Date: Wed, 09 Jun 1999 15:54:47 -0400
>From: Paul Karger <karger@watson.ibm.com>
Subject: Downloading Y2K fixes to Internet Explorer leads to clock problem

I was attempting to install service pack 2 of Internet Explorer 4.01 in
order to meet corporate Y2K requirements and ran into the following
interesting problem.

To install service pack 2, you first download a small program from
Microsoft.  You run that program, and after asking you some questions, it
then downloads the full service pack 2.  One of the questions was whether
you wanted to install the service pack or just download the files.  I
replied that I just wanted to download the files.  My intention was to virus
check them, before actually performing the install.

However, when it attempted to download the full service pack, the small
downloader complained that my system clock was not set correctly, and that
therefore it could not perform the download.  I checked, and my system clock
was set correctly.  Pushing the help button on the error screen gave
information about setting the clock, followed by a somewhat cryptic comment
about security settings in Internet Explorer.

My already installed version Internet Explorer was set to high security for
all zones, as the dangers of ActiveX, Java, and Javascript are well known.
As an experiment, I lowered the security setting for the Internet zone to
medium, and the download proceeded without error.  Note that ostensibly, I
was only downloading files, not running anything, yet the security
protection level had to be lowered, not to mention the bogus error message.

I then raised the setting back to high, performed the virus check, and then
tried to install the downloaded files.  Again it complained about the clock
setting, and again I had to lower the security setting to medium to permit
the install to proceed.  (This time, I was actually executing code, so I
suppose the lowered setting was appropriate, but it still complained about
the clock, rather than the security setting.)

I suppose that downloading any code (even if not executing it) from the
Microsoft web site could be considered a security risk and therefore not
compatible with "high security".  However, I don't think that was
Microsoft's intention, and surely it should not have been reported as a
clock setting problem.

(Footnote for technical accuracy: In the above description, I said that I
used the high security setting in Internet Explorer.  This was artistic
license on my part.  Actually, I used the custom setting to get an even more
conservative setting than what Microsoft calls "high security".  "High
security" still allows certain kinds of "safe" scripts to run, and I prefer
to disable even "safe" scripts.  However, the bogus error occurred not just
on the custom very high setting, but also on Microsoft's own high security
setting.)

(To be fair to Microsoft, a full viral scan of both the downloaded service
pack and of the system after the service pack was installed revealed no
problems, nor did I seriously expect any.  However, I routinely virus scan
any and all downloaded files, regardless of their source.)

 Paul


[RISKS-FORUM Digest 20.44]