
msie.5.0.setup.wizard.txt

Posted Aug 17, 1999

The Microsoft Internet Explorer 5.0 installer (Setup Wizard) disables password protected screen savers and the Task Scheduler Service, effectively disabling whatever security you thought the screen saver afforded you, rendering your PC or workstation completely vulnerable to console-based (local-physical) compromises by anybody.

tags | exploit, local
SHA-256 | e2d60ffae603c41a937eb8a04d0b62126d769e044a5ad85789e64d689e5e0e20

Tue, 23 Mar 1999 11:41:24 +0200 
Thor Kottelin <tkottelin@TERRANOVA.FI>
Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Thor Kottelin <tkottelin@TERRANOVA.FI>
MSIE 5 installer disables screen saver


After running the MSIE 5 installation wizard ie5setup.exe on two separate
NT 4.0 SP4 machines - one Workstation, one Server - my screen saver (Logon
Screen Saver, password protected) no longer kicks in. The screen saver tab
in the Display control panel states "None". I have gone through the motions
twice, thus reproducing the problem on both systems. The screen saver selection
seems to disappear when starting to download files, and on one occasion it
has reappeared after I cancelled the download immediately after starting it.

This seems like a serious problem which could leave sensitive systems open
to console abuse.

Thor

-- tkottelin@terranova.fi

--------------------------------------------------------------------------

Tue, 23 Mar 1999 12:02:19 +0200
Thor Kottelin <tkottelin@TERRANOVA.FI>
Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Thor Kottelin <tkottelin@TERRANOVA.FI>
Re: MSIE 5 installer disables screen saver


Thor Kottelin wrote:
>
> After running the MSIE 5 installation wizard ie5setup.exe on two
> separate NT 4.0 SP4 machines - one Workstation, one Server - my screen
> saver (Logon Screen Saver, password protected) no longer kicks in.

I finally managed to finalize the installation on one of the machines, the
Workstation. Before beginning the actual installation, I made sure the
screen saver was enabled. After starting the installer, i.e. while it was
running, the screen saver was again disabled. After the installer had
completed and I had rebooted the machine, the screen saver was back
though. It thus seems that this problem might be really relevant only
when the installation is aborted, such as when the installer is unable
to connect to the download sites.

Thor

-- tkottelin@terranova.fi

--------------------------------------------------------------------------

Date: Tue, 23 Mar 1999 11:27:21 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: MSIE 5 installer disables screen saver

I just wanted to confirm Thor's observations. I have seen precisely the
same behavior on my SP4 and SP5 machines. The screen saver (it doesn't
matter which one you use) is disabled by the IE Setup Wizard as soon as
you select which download server you are going to use. It stays disabled
until the download completes, or, is canceled or aborted. Like Thor, I
was attempting to download the files, not do an interactive installation
(I don't know if that accounts for the one report I received saying it
didn't happen on their SP4 box).

Dare I say that this is yet another example of a lack of thought by MS
when it comes to IE and Servers? The list continues to grow. This gets
added to;

- inability to install IE without VDOLive and Microsoft Music Control on
a mission critical server.
- inability to avoid rebooting to upgrade IE with an SP.
- inability to avoid installing OE.
- inability to simply upgrade the components already installed on a
machine (like the NT SPs work).

Sure, IEAK can solve some of these problems, but the basic installation
of IE itself should have these options included, IMNSHO.

Cheers,
Russ - NTBugtraq moderator

--------------------------------------------------------------------------

Date: Tue, 23 Mar 1999 12:55:29 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: MSIE 5 installer disables screen saver

Correction, "IE 5.0 Setup Wizard also disables/pauses the Task Manager
(if present)" should have read;

"IE 5.0 Setup Wizard also disables/pauses the Task Scheduler Service (if
present)"

Apologies for any confusion.

Cheers,
Russ - NTBugtraq moderator

-----Original Message-----
From: Russ [mailto:Russ.Cooper@RC.ON.CA]
Sent: Tuesday, March 23, 1999 12:35 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: MSIE 5 installer disables screen saver


<tirade>
I'm going to editorialize here for a moment, but I think this issue
needs some emphasis.

Dimitry Andric <dim@xs4all.nl> reported that, in addition to the screen
saver being disabled, IE 5.0 Setup Wizard also disables/pauses the Task
Manager (if present).

Now this is some serious stuff here. There's nothing in the IE 5.0 Setup
Wizard panels or help that indicates any of this is going to happen.
<http://www.microsoft.com/windows/ie/download/instruct.htm> makes no
mention of it either.

Let's put aside, for the moment, the idea of installing IE on a Server
(since so many of you feel this is just a Bad Thing(tm) in the first
place).

Instead, let's focus on the idea that a password protected screen saver
may be part of a corporate security policy. The fact that a program, any
program, would disable this for any reason, or any duration, without
forewarning the user makes me think of a criminal act. MS is obviously
doing this to ensure the fastest download possible, and that's a
laudable goal, but not without informing the user that it's going to
happen.

Couple that with the disabling/pausing of the Task Manager, thereby
causing scheduled jobs to be skipped (and who knows how critical those
jobs might be), and you might come to the same conclusion as me. Namely,
this isn't a benefit for the end user, it's a benefit for Connexion or MS
or whomever is trying to provide the download.

MS rides shotgun over the user's system, arbitrarily changing settings
and disabling functions without informing the user. Now if I were doing
an interactive installation, I might understand why some things need to
be disabled in order for the installation to complete successfully (like
it is with the installation of many services). But when all I'm trying
to do is download the components for an installation later at a more
appropriate time, why would I think anything would be stopped on my
machine?

As Microsoft, and other vendors, move further towards on-line
distribution of software components...this problem, if not rectified,
will only become worse.

- If anything is going to alter my security policy, I should be asked
first to confirm it should do so.

- If anything is going to disable/pause a service, I should be asked
first to confirm it should do so.

Anything less is tantamount to a malicious act being performed on my
machine, no different than a DoS invoked remotely by a malicious hacker.
Strong words, I realize, but if their interest in getting me off of
their download site as fast as possible overrides my interest in the
operation of my system, you can bet my words are going to be strong!

They can talk all they want about the support issues surrounding the
downloading of software, none of that gives them the right to alter my
system's operational parameters without asking me first, especially when
all I want to do is download files.

All they had to do was put up a big warning box that explained precisely
what they were going to do to my system to effect a faster, more
efficient, download. The fact they didn't is a big problem!

Cheers,
Russ - NTBugtraq moderator
</tirade>
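
A way to check for the behaviour reported in this thread on a current Windows system, as an added example that is not part of the original posts: it records the screen saver values under `HKCU:\Control Panel\Desktop` and the state of the Task Scheduler service (`Schedule`), runs an installer, and reports any change seen while it runs and after it exits. The function names, the `-InstallerPath` and `-PollSeconds` parameters and the polling approach are assumptions of this example; the thread does not say how the IE 5.0 Setup Wizard makes the change.

```powershell
# Added example (not from the thread). Assumed names: -InstallerPath, -PollSeconds,
# Get-LockPostureSnapshot, Compare-LockPosture.
param(
    [Parameter(Mandatory)][string]$InstallerPath,
    [int]$PollSeconds = 5
)

function Get-LockPostureSnapshot {
    # Per-user screen saver values plus the Task Scheduler service state.
    $desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
    $svc  = Get-Service -Name 'Schedule' -ErrorAction SilentlyContinue
    [ordered]@{
        ScreenSaver         = $desk.'SCRNSAVE.EXE'      # missing value = "(None)" selected
        ScreenSaveActive    = $desk.ScreenSaveActive    # '1' = enabled
        ScreenSaverIsSecure = $desk.ScreenSaverIsSecure # '1' = password on resume
        ScreenSaveTimeOut   = $desk.ScreenSaveTimeOut   # seconds
        TaskScheduler       = if ($svc) { "$($svc.Status)" } else { 'absent' }
    }
}

function Compare-LockPosture {
    param($Before, $After)
    foreach ($key in $Before.Keys) {
        if ("$($Before[$key])" -ne "$($After[$key])") {
            [pscustomobject]@{ Setting = $key; Before = $Before[$key]; After = $After[$key] }
        }
    }
}

$baseline = Get-LockPostureSnapshot
$reported = @{}
$proc = Start-Process -FilePath $InstallerPath -PassThru

# Poll while the installer runs: the thread reports the change appearing mid-download.
while (-not $proc.HasExited) {
    Start-Sleep -Seconds $PollSeconds
    foreach ($d in Compare-LockPosture $baseline (Get-LockPostureSnapshot)) {
        $id = "$($d.Setting)=$($d.After)"
        if (-not $reported.ContainsKey($id)) {
            $reported[$id] = $true
            Write-Warning "During install: $($d.Setting) '$($d.Before)' -> '$($d.After)'"
        }
    }
}

# Final check covers the aborted or cancelled case, where a change may persist.
$left = @(Compare-LockPosture $baseline (Get-LockPostureSnapshot))
if ($left.Count) { $left | Format-Table -AutoSize } else { 'No lasting change to lock settings.' }
```

Screen saver settings enforced through Group Policy are stored elsewhere and are not read by this script; an installer that hands off to a child process and exits early will also end the polling loop before the work is done.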
