The Story Behind a Windows Security Patch Recall
bheer writes "Raymond Chen's blog has always been popular with Win32 developers and those interested in the odd bits of history that contribute to Windows' quirks. In a recent post, he talks about how an error he committed led to the recall of a Windows security patch."
As he points out in his response to the second comment on his blog post, internal testing can't possibly cover every single third party shell extension on the planet. (Nor does he try to use that as an excuse for his screw-up.)
Using HTML in email is like putting sound effects on your phone calls. Just say no.
On the day after Patch Tuesday, January 2006, I got a somewhat frantic call from a client. She's a lawyer, had a filing deadline, but could not save a document in MS Word. That's not all that this patch broke: you couldn't open My Computer or My Documents on the desktop (though you could navigate to them by typing the path in the Start -> Run box), and IE wouldn't let you type just "www.[website].com" in IE's address bar. You had to prepend the "http://".
I verified that "Save" and "Save As..." were not working in Word. Word would just hang and only Task Mangler could shut it down. I carry the Sysinternals utilities on CD and USB key, so I rebooted and ran FILEMON, REGMON, and PROCEXP to see what was happening when I tried to save a doc in Word. Sure enough, Word would spawn verclsid.exe as a child process and then hang.
I googled "verclsid" and "Explorer", got nothing on the web and about a dozen Usenet posts from people having the same problem. I played a hunch and renamed verclsid.exe to verclsid.exX. I do that when I'm manually hunting malware that leaves .exe and .dll files that are named just like Windows system files. Keeps my foot bullet-free.
Problem solved. When the patch for the patch came out, a working verclsid.exe was dropped in %system% and I deleted the .exX.
Oh, and the buggy third party shell extension came with a very common HP DeskJet printer. As for Google, the next day I googled "verclsid": there were hundreds of web results and Usenet hits. The day after, tens of thousands. This one bit a lot of people in the ass.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
This pretty much rendered Windows useless (explorer, file open / save dialogs and the IE7 addressbar were not working) if you had software installed for HP cameras, HP scanners, or any HP DeskJet printer that included a card reader.
Courtesy of JSI FAQ:
You experience one or more of the following strange behaviors:
- You are unable to open special folders, like My Documents or My Pictures.
- Some 3rd party applications hang when accessing My Documents.
- Office files won't open in Microsoft Office if they are stored in My Documents.
- Entering an address into Internet Explorer's address bar does nothing.
- The Send To context menu has no effect.
- The plus (+) sign on a folder in Windows Explorer does nothing.
- Opening a file via an application's File / Open menu causes the application to hang.
This behavior is caused by a new VERCLSID.EXE binary, which validates shell extensions before Explorer.exe, the Windows Shell, can use them. VERCLSID.EXE is installed by the MS06-015 (908531) security update.
The following 3rd party applications cause VERCLSID.EXE to hang:
Hewlett-Packard's Share-to-Web Namespace Daemon ("%ProgramFiles%\hewlett-packard\hp share-to-web\Hpgs2wnd.exe"), auto-started from the Registry Run key and the Startup menu, which ships with:
HP PhotoSmart software
Any HP DeskJet printer that includes a card reader
HP Scanners
Some HP CD-DVD RWs
HP Cameras
Sunbelt Kerio Personal Firewall, which has a feature that prompts when Explorer launches VERCLSID.EXE, but you can configure it not to prompt.
To work around this behavior, add the HP shell extension to the VERCLSID.EXE white list:
1. Open a CMD.EXE window.
2. Type the following command and press Enter:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached" /V "{A4DF5659-0801-4A60-9607-1C48695EFDA9} {000214E6-0000-0000-C000-000000000046} 0x401" /T REG_DWORD /F /D 1
3. Shut down and restart your computer.
NOTE: If you find other COM controls or shell extensions that cause this behavior, you can add them to the white list.
Therefore they choose to make a separate process (that vert something exe) try and load the plugin and run some tests. Questionable heuristics I agree, but given those circumstances, I can't come up with any other way of doing it.
The magic names are used for creating instances of COM objects which as far as I know both KDE and Gnome also use in the form of DCOP and DBUS.
You clearly have no clue how COM CLSIDs work, do you?
There is no "magic naming system". Each plugin implements the shell extension interface and registers its CLSID; when explorer needs to load the plugin for a particular CLSID, it looks it up in the registry, finds the corresponding dll, loads it, and accesses the shell extension's COM interface.
And to think that your post was modded "Insightful" rather than "Arrogantly Ignorant".
-- "I never gave these stories much credence." - HAL 9000
Thanks for your feedback ... The magic filenames are of the form {1768bcfe-9acf-4af5-b857-32eb9c640c4e} and if you name a file that way on the Desktop in Windows, Explorer looks up that UUID and loads the DLL, then QI's it into existence. The "magic" part here is that I can use _any_ DLL and Explorer will still try to QI it into a shell extension, which is obviously grossly unsafe, which is why they had to work around it.
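As an added example (not code from any comment in this thread, from Microsoft, or from HP), the following Python script walks through the lookup the two comments above describe and ties it to the JSI FAQ workaround quoted earlier: it reads a "reg export" text dump, takes each entry under the VERCLSID.EXE white-list key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached, the key the REG ADD workaround writes to), resolves the CLSID in the value name to the InProcServer32 DLL that Explorer would load for it, and reports whether that DLL sits in the Windows directory or somewhere third-party. It also rebuilds the workaround's REG ADD line for any CLSID/IID pair. The registry text is constructed for the example: the first CLSID/IID pair is the HP one from the FAQ, while the second CLSID, both DLL paths and the "Windows directory" prefix list are placeholders and assumptions, not real registrations.

```python
import re

# Constructed sample of a "reg export" text dump (added example, not a real
# machine's registry). The first Cached entry's CLSID/IID pair is the one from
# the MS06-015 workaround quoted in the thread; the second CLSID and both
# InProcServer32 paths are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9} {000214E6-0000-0000-C000-000000000046} 0x401"=dword:00000001
"{11111111-2222-3333-4444-555555555555} {000214E6-0000-0000-C000-000000000046} 0x401"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{A4DF5659-0801-4A60-9607-1C48695EFDA9}\InProcServer32]
@="C:\\Program Files\\Example Vendor\\exampleext.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="%SystemRoot%\\system32\\placeholder.dll"
"""

CACHED_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached"
KEY_RE = re.compile(r"^\[(.+)\]$")
# Either the default value (@=...) or a quoted value name ("name"=...).
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
# Value names under ...\Cached have the shape "{CLSID} {IID} 0xFLAGS".
CACHED_NAME_RE = re.compile(
    r"^(\{[0-9A-Fa-f-]{36}\}) (\{[0-9A-Fa-f-]{36}\}) (0x[0-9A-Fa-f]+)$")
# Path prefixes treated as "part of Windows" in the report (assumption).
WINDOWS_DIR_PREFIXES = ("%systemroot%\\", "c:\\windows\\")


def parse_reg_export(text):
    """Map lowercased key path -> {value name: raw data}; '' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()  # registry key paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else ""
            keys[current][name] = m.group(2)
    return keys


def reg_string(raw):
    """Decode a quoted REG_SZ literal from an export line; None if it is not one."""
    if not (len(raw) >= 2 and raw.startswith('"') and raw.endswith('"')):
        return None
    return re.sub(r"\\(.)", r"\1", raw[1:-1])  # .reg files double backslashes


def audit_cached_extensions(reg_text):
    """Resolve each white-listed CLSID to the in-process DLL Explorer would load."""
    keys = parse_reg_export(reg_text)
    findings = []
    for name in keys.get(CACHED_KEY.lower(), {}):
        m = CACHED_NAME_RE.match(name)
        if not m:
            continue
        clsid, iid, flags = m.group(1), m.group(2), int(m.group(3), 16)
        server_key = ("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32").lower()
        dll = reg_string(keys.get(server_key, {}).get("", ""))
        findings.append({
            "clsid": clsid,
            "iid": iid,
            "flags": flags,
            "dll": dll,  # None when the CLSID has no in-process server registered
            "in_windows_dir": dll is not None and dll.lower().startswith(WINDOWS_DIR_PREFIXES),
        })
    return findings


def workaround_command(clsid, iid, flags):
    """Build the REG ADD line from the workaround for a given CLSID/IID/flags triple."""
    return ('REG ADD "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"'
            f' /V "{clsid} {iid} 0x{flags:X}" /T REG_DWORD /F /D 1')


if __name__ == "__main__":
    for f in audit_cached_extensions(SAMPLE_REG):
        where = "Windows directory" if f["in_windows_dir"] else "third-party location"
        print(f"{f['clsid']} -> {f['dll']} ({where})")
        print("  " + workaround_command(f["clsid"], f["iid"], f["flags"]))
```

On a real machine the input would come from "reg export" of the Cached key and of HKCR\CLSID; note that reg export writes UTF-16 text, so open the files with encoding="utf-16" before passing them to the parser. An entry whose DLL resolves outside the Windows directory is exactly the kind of third-party extension the thread is about, and one whose CLSID has no InProcServer32 at all is a stale white-list entry worth a second look.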