrypt(magic, lm_hpw, ks);
setup_des_key(lm_pw+7, ks);
des_ecb_encrypt(magic, lm_hpw+8, ks);
memset(lm_hpw+16, 0, 5);
/* create NT hashed password */
int len = strlen(passw);
char nt_pw[2*len];
for (idx=0; idx<len; idx++)
{
nt_pw[2*idx] = passw[idx];
nt_pw[2*idx+1] = 0;
}
unsigned char nt_hpw[21];
MD4_CTX context;
MD4Init(&context);
MD4Update(&context, nt_pw, 2*len);
MD4Final(nt_hpw, &context);
memset(nt_hpw+16, 0, 5);
/* create responses */
unsigned char lm_resp[24], nt_resp[24];
calc_resp(lm_hpw, nonce, lm_resp);
calc_resp(nt_hpw, nonce, nt_resp);
Helpers:
/*
* takes a 21 byte array and treats it as 3 56-bit DES keys. The
* 8 byte plaintext is encrypted with each key and the resulting 24
* bytes are stored in the results array.
*/
void calc_resp(unsigned char *keys, unsigned char *plaintext, unsigned char *results)
{
des_key_schedule ks;
setup_des_key(keys, ks);
des_ecb_encrypt((des_cblock*) plaintext, (des_cblock*) results, ks, DES_ENCRYPT);
setup_des_key(keys+7, ks);
des_ecb_encrypt((des_cblock*) plaintext, (des_cblock*) (results+8), ks, DES_ENCRYPT);
setup_des_key(keys+14, ks);
des_ecb_encrypt((des_cblock*) plaintext, (des_cblock*) (results+16), ks, DES_ENCRYPT);
}
/*
* turns a 56 bit key into the 64 bit, odd parity key and sets the key.
* The key schedule ks is also set.
*/
void setup_des_key(unsigned char key_56[], des_key_schedule ks)
{
des_cblock key;
key[0] = key_56[0];
key[1] = ((key_56[0] << 7) & 0xFF) | (key_56[1] >> 1);
key[2] = ((key_56[1] << 6) & 0xFF) | (key_56[2] >> 2);
key[3] = ((key_56[2] << 5) & 0xFF) | (key_56[3] >> 3);
key[4] = ((key_56[3] << 4) & 0xFF) | (key_56[4] >> 4);
key[5] = ((key_56[4] << 3) & 0xFF) | (key_56[5] >> 5);
key[6] = ((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6);
key[7] = (key_56[6] << 1) & 0xFF;
des_set_odd_parity(&key);
des_set_key(&key, ks);
}
Keeping the connection alive
As mentioned above, this scheme authenticates connections, not requests. This manifests itself in that the network connection must be kept alive during the second part of the handshake, i.e. between the receiving of the type-2 message from the server (step 4) and the sending of the type-3 message (step 5). Each time the connection is closed this second part (steps 3 through 6) must be repeated over the new connection (i.e. it’s not enough to just keep sending the last type-3 message). Also, once the connection is authenticated, the Authorization header need not be sent anymore while the connection stays open, no matter what resource is accessed.
For implementations wishing to work with M$’s software this means that they must make sure they use either HTTP/1.0 keep-alive’s or HTTP/1.1 persistent connections, and that they must be prepared to do the second part of the handshake each time the connection was closed and is reopened. Server implementations must also make sure that HTTP/1.0 responses contain a Content-length header (as otherwise the connection must be closed after the response), and that HTTP/1.1 responses either contain a Content-length header or use the chunked transfer encoding.
Example
Here is an actual example of all the messages. Assume the host name is "LightCity", the NT domain name is "Ursa-Minor", the username is "Zaphod", the password is "Beeblebrox", and the server sends the nonce "SrvNonce". Then the handshake is:
C -> S GET ...
S -> C 401 Unauthorized
WWW-Authenticate: NTLM
C -> S GET ...
Authorization: NTLM TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S
S -> C 401 Unauthorized
WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAU3J2Tm9uY2UAAAAAAAAAAA==
C -> S GET ...
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHIAAAAYABgAigAAABQAFABAAAAADAAMAFQAAAASABIAYAAAAAAAAACiAAAAAYIAAFUAUgBTAEEALQBNAEkATgBPAFIAWgBhAHAAaABvAGQATABJAEcASABUAEMASQBUAFkArYfKbe/jRoW5xDxHeoxC1gBmfWiS5+iX4OAN4xBKG/IFPwfH3agtPEia6YnhsADT
S -> C 200 Ok
and the unencoded messages are:
Type-1 Message:
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef 0: 4e 54 4c 4d 53 53 50 00 01 00 00 00 03 b2 00 00 "NTLMSSP........." 10: 0a 00 0a 00 29 00 00 00 09 00 09 00 20 00 00 00 "....)....... ..." 20: 4c 49 47 48 54 43 49 54 59 55 52 53 41 2d 4d 49 "LIGHTCITYURSA-MI" 30: 4e 4f 52 "NOR"
Type-2 Message:
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef 0: 4e 54 4c 4d 53 53 50 00 02 00 00 00 00 00 00 00 "NTLMSSP........." 10: 28 00 00 00 01 82 00 00 53 72 76 4e 6f 6e 63 65 "(.......SrvNonce" 20: 00 00 00 00 00 00 00 00 "........"
Type-3 Message:
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef 0: 4e 54 4c 4d 53 53 50 00 03 00 00 00 18 00 18 00 "NTLMSSP........." 10: 72 00 00 00 18 00 18 00 8a 00 00 00 14 00 14 00 "r..............." 20: 40 00 00 00 0c 00 0c 00 54 00 00 00 12 00 12 00 "@.......T......." 30: 60 00 00 00 00 00 00 00 a2 00 00 00 01 82 00 00 "`..............." 40: 55 00 52 00 53 00 41 00 2d 00 4d 00 49 00 4e 00 "U.R.S.A.-.M.I.N." 50: 4f 00 52 00 5a 00 61 00 70 00 68 00 6f 00 64 00 "O.R.Z.a.p.h.o.d." 60: 4c 00 49 00 47 00 48 00 54 00 43 00 49 00 54 00 "L.I.G.H.T.C.I.T." 70: 59 00 ad 87 ca 6d ef e3 46 85 b9 c4 3c 47 7a 8c "Y....m..F...<Gz." 80: 42 d6 00 66 7d 68 92 e7 e8 97 e0 e0 0d e3 10 4a "B..f}h.........J" 90: 1b f2 05 3f 07 c7 dd a8 2d 3c 48 9a e9 89 e1 b0 "...?....-<H....." a0: 00 d3 ".."
For reference, the intermediate hashed passwords are:
- lm_hpw (LanManager hashed password):
- 91 90 16 f6 4e c7 b0 0b a2 35 02 8c a5 0c 7a 03 00 00 00 00 00
- nt_hpw (NT hashed password):
- 8c 1b 59 e3 2e 66 6d ad f1 75 74 5f ad 62 c1 33 00 00 00 00 00
Resources
LM authentication in SMB/CIFS - http://www.ubiqx.org/cifs/SMB.html#SMB.8.3
- A document on cracking NTLMv2 authentication
- http://www.blackhat.com/presentations/win-usa-02/urity-winsec02.ppt
- Squid’s NLTM authentication project
- http://squid.sourceforge.net/ntlm/
- Encryption description for Samba
- http://de.samba.org/samba/ftp/docs/htmldocs/ENCRYPTION.html
- Info on the MSIE security hole
- http://oliver.efri.hr/~crv/security/bugs/NT/ie6.html
- FAQ: NT Cryptographic Password Attacks & Defences
- http://www.ntbugtraq.com/default.asp?sid=1&pid=47&aid=17
- M$’s hotfix to disable the sending of the LanManager response
- ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/lm-fix
- A description of M$’s hotfix
- http://www.tryc.on.ca/archives/bugtraq/1997_3/0070.html
Acknowledgements
Special thanks to the following people who helped with the collection and debugging of the above information:
UPDATE 10/20/2009:
It appears there is a bug introduced with MS09-054 which is the latest Internet Explorer Cumulative Security Update just released last Tuesday, Oct 13 2009. From the review the situation appears to be isolated to VBSCRIPT and only with very specific usage scenarios. Not sure about the rest of the world but we at IE8Blog gave on VBSCRIPT several years ago.
KB976749 You receive a VBScript "Type Mismatch" script error message in Internet Explorer after you install cumulative security update 974455
http://support.microsoft.com/kb/976749
A couple tests were run using the examples provided in the knowledge base article and it appears the issue involves MSHTML.DLL.
Hot off the security press Microsoft rev’s IE with the latest in security goodness.
Microsoft security updates for October 2009
http://www.microsoft.com/security/updates/bulletins/200910.aspx
Microsoft Security Bulletin MS09-054 – Critical
Cumulative Security Update for Internet Explorer (974455)
http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
MS09-054: Cumulative security update for Internet Explorer
http://support.microsoft.com/kb/974455
Affected Software
|
Operating System |
Component |
Maximum Security Impact |
Aggregate Severity Rating |
Bulletins Replaced by This Update |
|
Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1 |
|
|
|
|
|
Microsoft Windows 2000 Service Pack 4 |
Remote Code Execution |
Critical |
||
|
Microsoft Windows 2000 Service Pack 4 |
Remote Code Execution |
Critical |
||
|
Internet Explorer 6 |
|
|
|
|
|
Windows XP Service Pack 2 and Windows XP Service Pack 3 |
Remote Code Execution |
Critical |
||
|
Windows XP Professional x64 Edition Service Pack 2 |
Remote Code Execution |
Critical |
||
|
Windows Server 2003 Service Pack 2 |
Remote Code Execution |
Critical |
||
|
Windows Server 2003 x64 Edition Service Pack 2 |
Remote Code Execution |
Critical |
||
|
Windows Server 2003 with SP2 for Itanium-based Systems |
Remote Code Execution |
Critical |
||
|
Internet Explorer 7 |
|
|
|
|
|
Windows XP Service Pack 2 and Windows XP Service Pack 3 |
Remote Code Execution |
Critical |
||
|
Windows XP Professional x64 Edition Service Pack 2 |
Remote Code Execution |
Critical |
||
|
Windows Server 2003 Service Pack 2 |
Remote Code Execution |
Critical |
||
|
Windows Server 2003 x64 Edition Service Pack 2 |
Remote Code Execution |
Critical |
||
|
Windows Server 2003 with SP2 for Itanium-based Systems |
Remote Code Execution |
Critical |
||
|
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 |
Remote Code Execution |
Critical |
||
|
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 |
Remote Code Execution |
Critical |
||
|
Windows Server 2008 for 32-bit Systems* and Windows Server 2008 for 32-bit Systems Service Pack 2* |
Remote Code Execution |
Critical |
||
|
Windows Server 2008 for x64-based Systems* and Windows Server 2008 for x64-based Systems Service Pack 2* |
Remote Code Execution |
Critical |
||
|
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 |
Remote Code Execution |
Critical |
||
|
Internet Explorer 8 |
|
|
|
|
|
Windows XP Service Pack 2 and Windows XP Service Pack 3 |
Remote Code Execution |
Critical |
||
|
Windows XP Professional x64 Edition Service Pack 2 |
Remote Code Execution |
Critical |
||
|
Windows Server 2003 Service Pack 2 |
Remote Code Execution |
Critical |
||
|
Windows Server 2003 x64 Edition Service Pack 2 |
Remote Code Execution |
Critical |
||
|
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 |
Remote Code Execution |
Critical |
||
|
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 |
Remote Code Execution |
Critical |
||
|
Windows Server 2008 for 32-bit Systems* and Windows Server 2008 for 32-bit Systems Service Pack 2* |
Remote Code Execution |
Critical |
||
|
Windows Server 2008 for x64-based Systems* and Windows Server 2008 for x64-based Systems Service Pack 2* |
Remote Code Execution |
Critical |
||
|
Windows 7 for 32-bit Systems |
Remote Code Execution |
Critical |
None |
|
|
Windows 7 for x64-based Systems |
Remote Code Execution |
Critical |
None |
|
|
Windows Server 2008 R2 for x64-based Systems* |
Remote Code Execution |
Critical |
None |
|
|
Windows Server 2008 R2 for Itanium-based Systems |
Remote Code Execution |
Critical |
None |
Ok this post will be a little more Internet Explorer 7 focused but I thought it would be valuable to share.
So many times when I am attempting to print content off a webpage I find that the "Shrink To Fit” feature leaves a bit to be desired. I am starting out by opening http://msdn.microsoft.com as I would expect this page to render perfectly in IE and indeed it does.
Now by simply clicking on File – Print – Preview we will see a new rendering of the page which appears to look very different than the page I was just looking at. At first glance you might think hey all the content is there and it doesn’t look that bad.
But it’s when you compare this page to the same page in Firefox you see the difference.
Firefox actually even rendered the Ads and the layout looks more like the original page than the IE 7 rendering. The problem isn’t Shrink To Fit but more about how Internet Explorer is designed to print preview.
So what are your options? At this point I am not sure but I am posting this out there to see if anyone has found a good add-in that will scale the page down and still look nice. Post away on the comments.
In this article, you will learn how Proxy Auto-Disover configuration files , wpad.dat files, provide central administration for proxy connections to the Internet and how the algorithm sequence work.
When using Automatically Detect setting setting in IE will search a proxy auto-configuration file in the predefined detection methods:
NOTE: Only applies when ‘Automatically detect settings’ in Internet Options > connections > Lan Connections is the only option checked. Other options for configuring IE connection settings include Automatic Configuration Scripts and manually specifying a proxy server.
- DHCP (252 option)
- DNS A record query/queries
- NetBios
If DHCP is configured to provide the WPAD location, IE stops the detection and will make a GET request for the wpad.dat file and no further searching is done. This is true even if the DHCP 252 option is incorrect and a correct entry is configured as a DNS record.
If DHCP 252 is not configured, IE will continue until it either exhausts the search or gets a response:
- BootP request to DHCP for the 252 option containing the path to the wpad.dat file if DHCP 252 is not configured
- DNS A query for “wpad.” ex. wpad.domainname.com if the DNS query fails
- A Netbios query for a machine named WPAD occurs If Netbios fails
- A direct connection is attempted
If this attempt fails, the user is presented with the Cannot display the webpage or similar message.
The wpad.dat detection (steps 1 thru 3) occur when “Detecting proxy settings…” is displayed in the status bar in the lower left corner of the Internet Explorer window.
Example of a detection order:
- If a domain suffix is west.corp.contoso.com
IE will perform the following queries:
- wpad.west.corp.contoso.com
- wpad.corp.contoso.com
- wpad.contoso.com
NOTE: If a domain suffix search order has been specified, the first domain in the list will be used instead.
We have demostrated that there is potential overhead associated with the detection method and if you don’t ahve a WPAD solution, there is not readon to have this option enabled. Disabling this option can reduce network traffic as well as initial page laod times for Internet Explore. When we disable this option, IE will attempt to connect immediately.
Internet Explorer 8 has been out for a while now so why create another blog to talk about it? Well that simple. I feel that many questions go unanswered about how and why things happen when using Internet Explorer. We cannot go through life blaming everything on Microsoft, heck they actually do a great job trying to accommodate the needs of everyone. But along the way we run into quirky issues that sometimes drive you crazy, this is where my blog comes in.
While I don’t proclaim to be an expert in all things Internet Explorer I can hold my own. So I am going to put my efforts behind helping you; my readers, solve issues or at least understand why things are they way they are from an Internet Explorer point of view.
Please check back often as I have many topics I plan on covering.