COMMAND

    MS Internet Explorer

SYSTEMS AFFECTED

    MSIE 5

PROBLEM

    Thor  Kottelin  found  following.    After  running  the  MSIE   5
    installation  wizard  ie5setup.exe  on  two  separate  NT  4.0 SP4
    machines - one Workstation, one  Server - his screen saver  (Logon
    Screen Saver, password protected) no longer kicks in.  The  screen
    saver tab in the Display control panel states "None".  The  screen
    saver  selection  seems  to  disappear  when  starting to download
    files, and on  one occasion it  has reappeared after  he cancelled
    the download  immediately after  starting it.   This seems  like a
    serious  problem  which  could  leave  sensitive  systems  open to
    console abuse (if you trust sreen savers).

    The  screen  saver  (it  doesn't  matter  which  one  you  use) is
    disabled  by  the  IE  Setup  Wizard  as  soon as you select which
    download server you are going to use.  It stays disabled until the
    download completes, or, is canceled or aborted.

    Dimitry  Andric  reported  that,  in  addition to the screen saver
    being disabled, IE 5.0 Setup Wizard also disables/pauses the  Task
    Scheduler Service  (if present).   There's nothing  in the  IE 5.0
    Setup Wizard panels or help that indicates any of this is going to
    happen.  Let's focus on the idea that a password protected  screen
    saver may be part of a corporate security policy.  The fact that a
    program, any program,  would disable this  for any reason,  or any
    duration,  without  forewarning  the  user  makes  me  think  of a
    criminal act.   MS is obviously  doing this to  ensure the fastest
    download possible,  and that's  a laudable  goal, but  not without
    informing the user that its going to happen.

    Let's observe another MSIE 5 wierdness (not security related):

        - inability to install IE without VDOLive and Microsoft  Music
          Control on a mission critical server
        - inability to avoid rebooting to upgrade IE with an SP
        - inability to avoid installing OE
        - inability to simply upgrade the components already installed
          on a machine (like the NT SPs work)

    Sure,  IEAK  can  solve  some  of  these  problems,  but the basic
    installation of IE itself should have these options included.

    Claudio Valderrama  C. added  following (Note  that all  computers
    had NT 4 SP4 installed and it's the US version):

        - MSIE  5, when  installed, changes  silently the  setting for
          the cookies to "Accept always" no matter how did you have it
          in  IE4  before.   This   is  because  M$  changed   cookies
          configuration from the "Advanced" to the "Security" tab.
        - MSIE  5 cannot  be used  with cookies  set to "Prompt before
          accepting"  when  visiting  sites  that  send  many cookies:
          after choosing NO (reject) to each cookie more than three or
          four times, MSIE will crash with a memory error.  Tester was
          able  to  repeat  the  crash  in  some NT systems: a generic
          computer, a Dell computer, etc.  Look for a cookie intensive
          site, like www.celebsite.com and see for yourself (never saw
          this to happen on MSIE 4 SP1).
        - MSIE 5 includes a  new "Allow per session cookies"  setting,
          that's enabled by default. I think session cookies are  less
          dangerous than persistent cookies.
        - By default, AutoComplete  will offer to save  passwords used
          on  sites  you  visit.   Be  careful,  because while you are
          typing to fill  in a form,  if you continue  typing, you may
          press the "Y" as  part of your text  just in the moment  the
          popup window  ask you  to save  the pw  and you won't notice
          what happened.
        - MSIE  5  created  a  service  called "COM+ Event System"  no
          matter you  downloaded first  all files  and later installed
          custom.  What is this service intended for? I remember  that
          after installing RDS (part  of M$'UDA), one discovered  some
          RDS objects where opened to anyone that knew how to  connect
          to them.

    Apparently, if you accept one  cookie from a site, all  others are
    also accepted without prompting, regardless of the cookie setting.
    Also, if you have an old  cookie from some site on your  disk, and
    you revisit  that same  site with  the cookie  setting adjusted to
    prompt  for  acceptance,  no  prompt  is  given, and the cookie is
    automatically written to disk anyway (by Mark).

    Frank  Knobbe  also  found  something  and  it  has to do with ftp
    service introduced  by IE5.   Open the  regular Windows  Explorer.
    Enter an FTP  site you can  gain access to  under a username.   By
    default the site will be opened and displayed using the  anonymous
    account.  Now do a right-click on the site (in the left pane)  and
    select 'Login As'.  Enter your user name and password.  Note  that
    the password is masked with ***.  After hitting OK the site  opens
    in IE 5.0 with that user  account and password.  Now hover  over a
    directory (link).   In the  bottom line  it displays  the link  as
    FTP://username:password@server/dir (a little embarrassing to  show
    off your password to unknown persons after you).  Why bother  with
    the *** in the first place?

SOLUTION

    Let's put aside, for  the moment, the idea  of installing IE on  a
    Server (since so many of you feel this is just a Bad Thing(tm)  in
    the first place).  After  the installer had completed you  have to
    reboote the machine, the screen saver will be back.  It thus seems
    that  this  problem  might  be  really  relevant  only  when   the
    installation is aborted, such as  when the installer is unable  to
    connect to the download sites.  No workaround at the time.