New IE6-SP1 vulnerability

[Guest wsxedcrfv]

Was the Win-2K patch for KB978207 supposed to implement or activate DEP on that OS? Did it?

No, Windows 2000 never had those functions implemented, and is not DEP aware. And this mere Internet Explorer patch (which installs only web browser files) cannot do that.

I was asking because according to Galahs post (post 19 in this thread), he quoted the following which I believe was written by Microsoft:

---------

We have also created an application compatibility database that will enable Data Execution Prevention (DEP) for all versions of Internet Explorer. You do not need this database if you are using Internet Explorer 8 on Windows XP Service Pack 3 (SP3) or on Windows Vista SP1 or later versions. This is because Internet Explorer 8 opts-in to DEP by default on these platforms.

---------

It was Galah's post that started the discussion about DEP and PAE on win-2k.

That's why I'm wondering if it was really Microsoft's intention to release a 2K patch for IE6 that enables DEP, as mentioned in the above quote. Now that we actually have the patch in question -> does it give DEP capability to Win-2K?

If not, then where did all this talk about DEP and this IE6 patch come from?

[submix8c]

In (e.g.) XP:

System Properties - Performance Options (button)

Visual Effects/Advanced/Data Execution Prevention (tabs)

Data Execution Prevention (DEP) helps protect against damage from viruses and other security threats.

How does it work?

* Turn on DEP for essential Windows programs and services only

* Turn on DEP for all programs and services except those I select:

(a list box to select/deselect is here, one being Internet Explorer)

Your computer's processor does not support hardware-based DEP. However, Windows can use DEP software to help prevent some types of attacks.

Does this help understanding just a little?

Basically, the phrasing you are reading is muddling the issue. No relevance to any other operating systems except those stated. In your case, N/A...

Edited January 30, 2010 by submix8c

[Guest wsxedcrfv]

A google search for this phrase (without the quotes):

"We have also created an application compatibility database that will enable Data Execution Prevention"

Comes back with this as the third hit: http://support.microsoft.com/kb/979352

Google provides a little bit of the content of that hit, but does not provide a cached link:

------------

14 Jan 2010 ... We have also created an application compatibility database that will enable Data Execution Prevention (DEP) for all versions of Internet ...

-----------

When you look at that page today (even the html source) you won't find that statement on that page.

That statement is also reproduced here:

http://djtechnocrat.blogspot.com/2010/01/o...ing-dep-in.html

"We have also created an application compatibility database that will enable Data Execution Prevention (DEP) for all versions of Internet Explorer."

So perhaps Microsoft did indeed create an application compatibility database that would enable DEP for *all* versions of IE (presumably even for the still supported IE6 sp1 as run on win-2k) but has decided to withdraw that statement from it's KB article and to not offer this as a patch solution for win-2K.

But remember that DEP is possible on certain versions of Win-2k (such as advanced server and data-center server). So it's not like it couldn't be done for desktop versions of 2k.

[MDGx]

I was asking because according to Galahs post (post 19 in this thread), he quoted the following which I believe was written by Microsoft:

---------

We have also created an application compatibility database that will enable Data Execution Prevention (DEP) for all versions of Internet Explorer. You do not need this database if you are using Internet Explorer 8 on Windows XP Service Pack 3 (SP3) or on Windows Vista SP1 or later versions. This is because Internet Explorer 8 opts-in to DEP by default on these platforms.

---------

It was Galah's post that started the discussion about DEP and PAE on win-2k.

That's why I'm wondering if it was really Microsoft's intention to release a 2K patch for IE6 that enables DEP, as mentioned in the above quote. Now that we actually have the patch in question -> does it give DEP capability to Win-2K?

If not, then where did all this talk about DEP and this IE6 patch come from?

Oh, I didn't know about the app comp patch for IE.

Tx for bringing it up to my attention.

But I've dug up a lil, and found this MSKB article:

http://support.microsoft.com/kb/875352

which mentions the Application Compatibility Toolkit, which allows users to opt-out [disable] DEP in their apps, implicitly IE. But this MSKB article refers only to XP SP2 + 2003 SP1. No mention about Win2000 or which editions of IE that applies to.

Alrighty then... that lead me to the MS ACT main page:

http://technet.microsoft.com/en-us/windows/aa905066.aspx

And it gets even stranger... Google cache still has Galah's quoted statement [from above] at this MSKB page:

http://support.microsoft.com/kb/979352

but when you access the updated version of that page, the ACT statement is gone. ;( Looks like they've initially posted that in error [?], and later removed it. [!]

The Security Bulletin that MSKB refers to:

http://www.microsoft.com/technet/security/...n/MS10-002.mspx

lists all IE patches we're talking about, but has no mention about ACT or DEP.

I've tried archive.org [Way Back Machine = Internet Archive] for a cached version of the old MSKB article, but they don't have it, it is probably too new to be cached by their spiders [i believe their spider scripts cache new a web page ~ 6 months after it has been released].

Then I found this MS TechNet blog:

http://blogs.technet.com/srd/archive/2009/...ogy-part-1.aspx

which mentions the ACT programming settings that relate to DEP, but it says those apply only to Windows XP SP2 and Windows Server 2003 SP1 (and newer).

I haven't found anything about Windows 2000 or older IE editions.

This is ACT 5.5 main page [English]:

http://www.microsoft.com/downloads/details...;displaylang=en

No mention there either.

I've had an ACT topic for a long time actually [some of those links may be outdated thou] at my site:

http://www.mdgx.com/xptoy.htm#ACT

because older editions of ACT 4.x helped me play some old DOS games in XP SP1 and XP RTM.

But as far as I can recall I don't remember seeing anything about Win2000, older IE editions and DEP.

True, ACT 5.5 is compatible (and works great) with Win2000 SP4 (not any other older SP), but there is no mention about DEP.

So I'm thinking that quote Galahs found, was probably a temporary MS fluke, some web site designer posted that statement either not knowing the actual specs of the new IE patch/ACT database [only XP and newer files are patched to include DEP functions], or maybe they tried to implement those DEP functions into the IE patch files [which to me sounds like science fiction, because as I said before, DEP API functions require a rewritten kernel32, which was never available to Win2000], without realizing they have to patch the Win2K core files too, and then they remembered Win2000 is already in extended support phase [duh!], which means no core/system patches, only critical security patches.

Although [thank you wsxedcrfv] it seems that Win2000 Advanced Server + Data Center Server support DEP in the core. But I have no knowledge of these OSes. Are they 64-bit perhaps, or they have 64-bit extensions/partial support?

But I'm sure some1 with access to all these OSes, and a lil knowledge can compile an installer with updated core files with DEP support for "normal"/end-user editions of Win2000.

Pls post here if you [or some1 else] uncover something I may have missed.

HTH