IE Critical Security Update Q828750 kills menus?

Having problems with DHTML Menu? There is usually somebody here who knows the answer.
Post Reply
clmensch
Beginner
Beginner
Posts: 5
Joined: Wed Feb 25, 2004 5:27 pm

IE Critical Security Update Q828750 kills menus?

Post by clmensch »

One of our users has been complaining that he is not seeing any menus in IE6 since his company installed the IE Security Update Q828750 (http://www.microsoft.com/windows/ie/dow ... efault.asp). Is this a known issue? He said his company tech support told him that our site uses a DHTML security hole! We could not find any information on this topic in the forum, and can not replicate the problem ourselves...we applied the update and the menus still work fine. The only mention of DHTML in the security bulletin (http://www.microsoft.com/technet/treevi ... 03-040.asp) is this:
In addition, a change has been made to the method by which Internet Explorer handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer Restricted Zone. It could be possible for an attacker exploiting a separate vulnerability (such as one of the two vulnerabilities discussed above) to cause Internet Explorer to run script code in the security context of the Internet Zone.
Just to be sure, I attempted to update Milonic to the current version (5.04). I copied/overwrote all of the .js files in our test server's "/js/menu" directory except for "menu_data.js" with the .js files in the 5.04 update .zip file, but now receive the following error when accessing the site:

Code: Select all

Error: _drawMenu is not defined
Source File: http://192.168.1.112/js/menu/milonic_src.js
Line: 16
Could I possibly be missing some information in our custom menu_data.js file? It is not clear what, if any, changes need to be made to our implementation of the Milonic objects to bring them up-to-date. We were using version 5.0 up until this point. Thoughts?
Top
User avatar
Maz
Milonic God
Milonic God
Posts: 1717
Joined: Fri Jun 06, 2003 11:39 pm
Location: San Francisco
Contact:
Contact Maz

Post by Maz »

Sounds like you have it correct, a url would be helpful to see if there is something wrong on menu-data.

This reminds me of jolly old England, when they put a tax on windoze no one got any light, in this case they may as well block off the internet then they wouldn't have to worry about security holes, so this is the answer to Bill Gates doing something about security :}

maz
Top
User avatar
Andy
Milonic
Milonic
Posts: 3308
Joined: Sun May 19, 2002 8:23 pm
Location: Menu Developer
Contact:
Contact Andy

Post by Andy »

Hi clmensch,

I can assure you that the menu isn't being blocked by the "October 2003, Cumulative Patch for Internet Explorer (828750)"

We run the very latest versions of ALL Microsoft software here and this WILL include the above patch. We see no problems with the menu and this is the first time this problem has been brought to my attention.

As the patch was released in October 2003 and due to the very high number of menu users, we would have heard something long ago if the patch did have an effect.

With regard to the menu not working on your local machine, http://192.168.1.112 - My guess is that the file locations are not being declared properly in the <SCRIPT> tags.

Hope this helps
Andy
Top
clmensch
Beginner
Beginner
Posts: 5
Joined: Wed Feb 25, 2004 5:27 pm

File locations didn't change

Post by clmensch »

Thanks...I had a feeling that the security update was not the issue.

I double checked the file locations in the script, and they seem to be OK. I did not alter any of the script tags when updating...I simply overwrite the old .js files with the new .js files...except for our custom menu_data.js. But the error is occurring in milonic_src.js. I'll continue playing with it...
Top
User avatar
kevin3442
Milonic God
Milonic God
Posts: 2460
Joined: Sat Sep 07, 2002 12:09 am
Location: Lincoln, NE
Contact:
Contact kevin3442

Re: File locations didn't change

Post by kevin3442 »

clmensch wrote:...But the error is occurring in milonic_src.js. I'll continue playing with it...
js error messages are often not very helpful, particularly from IE. The error message shows that the error takes place while something is being processed in milonic_src.js, but that doesn't mean that that there is an error in that particular code, at that particular location. In other words, the message results from a problem further up stream in the processing.

I'd suggest this: download another update, just to make sure something didn't get changed during the download. Upload milonic_src.js, mmenudom.js, and mmenuns4.js again, replacing the current ones one your site. Make sure the upload is in plain text. Trying this again will at least go some measure toward eliminating the possibiliy that there was a problem that changed a file during the download or the upload.

Kevin
Top
clmensch
Beginner
Beginner
Posts: 5
Joined: Wed Feb 25, 2004 5:27 pm

fixed?

Post by clmensch »

Well, I downloaded the 5.03 update, and replaced our current version with it, and we still got the same error. I tried copying it over AGAIN, just for kicks, and the error disappeared! Then I tried copying over the files with the 5.04 source, and the error was gone in that version as well! Odd. I swear we did not touch the code one bit...just copied files. Well, whatever works. We wrote to our user who was having issues, so now we'll just wait to hear if the update solves his problem.

By the way, I found the error in milonic_src.js by using Mozilla's (far superior) javascript debugging console. The IE error was ambigous ("Object Expected", line 17 in the source html file, not the js file), which is no surprise.

Thanks again for your help...
Top
User avatar
Maz
Milonic God
Milonic God
Posts: 1717
Joined: Fri Jun 06, 2003 11:39 pm
Location: San Francisco
Contact:
Contact Maz

Post by Maz »

That is usually a path error, make sure you have a slash before the path
/menu/milonic_src.js

maz
Top
Post Reply

Return to “Help & Support for DHTML Menu Version 5+”