Information Security Consulting for free!: March 2008

Microsoft will provide free, unlimited customer support for IE7 throughout the product lifecycle. At the moment only English has been released; other languages will be available in coming weeks.

As a reminder, IE7 will be offered as an automatic update. Those of you who are using WSUS in a corporate environment, even at its default settings, need not be concerned that your users will somehow end up with IE7 without warning. IE7 is an "update rollup" therefore it is not auto-approved.

If you don't use WSUS, instead preferring the traditional Automatic Updates set to download and install automatically, IE7 will not install without permission. The user will see a large window advising that IE7 is available to install, and the user will have three choices; install, don't Install, or install later.

If you are responsible for a corporate network and want to be sure that IE7 is not offered to users, and you're not using something like WSUS, there is an IE blocker available here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en

Tips for if you have trouble installing IE7:

Sometimes the install may fail - no error message - right click on the downloaded IE7 installation file, select properties, then select "unblock".

Try running the install in safe mode with networking support.

Review the files:

%windir%\ie7beta3_main.log
%windir%\ie7beta3.log
%windir%\ie7beta3Uninst.log

You may see 'access denied' errors, or write errors. If you see such errors, check the permissions of the registry key as per the instructions for msfeed.dll errors shown below. Important note: this may need to be done several times, because the problem keys appear one at a time, that is, a different key will appear on each attempt until all problem keys are found and fixed.

Installation errors referencing msfeeds.dll

Our tests revealed that different keys are the source of the problem for different users. Any HKEY_CLASSES_ROOT\ key may be the source of an msfeeds.dll error. You need to review the file updspapi.log to work out exactly which keys are affected when you are attempting installation. You will see "Access Denied" errors.

The IE Team have posted confirming this advice:
http://blogs.msdn.com/ie/archive/2006/03/27/562265.aspx

Windows Genuine Advantage Validation is an integral part of the IE7 installation. If your copy of Windows is not genuine you will not be able to install the Beta.

Error message: IE7 must be uninstalled from the User Account that installed it or IE7 Gold or RC installation fails - no specific error message.

Go to the key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer.

Right click on Internet Explorer and select New DWORD. Name that value InstalledByUser. The value of the new DWORD should be 00000000.

RSS functionality requires at least Microsoft XML Parser (MSXML) 3.0 Service Pack 5 (SP5). Service Pack 7 can be downloaded here.

Troubleshooting Internet Explorer after installation

First, make sure you have rebooted TWICE after installation.

Then, run IE in no add-ons mode.

Internet Explorer (No Add-ons) via Start menu

Internet Explorer (No Add-ons) via right click on desktop icon

Some weird and wonderful problems have been "fixed" by running IE7 in no add-ons mode. If no add-ons mode fixes your problems, then you are going to have to try and work out what third party product is causing your problems by disabling one add-on at a time, restarting IE, then testing. If disabling one doesn't work, re-enable it, restart IE, and try the next one. Once you work out what is wrong, feel free to post a comment here and share what you have learned.. you will do good.

Problems with Web sites that use Add-ons (Active X controls)

Use Manage Add-Ons to check all installed add-ons. You may find that the one you need has been disabled.

Firstly, Internet Explorer follows certain rules when it comes to add-ons. If the add-ons are in use at the time IE7 is installed they will automatically be enabled. It is only new add-ons that are disabled until you give them permission to run.

Secondly, the add-on you need may have been disabled if it caused problems for IE.

You may have an old add-on that has been updated to work with IE7. Delete the add-on for the affected site and install a new copy.

The control you need may be damaged. You can not see this via Manage Add-Ons - you must go in the old way (Tools, Internet Options, Browsing History Settings, View Objects). If a Control is damaged it will say so in the Status column. If it is damaged, right click and select Delete, then download a new copy.

So, what do we do if the advice about add-ons doesn't help? Well, that all depends on what the problem is, so let's go look at some common causes of breakage.

Problems with Web sites that won't work with IE7

Sometimes Web pages are coded to detect the version of IE7 that is being used by a visitor. Far too often these sites have been coded to detect *up to a particular version* instead of *from a particular version upwards*. If the site does not recognise IE7, it may stop you from viewing the site, or serve up broken CSS code.

If you see a broken Web site, or a message such as "This Web site only supports Internet Explorer..." you may be able to fix the problem by adjusting your User Agent String.

There are REG files available for download at Fiddlertool that will make your copy of IE7 simulate other versions. Alternatively, you can use the User Agent String Utility Tool available here. It is a *very* cool tool that opens an Internet Explorer 7.0 window which is configured to report its identity to websites as being Internet Explorer 6.0 - an excellent way to work with Web sites that are improperly coded to only recognise IE6 and earlier.

When you run the UAS utility, you will see this window. I encourage you to choose the option to send problem URLs to Microsoft.

Make no mistake, there is going to be some pain for Web developers who have used various hacks and workarounds to get their sites to work with IE6. Many of those hacks are breaking in IE7, sometimes making Web sites completely unuseable - like this:

Unfortunately, when a site breaks as badly as this example, there is not much you can do.

MS have been pro-active in addressing what they know is a real issue, contacting the owners of sites that MS knows do not work with IE7 to notify them of problems and encourage them to update, and their efforts are bearing fruit. Many Web pages that I use regularly have already been updated to suit IE7, including www.telstra.com.au and www.qantas.com.au. But, there is only so much MS can discover on their own. If you come across a site that does not work in IE7, please use the UAS utility tool to report the problem to MS so that MS can alert the site owners and help them do what needs to be done to adjust their sites to work in IE7.

General troubleshooting advice

Adjust the size of your cache and delete your History and Cookies

Traditionally Internet Explorer has set the size of its temporary internet files folder to a percentage of total disk space. In recent years, with the massive increases in hard drive capacity, this has led to the cache being set to ridiculously large sizes... far too large for IE to be able to cope reliably. Web sites may slow down, pictures may stop displaying, hyperlinks may stop working (actually, they haven't stopped working, its just that IE is collapsing under the weight of all that saved data), you may see the classic "page cannot be displayed" error... and that's just for starters.

If your cache is set far too large, IE7 will reduce it to 1024MB the first time that you click on the Settings button for Browsing History Settings button, but I have found this is still too large.

Click on IE, Tools, Internet Options, General Tab, Settings

Set your IE cache to between 50 and 250 Meg (I recommend 50 - 100)

Next, delete all temporary internet files, including offline content (IE tools, Internet Options, General tab, Delete button). Delete your IE history and all cookies. Then, restart IE.

Third party software interference

This is not the same as disabling add-ons. Shut down all other programmes, not including your firewall, to see if things improve (don't forget about the icons in the system tray). Antivirus and antispyware products that are set to scan internet data can cause problems. Your firewall may be set to block pictures.. your antivirus or anti-spyware scanner may be removing data or disabling features to protect you from the bad guys.

Spybot and other programs, for example, may stop you from changing your home page. Some firewalls may block advertisements (and other graphics) so that you only see a red x, or block scripting. Some will block access to sites according to keywords.

Example: Just last week I was tasked with fixing a PC that was unable to access any Web site. "Page cannot be displayed" was all that we saw, no matter what site we checked.. yet at the same time Messenger was working, Outlook Express was working, I was able to Telnet to sites, Ping worked as did Tracert. Under such circumstances you'd assume that Internet Explorer was broken, yes? After all, everything else Internet related was working. Nope! It wasn't IE.

An essential clue was that it was only programmes that used Port 80 that were broken (including the ability of the antivirus programme to update, because it used Port 80 for updates).

On this occasion a previous technician had installed, and then tried to remove, ZoneAlarm, but something had gone wrong. The True Vector service was still in services.msc, and set to Automatic, but could not be set to disabled (access denied) or removed from the registry (permissions error). In addition there was a "network monitoring device" in Hardware Device Manager. It took some careful work with a special third party tool to delete the True Vector service registry entry despite the broken security permissions, and disable the "network monitoring device" via Device Manager, to "fix" Internet Explorer.

Second example: I was working with Nick of softeq.com to try and resolve a problem with his banking site... the login button wasn't working. It was an interesting problem. Running IE is no add-ons mode fixed the problem therefore that tells me, right there, that IE itself is not the root cause of the site's failure. If we disabled a TrendMicro add-in (for a Trend product that has been uninstalled) then the log-in button worked (the add-in was WinNTCheck.dll and is related to the Trend Micro Client/Server Agent for SMB). But, the "fix" was not dependable. IE would suddenly fail again.

If we enabled SSL 2.0 and "Allow pop up block to show input prompts" the site also started working. But, it is important to note that I have always disabled "Allow pop up block to show input prompts" on my machines and the site worked for me - Nick and I use the same Bank, therefore if there was a problem with their sites then I would know about it. Something else was wrong.

The basic fact that running IE in no add-ins mode fixed the problem points to a problem with a third party product, not IE per se.

Try spoofing IE6

Many sites serve different CSS styles to suit the Web browser that is visiting the site. Reality is that IE has done a real bad job in the past when it comes to CSS, and it is inevitable, when MS suddenly starts getting things right, that a lot of sites are suddenly going to break.

If changing the UAS (User Agent String) does not help your problem, please report the site in the newsgroups and to MS using the standard feedback options. Also, please send feedback to the site's owners so that they will be aware that they have to update their sites.

Malware

Yes, malware. Viruses, spyware, foist ware, malware. There is stuff that may have been undetectable when it was installed. The real bad guys use cutting edge code to try and infect you. There is no antivirus or antispyware product on this planet that can protect us from everything. There will always be a window of opportunity between a virus/exploit being used, and detection being added to various protective software's. This is why you *must* rescan on a daily basis, even if previous scans were clean and you have not been on the internet since.

Try a different Web browser

If an alternative browser works, at least we can rule out a basic problem with your internet connection.

I understand that by focusing on third party software and sites as being "at fault" I am going to frustrate some people, but the reality is that it is not possible for IE to be coded to suit the myriad internet related software programs out there and all the different ways of doing things. If MS codes to suit one programme, another *WILL* break. So, do what you can to track down what may be causing your problem and report it to the programmer's owners. Encourage 'best practice' (as far as it is possible to quantify 'best practice').

Other issues

If you previously used Sean Alexander's registry script to add a slew of Search Providers, all the entries created by the script will be broken. This is because the Wildcard has been changed from %s to {Search Terms}. You'll need to edit the original registry file to replace %s with {Search Terms} then remerge the file, or edit the registry manually.

IE7 enables 'clear type'. You can turn it off via the runonce page that appears the first time you start IE7. If you have left it on, and decide that you don't like it, turn it off via Tools, Internet Options, Advanced, Multimedia tab.

There was a bug where Clear Type continues to affect OE even when disabled. If you are affected by this navigate to key:

HKCU\Identities\{56561DBF-E736-4516-B63E-80BB99D3E6AD}\Software\Microsoft\Outlook Express\5.0\Trident\Main\

Create STRING UseClearType if it does not exist. Set value to no.

Some users reported a flurry of connection windows - try setting IE to "never dial a connection" (Tools, Internet Options, and Connection Tab). If you are using ADSL, set your router to control authentication, not IE.

Problems with favorites not appearing in the Organize Favorites window

It has been noticed that if Favorites folders (including subfolders) lose their system attribute they may not appear in the Organize Favorites window.

Try resetting the system attribute from the cmd window using the following command (make sure the path is correct for your machine).

ATTRIB -S C:\Documents and Settings\username\Favorites /S /D

Problems with printing after IE7 is installed (missing headers and very tiny fonts)

Top of Form

A hotfix has been released by Microsoft to the QFE branch (Quick Fix Engineering) that fixes the infamous "shrink to fit" issue that some customers are experiencing after they install IE7. Basically, when affected users try to print an email it is printed in extremely small font and is completely unreadable.

The hotfix is "by request" for the time being. I am unable to advise when it will be released for general distribution.

The associated Knowledgebase article, being KB 932538, is not live as at time of publication.

If you have been affected by the shrink to fit problem, you will need to contact Microsoft Customer Support Services to obtain the hotfix. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support

Note: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

IMPORTANT INFORMATION

What is the QFE branch, why is this important, and why should I only install a hotfix if it is absolutely necessary?

There are two development environments at Microsoft, being General Distribution Releases (GDR) and Quick Fix Engineering (QFE).

QFE branch releases are cumulative hotfixes that have been issued by Microsoft Product Support Services to address specific customer issues. QFE releases do not get the same quality of testing as the GDR branch. Please keep this fact in mind when deciding whether you will install the QFE fix for the shrink to fit issue.

I don't want to install the Hotfix but need to fix the shrink to fit problem. What can I do until the fix hits general release?

lf your emails are causing a problem for recipients, have a close look at your email header or footer because that is often the cause of the problem. Now, I'm not sure I can explain this properly, but my understanding of what is often happening is that very long headers or footers, if incorrectly formatted, will not "wrap" properly, and IE's shrink to fit engine will try to shrink the resulting long, unbreakable, string of text enough to allow it to fit on to the page. The shrink to fit engine cannot selectively shrink some bits of text more than others, so if you have one line (that long header or footer) that is a problem, the *entire* print job will be shrunk by the same amount, leading to the tiny fonts that people see.

A point of interest is that such a failure of text to wrap to the page properly has been around for a long time; for example, newsgroup postings made using Outlook Express and Mime Quoted Printable formatting are notorious for failing to wrap properly in Non-MS News readers. Xnews is a product that comes to mind - I have to enable the "Word Wrap" feature before newsgroup postings made using OE and MQP will wrap properly. I also see an occasional problem with emails when using my Webmail client (Mail Express).

If you are having problems with emails that are being received, forward them to yourself (deleting any header or signature) and then print. If you can, view the message in plain text and print that way as well. A workaround that you can try if you need to preserve the original format, is print to PDF and then print the resulting PDF file - I'll admit, I have not tried that, but it occurs to me now that it just might work. If you do not have Adobe or NitroPDF that give you the ability to print to PDF, then there are many freeware PDFing products out there.

The email message header does not print when you try to print an email message by using either Microsoft Office Outlook 2003 or Microsoft Outlook Express - also related to Shrink to Fit
http://support.microsoft.com/default.aspx/kb/931657

Bottom of Form

Third party applications

First, remember to read the Release Notes which has information about software that will have problems when run with IE7. We have also discovered the following issues that are/may not be covered in the Release Notes.

Visio 2003
Hyperlink Problem in Internet Explorer 7 - VML output generated by Visio 2003
http://msmvps.com/blogs/spywaresucks/archive/2006/11/05/247900.aspx

Digital Persona
Not yet compatible with tabbed browsing. More information here:
http://www.digitalpersona.com/support/faq/IE7update.php

PSAPI errors

Affected software includes Exchange System Manager Help (Exchange 2000/2003) (note that the ESM embedded in Server Management Console is not affected), McAfee software, BT Broadband Help (BT Yahoo Help), Motive Smart Bridge, Hal Screen Reader and Supernova Reader Magnifier by Dolphin.

The fix is to go to the installation location for the affected software.

Find PSAPI.DLL in the installation location for the affected software and rename it to something else, such as PSAPIOLD.DLL.

**Do not rename the PSAPI.DLL file in your \\Windows\System32 directory. **

Restart the computer.

Problems with IE and NitroPDF:
http://msmvps.com/blogs/spywaresucks/archive/2006/10/21/193880.aspx

Thomson Speed Touch routers

Users of IE7 have discovered that they are unable to access their routers via IE7. Mike Maltby has been talking to Speed Touch about this problem, and advises that the problem is not with the IE7 User Agent String but rather with changes in http authentication in IE7.

This means that users have various options open to them to resolve the problem pending the release of updated firmware which in the case of the ST585iv6 will be v6.2.0.x firmware that has yet to be released.

The workarounds being advised are to temporarily use an alternative browser such as FF or Opera Or Temporarily remove the administrator password.

To remove the password requires the user to telnet into the router (Start | Run | Telnet speedtouch.lan), logon and then remove the password.

Username: Administrator (or whatever userid has been set)
Password: ********

=> user config name Administrator password ""

Mike advises that by default the Administrator can only log on from the LAN. That being said, I recommend that you *not* remove the Administrator password and, instead, use an alternative browser until Speed Touch release some updates.

HP Director software

This has been broken since beta 2 - a workaround is listed on my blog:
http://msmvps.com/blogs/spywaresucks/archive/2006/10/22/197647.aspx

It is reported that a fix has been released, available at:
ftp://ftp.hp.com/pub/softlib/software7/COL10861/sj-31873-2/COL10861.exe

Use at your own risk. I have not had a chance to test it yet. Further information about the download can be found here:
http://h10025.www1.hp.com/ewfrf/wc/genericSoftwareDownloadIndex?cc=us&lc=en&softwareitem=sj-31873-2&jumpid=reg_R1002_USEN

Norton software is not yet supported with IE7. Script errors are being experienced by users, so you may have to choose between Norton, and IE7.

IE7 may cause confusion for people who use Outlook Web Access - see my previous Blog post:
http://msmvps.com/blogs/spywaresucks/archive/2006/01/31/82198.aspx

Fix for OWA problems here (not certificate errors):
http://support.microsoft.com/kb/911829

Information Security Consulting for free!

Search me

Saturday, March 29, 2008

What is Network Security?

Sunday, March 2, 2008

Internet Explorer 7 Tips & Tricks

Check this and Publish Your Adds..

Visitors