Problem with IIS and MS07-045 update

Greetings;

We installed the latest round of patches last week, and on our dev web
server found that after install we were receiving an error when trying to
access the site.  The error was "Server object error 'ASP 0115 : 8000ffff'"
on a specific line of the script running for the page requested.

The application in question is an Classic ASP application that calls a .Net
dll for backend processing.  The line that causes the error is always a line
containing a Server.CreateObject call to our dll.

I'm asking here instead of in an ASP or .Net programming forum because I
don't believe the issue is related to the code that's running - identical
code runs successfully on our production server without the above referenced
update (all other updates in the patches from last week have been applied),
and when we rolled back the patches we installed last week one at a time to
troubleshoot this issue, the code stared to run successfully again
immediately after we uninstalled MS07-045, but did not run until that update
was uninstalled.

I know that some folks are having issues with this update and IE
connectivity, but this problem exhibits itself when connections are made from
both patched and unpatched client systems, and is shown in at least Firefox
and IE7 - the only difference seems to be the patch state of the web server.

Thanks in advance.

--
Thanks;
cori

Hi Cori,Does the ASP page include some special ActiveX?

Hi Cori,

Does the ASP page include some special ActiveX?

MS07-045 is Cumulative Security Update for Internet Explorer. It only
contains 3 updates: one for CSS and the other are for ActiveX
vulnerabilities. So if there is indeed ActiveX involved, I suspect the root
cause of the problem is on some parameters gathered by client side ActiveX
that leads the Server.CreateObject call fails.

Regardless if the MS07-045 patch is installed on the IIS server. Please
test accessing the problematic web application from clients with and
without MS07-045. If IE without MS07-045 works, we can then narrow down the
problem is on client side.

Look forward to your result.

Have a nice day.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

We are not using any ActiveX components in the dll itself, but when we deploy

We are not using any ActiveX components in the dll itself, but when we deploy
the dll to the webserver (and if there are new objects or interfaces exposed
by the dll) we register it on the server using regasm.exe, which allows the
classic ASP pages to use the dll as though it is a COM object.  Perhaps that
might be the source of our problem.  If so, what solutions are available for
us to patch the server without this problem?

We have already tested this from both patched and unpatched systems running
IE 7 and Firefox; when the server is patched the site is broken no matter
what the state of the client.

--
Thanks;
cori

More instance of the same problem

Cori



We are seeing exactly this problem with the software product we sell.  It is occuring on in-house and customer servers with this patch, although some servers with the patch seem OK.



Our ASP pages can't CreateObject on a DLL/COM object rewritten in VB.Net unless the IIS session has logged on as administrator.  It is just as you describe.



Oddly, some copies of the DLL with different name/CLSID of the DLL work will, but then again some seem to develop the same problem after a while, as though some knowledge of the DLL is being saved somewhere.



Since we have about 150 server running this software it is going to cause us a lot of fun! Uninstalling fixes the problem, but its not exactly idea.



Microsoft, please tell us what is happening here?  I am hoping iit can be solved by a few config tweaks, but it looks a awefully like you have screwed-up big time.

MJT

A server-side problem

I'll back this up again.

It is a server-side problem with IIS / ASP / COM.  The issue is when the patch in installed on the server, and uninstalling the patch in the server fixes it.



I can get the same problem with different browsers.



The patch might say it is only fixing three unrelated  things, but there seems to be some nasty side-effect in there.



This strongly believe MS need to pick this up in-house ASAP.  It is a real and serious problem, and not one for third-party forums.

Hi Cori,I need to perform some researching on this issue and discuss with our

Hi Cori,

I need to perform some researching on this issue and discuss with our
internal IIS/ASP group folks to see if there was anybody else also
encountered the same problem with MS07-045.

If there is any findings or results, I will update here to let you know.

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks WenJun.

Thanks WenJun.  If you're looking for other wictims, the fellow above (thread
http://msdn.microsoft.com/newsgroups/managed/default.aspx?dg=microsoft.public.inetserver.iis&mid=c708e1b9-0d67-4778-bc01-1274d6c3ccc2)
seems to be having the same issue.

I look forward to hearing from you.
--
Thanks;
cori

Definitely sounds similar, mark.

Definitely sounds similar, mark. Our component in written in C#, but that's
probably not important for the purposes of this issue.

Do I understand you properly, that you're not seeing the problem when IIS is
running as a machine administrator?  The Application pool running our web app
uses a machine admin identity, and we still saw the problem.

--
Thanks;
cori

Cori,Our experience is consistent with yours.

Cori,
Our experience is consistent with yours.  Our application pool always runs
under an account with local admin rights.  However, our default user account
for the web site uses a low-privilege account.
If I change this to an admin account, or logon to the IIS session (using
basic authentication) with an admin account then the problem goes away.  This
is because the IIS session is (correctly) using the credentials of the
default user / logged on user when doing the createobject, not using the pool
account directly (which you can do with a RevertToSelf).

More instance of the same problem

"cori" wrote:

Dear Cori and Mark,I'm still watiing for the response of our IIS group.

Dear Cori and Mark,

I'm still watiing for the response of our IIS group. Hopefully there will
be a known reference case which has worked out a solution of the problem.
If not, we may need to open a support incident to address the issue since
it's not like a specific and odd one.

Please wait for the message of mine.

Have a nice weekend.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

WenJunThanks.

WenJun
Thanks. I have a test server with this problem, so can gather further info
if anyone needs any.  I can install and uninstall the windows update to
create and remove the problem at will.
Mark

Mark & WenJun;We don't have a server exhibiting the beahvior at the moment,

Mark & WenJun;
We don't have a server exhibiting the beahvior at the moment, but have a dev
server upon which we can create the issue as well, if multiple test cases are
valuable.
--
Thanks;
cori

Hello, we are seeing the same server side problem after installation MS07-045.

Hello,  we are seeing the same server side problem after installation
MS07-045.  Uninstalling MS07-045 results in the problem going away.  This has
been confirmed on multiple IIS servers regardless of web browser or client
workstation operating system. (Windows or Mac OS X)

Hi Cori and Mark,Due to t he problem is calling .

Hi Cori and Mark,

Due to t he problem is calling .net managed Dll from ASP code, one of our
net gurus stated a possible cause is with the version of the CLR that is
loaded into memory when the managed DLL is referenced. If the managed DLL
was written for 1.1, and the 2.0 CLR is loaded, it could adversely affect
its operation. There are some former cases where a seemingly unrelated
patch was installed and it affected the CLR version that loaded first.

A suggestion is that you may firsts determine the correct version of the
runtime that is should be loaded for the managed module.  It might be as
simple as requesting a fake .aspx page on the machine where it's working
fine.  If you request a non-existent .aspx page, ASP.NET will throw an
error and will show the version of the loaded CLR at the bottom of that
error.  Compare the versions running on the working and non-working
machines to ensure they are the same.  If they are not, then I think that's
your problem.

There are two possible fixes for this problem:

1)       Write a w3wp.exe.config file that will load an
explicitly-determined version of the CLR (see KB 928607).  Be aware that
this will force *all* applications running in IIS to load the same version
of the runtime, probably not a good thing.

2)      Write some ASP code in the application_onstart method that loads an
ASP.net page on the same server, running in the same application pool, that
is running under the version of the CLR that you require. Since one
w3wp.exe can only load one version CLR runtime, this will work around the
problem. For example:

Add the following code to the global.asa file (not global.asax but
global.asa) in the parent classic asp application to force the loading of
the 1.1 CLR into the w3wp.exe before any classic asp page and/or com object
could have a chance to trigger the loading of the 2.0 CLR. Also place the
nested asp.net web application into the same application pool as the parent
asp application.

Sub Application_OnStart
dim winhttp
Set winhttp = Server.Createobject("winHTTP.WinHttpRequest.5.1")
winhttp.Open
false
winhttp.send()
Set winhttp = nothing
End Sub


I look forward to your update.

Have a nice week.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

I can confirm that when we see the problem with MS07-045 installed, IIS is

I can confirm that when we see the problem with MS07-045 installed, IIS is
indeed loading .Net Framework 2.0.50727.

WenJun, your solutions seems a little byzantine for my liking, so I added
the following into web.config, before <system.web>:


This seems to have resolved the issue for now on our dev server.  We'll give
it a few days' development time and if it still seems stable we'll push the
change to Prod.

Thanks for your help.
--
Thanks;
cori

Actually, seems that my solution did not work as I had hoped - error is back.

Actually, seems that my solution did not work as I had hoped - error is back.
I will try another of the listed solutions later today.
--
Thanks;
cori

Hi Cori,You may double-check if there are no ASP.net 2.

Hi Cori,

You may double-check if there are no ASP.net 2.0 applications(virtual
directories, sites) using the same application pool as well. A suggestion
of mine is you can create a new dedicated application pool with the same
setting and specify the ASP application to run in this new pool only. See
if the worker process will still load the incorrect CLR after the isolation
setting. The global.asa work around may also fail if the 2.0 CLR has
already been loaded before the pool instance receives any ASP requests.

I look forward to your test results.

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

No joy, WenJun - changing to an App Pool with only that site running under it,

No joy, WenJun - changing to an App Pool with only that site running under
it, and that site specified to load .Net 1.1 (and all page types mapped to
the 1.1 Framework - we do have some native ASP.Net (1.1) pages on this site),
IIS Still loads the 2.0 Framework.
--
Thanks;
cori

Hi Cori,We may need to deeply diagnose into the problem to check what causes

Hi Cori,

We may need to deeply diagnose into the problem to check what causes
w3wp.exe loads the 2.0 CLR. Could you please give me your real email
address for me to talk with your offline? You can send an email to me at:

wjzhang@online.microsoft.com (please remove online.)

I wait for your message.

Have a great weekend.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

It's a fix!

Thanks massively guys. Changing the registry permissions seems to fix the problem for me too. Some clarification for others:



1) I think the SID specified is for the Network Service. If, like me, you are using different identity for your application pool, you will use the SID for that account.



2) I found I had to set the everyone:R permission on Zones, ZoneMap and Lockdown_Zones keys to make this work. If you are struggling, breaking out RegMon.exe and looking for the "Access Denied"s. I think you need to recycle the pool immediately before running the test though.

Sorry for my delay in testing - other things became a priority, of course

Sorry for my delay in testing - other things became a priority, of course
until patch day.

Nope, that didn't do it for us.  Set Everyone Read perms on the Network
Service user, on the user that the app pool is running under, and looked at
regmon - a few access denied for the internet guest account on some HKCU
keys, including the zone keys.  Set Everyone Read and Internet Guest Full
Control on all of these keys (the ones causing access denied errors) and
still no joy.

Perhaps these are 2 different problems - I'll work back up the thread and
try one of the more complicated resolutions next.
--
Thanks for the idea, though;
cori

It's a fix!...or not.

for those whose browsers do not habndle newlines in urls:
http://dwarfurl.com/eda4a
--
Thanks;
cori