| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Mar 2003 16:39:27 -0700 From: Garry_Stewart@...itasdgc.com To: kenf@...rs.junebug.org, bugtraq@...urityfocus.com Subject: Re: Unknown trust error when downloading ocget.dll I've been battling this for a couple of days now too ... I have one thing to add to what Ken said, and that is ... If you turn on the Prompt for Unsigned ActiveX Controls, then I've found that you get a prompt to install and run http://codecs.microsoft.com/objects/ocget.dll Which clearly is a bug to me ... since it should be installing the activex control and not the ocget.dll. My page is simply trying to install the mscomctl.cab from http://activex.microsoft.com/controls/vb6/mscomctl.cab#version=-1,-1,-1,-1 Another interesting thing I found was Microsoft's KB article Q323207. Their resolution is to remove the two URL's for the ocget.dll from the CodeBaseSearchPath in the registry. I tried that, and decided to add http://codecs.microsoft.com/objects/ocget.dll to it too, and that worked. Hardly a viable solution though, as I'd hate to have modifying the registry as a requirement for using my web page. Comments? Thanks, Garry Stewart. |---------+---------------------------> | | Tim Finnigan | | | | | | 03/14/03 04:23 | | | PM | | | | |---------+---------------------------> >-----------------------------------------------------------------------------------------------------------------| | | | To: Garry Stewart/CGY/LP/VDGC@VES, Donald Wong/CGY/LP/VDGC@VES, Terry Brost/CGY/LP/VDGC@VES, Bill | | Armstrong/CGY/LP/VDGC@VES | | cc: | | Subject: Unknown trust error when downloading ocget.dll | >-----------------------------------------------------------------------------------------------------------------| It's been posted to bugtraq... ----- Forwarded by Tim Finnigan/CGY/LP/VDGC on 03/14/2003 04:22 PM ----- |---------+---------------------------> | | Ken Fischer | | | <kenf@...rs.june| | | bug.org> | | | | | | 03/14/2003 03:45| | | PM | | | Please respond | | | to kenf | | | | |---------+---------------------------> >-----------------------------------------------------------------------------------------------------------------| | | | To: bugtraq@...urityfocus.com | | cc: | | Subject: Unknown trust error when downloading ocget.dll | >-----------------------------------------------------------------------------------------------------------------| Greetings, We have run into a problem this afternoon with the copy of ocget.dll that is located at: http://codecs.microsoft.com/objects/ocget.dll It seems that it is either signed improperly, or not at all. This .dll is loaded automatically by IE when .cab files are downloaded from the server. Usually it is transparent, if the signature is ok. Since that is no longer the case, our users are getting an access denied message due to the security settings on their browser. Since ocget.dll is not really a required download, according to Microsoft ( http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b323207 ) the pages still display correctly. The users are still blaming our programmers for the problem, of course :) Not to mention the possible security implications here. Is anyone else seeing this behavior? ( Verified on: Win2K/IE5.5-SP2, Win2K/IE6.0-SP1 and WinXP/IE6.0 ) Thanks. -- Ken Fischer, CCNA <kenf@...ebug.org> PGP Fingerprint: 9523 54B6 D67B BBFB 53B3 2F3B 7E81 0891 C495 CB50 --
Powered by blists - more mailing lists