Outlook exploit fix opens old hole?

[bda20 () CAM AC UK (Ben)]

Everyone clear that most people and their pet iguana who own Windows98 (and
possibly Windows 2000, I haven't used it) are going to want to visit
http://windowsupdate.microsoft.com/?  Even the most simple-minded Windows user
is going to want make sure they're as up to date as Microsoft want them to be
with respect to security patches and new versions of Microsoft applications,
right?

Now.  If you're running IE5.0, as many people were a few months ago, you heard
about Windows Scripting Host and decided that you didn't need it installed.  So
you uninstalled it, thus closing a hole.  Now this _new_ hole has come up and
you've been told to install IE5.01SP1 with all new spangly bits.  Your iguana
fires up http://windowsupdate.microsoft.com/ and you download the installer for
the Service Pack.  As an iguana of Very Little Brain, it choses the default
install path and sits back as the funky magic happens.  When you reboot (iguana
can't reach the power switch) you don't notice that WSH has been reinstalled.

Hole now back.

If you ran the custom install routine and didn't select WSH then you're O.K...

Until you try to return to http://windowsupdate.microsoft.com/

It seems WSH needs to be installed for IE5.01 to access the site.  Don't
install it and there's no way to see the site.

On the up side, it seems that if you do use the ActiveX thingy to install WSH
at that time (accessing the site) and then use 'Add/Remove Programs' to remove
it afterwards, the site continues to work.

I've tried this on two machines now.  As far as I can tell it'll be the same
for any machines you may have.  I've done some odd things with mine though so
your milege may vary.

Good luck,

Ben

--
Sysadmin, Faculty of History, Cambridge University, England
Tel: +44 (0)1223 (3)35315  |  Email: Ben () hist cam ac uk
Plugger of wire, typer of keyboard, imparter of Clue