What an odd problem with MSDN Subscriptions download site!

After I got my MSDN subscription, I immediately had some problems loading the File Transfer Manager ActiveX control from [https://msdn.microsoft.com/en-us/subscriptions/securedownloads/default.aspx]. If I click on any product from the menu on the left, and on the link to download an item, I get what appears to be a common VBScript warning.

VBScript: Microsoft File Transfer Manager
=====================================
There was an error launching File Transfer Manager.

If you are running Windows XP with Service Pack 2 or Windows Server 2003 with Service Pack 1, this installation may have been blocked. If the gold IE Information Bar is Present above, please click the bar and select the option to “Install ActiveX”.

For additional assistance, please visit the web site https://transfer.ds.microsoft.com, or contact your help provider.

=====================================

So, it looks like I have some IE settings preventing me from downloading the ActiveX control FTM uses to get the download manager window. I have another computer and this works just fine. I can see that with the VBScript dialog warning, you should also get a yellow bar security warning which allows the user to download the FTM ActiveX control, but on this particular Windows 7 machine, this is not happening.

I had to do some digging around only to find out that my Windows 7 machine had the FTM GUID blocked (killbit), therefore preventing the FTM ActiveX control from being instantiated.

I have no idea what may have caused this machine to add the FTM to the ActiveX Compatibility List in IE, maybe something I did trying to protect my computer :-). I know that I do run a lot of security applications :-) and some development that may have caused me the pain, but I am happy to say that it was really easy to fix.

The FTM GUID is: {82774781-8F4E-11D1-AB1C-0000F8773BF0}

Here is what you have to do:
> Set the {82774781-8F4E-11D1-AB1C-0000F8773BF0} compatibility flag to dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{82774781-8F4E-11D1-AB1C-0000F8773BF0}]
   "Compatibility Flags"=dword:00000000

OR

> Delete the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{82774781-8F4E-11D1-AB1C-0000F8773BF0} entry

> You can use the Batch File below to help you quickly make the change

Steps:
> Please cut and paste the code below into notepad and save it as ActivateFTM.cmd or .bat
 
  :: ENABLES FTM ActiveX GUID
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{82774781-8F4E-11D1-AB1C-0000F8773BF0}" /V "Compatibility Flags" /t REG_DWORD /d 0 /f

> Make sure Internet Explorer is not running (confirm by opening Task Manager and killing any IExplore.exe process)
> Run the ActivateFTM.cmd batch file
> Open the 32-bit Internet Explorer application and navigate to the MSDN Subscription/Download page
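A kill bit is usually set deliberately, by a security update or a hardening tool, so it is worth recording what the value was in both registry views before zeroing it. The following is an added example, not part of the original post: it reads the text of a .reg export of the ActiveX Compatibility key and reports which CLSIDs have the kill bit (bit 0x00000400 of Compatibility Flags) set. The sample export, its flag values and the second CLSID are constructed placeholders.

```python
import re

KILL_BIT = 0x00000400  # Compatibility Flags bit that stops IE from instantiating the control

SECTION = re.compile(r"^\[(?P<key>.+)\]$")
CLSID_KEY = re.compile(
    r"\\Internet Explorer\\ActiveX Compatibility\\(?P<clsid>\{[0-9A-F-]{36}\})$",
    re.IGNORECASE,
)
FLAGS = re.compile(r'^"Compatibility Flags"=dword:(?P<val>[0-9A-F]{8})$', re.IGNORECASE)

# Constructed sample. A real "reg export" file is UTF-16 and must be decoded to text first.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{82774781-8F4E-11D1-AB1C-0000F8773BF0}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{82774781-8F4E-11D1-AB1C-0000F8773BF0}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00800400
'''


def audit_reg_export(text):
    """Return (view, clsid, flags, killbit_set) for every CLSID entry in the export."""
    results, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            key = section.group("key")
            hit = CLSID_KEY.search(key)
            current = None
            if hit:
                # 32-bit IE on 64-bit Windows reads the Wow6432Node view.
                view = "32-bit" if "\\wow6432node\\" in key.lower() else "native"
                current = (view, hit.group("clsid").upper())
            continue
        flags = FLAGS.match(line)
        if flags and current:
            value = int(flags.group("val"), 16)
            # Test the bit, not equality: other compatibility bits may be set too.
            results.append((*current, value, bool(value & KILL_BIT)))
    return results


def killbitted(text):
    """Only the (view, clsid) pairs whose kill bit is set."""
    return [(view, clsid) for view, clsid, _, blocked in audit_reg_export(text) if blocked]


if __name__ == "__main__":
    for view, clsid, value, blocked in audit_reg_export(SAMPLE_EXPORT):
        print(f"{view:7} {clsid} flags=0x{value:08X} killbit={'yes' if blocked else 'no'}")
```
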
 

BTW: IE9 will rule the browser world…I love what Microsoft is doing :-)

 

Let's start off with an exciting presentation from Mix10, and by the way, take the time to watch the entire presentation. You will see some cool stuff, we promise.  VIDEO: Keynote Day 2

So how cool was that? Now do not tell your friends about this secret link, http://ie.microsoft.com/testdrive. You too can get a copy of the preview version of IE9 from the demos in the video and even run the same examples on your own system side-by-side with your current version of Internet Explorer.

We must warn you the preview is not going to be what you expect with respect to toolbars so please read TestDrive FAQ before you start thinking that there is something wrong.

There is one other very important note, if you are on Windows XP you will be very disappointed. Windows XP is not a supported operating system and from the looks of it IE9 is not even on the radar for Windows XP support. Sorry but it is time to move on and get Windows 7 up and running.

Now do not be afraid, just install the package. The preview runs side-by-side as a standalone install; it is not going to take over your system, force you to reboot, etc. Now I have to say this is cool as well. Wait a second, that has never happened in the history of Internet Explorer. If you read this twice, it is not a typo: IE9 will install as a stand-alone package, and yes, you can run IE9 and IE8 at the same time. :-)

Wait a second how in the world can Internet Explorer be cool. If you watched the video you know the answer to the question. If you did not watch the video then go back and watch the video.

A couple of other notes to bring to the surface.

IE9 loves your video card. That 1GB 64 GPU video adapter can get a work out with IE9.  Rendering, rendering, and did we at IE8BLOG.com mention rendering is fast.

Do you have an extra core not being used in your system when surfing? Well, never fear, IE9 has this underutilized resource covered as well. How about IE9 compiling the JavaScript code from the web pages you are loading on the fly on one of the processors in your quad-core HP that you purchased from Best Buy?

CSS standards, well this is a never ending story. Great news as well. Write one set of CSS and run that CSS on IE, FF, Chrome, Safari… Is this cool, you bet no more HACKS.

JSCRIPT performance: IE9 is FAST, take a look if you do not believe us. Run the tests yourself on your own system, http://ie.microsoft.com/testdrive.

Now we are not promoting the installation of Firefox, Chrome, or Safari if you do not have them installed. Remember, you can compare the current version of IE you have installed against the side-by-side install of the IE9 preview. So, please do not clutter up your system with other browsers unless you are a developer building multiple browser compatible web sites.

So get your preview of IE9 installed, use it, play around, load your favorite sites. If something does not work then report it via the Report Issue menu option.

If you are a Firefox Firebug person, you need to load the Developer Tools from the menu. Even if you are an IT Pro, this tool is for you as well. You can now effectively show basic performance data from an end user's machine to your developer via the Network tab.

Okay, after you are done with the first video and tinkering with the preview, dive into a deeper look at IE9 with the following video from Mix10. VIDEO: In-Depth Look at Internet Explorer 9

 

Stay tuned for more, IE9 is going to really heat things up and we can not wait to see the public beta release.

Over the years Control Panel has been through several face lifts. For the most part it is not an IT Professional's best friend like it used to be. Once you give this little trick a try, Control Panel will regain the respect it used to have. Say good-bye to the home user interface forever.

Enabling the enhanced Control Panel was discussed on CNET.COM recently. CNET.COM has dubbed the new view 'GodMode'. The write-up is great, but there is an easier way, which was pointed out to the folks at ie8blog.com, and that is to create a shortcut on the desktop with the following.

C:\Windows\explorer.exe shell:::{ED7BA470-8E54-465E-825C-99712043E01C}

For all you Windows Vista users, feel free to give it a try. This undocumented feature (or, as some are calling it, an Easter Egg) has been around for some time, since it works on Windows Vista. On Windows 2008 R2 there are no problems, it works like a champ, and we suspect Windows 2008 (R1) will work as well.

What else do you get with Extended Control Panel?

a. Search is great: start typing and the list will filter dynamically. Very nice. Clear the filter to reset. This is on the top right.

b. Views work like you would expect. We like the Small Icon view which allows you to see more items and still maintain the descriptive tile.

References: http://news.cnet.com/8301-13860_3-10423985-56.html?tag=newsEditorsPicksArea.0

Give it a try you will not be disappointed.

Hi,

I am sharing an .exe that will help you disable IE Enhanced Security on Windows 2008 or Windows 2003 TS Servers.

Microsoft article  933991 outlines some of the known issues around IE Enhanced Security in Terminal Servers, but it does not provide you the Fix/Solution when dealing with an AD Environment. Here I will show you how you could potentially affect both New users as well as Existing users.

The Scenario:

When you log on as a regular user, you discover that you cannot manage the IE Security Settings. Basically, the option to add Trusted Sites is grayed out, or a pre-defined group policy appears not to be applied.

Cause:

This is because IE Enhanced Security was turned on and tattooed the user's profile.

We also know that this is an old issue that has carried over to newer Windows Servers: even when you have disabled IE Enhanced Security from the UI, it does not properly update the registry until you go back and enable and then disable it again. This action will only affect new users; existing users will still have the entries in their profiles/registry.

Resolution:

I have written a .bat file and an .exe that will fix the problem profile. You will have to execute the .bat or .exe while logged on with the user account in order to affect the user profile. So, to fix this particular scenario, you would first want to fix the .default profile by creating a new local user account. Fix this account with the .bat or .exe file, which will add the entries below, and then copy this new profile to the .default profile.

To affect existing users, you can use the .exe or .bat as a logon script.

This is the best way you can affect everyone.

Download the .exe: IEHarden_Disable.

 

Keys the .exe will affect:

Basically, I am running a fix.reg with following keys:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
@=""
"IEHarden"=dword:00000000
"UNCAsIntranet"=dword:00000000
"AutoDetect"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents]
"iehardenadmin"=dword:00000000
"iehardenuser"=dword:00000000

 

From the .exe, I have a bat that will execute the following Command:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

regedit /s fix.reg

Rundll32 iesetup.dll,IEHardenUser

Rundll32 iesetup.dll,IEHardenAdmin

Rundll32 iesetup.dll,IEHardenMachineNow

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Here is a .BAT file that will perform the same function outlined above, but using reg.exe.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

::Related Article

::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server

::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

 

:: If required, backup the registry keys

:: This is always a good idea before making registry changes

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" "HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A7-37EF-4b3f-8CFC-4F3A74704073.reg"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" "HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A8-37EF-4b3f-8CFC-4F3A74704073.reg"

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f

Rundll32 iesetup.dll, IEHardenLMSettings

Rundll32 iesetup.dll, IEHardenUser

Rundll32 iesetup.dll, IEHardenAdmin

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va

 

 


Related Article

933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server

http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

Profile Article: 

http://technet.microsoft.com/en-us/library/cc766489(WS.10).aspx

Known issue with Windows 2008 and Profile Creation:

The documents you may find out there may not properly cover profile creation for Windows 2008 or Vista, so we have to use the steps below.

If we select "C:\Users\Default" as the path in Step 7-e of this article, it wipes all the data from the directory (after giving a warning, of course).
When a new user logs on, it picks up the custom profile from "C:\Users\Default".
The side effect of this workaround is that, as all the data is lost from "C:\Users\Default", the junction points are also removed.

Note that in Windows Server 2008 and Windows Vista, there are junction points associated for the profile folders.

http://msdn.microsoft.com/en-us/library/bb968829(VS.85).aspx
http://www.svrops.com/svrops/articles/jpoints.htm

There might be an application which has dependencies with these junction points. So below is the valid solution for this.

Solution

The following TechNet article talks about the valid steps to customize the default user profile.

Managing Roaming User Data Deployment Guide (Section : Create a Default Network User Profile)
http://technet.microsoft.com/en-us/library/cc766489.aspx

Creating the new profile:

1)       Log on to a computer running Windows 2008 with any domain user account. Do not use a domain administrator account.

2)      Configure user settings such as connection settings and zone settings, whatever it is you want this profile to have. Run the IE Enhanced Security .exe or .bat file so that this profile gets the IE Enhanced Security settings (turned off). Log off the computer. MAKE SURE YOU TEST THIS NEW USER PROFILE!!! Log out and log back in and double-check your settings to make sure this is what you want/need, then move to the next steps.

3)      Log on to the computer used in step 1 with a domain administrator account.

4)      Click Start, right-click Computer, and then click Properties.

5)       Click Start, right-click Computer, and then click Properties.

6)      Click Advanced System Settings. Under User Profiles, click Settings.

7)       The User Profiles dialog box shows a list of profiles stored on the computer. Click the name of the user you used in step 1. Click Copy To.

8)      In the Copy To dialog box, click on Browse button and find path to the Windows default user folder.

9)      In Permitted to use, click Change. Type the name Everyone ,and then click OK.

10)    Click OK to commit the changes.

NOTE:  You can copy the working profile to your Sysvol netlogon share if you would like to affect everyone on your domain. Windows will use the local default profile when it cannot locate a default network profile.

                  It may be favorable to perform these steps during off-peak hours, if you are using a production environment. A default network profile is optional.

                  You can also use the .exe as a logon script, but this will be executed every time the user logs on to your network and it is not the best case scenario.

 

Download:

You can download the zip file that contains the .exe from here.

 

Have fun,

Cheli

View the Compatibility List within Internet Explorer 8.0.

Place the following in the IE address bar and press enter: res://iecompat.dll/iecompatdata.xml

iecompatdata.xml is a resource object inside of iecompat.dll. Unless you program, you may not know what this means, which is okay. The takeaway is that iecompatdata.xml is not a physical file on the hard disk but is stored inside of iecompat.dll.

If you are not familiar with the new Compatibility View List feature, the following is a good starting point. To have your site added or removed, or to dispute the addition or removal of a site, review the end of the following article on how to properly contact Microsoft.

Understanding the Compatibility View List

http://msdn.microsoft.com/en-us/library/dd567845(VS.85).aspx

Summary from the above article:

By default, Internet Explorer 8 displays standards-based Web sites as closely to industry standards as possible. Certain Web sites do not display properly when viewed in Internet Explorer 8 Standards mode. To try to display such sites correctly, users can enable Compatibility View.

There are three ways to enable Compatibility View.

  • Clicking the Compatibility View button in the Address bar. When displayed, this button appears to the left of the Refresh button and contains an image of a broken piece of paper. This enables Compatibility mode for all documents in the domain of the Web site being viewed.
  • Enabling the "Display all websites in Compatibility Mode setting" in the Compatibility View Settings.
  • Enabling the Compatibility View List, which defines a list of Web sites that are automatically displayed in Compatibility View.

This article describes the Compatibility View List, also known as the Compatibility List. It explains how the Compatibility View List was created, how to determine if your site is in the list, and how to have your site removed from the list.

For the user, Microsoft provides the Compatibility View icon, which is the one circled in RED.

Compatibility View icon

Sites in the Compatibility List, sites you have added to the compatibility list, or sites that may have elected to send the special HTTP emulation header will not show the icon.

There are two ways to implement the X-UA-Compatible options.

The first is via a META tag in the <HEAD> section of the page.

<META HTTP-EQUIV="X-UA-COMPATIBLE" CONTENT="IE=EmulateIE7">

The second is at the web server level, as an HTTP header.

X-UA-Compatible: IE=EmulateIE7

The following list outlines the supported values that can be applied.

IE=8 – Web page supports IE8 mode, which is also called "IE8 standards mode."

IE=7 – Web page supports IE7 mode, which is also called "IE7 standards mode."

IE=5 – Web page supports IE5 mode, which is also called "quirks mode."

IE=EmulateIE8 – If the Web page specifies a standards-based DOCTYPE directive, the page supports IE8 mode; otherwise, it supports IE5 mode ("quirks mode").

IE=EmulateIE7 – If the Web page specifies a standards-based DOCTYPE directive, the page supports IE7 mode; otherwise, it supports IE5 mode ("quirks mode").

IE=Edge – Web page supports the highest mode available to the version of Internet Explorer used to display the page. This option is generally intended for testing purposes.

There is a nice write-up about compatibility at the following.

Internet Explorer Compatibility

http://msdn.microsoft.com/en-us/ie/cc405106.aspx

 

 

99% of the time starting IE is just a simple click of the mouse.

iexplore.exe -embedding -extoff -framemerging -k -noframemerging -private URL

-embedding Used to start Internet Explorer via OLE Embedding.

-extoff Internet Explorer 7 and later. Starts Internet Explorer in No Add-ons mode, which can be used to troubleshoot problems with browser add-ons.

-framemerging Internet Explorer 8 and later. Allows Internet Explorer to opportunistically merge new frame processes into existing frame processes.

-k Starts Internet Explorer in kiosk mode; the browser is opened in a maximized window that does not display the address bar, the navigation buttons, or the status bar.

-noframemerging Internet Explorer 8 and later. Prevents Internet Explorer from opportunistically merging new frame processes into existing frame processes.

-private Internet Explorer 8 and later. Starts Internet Explorer with InPrivate Browsing set to active.

URL After starting, Internet Explorer navigates to the page or resource specified as the URL.

Web Browser Control
http://msdn.microsoft.com/en-au/library/aa752040(VS.85).aspx

Troubleshooting Internet Explorer Add-ons
http://blogs.msdn.com/ie/archive/2006/07/25/678113.aspx

Internet Explorer 8 and Reliability
http://blogs.msdn.com/ie/archive/2008/07/28/ie8-and-reliability.aspx

InPrivate Browsing: Frequently Asked Questions
http://blogs.msdn.com/ie/archive/2006/07/25/678113.aspx

Options that are no longer valid starting with IE8.

-channelband -e -eval -nomerge -new -nowait -remote -v -version

Two interesting options are -framemerging and -noframemerging. We will try to find some real world examples that show the plus and minus of these options and update the post.

I know this is IE 6 and who cares about IE 6 right?  Well lots of corporations still use IE 6 for their day to day business activities. So here it is…

Environment

Internet Explorer 6 on Windows XP (sp2\3), you are using a .pac file to configure your proxy settings. Users access websites that require them to supply Kerberos credentials.

Results

Users see the informative error message “HTTP Error 401 – Unauthorized: Access is denied due to invalid credentials.” At this point your phone lights up like a Christmas tree.

Reason

Bug resolved with http://support.microsoft.com/kb/921400 

 

This is great I just blogged about something that Microsoft fixed back in 2006. But I promise I am not wasting your time. Here is why; after you install this fix or a much later version of wininet.dll that is on the Microsoft QFE branch you must add the following registry key to actually “turn on the fix”

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\
FEATURE_AUTOPROXY_CACHE_ANAME_KB921400
Value Name: iexplore.exe
Data Type: REG_DWord
Value: 1

NOTE: you will need to create a key named FEATURE_AUTOPROXY_CACHE_ANAME_KB921400 before you can specify the process.

NOTE 2: If you have a process other than iexplore.exe that you feel needs this fix then just add your process under this registry key.

NOTE 3: Or if you just want this on for all processes use an asterisk * in the place of the process name.

OK, that is it for IE 6 today. Oh, and by the way, this does not apply to IE 7 or IE 8; it seems like they fixed the glitch.

I felt this was important to re-document and see if we can expand on it. Please see the ping back to where most of this content came from. The guy does a great job and deserves the credit. I am going to work to expand this information where possible so think of this post as a living post subject to updates :-)

Pingback: http://www.innovation.ch/personal/ronald/ntlm.html

Introduction

This is an attempt at documenting the undocumented NTLM authentication scheme used by M$’s browsers, proxies, and servers (MSIE and IIS); this scheme is also sometimes referred to as the NT challenge/response (NTCR) scheme. Most of the info here is derived from three sources (see also the Resources section at the end of this document): Paul Ashton’s work on the NTLM security holes, the encryption documentation from Samba, and network snooping. Since most of this info is reverse-engineered it is bound to contain errors; however, at least one client and one server have been implemented according to this data and work successfully in conjunction with M$’s browsers, proxies and servers.

Note that this scheme is not as secure as Digest and some other schemes; it is slightly better than the Basic authentication scheme, however.

Also note that this scheme is not an http authentication scheme – it’s a connection authentication scheme which happens to (mis-)use http status codes and headers (and even those incorrectly).

NTLM Handshake

When a client needs to authenticate itself to a proxy or server using the NTLM scheme then the following 4-way handshake takes place (only parts of the request and status line and the relevant headers are shown here; "C" is the client, "S" the server):

    1: C  --> S   GET ...
    
    2: C <--  S   401 Unauthorized
                  WWW-Authenticate: NTLM
    
    3: C  --> S   GET ...
                  Authorization: NTLM <base64-encoded type-1-message>
    
    4: C <--  S   401 Unauthorized
                  WWW-Authenticate: NTLM <base64-encoded type-2-message>
    
    5: C  --> S   GET ...
                  Authorization: NTLM <base64-encoded type-3-message>
    
    6: C <--  S   200 Ok

Messages

The three messages sent in the handshake are binary structures. Each one is described below as a pseudo-C struct and in a memory layout diagram. byte is an 8-bit field; short is a 16-bit field. All fields are unsigned. Numbers are stored in little-endian order. Struct fields named zero contain all zeroes. An array length of "*" indicates a variable length field. Hexadecimal numbers and quoted characters in the comments of the struct indicate fixed values for the given field.

The field flags is presumed to contain flags, but their significance is unknown; the values given are just those found in the packet traces.

Type-1 Message

This message contains the host name and the NT domain name of the client.

    struct {
        byte    protocol[8];     // 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'
        byte    type;            // 0x01
        byte    zero[3];
        short   flags;           // 0xb203
        byte    zero[2];

        short   dom_len;         // domain string length
        short   dom_len;         // domain string length
        short   dom_off;         // domain string offset
        byte    zero[2];

        short   host_len;        // host string length
        short   host_len;        // host string length
        short   host_off;        // host string offset (always 0x20)
        byte    zero[2];

        byte    host[*];         // host string (ASCII)
        byte    dom[*];          // domain string (ASCII)
    } type-1-message
                 0       1       2       3
             +-------+-------+-------+-------+
         0:  |  'N'  |  'T'  |  'L'  |  'M'  |
             +-------+-------+-------+-------+
         4:  |  'S'  |  'S'  |  'P'  |   0   |
             +-------+-------+-------+-------+
         8:  |   1   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        12:  | 0x03  | 0xb2  |   0   |   0   |
             +-------+-------+-------+-------+
        16:  | domain length | domain length |
             +-------+-------+-------+-------+
        20:  | domain offset |   0   |   0   |
             +-------+-------+-------+-------+
        24:  |  host length  |  host length  |
             +-------+-------+-------+-------+
        28:  |  host offset  |   0   |   0   |
             +-------+-------+-------+-------+
        32:  |  host string                  |
             +                               +
             .                               .
             .                               .
             +             +-----------------+
             |             | domain string   |
             +-------------+                 +
             .                               .
             .                               .
             +-------+-------+-------+-------+

The host and domain strings are ASCII (or possibly ISO-8859-1), are uppercased, and are not nul-terminated. The host name is only the host name, not the FQDN (e.g. just "GOOFY", not "GOOFY.DISNEY.COM"). The offsets refer to the offset of the specific field within the message, and the lengths are the length of specified field. For example, in the above message host_off = 32 and dom_off = host_off + host_len. Note that the lengths are included twice (for some unfathomable reason).

Type-2 Message

This message contains the server’s NTLM challenge.

    struct {
        byte    protocol[8];     // 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'
        byte    type;            // 0x02
        byte    zero[7];
        short   msg_len;         // 0x28
        byte    zero[2];
        short   flags;           // 0x8201
        byte    zero[2];

        byte    nonce[8];        // nonce
        byte    zero[8];
    } type-2-message
                 0       1       2       3
             +-------+-------+-------+-------+
         0:  |  'N'  |  'T'  |  'L'  |  'M'  |
             +-------+-------+-------+-------+
         4:  |  'S'  |  'S'  |  'P'  |   0   |
             +-------+-------+-------+-------+
         8:  |   2   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        12:  |   0   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        16:  |  message len  |   0   |   0   |
             +-------+-------+-------+-------+
        20:  | 0x01  | 0x82  |   0   |   0   |
             +-------+-------+-------+-------+
        24:  |                               |
             +          server nonce         |
        28:  |                               |
             +-------+-------+-------+-------+
        32:  |   0   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        36:  |   0   |   0   |   0   |   0   |
             +-------+-------+-------+-------+

The nonce is used by the client to create the LanManager and NT responses (see Password Hashes). It is an array of 8 arbitrary bytes. The message length field contains the length of the complete message, which in this case is always 40.
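A decoder for the Type-1 and Type-2 layouts above, as an added example that is not part of the original document: it takes the value of an `Authorization` or `WWW-Authenticate` header, checks the signature, the doubled lengths and the offsets against the actual message size, and returns the fields. It follows this page's reverse-engineered layout only; the host "GOOFY" comes from the text, while the domain "DISNEY", the nonce and the `build_*` helpers are constructed for the sample.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"


class NTLMParseError(ValueError):
    """Raised when a message does not match the layout documented above."""


def _buffer(msg, pos, name):
    """Follow one (len, len, offset, zero[2]) descriptor and return its bytes."""
    len1, len2, off = struct.unpack_from("<HHH", msg, pos)
    if len1 != len2:
        raise NTLMParseError(f"{name}: the two length copies differ")
    if off + len1 > len(msg):
        raise NTLMParseError(f"{name}: offset/length point outside the message")
    return msg[off:off + len1]


def parse_type1(msg):
    if len(msg) < 32:
        raise NTLMParseError("type 1: fixed header truncated")
    (flags,) = struct.unpack_from("<H", msg, 12)
    return {
        "type": 1,
        "flags": flags,
        # ASCII or possibly ISO-8859-1 per the text; latin-1 decodes either.
        "domain": _buffer(msg, 16, "domain").decode("latin-1"),
        "host": _buffer(msg, 24, "host").decode("latin-1"),
    }


def parse_type2(msg):
    if len(msg) < 40:
        raise NTLMParseError("type 2: shorter than the 40 bytes described")
    msg_len, _, flags = struct.unpack_from("<HHH", msg, 16)
    if msg_len != len(msg):
        raise NTLMParseError("type 2: msg_len field disagrees with actual length")
    return {"type": 2, "flags": flags, "msg_len": msg_len, "nonce": msg[24:32].hex()}


def parse_message(msg):
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise NTLMParseError("missing NTLMSSP signature")
    parsers = {1: parse_type1, 2: parse_type2}
    if msg[8] not in parsers:
        raise NTLMParseError(f"message type {msg[8]} not handled here")
    return parsers[msg[8]](msg)


def decode_header(value):
    """Decode the value of an Authorization / WWW-Authenticate header."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise NTLMParseError("not an NTLM header")
    if not blob.strip():
        return None  # line 2 of the handshake listing: bare "NTLM", no message yet
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError as exc:
        raise NTLMParseError("payload is not valid base64") from exc
    return parse_message(raw)


def build_type1(host, domain):
    """Constructed sample: host at offset 32, domain right after it, both uppercased."""
    h, d = host.upper().encode("ascii"), domain.upper().encode("ascii")
    head = SIGNATURE + bytes([1, 0, 0, 0]) + struct.pack("<HH", 0xB203, 0)
    head += struct.pack("<HHHH", len(d), len(d), 32 + len(h), 0)
    head += struct.pack("<HHHH", len(h), len(h), 32, 0)
    return head + h + d


def build_type2(nonce):
    """Constructed sample: fixed 40-byte message carrying an 8-byte nonce."""
    return (SIGNATURE + bytes([2]) + bytes(7) + struct.pack("<HH", 40, 0)
            + struct.pack("<HH", 0x8201, 0) + nonce + bytes(8))


if __name__ == "__main__":
    samples = [
        "NTLM",
        "NTLM " + base64.b64encode(build_type1("goofy", "disney")).decode(),
        "NTLM " + base64.b64encode(build_type2(bytes.fromhex("0123456789abcdef"))).decode(),
    ]
    for header in samples:
        print(header[:40], "->", decode_header(header))
```
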

Type-3 Message

This message contains the username, host name, NT domain name, and the two "responses".

    struct {
        byte    protocol[8];     // 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'
        byte    type;            // 0x03
        byte    zero[3];

        short   lm_resp_len;     // LanManager response length (always 0x18)
        short   lm_resp_len;     // LanManager response length (always 0x18)
        short   lm_resp_off;     // LanManager response offset
        byte    zero[2];

        short   nt_resp_len;     // NT response length (always 0x18)
        short   nt_resp_len;     // NT response length (always 0x18)
        short   nt_resp_off;     // NT response offset
        byte    zero[2];

        short   dom_len;         // domain string length
        short   dom_len;         // domain string length
        short   dom_off;         // domain string offset (always 0x40)
        byte    zero[2];

        short   user_len;        // username string length
        short   user_len;        // username string length
        short   user_off;        // username string offset
        byte    zero[2];

        short   host_len;        // host string length
        short   host_len;        // host string length
        short   host_off;        // host string offset
        byte    zero[6];

        short   msg_len;         // message length
        byte    zero[2];

        short   flags;           // 0x8201
        byte    zero[2];

        byte    dom[*];          // domain string (unicode UTF-16LE)
        byte    user[*];         // username string (unicode UTF-16LE)
        byte    host[*];         // host string (unicode UTF-16LE)
        byte    lm_resp[*];      // LanManager response
        byte    nt_resp[*];      // NT response
    } type-3-message
                 0       1       2       3
             +-------+-------+-------+-------+
         0:  |  'N'  |  'T'  |  'L'  |  'M'  |
             +-------+-------+-------+-------+
         4:  |  'S'  |  'S'  |  'P'  |   0   |
             +-------+-------+-------+-------+
         8:  |   3   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        12:  |  LM-resp len  |  LM-Resp len  |
             +-------+-------+-------+-------+
        16:  |  LM-resp off  |   0   |   0   |
             +-------+-------+-------+-------+
        20:  |  NT-resp len  |  NT-Resp len  |
             +-------+-------+-------+-------+
        24:  |  NT-resp off  |   0   |   0   |
             +-------+-------+-------+-------+
        28:  | domain length | domain length |
             +-------+-------+-------+-------+
        32:  | domain offset |   0   |   0   |
             +-------+-------+-------+-------+
        36:  |  user length  |  user length  |
             +-------+-------+-------+-------+
        40:  |  user offset  |   0   |   0   |
             +-------+-------+-------+-------+
        44:  |  host length  |  host length  |
             +-------+-------+-------+-------+
        48:  |  host offset  |   0   |   0   |
             +-------+-------+-------+-------+
        52:  |   0   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        56:  |  message len  |   0   |   0   |
             +-------+-------+-------+-------+
        60:  | 0x01  | 0x82  |   0   |   0   |
             +-------+-------+-------+-------+
        64:  | domain string                 |
             +                               +
             .                               .
             .                               .
             +           +-------------------+
             |           | user string       |
             +-----------+                   +
             .                               .
             .                               .
             +                 +-------------+
             |                 | host string |
             +-----------------+             +
             .                               .
             .                               .
             +   +---------------------------+
             |   | LanManager-response       |
             +---+                           +
             .                               .
             .                               .
             +            +------------------+
             |            | NT-response      |
             +------------+                  +
             .                               .
             .                               .
             +-------+-------+-------+-------+

The host, domain, and username strings are in Unicode (UTF-16, little-endian) and are not nul-terminated; the host and domain names are in upper case. The lengths of the response strings are 24.

Password Hashes

To calculate the two response strings two password hashes are used: the LanManager password hash and the NT password hash. These are described in detail at the beginning of the Samba ENCRYPTION.html document. However, a few things are not clear (such as what the magic constant for the LanManager hash is), so here is some almost-C code which calculates the two responses. Inputs are passw and nonce, the results are in lm_resp and nt_resp.

    /* setup LanManager password */

    unsigned char lm_pw[14];
    int   idx;
    int   len = strlen(passw);
    if (len > 14)  len = 14;

    for (idx=0; idx<len; idx++)
        lm_pw[idx] = toupper(passw[idx]);
    for (; idx<14; idx++)
        lm_pw[idx] = 0;


    /* create LanManager hashed password */

    unsigned char magic[] = { 0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 };
    unsigned char lm_hpw[21];
    des_key_schedule ks;

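    /* encrypt the magic constant with each 7-byte half of the password */
    setup_des_key(lm_pw, ks);
    des_ecb_encrypt((des_cblock*) magic, (des_cblock*) lm_hpw, ks, DES_ENCRYPT);

    setup_des_key(lm_pw+7, ks);
    des_ecb_encrypt((des_cblock*) magic, (des_cblock*) (lm_hpw+8), ks, DES_ENCRYPT);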

    memset(lm_hpw+16, 0, 5);


    /* create NT hashed password */

    len = strlen(passw);   /* full length again; the LanManager code clamped len to 14 */
    char  nt_pw[2*len];
    for (idx=0; idx<len; idx++)
    {
        nt_pw[2*idx]   = passw[idx];
        nt_pw[2*idx+1] = 0;
    }

    unsigned char nt_hpw[21];
    MD4_CTX context;
    MD4Init(&context);
    MD4Update(&context, nt_pw, 2*len);
    MD4Final(nt_hpw, &context);

    memset(nt_hpw+16, 0, 5);


    /* create responses */

    unsigned char lm_resp[24], nt_resp[24];
    calc_resp(lm_hpw, nonce, lm_resp);
    calc_resp(nt_hpw, nonce, nt_resp);

Helpers:

    /*
     * takes a 21 byte array and treats it as 3 56-bit DES keys. The
     * 8 byte plaintext is encrypted with each key and the resulting 24
     * bytes are stored in the results array.
     */
    void calc_resp(unsigned char *keys, unsigned char *plaintext, unsigned char *results)
    {
        des_key_schedule ks;

        setup_des_key(keys, ks);
        des_ecb_encrypt((des_cblock*) plaintext, (des_cblock*) results, ks, DES_ENCRYPT);

        setup_des_key(keys+7, ks);
        des_ecb_encrypt((des_cblock*) plaintext, (des_cblock*) (results+8), ks, DES_ENCRYPT);

        setup_des_key(keys+14, ks);
        des_ecb_encrypt((des_cblock*) plaintext, (des_cblock*) (results+16), ks, DES_ENCRYPT);
    }


    /*
     * turns a 56 bit key into the 64 bit, odd parity key and sets the key.
     * The key schedule ks is also set.
     */
    void setup_des_key(unsigned char key_56[], des_key_schedule ks)
    {
        des_cblock key;

        key[0] = key_56[0];
        key[1] = ((key_56[0] << 7) & 0xFF) | (key_56[1] >> 1);
        key[2] = ((key_56[1] << 6) & 0xFF) | (key_56[2] >> 2);
        key[3] = ((key_56[2] << 5) & 0xFF) | (key_56[3] >> 3);
        key[4] = ((key_56[3] << 4) & 0xFF) | (key_56[4] >> 4);
        key[5] = ((key_56[4] << 3) & 0xFF) | (key_56[5] >> 5);
        key[6] = ((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6);
        key[7] =  (key_56[6] << 1) & 0xFF;

        des_set_odd_parity(&key);
        des_set_key(&key, ks);
    }

Keeping the connection alive

As mentioned above, this scheme authenticates connections, not requests. This manifests itself in that the network connection must be kept alive during the second part of the handshake, i.e. between the receiving of the type-2 message from the server (step 4) and the sending of the type-3 message (step 5). Each time the connection is closed this second part (steps 3 through 6) must be repeated over the new connection (i.e. it’s not enough to just keep sending the last type-3 message). Also, once the connection is authenticated, the Authorization header need not be sent anymore while the connection stays open, no matter what resource is accessed.

For implementations wishing to work with M$’s software this means that they must make sure they use either HTTP/1.0 keep-alive’s or HTTP/1.1 persistent connections, and that they must be prepared to do the second part of the handshake each time the connection was closed and is reopened. Server implementations must also make sure that HTTP/1.0 responses contain a Content-length header (as otherwise the connection must be closed after the response), and that HTTP/1.1 responses either contain a Content-length header or use the chunked transfer encoding.

Example

Here is an actual example of all the messages. Assume the host name is "LightCity", the NT domain name is "Ursa-Minor", the username is "Zaphod", the password is "Beeblebrox", and the server sends the nonce "SrvNonce". Then the handshake is:

    C -> S   GET ...
    
    S -> C   401 Unauthorized
             WWW-Authenticate: NTLM
    
    C -> S   GET ...
             Authorization: NTLM TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S
    
    S -> C   401 Unauthorized
             WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAU3J2Tm9uY2UAAAAAAAAAAA==
    
    C -> S   GET ...
             Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHIAAAAYABgAigAAABQAFABAAAAADAAMAFQAAAASABIAYAAAAAAAAACiAAAAAYIAAFUAUgBTAEEALQBNAEkATgBPAFIAWgBhAHAAaABvAGQATABJAEcASABUAEMASQBUAFkArYfKbe/jRoW5xDxHeoxC1gBmfWiS5+iX4OAN4xBKG/IFPwfH3agtPEia6YnhsADT
    
    S -> C   200 Ok

and the unencoded messages are:

Type-1 Message:

       0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
   0:  4e 54 4c 4d 53 53 50 00 01 00 00 00 03 b2 00 00  "NTLMSSP........."
  10:  0a 00 0a 00 29 00 00 00 09 00 09 00 20 00 00 00  "....)....... ..."
  20:  4c 49 47 48 54 43 49 54 59 55 52 53 41 2d 4d 49  "LIGHTCITYURSA-MI"
  30:  4e 4f 52                                         "NOR"

Type-2 Message:

       0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
   0:  4e 54 4c 4d 53 53 50 00 02 00 00 00 00 00 00 00  "NTLMSSP........."
  10:  28 00 00 00 01 82 00 00 53 72 76 4e 6f 6e 63 65  "(.......SrvNonce"
  20:  00 00 00 00 00 00 00 00                          "........"

Type-3 Message:

       0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
   0:  4e 54 4c 4d 53 53 50 00 03 00 00 00 18 00 18 00  "NTLMSSP........."
  10:  72 00 00 00 18 00 18 00 8a 00 00 00 14 00 14 00  "r..............."
  20:  40 00 00 00 0c 00 0c 00 54 00 00 00 12 00 12 00  "@.......T......."
  30:  60 00 00 00 00 00 00 00 a2 00 00 00 01 82 00 00  "`..............."
  40:  55 00 52 00 53 00 41 00 2d 00 4d 00 49 00 4e 00  "U.R.S.A.-.M.I.N."
  50:  4f 00 52 00 5a 00 61 00 70 00 68 00 6f 00 64 00  "O.R.Z.a.p.h.o.d."
  60:  4c 00 49 00 47 00 48 00 54 00 43 00 49 00 54 00  "L.I.G.H.T.C.I.T."
  70:  59 00 ad 87 ca 6d ef e3 46 85 b9 c4 3c 47 7a 8c  "Y....m..F...<Gz."
  80:  42 d6 00 66 7d 68 92 e7 e8 97 e0 e0 0d e3 10 4a  "B..f}h.........J"
  90:  1b f2 05 3f 07 c7 dd a8 2d 3c 48 9a e9 89 e1 b0  "...?....-<H....."
  a0:  00 d3                                            ".."

For reference, the intermediate hashed passwords are:

lm_hpw (LanManager hashed password):
91 90 16 f6 4e c7 b0 0b a2 35 02 8c a5 0c 7a 03 00 00 00 00 00
nt_hpw (NT hashed password):
8c 1b 59 e3 2e 66 6d ad f1 75 74 5f ad 62 c1 33 00 00 00 00 00
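
The type-3 layout and the example handshake above can be checked mechanically. The following Python parser is an added example, not part of the original document: it decodes the final Authorization header of the example, bounds-checks every offset, and notes when a LanManager response is sent (the response that the hotfix listed under Resources disables). The names parse_type3, NTLMParseError, FIELDS, SAMPLE_HEADER and the findings strings are assumptions made for this illustration.

```python
import base64
import binascii
import struct

SIGNATURE = b"NTLMSSP\x00"
HEADER_LEN = 64  # fixed part of the type-3 layout; strings start at 0x40

# The page's own type-3 example (user "Zaphod"), split into 16-char chunks.
SAMPLE_HEADER = "NTLM " + (
    "TlRMTVNTUAADAAAA" "GAAYAHIAAAAYABgA" "igAAABQAFABAAAAA"
    "DAAMAFQAAAASABIA" "YAAAAAAAAACiAAAA" "AYIAAFUAUgBTAEEA"
    "LQBNAEkATgBPAFIA" "WgBhAHAAaABvAGQA" "TABJAEcASABUAEMA"
    "SQBUAFkArYfKbe/j" "RoW5xDxHeoxC1gBm" "fWiS5+iX4OAN4xBK"
    "G/IFPwfH3agtPEia" "6YnhsADT"
)

# name -> position of its (length, length, offset) triple in the header
FIELDS = {"lm_resp": 12, "nt_resp": 20, "domain": 28, "user": 36, "host": 44}


class NTLMParseError(ValueError):
    """Raised when the value is not a well-formed type-3 message."""


def parse_type3(header_value):
    """Decode an 'NTLM <base64>' Authorization value into its type-3 fields."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise NTLMParseError("not an NTLM Authorization value")
    try:
        msg = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise NTLMParseError("invalid base64") from exc
    if len(msg) < HEADER_LEN or msg[:8] != SIGNATURE:
        raise NTLMParseError("missing NTLMSSP signature or short header")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise NTLMParseError("not a type-3 message")

    out = {}
    for name, pos in FIELDS.items():
        length, _alloc, offset = struct.unpack_from("<HHH", msg, pos)
        # Offsets are client-supplied: they must stay inside the message
        # and must not point back into the fixed header.
        if length and (offset < HEADER_LEN or offset + length > len(msg)):
            raise NTLMParseError(f"{name} lies outside the message")
        out[name] = msg[offset:offset + length] if length else b""
    for name in ("domain", "user", "host"):
        try:
            out[name] = out[name].decode("utf-16-le")
        except UnicodeDecodeError as exc:
            raise NTLMParseError(f"{name} is not valid UTF-16LE") from exc

    msg_len = struct.unpack_from("<H", msg, 56)[0]
    out["flags"] = struct.unpack_from("<H", msg, 60)[0]
    out["findings"] = []
    if msg_len != len(msg):
        out["findings"].append("declared message length does not match")
    if any(out["lm_resp"]):
        out["findings"].append("LanManager response present")
    return out


if __name__ == "__main__":
    for key, value in parse_type3(SAMPLE_HEADER).items():
        print(key, value.hex() if isinstance(value, bytes) else value)
```
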

Resources

* LM authentication in SMB/CIFS
http://www.ubiqx.org/cifs/SMB.html#SMB.8.3
* A document on cracking NTLMv2 authentication
http://www.blackhat.com/presentations/win-usa-02/urity-winsec02.ppt
* Squid’s NTLM authentication project
http://squid.sourceforge.net/ntlm/
* Encryption description for Samba
http://de.samba.org/samba/ftp/docs/htmldocs/ENCRYPTION.html
* Info on the MSIE security hole
http://oliver.efri.hr/~crv/security/bugs/NT/ie6.html
* FAQ: NT Cryptographic Password Attacks & Defences
http://www.ntbugtraq.com/default.asp?sid=1&pid=47&aid=17
* M$’s hotfix to disable the sending of the LanManager response
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/lm-fix
* A description of M$’s hotfix
http://www.tryc.on.ca/archives/bugtraq/1997_3/0070.html

Acknowledgements

Special thanks to the following people who helped with the collection and debugging of the above information:

Okay, you got me.  You can’t actually run IE6 (or IE7) on Windows 7 like you can with IE8, but it’s virtually possible using Windows XP Mode.

First off, your computer needs to contain a CPU with the Intel® Virtualization Technology or AMD-V™ feature turned on.  Next, you need to download and install Windows Virtual PC and the Windows XP Mode Virtual Machine.

Note:  As of today, Microsoft has yet to make the release versions of these products available.  It will probably happen around the same time the release version of Windows 7 is available.

So far, all of the XP Mode documentation available states that an application must first be installed within the Windows XP Mode Virtual Machine before it can be launched as a Virtual Application under Windows 7, but luckily there is a quick way to work around this.

To allow IE to show up and run as a virtual application, you only need to add a shortcut for IE6 (just drag and drop it from the desktop) within the All Users Start Menu folder (c:\Documents and Settings\All Users\Start Menu\). With the shortcut added within the XP Mode VM, a new IE6 shortcut will now show up on your Windows 7 All Programs menu under Windows Virtual PC->Windows XP Mode Applications.

Now you can run IE8, as well as a down-level version of IE on Windows 7!

IE6 Windows XP Mode Virtual PC on Windows 7

We started to take apart some of the Windows XP Mode links and have uncovered some interesting items.

The following is for the shortcut labeled “Windows XP Mode”:

%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\VMCPropertyHandler.dll,LaunchDefaultVM

We then took a look at the link that was created when we placed a shortcut for Internet Explorer in c:\Documents and Settings\All Users\Start Menu.

%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\VMCPropertyHandler.dll,LaunchVMSal "Windows XP Mode" "||14c0ece8" "Internet Explorer"

Now we just need to figure out how to duplicate the default XP Mode VM, which is IE6, and create another option with a copy of the XP Mode VM that runs Internet Explorer 7.0. Stay tuned; we think we may have figured this out, but need to perfect the write-up.

The next section contains the tweaks. Of course, if you try this on your own, we at IE8Blog assume NO risk for errors you may experience, so be careful. We suspect that the following is most likely unsupported, but hey, what fun are computers if you do not tweak, mod, and take things apart?

As you can see from the screen shot, IE6 and IE7 are both running as XP Mode applications launched from the Start menu of Windows 7. Of course IE8 is running natively on Windows 7. Sure, there are two Virtual Machines running, and sure, it would be nice to have a true SIDE-BY-SIDE situation native on Windows 7, but this is what we have for now. If you are a web developer this is a huge leap forward, since the XP MODE VM is a free download. It is not always about rendering; you have the network layer and the various features of each browser in a pure state.

For now the trick was to clone the VHD in C:\Users\<username>\AppData\Local\Microsoft\Windows Virtual PC\Virtual Machines\ which happens to be a differencing disk. The parent disk is located at C:\Program Files\Windows XP Mode\Windows XP Mode base.vhd.

1. Copied the differencing disk over and renamed it to Windows XP Mode – IE7.VHD

2. Cloned the shortcut link that we created for Internet Explorer and modified the link to Windows XP Mode – IE7.

%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\VMCPropertyHandler.dll,LaunchVMSal "Windows XP Mode – IE7" "||14c0ece8" "Internet Explorer"

3. Cloned the Windows XP Mode.vmcx to Windows XP Mode – IE7.vmcx and, using Notepad, changed everything from Windows XP Mode to Windows XP Mode – IE7

We are sure there is a step that was left out someplace, but you get the idea for now. We at IE8Blog will refine the cloning procedures as needed. But as a proof of concept, launching IE7 as an application from the Windows 7 Start menu is possible.

XP Mode with Internet Explorer 7 (IE7) and Internet Explorer 6 (IE6) 

We need to learn more about VMCPropertyHandler.dll. A quick search on the internet turns up a few items but the following provided some useful insight.

Windows 7 Virtual PC Management

Link Back: http://www.slickit.ca/2009/05/windows-7-virtual-pc-management.html

 

UPDATE 10/20/2009:

It appears there is a bug introduced with MS09-054, the latest Internet Explorer Cumulative Security Update, released last Tuesday, Oct 13 2009. From the review, the situation appears to be isolated to VBSCRIPT, and only in very specific usage scenarios. Not sure about the rest of the world, but we at IE8Blog gave up on VBSCRIPT several years ago.

KB976749 You receive a VBScript "Type Mismatch" script error message in Internet Explorer after you install cumulative security update 974455

http://support.microsoft.com/kb/976749

A couple tests were run using the examples provided in the knowledge base article and it appears the issue involves MSHTML.DLL.

Hot off the security press Microsoft rev’s IE with the latest in security goodness.

Microsoft security updates for October 2009

http://www.microsoft.com/security/updates/bulletins/200910.aspx

Microsoft Security Bulletin MS09-054 – Critical

Cumulative Security Update for Internet Explorer (974455)

http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx

MS09-054: Cumulative security update for Internet Explorer

http://support.microsoft.com/kb/974455

Affected Software

| Operating System | Component | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by This Update |
|---|---|---|---|---|
| Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1 | | | | |
| Microsoft Windows 2000 Service Pack 4 | Microsoft Internet Explorer 5.01 Service Pack 4 | Remote Code Execution | Critical | MS09-034 |
| Microsoft Windows 2000 Service Pack 4 | Microsoft Internet Explorer 6 Service Pack 1 | Remote Code Execution | Critical | MS09-034 |
| Internet Explorer 6 | | | | |
| Windows XP Service Pack 2 and Windows XP Service Pack 3 | Microsoft Internet Explorer 6 | Remote Code Execution | Critical | MS09-034 |
| Windows XP Professional x64 Edition Service Pack 2 | Microsoft Internet Explorer 6 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2003 Service Pack 2 | Microsoft Internet Explorer 6 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2003 x64 Edition Service Pack 2 | Microsoft Internet Explorer 6 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2003 with SP2 for Itanium-based Systems | Microsoft Internet Explorer 6 | Remote Code Execution | Critical | MS09-034 |
| Internet Explorer 7 | | | | |
| Windows XP Service Pack 2 and Windows XP Service Pack 3 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows XP Professional x64 Edition Service Pack 2 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2003 Service Pack 2 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2003 x64 Edition Service Pack 2 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2003 with SP2 for Itanium-based Systems | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2008 for 32-bit Systems* and Windows Server 2008 for 32-bit Systems Service Pack 2* | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2008 for x64-based Systems* and Windows Server 2008 for x64-based Systems Service Pack 2* | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Internet Explorer 8 | | | | |
| Windows XP Service Pack 2 and Windows XP Service Pack 3 | Windows Internet Explorer 8 | Remote Code Execution | Critical | MS09-034 |
| Windows XP Professional x64 Edition Service Pack 2 | Windows Internet Explorer 8 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2003 Service Pack 2 | Windows Internet Explorer 8 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2003 x64 Edition Service Pack 2 | Windows Internet Explorer 8 | Remote Code Execution | Critical | MS09-034 |
| Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 | Windows Internet Explorer 8 | Remote Code Execution | Critical | MS09-034 |
| Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 | Windows Internet Explorer 8 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2008 for 32-bit Systems* and Windows Server 2008 for 32-bit Systems Service Pack 2* | Windows Internet Explorer 8 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2008 for x64-based Systems* and Windows Server 2008 for x64-based Systems Service Pack 2* | Windows Internet Explorer 8 | Remote Code Execution | Critical | MS09-034 |
| Windows 7 for 32-bit Systems | Windows Internet Explorer 8 | Remote Code Execution | Critical | None |
| Windows 7 for x64-based Systems | Windows Internet Explorer 8 | Remote Code Execution | Critical | None |
| Windows Server 2008 R2 for x64-based Systems* | Windows Internet Explorer 8 | Remote Code Execution | Critical | None |
| Windows Server 2008 R2 for Itanium-based Systems | Windows Internet Explorer 8 | Remote Code Execution | Critical | None |