EXE from HTML: Critcal patches broke ShellExecute method. What now?

Re: EXE from HTML: Critcal patches broke ShellExecute method. What now?



Josh Mayfield wrote:[color=blue]
>
> Note: There is considerable background detail here, but I do have
> three questions, which are clearly marked and appear right before the
> sample code.[/color]

If you're running IE5.5 or better, try changing the file extension of
your "web" page to .hta (HyperText Application) -- which can be used to
turn IE into an application "shell". HTA's are automatically afforded
security permissions that should allow you to manipulate your system any
way you like (without certs, etc...).

[color=blue]
>
> I have a legitimate need to launch an EXE from an HTML page on Windows
> XP/Internet Explorer. The EXE is already locally installed, and the
> HTML page is also viewed locally on the PC- it's not a web site. I
> know of two ways to do this, both of which are featured in the sample
> HTML file at the bottom of my post.
>
> The first method, using the Shell.Applicati on ActiveX Object, used to
> work until I installed the latest critical Windows XP patches from
> Microsoft. Before these patches were installed, you could click the
> ‘Launch Notepad.exe' button in my sample HTML file and the program
> would start right up. (Note that my Internet security settings are
> always at Medium, my Local intranet security settings are at
> Medium-low, and I've never had to mess with the individual ActiveX
> security settings to get this code to work.)
>
> However, one of the following critical updates has broken the ‘Launch
> Notepad' code. It doesn't matter what my Internet/intranet security
> settings are, or whether I've enabled unsafe ActiveX scripting. My
> list of suspects is: KB842773, KB840315, KB841873, KB839645. (I have
> four computers running Windows XP SP-1 at my desk, and each has the
> same version of Internet Explorer installed-
> 6.0.2800.1106.x psp2.030422-1633. The Launch Notepad code stopped
> working on two of them this week, and still worked on the other two.
> As a test, I ran Windows Update on one of the working systems and
> found that after the patches were applied, my code no longer worked. I
> even restored that machine's pre-patched ghost image and confirmed
> that the code worked again. Next, I ran Windows Update a second time,
> and allowed the aforementioned patches to be installed. Again, it
> broke my code.)
>
> You can confirm whether you have these patches installed on your
> machine a number of ways, but perhaps the easiest is to open your
> Windows folder and look for ‘$NtUninstallKB xxxxxx' folders with names
> matching the patches I listed.
>
> And then there's the second method, used by the ‘Launch Regedit.exe'
> button. While this will actually still launch the EXE file, it's
> undesirable because it always prompts you with a dialog that starts
> out "An ActiveX control on this page might be unsafe…" Note that this
> even happened before the patches, again regardless of the
> Internet/Local intranet security settings.
>
> * QUESTION 1: Is there any way to get ShellExecute to work again once
> the new critical updates are installed?
>
> * QUESTION 2: Failing that, how can I get around the unsafe control
> warning with the Wscript.Shell method, for a local HTML file that's
> trying to launch a local EXE?
>
> * QUESTION 3: Is there any OTHER way for an honest guy like me to
> launch a local EXE from a local HTML file?
>
> Thanks, and here's the sample HTML file:
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> <html>
> <head>
> <script type="text/javascript" language="JavaS cript">
>
> function LaunchNotepad()
> {
> var launcher = new ActiveXObject(" Shell.Applicati on");
> launcher.ShellE xecute("Notepad .exe", "", "", "open", "1");
> }
>
> function LaunchRegedit()
> {
> var launcher = new ActiveXObject(" WScript.Shell") ;
> launcher.Run("R egedit.exe");
> }
>
> </script>
> </head>
> <body>
> <form name="Form1">
> <input name="ButtonNot epad" value="Launch Notepad.exe"
> onclick="Launch Notepad()" type="button"> <br>
> <br>
> <input name="ButtonReg edit" value="Launch Regedit.exe"
> onclick="Launch Regedit()" type="button">
> </form>
> </body>
> </html>[/color]

Re: EXE from HTML: Critcal patches broke ShellExecute method. What now?



Josh Mayfield wrote:[color=blue]
>
> Note: There is considerable background detail here, but I do have
> three questions, which are clearly marked and appear right before the
> sample code.[/color]

If you're running IE5.5 or better, try changing the file extension of
your "web" page to .hta (HyperText Application) -- which can be used to
turn IE into an application "shell". HTA's are automatically afforded
security permissions that should allow you to manipulate your system any
way you like (without certs, etc...).

[color=blue]
>
> I have a legitimate need to launch an EXE from an HTML page on Windows
> XP/Internet Explorer. The EXE is already locally installed, and the
> HTML page is also viewed locally on the PC- it's not a web site. I
> know of two ways to do this, both of which are featured in the sample
> HTML file at the bottom of my post.
>
> The first method, using the Shell.Applicati on ActiveX Object, used to
> work until I installed the latest critical Windows XP patches from
> Microsoft. Before these patches were installed, you could click the
> ‘Launch Notepad.exe' button in my sample HTML file and the program
> would start right up. (Note that my Internet security settings are
> always at Medium, my Local intranet security settings are at
> Medium-low, and I've never had to mess with the individual ActiveX
> security settings to get this code to work.)
>
> However, one of the following critical updates has broken the ‘Launch
> Notepad' code. It doesn't matter what my Internet/intranet security
> settings are, or whether I've enabled unsafe ActiveX scripting. My
> list of suspects is: KB842773, KB840315, KB841873, KB839645. (I have
> four computers running Windows XP SP-1 at my desk, and each has the
> same version of Internet Explorer installed-
> 6.0.2800.1106.x psp2.030422-1633. The Launch Notepad code stopped
> working on two of them this week, and still worked on the other two.
> As a test, I ran Windows Update on one of the working systems and
> found that after the patches were applied, my code no longer worked. I
> even restored that machine's pre-patched ghost image and confirmed
> that the code worked again. Next, I ran Windows Update a second time,
> and allowed the aforementioned patches to be installed. Again, it
> broke my code.)
>
> You can confirm whether you have these patches installed on your
> machine a number of ways, but perhaps the easiest is to open your
> Windows folder and look for ‘$NtUninstallKB xxxxxx' folders with names
> matching the patches I listed.
>
> And then there's the second method, used by the ‘Launch Regedit.exe'
> button. While this will actually still launch the EXE file, it's
> undesirable because it always prompts you with a dialog that starts
> out "An ActiveX control on this page might be unsafe…" Note that this
> even happened before the patches, again regardless of the
> Internet/Local intranet security settings.
>
> * QUESTION 1: Is there any way to get ShellExecute to work again once
> the new critical updates are installed?
>
> * QUESTION 2: Failing that, how can I get around the unsafe control
> warning with the Wscript.Shell method, for a local HTML file that's
> trying to launch a local EXE?
>
> * QUESTION 3: Is there any OTHER way for an honest guy like me to
> launch a local EXE from a local HTML file?
>
> Thanks, and here's the sample HTML file:
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> <html>
> <head>
> <script type="text/javascript" language="JavaS cript">
>
> function LaunchNotepad()
> {
> var launcher = new ActiveXObject(" Shell.Applicati on");
> launcher.ShellE xecute("Notepad .exe", "", "", "open", "1");
> }
>
> function LaunchRegedit()
> {
> var launcher = new ActiveXObject(" WScript.Shell") ;
> launcher.Run("R egedit.exe");
> }
>
> </script>
> </head>
> <body>
> <form name="Form1">
> <input name="ButtonNot epad" value="Launch Notepad.exe"
> onclick="Launch Notepad()" type="button"> <br>
> <br>
> <input name="ButtonReg edit" value="Launch Regedit.exe"
> onclick="Launch Regedit()" type="button">
> </form>
> </body>
> </html>[/color]

Re: EXE from HTML: Critcal patches broke ShellExecute method. What now?



Josh Mayfield wrote:[color=blue]
>
> Note: There is considerable background detail here, but I do have
> three questions, which are clearly marked and appear right before the
> sample code.[/color]

If you're running IE5.5 or better, try changing the file extension of
your "web" page to .hta (HyperText Application) -- which can be used to
turn IE into an application "shell". HTA's are automatically afforded
security permissions that should allow you to manipulate your system any
way you like (without certs, etc...).
[color=blue]
>
> I have a legitimate need to launch an EXE from an HTML page on Windows
> XP/Internet Explorer. The EXE is already locally installed, and the
> HTML page is also viewed locally on the PC- it's not a web site. I
> know of two ways to do this, both of which are featured in the sample
> HTML file at the bottom of my post.
>
> The first method, using the Shell.Applicati on ActiveX Object, used to
> work until I installed the latest critical Windows XP patches from
> Microsoft. Before these patches were installed, you could click the
> ‘Launch Notepad.exe' button in my sample HTML file and the program
> would start right up. (Note that my Internet security settings are
> always at Medium, my Local intranet security settings are at
> Medium-low, and I've never had to mess with the individual ActiveX
> security settings to get this code to work.)
>
> However, one of the following critical updates has broken the ‘Launch
> Notepad' code. It doesn't matter what my Internet/intranet security
> settings are, or whether I've enabled unsafe ActiveX scripting. My
> list of suspects is: KB842773, KB840315, KB841873, KB839645. (I have
> four computers running Windows XP SP-1 at my desk, and each has the
> same version of Internet Explorer installed-
> 6.0.2800.1106.x psp2.030422-1633. The Launch Notepad code stopped
> working on two of them this week, and still worked on the other two.
> As a test, I ran Windows Update on one of the working systems and
> found that after the patches were applied, my code no longer worked. I
> even restored that machine's pre-patched ghost image and confirmed
> that the code worked again. Next, I ran Windows Update a second time,
> and allowed the aforementioned patches to be installed. Again, it
> broke my code.)
>
> You can confirm whether you have these patches installed on your
> machine a number of ways, but perhaps the easiest is to open your
> Windows folder and look for ‘$NtUninstallKB xxxxxx' folders with names
> matching the patches I listed.
>
> And then there's the second method, used by the ‘Launch Regedit.exe'
> button. While this will actually still launch the EXE file, it's
> undesirable because it always prompts you with a dialog that starts
> out "An ActiveX control on this page might be unsafe…" Note that this
> even happened before the patches, again regardless of the
> Internet/Local intranet security settings.
>
> * QUESTION 1: Is there any way to get ShellExecute to work again once
> the new critical updates are installed?
>
> * QUESTION 2: Failing that, how can I get around the unsafe control
> warning with the Wscript.Shell method, for a local HTML file that's
> trying to launch a local EXE?
>
> * QUESTION 3: Is there any OTHER way for an honest guy like me to
> launch a local EXE from a local HTML file?
>
> Thanks, and here's the sample HTML file:
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> <html>
> <head>
> <script type="text/javascript" language="JavaS cript">
>
> function LaunchNotepad()
> {
> var launcher = new ActiveXObject(" Shell.Applicati on");
> launcher.ShellE xecute("Notepad .exe", "", "", "open", "1");
> }
>
> function LaunchRegedit()
> {
> var launcher = new ActiveXObject(" WScript.Shell") ;
> launcher.Run("R egedit.exe");
> }
>
> </script>
> </head>
> <body>
> <form name="Form1">
> <input name="ButtonNot epad" value="Launch Notepad.exe"
> onclick="Launch Notepad()" type="button"> <br>
> <br>
> <input name="ButtonReg edit" value="Launch Regedit.exe"
> onclick="Launch Regedit()" type="button">
> </form>
> </body>
> </html>[/color]

Re: EXE from HTML: Critcal patches broke ShellExecute method. What now?

Josh Mayfield wrote:
[color=blue]
> The first method, using the Shell.Applicati on ActiveX Object, used to
> work until I installed the latest critical Windows XP patches from
> Microsoft. Before these patches were installed, you could click the
> ‘Launch Notepad.exe' button in my sample HTML file and the program
> would start right up. (Note that my Internet security settings are
> always at Medium, my Local intranet security settings are at
> Medium-low, and I've never had to mess with the individual ActiveX
> security settings to get this code to work.)[/color]

Your code will work, if loaded in IE from a page located on either your
own hard drive, or a network resource (such as a network drive). Both of
these are considered the Local Computer zone and allow the code to work
properly. It will/should never automatically launch an executable if the
page is located on an HTTP/HTTPS server (assuming default security
settings).
[color=blue]
> * QUESTION 1: Is there any way to get ShellExecute to work again once
> the new critical updates are installed?[/color]

No, that's obviously the point of the patch(es).
[color=blue]
> * QUESTION 2: Failing that, how can I get around the unsafe control
> warning with the Wscript.Shell method, for a local HTML file that's
> trying to launch a local EXE?[/color]

You can't without changing your default security settings, or adding the
site you are loading the page from to your list of Trusted Sites.
[color=blue]
> * QUESTION 3: Is there any OTHER way for an honest guy like me to
> launch a local EXE from a local HTML file?[/color]

No. If there were a way for an "honest guy like you" to run a local EXE
unprompted, then there would be a way for a malicious person to run a
local EXE unprompted. Not being able to do what you want to do is a GOOD
thing.

--
Grant Wagner <gwagner@agrico reunited.com>
comp.lang.javas cript FAQ - http://jibbering.com/faq

Re: EXE from HTML: Critcal patches broke ShellExecute method. What now?

mayfalias-usenet@yahoo.co m (Josh Mayfield) wrote in message news:<92c81487. 0407221458.2039 222c@posting.go ogle.com>...
[color=blue]
> * QUESTION 1: Is there any way to get ShellExecute to work again once
> the new critical updates are installed?[/color]

Thanks to Fox for the tip about changing the file extension to .HTA.
This indeed worked (for both of my launching methods). Unfortunately,
I was unable to use it because my HTM files are hosted by a shell EXE
that was developed by another team and is hardcoded to load a specific
HTM file (which is the one I needed to change).

Additional thanks to Joker, for explaining that the patches affected a
different security zone from the ones I was messing with. I have
looked into this and found that it is called the "My Computer Zone"
and it's the only one that's not configurable in the Internet Options
UI. (Which completely baffles me.)

I located the My Computer Zone's registry key, which is:

[HKEY_CURRENT_US ER\Software\Mic rosoft\Windows\ CurrentVersion\ Internet
Settings\Zones\ 0]

And was able to tweak the settings there. Now both of my launching
methods work without popping up any annoying warnings, and without
requiring a filename change.

Re: EXE from HTML: Critcal patches broke ShellExecute method. Whatnow?

It's not a zone on the Internet is why it's not in Internet Properties.

Only Web based zones go there because that's what Internet Explorer was
designed for. It just happens to also work in the "My Computer" zone as
well.

Josh Mayfield wrote:
[color=blue]
> mayfalias-usenet@yahoo.co m (Josh Mayfield) wrote in message news:<92c81487. 0407221458.2039 222c@posting.go ogle.com>...
>
>[color=green]
>>* QUESTION 1: Is there any way to get ShellExecute to work again once
>>the new critical updates are installed?[/color]
>
>
> Thanks to Fox for the tip about changing the file extension to .HTA.
> This indeed worked (for both of my launching methods). Unfortunately,
> I was unable to use it because my HTM files are hosted by a shell EXE
> that was developed by another team and is hardcoded to load a specific
> HTM file (which is the one I needed to change).
>
> Additional thanks to Joker, for explaining that the patches affected a
> different security zone from the ones I was messing with. I have
> looked into this and found that it is called the "My Computer Zone"
> and it's the only one that's not configurable in the Internet Options
> UI. (Which completely baffles me.)
>
> I located the My Computer Zone's registry key, which is:
>
> [HKEY_CURRENT_US ER\Software\Mic rosoft\Windows\ CurrentVersion\ Internet
> Settings\Zones\ 0]
>
> And was able to tweak the settings there. Now both of my launching
> methods work without popping up any annoying warnings, and without
> requiring a filename change.[/color]

Re: EXE from HTML: Critcal patches broke ShellExecute method. What now?

Thanks to all for getting this started. YES - there are reasons t
execute an EXE from an HTML page that have nothing to do wit
vandalizing someones computer.

While it is obvious that en EXE should not be launched by the browse
without confirmation - it is just as sensible to provide for an "Alway
allow THIS file to run" option. The lack of options like that were th
root cause for the I LOVE YOU virus's vigor.

I will explain that: The ILY bug LOOKED like a TXT file - clicking o
it launched a window that end-users had been seeing for over a year o
TXT files, stupidly warning them that a harmless file might be harmful
The inability to stop the warnings led to the lack of attention on th
end-users part that fuled the spread of the virus.

I am careful and diligent - I am not ignorant about my computer'
weaknesses. A few weeks ago I clicked on continue on a file that I wa
99% positive was malware. WHy? Because I am so friggin programmed t
click that damn OK button when I dl things.

I SHOULD have the right to specify which locations are NEVER to b
questioned. Yep, some dummy is going to enable the ip range betwee
1.0.0.1 and 254.255.255.254 but that's HIS problem.

There's a MILLION legitimate reasons to want to launch an exe withou
having to get additional security warnings.

Here's another promissing approach:



The HTA thing works <sort of> for me - but I am trying to make a custo
interface using DHTML menu builder and I am not sure how to pluc the J
codes you posted into my pull-down HTML page
-
thestra

Re: EXE from HTML: Critcal patches broke ShellExecute method. Whatnow?

thestrae wrote:
[color=blue]
> Thanks to all for getting this started. YES - there are reasons to
> execute an EXE from an HTML page that have nothing to do with
> vandalizing someones computer.
>
> [snip "I Love You" misunderstandin g]
>
> There's a MILLION legitimate reasons to want to launch an exe without
> having to get additional security warnings.
>[/color]
So tell me one - you STILL have not done. As far as I can see there are
none at all - EVER.

Re: EXE from HTML: Critcal patches broke ShellExecute method. Whatnow?

thestrae wrote:
[color=blue]
> Thanks to all for getting this started. YES - there are reasons to
> execute an EXE from an HTML page that have nothing to do with
> vandalizing someones computer.[/color]

Yes but how is the user to tell that he can/should trust you? And how is
the user to tell that you are you?
[color=blue]
> While it is obvious that en EXE should not be launched by the browser
> without confirmation[/color]

No, it's called security!
[color=blue]
> - it is just as sensible to provide for an "Always allow THIS file to
> run" option.[/color]

And how is the user to know/trust "this file"? And why wouldn't a hacker
attack exactly that privilege and pretend to be "this file" or "this
site"? And what if the hacker hacks the site and places his favorite
virus in "this file"?
[color=blue]
> The lack of options like that were the root cause for the I LOVE YOU
> virus's vigor.[/color]

Ignorance! True ignorance! The "I Love You" virus came in email, not the
web, as an attachment that users opened up and where *not* given an
confirmation such as "Are you sure you want to run this?".
[color=blue]
> I will explain that: The ILY bug LOOKED like a TXT file - clicking on
> it launched a window that end-users had been seeing for over a year on
> TXT files, stupidly warning them that a harmless file might be harmful.[/color]

Clicking on txt files simply displays them. If it "looked" like a txt
file then it shouldn't have launched any window. If it looked like a txt
file and launched a window then that's a real good sign that it is not a
txt file and the warning should be heeded.
[color=blue]
> The inability to stop the warnings led to the lack of attention on the
> end-users part that fuled the spread of the virus.[/color]

Huh? You're attempting to say that warning the user of a possible virus
invocation causes the virus to spread!?! Amazing! So you're solution is
to not warn the user so that what? The virus can spread faster?!?
[color=blue]
> I am careful and diligent - I am not ignorant about my computer's
> weaknesses.[/color]

The computer's weakness is often it's owner.
[color=blue]
> A few weeks ago I clicked on continue on a file that I was 99%
> positive was malware. WHy? Because I am so friggin programmed to click
> that damn OK button when I dl things.[/color]

Bingo! Perhaps it's the MS mentality of "attach everything and have
everything attached run a separate program requiring the user to double
click just about everything in the normal course of doing their work"
that may make you programmed but it doesn't make me programmed. Oh yeah
I get the email messages that simply say see the attached Word/Excel/etc
document that contains content that could just as easily simply be
expressed in the email message itself. When I encounter such things I do
stop and think. Of course now I'm in the situation where I must open the
attachment but I've already thought about it and decided, based on the
sender (is it somebody I know, say from work, where I should open this
attachment), to open the attachment and read it. After reading it, if it
is one of those things that could have been as easily simply put in the
email message I respond and tell them "Hey why the doc file? Why not
simply write it directly into the email?" - but I guess I'm just like that.
[color=blue]
> I SHOULD have the right to specify which locations are NEVER to be
> questioned.[/color]

I believe in many instances, and with MS insecure applications, you can.
You may need to configure it. But please allow security to be the rule
since there are so many people like you who ruin it for everybody else.
[color=blue]
> Yep, some dummy is going to enable the ip range between 1.0.0.1 and
> 254.255.255.254 but that's HIS problem.[/color]

No, it becomes *our* problem as they open attachments and click on exe's
on web sites, run the contain virii which then takes over their computer
and spreads the virii to *other* computers such as ours!
[color=blue]
> There's a MILLION legitimate reasons to want to launch an exe without
> having to get additional security warnings.[/color]

The additional security warning is but a second or two of the end user's
time. Compare that with the millions of illegitimate reasons that
hackers and other such crooks have to launch an exe without security and
you should be able to see that the trade off is minimal.
[color=blue]
> Here's another promissing approach:
>
> http://www.whirlywiryweb.com/q/launchinie.asp[/color]

Yet another IE only Active/X insecure control! Geeze, guess they never
learn...
[color=blue]
> The HTA thing works <sort of> for me - but I am trying to make a
> custom interface using DHTML menu builder and I am not sure how to
> pluc the JS codes you posted into my pull-down HTML pages[/color]


--
I said "NO" to drugs, but they didn't listen.