Date: Wed, 09 Jun 1999 15:54:47 -0400
From: Paul Karger
Subject: Downloading Y2K fixes to Internet Explorer leads to clock problem

I was attempting to install service pack 2 of Internet Explorer 4.01 in order to meet corporate Y2K requirements and ran into the following interesting problem.

To install service pack 2, you first download a small program from Microsoft. You run that program, and after asking you some questions, it then downloads the full service pack 2. One of the questions was whether you wanted to install the service pack or just download the files. I replied that I just wanted to download the files. My intention was to virus check them, before actually performing the install.

However, when it attempted to download the full service pack, the small downloader complained that my system clock was not set correctly, and that therefore it could not perform the download. I checked, and my system clock was set correctly. Pushing the help button on the error screen gave information about setting the clock, followed by a somewhat cryptic comment about security settings in Internet Explorer.

My already installed version of Internet Explorer was set to high security for all zones, as the dangers of ActiveX, Java, and Javascript are well known. As an experiment, I lowered the security setting for the Internet zone to medium, and the download proceeded without error. Note that ostensibly, I was only downloading files, not running anything, yet the security protection level had to be lowered, not to mention the bogus error message.

I then raised the setting back to high, performed the virus check, and then tried to install the downloaded files. Again it complained about the clock setting, and again I had to lower the security setting to medium to permit the install to proceed. (This time, I was actually executing code, so I suppose the lowered setting was appropriate, but it still complained about the clock, rather than the security setting.)

I suppose that downloading any code (even if not executing it) from the Microsoft web site could be considered a security risk and therefore not compatible with "high security". However, I don't think that was Microsoft's intention, and surely it should not have been reported as a clock setting problem.

(Footnote for technical accuracy: In the above description, I said that I used the high security setting in Internet Explorer. This was artistic license on my part. Actually, I used the custom setting to get an even more conservative setting than what Microsoft calls "high security". "High security" still allows certain kinds of "safe" scripts to run, and I prefer to disable even "safe" scripts. However, the bogus error occurred not just on the custom very high setting, but also on Microsoft's own high security setting.)

(To be fair to Microsoft, a full viral scan of both the downloaded service pack and of the system after the service pack was installed revealed no problems, nor did I seriously expect any. However, I routinely virus scan any and all downloaded files, regardless of their source.)

Paul

[RISKS-FORUM Digest 20.44]