FRAMINGHAM (03/20/2000) - Microsoft Corp. warned network administrators last week to halt distribution of a 128-bit encryption upgrade patch for Internet Explorer 5.0 because it blocks Windows 2000 users from logging on to their computers.
Users who are locked out by the bug may be forced to reinstall Windows 2000 and replace data by using backups.
"This is absolutely not being considered a security issue," said a Microsoft spokeswoman. She said users can find work-around instructions at the Microsoft product support Web site (http://support.microsoft.com/support/kb/articles/q244/6/71.asp).
The problem doesn't affect Windows 2000 users who have Internet Explorer 5.01, which comes with the operating system. But users who try to add the 128-bit upgrade patch to Windows 2000 run into serious problems.
When adding the 128-bit encryption component (ie5dom.exe) from Version 5 of the Microsoft Internet Explorer Administration Kit, users receive a message that reads "system cannot log you on because domain (computername) is not available."
The problem lies with a faulty command-line "switch" in the 128-bit security patch for Versions 5.0, 5.0a and 5.0b. The switch prompts an automated installation that replaces security files with older versions, which lock out users. The older files are NT Dynamic Link Libraries that replace the Windows 2000 versions and aren't recognized by the Windows 2000 log-in sequence.
According to a Microsoft spokesman, 128-bit security installations for Windows 9x and Windows 4.x aren't affected.
Typical of New Platforms
"This is typical of what we can expect with the rollout of the new platform," said John Kronick, senior director of information security at Purdue Pharma LP in Norwalk, Conn. "The problem is, when you do come up with a fix, how do you know if it will cause other problems, which it often does?"
Locked-out users can use the Recovery Console to manually edit the Windows 2000 registry and follow the procedure for replacing rsaenh.dll to update schannel.dll as well.