msie.high.sec.y2k.patch.txt

`Date: Wed, 09 Jun 1999 15:54:47 -0400  
>From: Paul Karger <[email protected]>  
Subject: Downloading Y2K fixes to Internet Explorer leads to clock problem  
  
I was attempting to install service pack 2 of Internet Explorer 4.01 in  
order to meet corporate Y2K requirements and ran into the following  
interesting problem.  
  
To install service pack 2, you first download a small program from  
Microsoft. You run that program, and after asking you some questions, it  
then downloads the full service pack 2. One of the questions was whether  
you wanted to install the service pack or just download the files. I  
replied that I just wanted to download the files. My intention was to virus  
check them, before actually performing the install.  
  
However, when it attempted to download the full service pack, the small  
downloader complained that my system clock was not set correctly, and that  
therefore it could not perform the download. I checked, and my system clock  
was set correctly. Pushing the help button on the error screen gave  
information about setting the clock, followed by a somewhat cryptic comment  
about security settings in Internet Explorer.  
  
My already installed version Internet Explorer was set to high security for  
all zones, as the dangers of ActiveX, Java, and Javascript are well known.  
As an experiment, I lowered the security setting for the Internet zone to  
medium, and the download proceeded without error. Note that ostensibly, I  
was only downloading files, not running anything, yet the security  
protection level had to be lowered, not to mention the bogus error message.  
  
I then raised the setting back to high, performed the virus check, and then  
tried to install the downloaded files. Again it complained about the clock  
setting, and again I had to lower the security setting to medium to permit  
the install to proceed. (This time, I was actually executing code, so I  
suppose the lowered setting was appropriate, but it still complained about  
the clock, rather than the security setting.)  
  
I suppose that downloading any code (even if not executing it) from the  
Microsoft web site could be considered a security risk and therefore not  
compatible with "high security". However, I don't think that was  
Microsoft's intention, and surely it should not have been reported as a  
clock setting problem.  
  
(Footnote for technical accuracy: In the above description, I said that I  
used the high security setting in Internet Explorer. This was artistic  
license on my part. Actually, I used the custom setting to get an even more  
conservative setting than what Microsoft calls "high security". "High  
security" still allows certain kinds of "safe" scripts to run, and I prefer  
to disable even "safe" scripts. However, the bogus error occurred not just  
on the custom very high setting, but also on Microsoft's own high security  
setting.)  
  
(To be fair to Microsoft, a full viral scan of both the downloaded service  
pack and of the system after the service pack was installed revealed no  
problems, nor did I seriously expect any. However, I routinely virus scan  
any and all downloaded files, regardless of their source.)  
  
Paul  
  
  
[RISKS-FORUM Digest 20.44]  
`