[ISN] IE patch breaks Siebel client

From: InfoSec News (isn@private)
Date: Sun Apr 16 2006 - 23:35:39 PDT


By Robert McMillan
IDG News Service

Significant changes made in a security patch from Microsoft to the way
Internet Explorer processes ActiveX can cause Siebel 7 client software
to lock up and become unusable.

The Siebel problem is one of several issues that prompted Microsoft to
release a "compatibility patch" in conjunction with this month's
security updates, which undoes the ActiveX changes for another 60

The ActiveX changes in question were made in response to a 2003 court
ruling, which found that Microsoft had violated a software patent held
by Eolas Technology and the University of California. Microsoft has
been including the changes in optional releases of Internet Explorer
for months now, but on Tuesday they were rolled into a set of
security patches, called MS06-013, effectively making them mandatory.

MS06-013 changes the way ActiveX processes dynamic content, forcing
some users to click on pop-up "tool tip" windows before being able to
run things like Flash or Quicktime animation.

But with Siebel client software, which runs inside a browser using
ActiveX controls, the application can appear to be completely broken,
according to Wayne Smiley, operations manager with Quest Software in
Aliso Viejo, Calif.

"In most cases it shows you the proper thing, but you can't actually
interact with it," he said. "It's like it's frozen in front of you."

Smiley, who is in the early stages of rolling out a company-wide IE
update, has also added the Microsoft compatibility patch in order to
keep his Siebel software working. Thanks to that, he says he has
experienced "no issues so far."

But he believes that there may be other Siebel users who were unaware
of the ActiveX issue. "It was by sheer luck that we happened to
stumble on this before it was an issue," Smiley said. "I'll bet a lot
of people got caught completely off guard."

Though there have been some reports of "very minor" issues with the
Eolas ActiveX changes following Tuesday's security
update, the Siebel issue is "the only one that seems to have a larger
impact," said Gary Schare, director of IE product management with

Oracle Corp., which completed its acquisition of Siebel in January of
this year, plans to issue a software patch that fixes this problem in
May, the company said Friday. This will be just in time for users like
Smiley, because Microsoft's compatibility patch is expected to be
available only until June.

In fact, Oracle's plan to patch the problem just one month before
Microsoft's deadline is too close for comfort, according to some

"If [Oracle] doesn't act quickly even a 60-day reprieve won't be
adequate," said one IT consultant working with a client who has 3,200
users, who asked not to be identified without the approval of his
customer. "Business apps like Siebel aren't the kind you can just
upgrade and patch on a whim. There will be at least seven business
days of testing before my current client can release the Siebel patch
to production, and that is on their expedited release."


This archive was generated by hypermail 2.1.3 : Mon Apr 17 2006 - 00:09:05 PDT