Security Patches

October 2003 Cumulative Patch for Internet Explorer (October 3, 2003)

Summary

Microsoft has posted a cumulative patch for Internet Explorer 5.01, 5.5, 6.0 that, when installed, eliminates all previously discussed security vulnerabilities. In addition, it eliminates two newly discovered vulnerabilities, and makes some changes to the method by which Internet Explorer handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer Restricted Zone.

See Microsoft Security Bulletin (MS03-040) for more information.

June 2003 Cumulative Patch for Internet Explorer (June 4, 2003)

Summary

Microsoft has posted a cumulative patch for Internet Explorer 5.01, 5.5, 6.0 that, when installed, eliminates all previously discussed security vulnerabilities. In addition, it eliminates two newly discovered vulnerabilities which could allow an attacker to execute code on a user's system.

See Microsoft Security Bulletin (MS03-020) for more information.

August 2003 Cumulative Patch for Internet Explorer (August 20, 2003)

Summary

Microsoft has posted a cumulative patch for Internet Explorer 5.01, 5.5, 6.0 that, when installed, eliminates all previously discussed security vulnerabilities. In addition, it eliminates two newly discovered vulnerabilities, the most serious of which could enable an attacker to run arbitrary code on a user's system.

See Microsoft Security Bulletin (MS03-032) for more information.

April 2003 Cumulative Patch for Internet Explorer (April 23, 2003)

Summary

Microsoft has posted a cumulative patch for Internet Explorer 5.01, 5.5, 6.0 that, when installed, eliminates all previously discussed security vulnerabilities. In addition, it eliminates four newly discovered vulnerabilities.

See Microsoft Security Bulletin (MS03-015) for more information.

February 2003 Cumulative Patch for Internet Explorer (February 5, 2003)

Summary

Microsoft has posted a cumulative patch for Internet Explorer 5.01, 5.5, 6.0 that, when installed, eliminates all previously discussed security vulnerabilities. In addition, it eliminates two newly discovered vulnerabilities involving Internet Explorer's cross-domain security model.

See Microsoft Security Bulletin (MS03-004) for more information.

December 2002 Cumulative Patch for Internet Explorer 5.5 and 6.0 (December 4, 2002)

Summary

Microsoft released a cumulative patch for Internet Explorer 5.5 and 6.0. In addition to including the functionality of all previously released patches for Internet Explorer 5.5 and 6.0, it also eliminates a newly discovered flaw in Internet Explorer's cross-domain security model.

See Microsoft Security Bulletin (MS02-068) for more information.

November 2002 Cumulative Patch for Internet Explorer (November 20, 2002)

Summary

Microsoft released a cumulative patch for Internet Explorer that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, this patch eliminates six newly discovered vulnerabilities.

See Microsoft Security Bulletin (MS02-066) for more information.

August 2002 Cumulative Patch for Internet Explorer (August 22, 2002)

Summary

Microsoft Corp. released a cumulative patch to fix six new vulnerabilities in Internet Explorer, the most serious of which could allow code of an attacker's choice to run.

See Microsoft Security Bulletin (MS02-047) for more information.

15 May 2002 Cumulative Patch for Internet Explorer (May 15, 2002)

Summary

Microsoft Corp. released a cumulative patch to fix six new vulnerabilities in Internet Explorer, the most serious of which could allow code of an attacker's choice to run.

See Microsoft Security Bulletin (MS02-023) for more information.

28 March 2002 Cumulative Patch for Internet Explorer (March 28, 2002)

Summary

Microsoft has posted a cumulative patch for Internet Explorer 5.01, 5.5 and 6.0. This patch includes the functionality of all previously released patches for Internet Explorer. In addition, it eliminates two newly discovered vulnerabilities.

See Microsoft Security Bulletin (MS02-015) for more information.

Incorrect VBScript Handling in IE can Allow Web Pages to Read Local Files (February 21, 2002)

Summary

Microsoft has posted a patch that fixes a security vulnerability in Internet Explorer, which can allow VB scripts of one domain to access the contents of another domain in a frame.

See Microsoft Security Bulletin (MS02-009) for more information.

11 February 2002 Cumulative Patch for Internet Explorer (February 11, 2002)

Summary

Microsoft has posted a (cumulative) patch for Internet Explorer that fixes all previously discussed security vulnerabilities affecting IE 5.01, 5.5 and IE 6. In addition, it eliminates six newly discovered vulnerabilities.

See Microsoft Security Bulletin (MS02-005) for more information.

Cumulative Patch for Internet Explorer (December 13, 2001)

Summary

Microsoft has posted a cumulative patch for Internet Explorer 5.5 & 6 that, when installed, eliminates all previously discussed security vulnerabilities affecting IE 5.5 and IE 6. In addition, it eliminates three newly discovered vulnerabilities.

See Microsoft Security Bulletin (MS01-058) for more information.

Cookie Data in IE Can Be Exposed or Altered Through Script Injection (November 8, 2001)

Summary

Microsoft has posted a patch for a vulnerability in Internet Explorer 5.5 and 6. The vulnerability opens the possibility that data stored in a cookie could be exposed.

See Microsoft Security Bulletin (MS01-055) for more information.

Malformed Dotless IP Address Can Cause Web Page to be Handled in Intranet Zone (October 10, 2001)

Summary

Microsoft has released a patch for three security vulnerabilities in Microsoft® Internet Explorer.

See Microsoft Security Bulletin (MS01-051) for more information.

Flaws in Web Server Certificate Validation Could Enable Spoofing (May 16, 2001)

Summary

A patch is available to eliminate two newly discovered vulnerabilities affecting Internet Explorer, both of which could enable an attacker to spoof trusted web sites. The first vulnerability involves how digital certificates from web servers are validated.

See Microsoft Security Bulletin (MS01-027) for more information.

Incorrect MIME Header Can Cause IE to Execute E-mail Attachment (March 29, 2001)

Summary

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Internet Explorer. This vulnerability could enable an attacker to potentially run a program of his choice on the machine of another user. Such a program would be capable of taking any action that the user himself could take on his machine, including adding, changing or deleting data, communicating with web sites, or reformatting the hard drive.

See Microsoft Security Bulletin (MS01-020) for more information.

Internet Explorer can Divulge Location of Cached Content (March 7, 2001)

Summary

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Internet Explorer and Windows Scripting Host. This vulnerability could enable an attacker to cause code of his choice to execute on the system of a user who either visited the attacker's web site or opened an HTML e-mail from him. The code would be able to do anything that the user herself could do, including adding, deleting or changing files, communicating with web sites, or reformatting the hard drive.

See Microsoft Security Bulletin (MS01-015) for more information.

Patch Available for "Browser Print Template" and "File Upload via Form" Vulnerabilities (December 01, 2000)

Summary

Microsoft has released a patch that eliminates four security vulnerabilities in Microsoft® Internet Explorer 5.x.

See Microsoft Security Bulletin (MS00-093) for more information.

Patch Available for "Cached Web Credentials" Vulnerability (October 13, 2000)

Summary

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Internet Explorer. Under a daunting set of conditions, the vulnerability could enable a malicious user to obtain another user's userid and password to a web site.

Issue

When a user authenticates to a secured web page via Basic Authentication, IE caches the userid and password that were used, in order to minimize the number of times the user must authenticate to the same site. By design, IE should only send the cached credentials to secured pages on the site. However, it will actually send them to non-secure pages on the site as well. If a malicious user had complete control of another user's network communications, he could wait until another user logged onto a secured site, then spoof a request for a non-secured page in order to collect the credentials.

The vulnerability does not provide a means by which the malicious user could force the other user to log onto a secure page of his choice, and could only be used to reveal credentials that had been cached during the current IE session.
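The scoping error described above, modelled as an added example (not Microsoft's code and not part of the original bulletin): a cache keyed by host name alone hands Basic credentials to a plain-HTTP page on the same site, while a cache keyed by scheme, host and port does not. It assumes "secured" means HTTPS; the class names, URLs and credentials are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample data: one login, then four follow-up requests.
LOGIN_URL = "https://shop.example/account/login"
REQUESTS = [
    "https://shop.example/account/orders",    # same secure origin
    "http://shop.example/images/banner.gif",  # same host, plain HTTP
    "https://shop.example:8443/admin",        # same host, different port
    "https://other.example/",                 # different host
]


def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def basic_header(user, password):
    """Build the value of an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


class HostKeyedCache:
    """Flawed model: credentials are remembered per host name only,
    so the scheme of the next request is never consulted."""

    def __init__(self):
        self._by_host = {}

    def remember(self, url, user, password):
        self._by_host[origin(url)[1]] = (user, password)

    def header_for(self, url):
        creds = self._by_host.get(origin(url)[1])
        return basic_header(*creds) if creds else None


class OriginKeyedCache:
    """Hardened model: credentials are stored per (scheme, host, port)
    and are neither cached for nor sent to anything but HTTPS."""

    def __init__(self):
        self._by_origin = {}

    def remember(self, url, user, password):
        key = origin(url)
        if key[0] != "https":
            raise ValueError("refusing to cache Basic credentials for a non-HTTPS URL")
        self._by_origin[key] = (user, password)

    def header_for(self, url):
        key = origin(url)
        if key[0] != "https":
            return None  # never attach cached credentials to cleartext requests
        creds = self._by_origin.get(key)
        return basic_header(*creds) if creds else None


def urls_receiving_credentials(cache):
    """Log in once, then list which follow-up requests carry the header."""
    cache.remember(LOGIN_URL, "alice", "constructed-password")
    return [url for url in REQUESTS if cache.header_for(url) is not None]


if __name__ == "__main__":
    print("host-keyed  :", urls_receiving_credentials(HostKeyedCache()))
    print("origin-keyed:", urls_receiving_credentials(OriginKeyedCache()))
```

A fuller client would also narrow the match by realm and path prefix; the model keeps only the scheme check that the bulletin is about.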

Affected Software Versions

  • Microsoft Internet Explorer 4.x
  • Microsoft Internet Explorer 5.x prior to version 5.5

Patch Availability

Note I: The patch requires IE 5.01 SP1 to install. Customers who install this patch on other versions may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article 273868.

Note II: As discussed in Affected Software Versions, this vulnerability does not affect IE 5.5.

Note III: Per the normal security support policy for IE, security patches for Internet Explorer version 4.x are no longer being produced. Microsoft recommends that IE 4.x customers who are concerned about this issue consider upgrading to either IE 5.01 SP1 or IE 5.5.

Note IV: The fix for this issue will be included in IE 5.01 SP2.

More Information

Please see the following references for more information related to this issue.

Patch Available for "Scriptlet Rendering" Vulnerability (August 10, 2000)

Summary

Microsoft has released a patch that eliminates two security vulnerabilities in Microsoft® Internet Explorer. The vulnerabilities could allow a malicious web site operator to read - but not add, change, or delete - files on the computer of a visiting user.

As discussed in the Patch Availability section below, this patch also provides protection against several security vulnerabilities that have been discussed in previous security bulletins. We have delivered a comprehensive patch in order to minimize the number of patches customers need to apply.

Issue

There are two vulnerabilities at issue here:

  • The "Scriptlet Rendering" vulnerability. The ActiveX control that is used to invoke scriptlets is essentially a rendering engine for HTML. However, it will render any file type, rather than rendering HTML files only. This opens the door to a scenario in which a malicious web site operator could provide bogus information consisting of script, solely for the purpose of introducing it into an IE system file with a known name, then use the Scriptlet control to render the file. The net effect would be to make the script run in the Local Computer Zone, at which point it could access files on the user's local file system.
  • A new variant of the "Frame Domain Verification" vulnerability. As discussed in Microsoft Security Bulletin MS00-033, two functions do not enforce proper separation of frames in the same window that reside in different domains. The new variant involves an additional function with the same flaw. The net effect of the vulnerability would be to enable a malicious web site operator to open two frames, one in his domain and another on the user's local file system, and enable the latter to pass information to the former.

In order to exploit either vulnerability, a malicious web site operator would need to know or guess the exact name and path of each file he wanted to view. Even then, he could only view file types that can be opened in a browser window - for instance, .txt or .doc files, but not .exe or .dat files. If the web site were in a Zone in which Active Scripting were disabled, neither vulnerability could be exploited.

Affected Software Versions

  • Microsoft Internet Explorer 4.x
  • Microsoft Internet Explorer 5.x

Patch Availability

Note I: In addition to eliminating the two vulnerabilities discussed above, this patch also protects against several previously-discussed vulnerabilities. Customers who apply this patch will also be protected against the vulnerabilities discussed in the following Security Bulletins:

In addition, for IE 5.5 systems only, this patch also eliminates the vulnerability discussed in Microsoft Security Bulletin MS00-042.

Note II: Customers who install this patch on versions other than IE 5.01, IE 5.01 SP1, or IE 5.5 may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article 266336 (available soon).

More Information

Please see the following references for more information related to this issue.

Patch Available for "Cache Bypass" Vulnerability (July 20, 2000)

Summary

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Outlook® and Outlook Express. The vulnerability could allow a malicious user to send an HTML mail that, when opened, could read, but not add, change or delete, files on the recipient's computer. If coupled with other vulnerabilities, it could potentially be used in more advanced attacks as well.

A patch is available that eliminates this vulnerability as well as the "Malformed E-mail Header" Vulnerability and "Persistent Mail-Browser Link" Vulnerability. If you already have taken the corrective action discussed in either of these articles, you do not need to take any additional action.

Issue

By design, an HTML mail that creates a file on the recipient's computer should only be able to create it in the so-called cache. Files in the cache, when opened, do so in the Internet Zone. However, this vulnerability would allow an HTML mail to bypass the cache mechanism and create a file in a known location on the recipient's disk. If an HTML mail created an HTML file outside the cache, it would run in the Local Computer Zone when opened. This could allow it to open a file on the user's computer and send it to a malicious user's web site. The vulnerability also could be used as a way of placing an executable file on the user's machine, which the malicious user would then seek to launch via some other means.

The vulnerability would not enable the malicious user to add, change or delete files on the user's computer. Only files that can be opened in a browser window, such as .txt, .jpg or .htm files, could be read via this vulnerability, and the malicious user would need to know or guess the full path and file name of every file he wished to read.

The vulnerability resides in a component that is shared by Outlook and Outlook Express, and as a result the vulnerability affects both products. A version of the component that is not affected by the vulnerability ships as part of Outlook Express 5.5, and customers who have installed it do not need to take any additional action. Outlook Express 5.5 is available as part of Internet Explorer 5.01 Service Pack 1, and, except when installed on Windows 2000, Internet Explorer 5.5.

Affected Software Versions

  • Microsoft Outlook Express 4.0
  • Microsoft Outlook Express 4.01
  • Microsoft Outlook Express 5.0
  • Microsoft Outlook Express 5.01
  • Microsoft Outlook 97
  • Microsoft Outlook 98
  • Microsoft Outlook 2000

Patch Availability

This vulnerability can be eliminated by taking any of the following actions:

Note I: The patch requires IE 4.01 SP2 or IE 5.01 to install. Customers who install this patch on versions other than these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article 247638.

Note II: In addition to eliminating the vulnerability at issue here, the steps above also eliminate the "Malformed E-mail Header" Vulnerability and "Persistent Mail-Browser Link" Vulnerability. If you already have taken the corrective action discussed in either of these articles, you do not need to take any additional action.

More Information

Please see the following references for more information related to this issue.

Patch Available for "Persistent Mail-Browser Link" Vulnerability (July 20, 2000)

Summary

Microsoft has released a patch that eliminates a security vulnerability affecting Microsoft® Outlook Express. The vulnerability could allow a malicious user to send an email that would "read over the shoulder" of the recipient as he previews subsequent emails in Outlook Express.

A patch is available that eliminates this vulnerability as well as the "Malformed E-mail Header" Vulnerability and "Cache Bypass" Vulnerability. If you already have taken the corrective action discussed in either of these articles, you do not need to take any additional action.

Issue

By design, HTML mail can contain script, and among the actions such a script can take is to open a browser window that links back to the Outlook Express windows. Also by design, script in the browser window could read the HTML mail that is displayed in Outlook Express. However, a vulnerability results because the link could be made persistent. This could allow the browser window to retrieve the text of mails subsequently displayed in the preview pane, and relay it to the malicious user.

There are several significant restrictions on this vulnerability:

  • Only the recipient could open the HTML mail that established the link.
  • The attack would only persist until the user either closed the browser window that the HTML mail opened, or closed Outlook Express.
  • The malicious user could only read mails that were displayed in the preview pane. If the preview pane feature were disabled, he could not read mails under any conditions.

The vulnerability is eliminated in Outlook Express 5.5, and customers who have installed it do not need to take any additional action. Outlook Express 5.5 is available as part of Internet Explorer 5.01 Service Pack 1, and, except when installed on Windows 2000, Internet Explorer 5.5. A patch is available for customers who prefer not to upgrade to Outlook Express 5.5.

Affected Software Versions

  • Microsoft Outlook Express 4.0
  • Microsoft Outlook Express 4.01
  • Microsoft Outlook Express 5.0
  • Microsoft Outlook Express 5.01

Patch Availability

This vulnerability can be eliminated by taking any of the following actions:

Note I: The patch requires IE 4.01 SP2 or IE 5.01 to install. Customers who install this patch on versions other than these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article 261255.

Note II: In addition to eliminating the vulnerability at issue here, the steps above also eliminate the "Malformed E-mail Header" Vulnerability and "Cache Bypass" Vulnerability. If you already have taken the corrective action discussed in either of these articles, you do not need to take any additional action.

More Information

Please see the following references for more information related to this issue.

Patch Available for "Malformed E-mail Header" Vulnerability (July 18, 2000)

Summary

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Outlook® and Outlook Express. Under certain conditions, the vulnerability could allow a malicious user to cause code of his choice to execute on another user's computer.

A patch is available that eliminates this vulnerability as well as the "Persistent Mail-Browser Link" Vulnerability and "Cache Bypass" Vulnerability. If you already have taken the corrective action discussed in either of these articles, you do not need to take any additional action.

Issue

A component shared by Outlook and Outlook Express contains an unchecked buffer in the functionality that parses e-mail headers when downloading mail via either POP3 or IMAP4. By sending an e-mail that overruns the buffer, a malicious user could cause either of two effects to occur when the mail was downloaded from the server by an affected e-mail client:

  • If the affected field were filled with random data, the e-mail client could be made to crash.
  • If the affected field were filled with carefully-crafted data, the e-mail client could be made to run code of the malicious user's choice.

Customers who have installed Internet Explorer 5.01 Service Pack 1, and customers who have installed Internet Explorer 5.5 on any system other than Windows 2000, would not be affected by this vulnerability. Likewise, Outlook users who have configured Outlook to use only MAPI services would not be affected, regardless of what version of Internet Explorer they have installed.

Affected Software Versions

  • Microsoft Outlook Express 4.0
  • Microsoft Outlook Express 4.01
  • Microsoft Outlook Express 5.0
  • Microsoft Outlook Express 5.01
  • Microsoft Outlook 97
  • Microsoft Outlook 98
  • Microsoft Outlook 2000

Patch Availability

This vulnerability can be eliminated by taking any of the following actions:

Note I: The patch requires IE 4.01 SP2 or IE 5.01 to install. Customers who install this patch on versions other than these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article 267884.

Note II: In addition to eliminating the vulnerability at issue here, the steps above also eliminate the "Persistent Mail-Browser Link" Vulnerability and "Cache Bypass" Vulnerability. If you already have taken the corrective action discussed in either of these articles, you do not need to take any additional action.

More Information

Please see the following references for more information related to this issue.

Patch Available for "The Office HTML Script" Vulnerability and a Workaround for "The IE Script" Vulnerability (July 14, 2000)

Summary

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Office 2000 (Excel and PowerPoint) and in PowerPoint 97. Microsoft has also documented a workaround that prevents the use of Microsoft Access to exploit a vulnerability in Internet Explorer. A patch for the latter vulnerability will be available soon.

Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.

Issue

Two vulnerabilities have recently been discovered, one affecting Microsoft Office 2000 and PowerPoint 97, and the other Internet Explorer 4.01 SP2 and higher. We will refer to these issues as the "Office script" and "IE script" vulnerabilities. The names refer to the product where the vulnerability is present, but not necessarily how the vulnerability is exploited.

The Office HTML Script vulnerability allows malicious script code on a web page to reference an Excel 2000 or PowerPoint file in such a way as to cause a remotely hosted file to be saved to a visiting user's hard drive.

This vulnerability can only be exploited by a reference to an Excel 2000 or PowerPoint file; it cannot be exploited using Excel 97, Microsoft Word or a Microsoft Access file.

The IE Script vulnerability can allow malicious script code on a web page to reference a remotely hosted Microsoft Access file. The Microsoft Access file can in turn cause VBA macro code in the file to be executed.

Affected Software Versions

  • Microsoft Excel 2000
  • Microsoft PowerPoint 97 and 2000
  • Microsoft Internet Explorer 5.5, 5.01 SP1, 5.01, 4.01 SP2

Patch Availability

The IE Script vulnerability

Internet Explorer allows the execution of a remotely or locally hosted Microsoft Access database that is referenced from a web page containing script code. By default Microsoft Access files are treated as unsafe for scripting; however, a certain script tag can be used to reference an Access (.mdb) file and execute VBA macro code even if scripting has been disabled in Internet Explorer.

Workaround for the IE Script vulnerability

The workaround for the IE Script vulnerability is to set an Administrator password for Microsoft Access. This will cause Microsoft Access to prompt the user for the Administrator password before VBA code within an Access database can be executed.

How do I implement the workaround for the IE vulnerability?

From Access 2000:

  1. Start Access 2000 but don't open any databases
  2. From the Tools menu, choose Security
  3. Select User and Group Accounts
  4. Select the Admin user, which should be defined by default
  5. Go to the Change Logon Password tab
  6. The Admin password should be blank if it has never been changed
  7. Assign a password to the Admin user
  8. Click OK to exit the menu

How can I tell if I applied the workaround for the IE Script vulnerability correctly?

You can test the workaround by starting Access and opening any existing database file. It should prompt you for an Administrator password.

When will the IE Script vulnerability patch be available?

The patch is in the development process and should be available shortly.

More Information

Please see the following references for more information related to this issue.

Patch Available for "Active Setup Download" Vulnerability (June 29, 2000)

Summary

Microsoft has released a patch that eliminates a security vulnerability in an ActiveX control that ships with Microsoft® Internet Explorer. The vulnerability could be used to overwrite files on the computer of a user who visited a malicious web site operator's site.

Issue

The Active Setup Control allows .cab files to be downloaded to a user's computer as part of the installation process for software updates. However, the control has two flaws. First, it treats all Microsoft-signed .cab files as trusted, thereby allowing them to be installed without asking the user's approval. Second, it provides a method by which the caller can specify a download location on the user's hard drive. In combination, these two flaws would allow a malicious web site operator to download a Microsoft-signed .cab file as a means of overwriting a file on the user's machine. By overwriting system files, this could allow the malicious user to render the machine unusable.

It is important to note that there is no capability via this vulnerability to actually install the software that has been downloaded - the vulnerability only allows files to be overwritten, in a denial of service attack. System File Protection in Windows 2000 would prevent an attack like this one from being used to overwrite system files.

Affected Software Versions

  • Microsoft Internet Explorer 4.0
  • Microsoft Internet Explorer 4.01
  • Microsoft Internet Explorer 5.0
  • Microsoft Internet Explorer 5.01

Patch Availability

Note I: The patch also will be available shortly on WindowsUpdate.

Note II: The patch requires IE 4.01 Service Pack 2 or IE 5.01 to install. Customers who install this patch on versions other than these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article 265258.

More Information

Please see the following references for more information related to this issue.

Patch Available for "SSL Certificate Validation" Vulnerability (June 6, 2000)

Microsoft has released a patch that eliminates two security vulnerabilities in Microsoft® Internet Explorer. The vulnerabilities involve how IE handles digital certificates; under a very daunting set of circumstances, they could allow a malicious web site operator to pose as a trusted web site.

In addition to eliminating the "SSL Certificate Validation" vulnerabilities, this patch also eliminates all vulnerabilities discussed in Microsoft Security Bulletin MS00-033.

Issue

Two vulnerabilities have been identified in the way IE handles digital certificates:

  • When a connection to a secure server is made via either an image or a frame, IE only verifies that the server's SSL certificate was issued by a trusted root - it does not verify the server name or the expiration date. When a connection is made via any other means, all expected validation is performed.
  • Even if the initial validation is made correctly, IE does not re-validate the certificate if a new SSL session is established with the same server during the same IE session.

The circumstances under which these vulnerabilities could be exploited are fairly restricted. In both cases, it is likely that the attacker would need to either carry out DNS cache poisoning or physically replace the server in order to successfully carry out an attack via this vulnerability. The timing would be especially crucial in the second case, as the malicious user would need to poison the cache or replace the machine during the interregnum between the two SSL sessions.
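The two validation gaps above, as an added simplified model (not IE's code and not part of the original bulletin): one client checks only the issuer for image and frame requests and skips re-validation for a host it has already accepted, the other runs issuer, name and validity-period checks on every new session. Certificates are plain records rather than parsed X.509, and all names, dates and issuers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    names: tuple          # DNS names the certificate was issued for
    issuer: str
    not_before: datetime
    not_after: datetime


def name_matches(pattern, hostname):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern = pattern.lower()
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == hostname


def full_check(cert, hostname, now, trusted_issuers):
    """Return the list of validation failures (empty list means accept)."""
    failures = []
    if cert.issuer not in trusted_issuers:
        failures.append("untrusted issuer")
    if not any(name_matches(n, hostname) for n in cert.names):
        failures.append("name mismatch")
    if not (cert.not_before <= now <= cert.not_after):
        failures.append("outside validity period")
    return failures


class FlawedClient:
    """Models both gaps described in the bulletin."""

    def __init__(self, trusted_issuers):
        self.trusted = set(trusted_issuers)
        self.validated_hosts = set()

    def new_session(self, hostname, cert, now, via="navigation"):
        if hostname in self.validated_hosts:
            return True                        # gap 2: no re-validation
        if via in ("image", "frame"):
            return cert.issuer in self.trusted  # gap 1: issuer check only
        ok = not full_check(cert, hostname, now, self.trusted)
        if ok:
            self.validated_hosts.add(hostname)
        return ok


class HardenedClient:
    """Full validation on every new session, whatever triggered it."""

    def __init__(self, trusted_issuers):
        self.trusted = set(trusted_issuers)

    def new_session(self, hostname, cert, now, via="navigation"):
        return not full_check(cert, hostname, now, self.trusted)


# Constructed sample data.
UTC = timezone.utc
NOW = datetime(2000, 6, 6, tzinfo=UTC)
TRUSTED = {"Constructed Root CA"}
GOOD = Cert(("bank.example",), "Constructed Root CA",
            datetime(2000, 1, 1, tzinfo=UTC), datetime(2001, 1, 1, tzinfo=UTC))
WRONG_NAME = Cert(("other.example",), "Constructed Root CA",
                  datetime(2000, 1, 1, tzinfo=UTC), datetime(2001, 1, 1, tzinfo=UTC))
EXPIRED = Cert(("bank.example",), "Constructed Root CA",
               datetime(1999, 1, 1, tzinfo=UTC), datetime(1999, 12, 31, tzinfo=UTC))

if __name__ == "__main__":
    for client in (FlawedClient(TRUSTED), HardenedClient(TRUSTED)):
        print(type(client).__name__,
              client.new_session("bank.example", WRONG_NAME, NOW, via="image"),
              client.new_session("bank.example", GOOD, NOW),
              client.new_session("bank.example", EXPIRED, NOW))
```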

Affected Software Versions

  • Microsoft Internet Explorer 4.0
  • Microsoft Internet Explorer 4.01
  • Microsoft Internet Explorer 5.0
  • Microsoft Internet Explorer 5.01

Patch Availability

Note I: This patch also eliminates all vulnerabilities discussed in Microsoft Security Bulletin MS00-033.

Note II: The patch requires IE 5.01 to install; a version that supports IE 4.01 Service Pack 2 will be released shortly. Customers who install this patch on versions other than these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article 254902 (available soon).

More Information

Please see the following references for more information related to this issue.

Patch Available for "HTML Help File Code Execution" Vulnerability (June 3, 2000)

Summary

Microsoft has released a patch that eliminates a security vulnerability in the HTML Help facility that ships with Microsoft® Internet Explorer. Under certain conditions, the vulnerability could allow a malicious web site to take inappropriate action on the computer of a visiting user.

Issue

The HTML Help facility provides the ability to launch code via shortcuts included in HTML Help files. If a compiled HTML Help (.chm) file were referenced by a malicious web site, it could potentially be used to launch code on a visiting user's computer without the user's approval. Such code could take any actions that the user could take, including adding, changing or deleting data, or communicating with a remote web site.

A web site could only invoke an HTML Help file if it resided on a UNC share accessible from the user's machine, or on the user's machine itself. A firewall that blocks Netbios would prevent the former case from being exploited. Adhering to standard security practices would prevent the latter. In addition, an HTML Help file could only be invoked if Active Scripting was permitted in the Security Zone that the malicious user's site resides in. The patch eliminates the vulnerability by only allowing an HTML Help file to use shortcuts if the help file resides on the local machine.

Affected Software Versions

  • Microsoft Internet Explorer 4.0
  • Microsoft Internet Explorer 4.01
  • Microsoft Internet Explorer 5.0
  • Microsoft Internet Explorer 5.01

Patch Availability

More Information

Please see the following references for more information related to this issue.

Patch Available for "Frame Domain Verification", "Unauthorized Cookie Access", and "Malformed Component Attribute" Vulnerabilities (18 May 2000)

Summary

Microsoft has released a comprehensive patch that eliminates three security vulnerabilities in Microsoft® Internet Explorer 4 and 5:

  • The "Frame Domain Verification" vulnerability, which could allow a malicious web site operator to read, but not change or add, files on the computer of a visiting user.
  • The "Unauthorized Cookie Access" vulnerability, which could allow a malicious web site operator to access "cookies" belonging to a visiting user.
  • The "Malformed Component Attribute" vulnerability, which could allow a malicious web site operator to run code of his choice on the computer of a visiting user.

Issue

The three security vulnerabilities eliminated by this patch are unrelated to each other except by the fact that they all occur in the same .dll.

The vulnerabilities are:

  • Frame Domain Verification vulnerability. When a web server opens a frame within a window, the IE security model should only allow the parent window to access the data in the frame if they are in the same domain. However, two functions available in IE do not properly perform domain checking, with the result that the parent window could open a frame that contains a file on the local computer, then read it. This could allow a malicious web site operator to view files on the computer of a visiting user. The web site operator would need to know (or guess) the name and location of the file, and could only view file types that can be opened in a browser window.
  • Unauthorized Cookie Access vulnerability. By design, the IE security model restricts cookies so that they can be read only by sites within the originator's domain. However, by using a specially-malformed URL, it is possible for a malicious web site operator to gain access to another site's cookies and read, add or change them. A malicious web site operator would need to entice a visiting user into clicking a link in order to access each cookie, and could not obtain a listing of the cookies available on the visitor's system. Even after recovering a cookie, the type and amount of personal information would depend on the privacy practices followed by the site that placed it there.
  • Malformed Component Attribute vulnerability. The code used to invoke ActiveX components in IE has an unchecked buffer and could be exploited by a malicious web site operator to run code on the computer of a visiting user. The unchecked buffer is only exposed when certain attributes are specified in conjunction with each other.

The patch also eliminates a new variant of the previously-addressed WPAD Spoofing vulnerability.

Affected Software Versions

  • Microsoft Internet Explorer 4.0
  • Microsoft Internet Explorer 4.01
  • Microsoft Internet Explorer 5.0
  • Microsoft Internet Explorer 5.01

Patch Availability

Note I: The patch for these issues has been incorporated into a subsequently-issued patch. See Microsoft Security Bulletin MS00-039 for more information.

Note II: The patches require IE 4.01 Service Pack 2 or IE 5.01 to install. Customers using versions prior to these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in Microsoft Knowledge Base (KB) article Q262509 Patch Available for "Frame Domain Verification", "Unauthorized Cookie Access", "Malformed Component Attribute", and "WPAD Spoofing" Vulnerabilities.

More Information

Please see the following references for more information related to this issue.

Patch Available for "Image Source Redirect" Vulnerability (16 February 2000)

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Internet Explorer. The vulnerability could allow a malicious web site operator to read - but not add, change or delete - certain types of files on the computer of a visiting user.

Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.

Affected Software Versions:

  • Microsoft Internet Explorer 4.0 and 4.01
  • Microsoft Internet Explorer 5 and 5.01

Patch Availability

Note I: Microsoft produces security patches for Internet Explorer 4.01 SP2 and higher. In the event that this package is applied to Internet Explorer 4.01 SP1, the package states that a fix is not needed. This message is incorrect, as the vulnerability does exist on Internet Explorer 4.01 SP1 or any earlier release. If you are using Internet Explorer 4.01 SP1 or any earlier release, please upgrade to the latest version of Internet Explorer to resolve this issue.

Note II: Additional security patches are available at the Microsoft Download Center.

More Information

Please see the following references for more information related to this issue.

Patch Available for "Server-side Page Reference Redirect" Vulnerability (09 December 1999)

Microsoft has released a patch that eliminates a vulnerability in Microsoft® Internet Explorer 4.01, 5 and 5.01, that could allow a malicious web site operator to view a file on the computer of a visiting user, provided that the web site operator knew the name and folder of the file.

Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.

Affected Software Versions:

  • Microsoft Internet Explorer 4.01
  • Microsoft Internet Explorer 5.0
  • Microsoft Internet Explorer 5.01

Patch Availability

Note I: This patch also includes the previously-released patch for the "ImportExportFavorites" vulnerability.

Note II: Microsoft produces security patches for Internet Explorer 4.01 SP2 and higher. In the event that this package is applied to Internet Explorer 4.01 SP1, the package states that a fix is not needed. This message is incorrect, as the vulnerability does exist on Internet Explorer 4.01 SP1 or any earlier release. If you are using Internet Explorer 4.01 SP1 or any earlier release, please upgrade to the latest version of Internet Explorer to resolve this issue.

Note III: The patch will be available shortly at the WindowsUpdate site.

More Information

Please see the following references for more information related to this issue.

Patch Available for "WPAD Spoofing" Vulnerability (02 December 1999)

Tim Adam of Open Software Associates discovered a vulnerability in Microsoft® Internet Explorer 5. Under very specific conditions, the vulnerability could allow a malicious user to provide proxy settings to web clients in another network.

Issue

The IE 5 Web Proxy Auto-Discovery (WPAD) feature enables web clients to automatically detect proxy settings without user intervention. The algorithm used by WPAD prepends the hostname "wpad" to the fully-qualified domain name and progressively removes subdomains until it either finds a WPAD server answering the hostname or reaches the third-level domain. For instance, web clients in the domain a.b.microsoft.com would query wpad.a.b.microsoft.com, wpad.b.microsoft.com, then wpad.microsoft.com. A vulnerability arises because in international usage, the third-level domain may not be trusted. A malicious user could set up a WPAD server and serve proxy configuration commands of his or her choice.
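The lookup order described above can be reproduced to see which WPAD hostnames a client would query and which of them lie outside the organisation's own domain. This is an added example, not Microsoft's code; the function names, the `org_domain` parameter and the sample domains are assumptions made for illustration.

```python
"""WPAD lookup order as the bulletin describes it, plus a check for
candidate hostnames that fall outside the organisation's own domain."""


def wpad_candidates(client_domain):
    """Return the hostnames a client in client_domain would query, in order.

    "wpad" is prepended to the domain, then the leftmost label is dropped
    repeatedly until the candidate is a third-level name (wpad + two
    labels), which is where the bulletin says the search stops.
    """
    labels = [p for p in client_domain.lower().strip(".").split(".") if p]
    candidates = []
    while len(labels) >= 2:
        candidates.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return candidates


def untrusted_candidates(client_domain, org_domain):
    """Return candidates that are not inside org_domain.

    org_domain is the domain the organisation actually controls; it is
    supplied by the administrator (an assumption of this example).
    """
    suffix = "." + org_domain.lower().strip(".")
    return [c for c in wpad_candidates(client_domain)
            if not c.endswith(suffix)]


def audit(client_domains, org_domain):
    """Map each client domain to the WPAD names it would query outside
    the organisation. An empty list means the search stays in-house."""
    return {d: untrusted_candidates(d, org_domain) for d in client_domains}


# Constructed sample input: one domain under a generic TLD and one under
# a country-code second level, the "international usage" case.
SAMPLE = [
    ("a.b.microsoft.com", "microsoft.com"),
    ("a.b.example.co.uk", "example.co.uk"),
]

if __name__ == "__main__":
    for client, org in SAMPLE:
        print(client)
        for name in wpad_candidates(client):
            flag = "OUTSIDE " + org if name in untrusted_candidates(client, org) else "ok"
            print("   ", name, "->", flag)
```

For the country-code case the last candidate is `wpad.co.uk`, a name the organisation does not control, which is the untrusted third-level domain the bulletin refers to.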

Affected Software Versions:

  • Microsoft Internet Explorer 5

Patch Availability

The vulnerability is eliminated by IE 5.01, which is available at:

More Information

Please see the following references for more information related to this issue.

Patch Available for "Javascript Redirect" Vulnerability (18 November 1999)

On October 18, 1999, Microsoft released a workaround for a vulnerability in Microsoft® Internet Explorer. The vulnerability could allow a malicious web site operator to read files on the computer of a user who visited the site, under certain circumstances. Microsoft has completed a patch that completely eliminates the vulnerability.

Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.

Affected Software Versions:

  • Microsoft Internet Explorer 4.01 and 5

Patch Availability

Note I: The IE 4.01 patch requires IE 4.01 SP2 in order to install. IE 4.01 SP 2 is available at the Internet Explorer Web site.

Note II: The patch will be available shortly via the WindowsUpdate site.

More Information

Please see the following references for more information related to this issue.

Patch Available for "Active Setup Control" Vulnerability (11 November 1999)

Summary

Microsoft has released a patch that eliminates a vulnerability that could allow a malicious user to embed an unsafe executable within an email and disguise it as a safe type of attachment. Through a complicated series of steps, the unsafe executable could be made to execute under certain conditions, if the user opened the attachment.

Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.

Issue

A particular ActiveX control allows cabinet files to be launched and executed. This could allow an HTML mail to contain a malicious cabinet file, disguised as a file of an innocuous type. If a user attempted to open this file, the operation would fail but could, depending on the mail package, leave a copy of the file in a known location. The ActiveX control could then be used via a script embedded in the mail to launch the copy, thereby executing the malicious code.

The vulnerability could only be exploited in cases where a mail reader were used that allowed scripts in HTML mail and stored temporary copies of launched programs in known locations. The patch restricts the ability of the control to launch unsigned cabinet files that have been downloaded from the local machine.

Affected Software Versions:

  • The affected ActiveX control ships as part of Microsoft Internet Explorer 4 and 5

Patch Availability

Note: Microsoft produces security patches for Internet Explorer 4.01 SP2 and higher. In the event that this package is applied to Internet Explorer 4.01 SP1, the package states that a fix is not needed. This message is incorrect, as the vulnerability does exist on Internet Explorer 4.01 SP1. If you are using Internet Explorer 4.01 SP1, please upgrade to the latest version of Internet Explorer to resolve this issue.

More Information

Please see the following references for more information related to this issue.

Obtaining Support on this Issue

If you require technical assistance with this issue, please contact Microsoft Technical Support.

Patch Available for "IFRAME ExecCommand" (15 October 1999)

Summary

On October 11, 1999, Microsoft released a workaround for a vulnerability in Microsoft® Internet Explorer. The vulnerability could allow a malicious web site operator to read files on the computer of a user who visited the site, under certain circumstances. Microsoft has completed a patch that completely eliminates the vulnerability.

Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.

Issue

The IE 5 security model normally restricts the Document.ExecCommand() method to prevent it from taking inappropriate action on a user's computer. However, at least one of these restrictions is not present if the method is invoked on an IFRAME. This could allow a malicious web site operator to read the contents of files on visiting users' computers, if he or she knew the name of the file and the folder in which it resided. The vulnerability would not allow the malicious user to list the contents of folders, create, modify or delete files, or to usurp any administrative control over the machine.

A patch that corrects this vulnerability is available at the location discussed below. This patch also includes the previously-released fix for the "Download Behavior" vulnerability.

Affected Software Versions:

  • Microsoft Internet Explorer 4.01, versions prior to Service Pack 2
  • Microsoft Internet Explorer 5

Patch Availability

Note I: The IE5 patch also includes the previously-released fix for the Download Behavior vulnerability.

Note II: The IE5 patch also will be available shortly at the Windows Update Web site.

Original IE 5 Patch contained regression error (04 November 1999)

Microsoft determined that the original patch contained a regression error. While the patch did provide protection against the IFRAME ExecCommand vulnerability, it re-exposed a previously-patched security vulnerability. Microsoft has corrected the regression error and re-released the patch.

Patch Availability

Please note that the regression error only affected the Internet Explorer 5.0 version of the patch; the patch for Internet Explorer 4.01 was unaffected, and if you applied it you do not need to take any action.

More Information

Please see the following references for more information related to this issue.

Obtaining Support on this Issue

If you require technical assistance with this issue, please contact Microsoft Technical Support.

Patch Available for "Download Behavior" (08 October 1999)

Summary

On September 28, 1999, Microsoft released a workaround for a security vulnerability in Microsoft® Internet Explorer 5 that could allow a malicious web site operator to read files on the computer of a person who visited the site. Microsoft has completed a patch that completely eliminates the vulnerability.

Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.

Issue

IE 5 includes a feature called "download behavior" that allows web page authors to download files for use in client-side script. By design, a web site should only be able to download files that reside in its domain; this prevents client-side code from exposing files on the user's machine or local intranet to the web site. However, a server-side redirect can be used to bypass this restriction, thereby enabling a malicious web site operator to read files on the user's machine or the user's local intranet. This vulnerability would chiefly affect workstations that are connected to the Internet.
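The bypass described above comes from checking the domain of the URL a script asks for but not the URL the server finally redirects to. The added example below models that with a flawed check beside one that validates every hop; it is not Microsoft's code or the patch's actual fix, and the redirect table, URLs and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed redirect table standing in for server responses
# (a 302 status with a Location header). All hosts are placeholders.
REDIRECTS = {
    "http://site.example/data.txt": "http://site.example/v2/data.txt",
    "http://site.example/r": "file:///C:/placeholder.txt",
    "http://site.example/i": "http://intranet.example/report.txt",
    "http://site.example/loop": "http://site.example/loop",
}


def same_domain(page_url, target_url):
    """True only for an http(s) target on the same host as the page."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    return (target.scheme in ("http", "https")
            and target.hostname is not None
            and target.hostname == page.hostname)


def redirect_chain(url, redirects, max_hops=5):
    """Return every URL visited while following redirects from url."""
    chain = [url]
    while chain[-1] in redirects:
        if len(chain) > max_hops:
            raise ValueError("too many redirects")
        chain.append(redirects[chain[-1]])
    return chain


def check_request_only(page_url, requested_url):
    """Flawed form: validates only the URL named by the page's script,
    so a server-side redirect can change where the data comes from."""
    return same_domain(page_url, requested_url)


def check_every_hop(page_url, requested_url, redirects):
    """Stricter form: the request URL and every redirect target must be
    in the page's domain; redirect loops are refused."""
    try:
        chain = redirect_chain(requested_url, redirects)
    except ValueError:
        return False
    return all(same_domain(page_url, hop) for hop in chain)


def compare(page_url, redirects):
    """Return (url, flawed_result, strict_result) for each table entry."""
    return [(url,
             check_request_only(page_url, url),
             check_every_hop(page_url, url, redirects))
            for url in sorted(redirects)]


if __name__ == "__main__":
    for url, flawed, strict in compare("http://site.example/index.html",
                                       REDIRECTS):
        print(f"{url:32} request-only={flawed!s:5} every-hop={strict}")
```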

Affected Software Versions:

  • Microsoft Internet Explorer 5

Patch Availability

The patch is available for download at either of the following locations:

More Information

Please see the following references for more information related to this issue.

Obtaining Support on this Issue

If you require technical assistance with this issue, please contact Microsoft Technical Support.

Internet Explorer 5 "ImportExportFavorites" Vulnerability (24/10 September 1999)

Summary

On September 10, 1999, Microsoft provided a workaround for a security vulnerability in Microsoft® Internet Explorer 5 that could allow a malicious web site operator to take inappropriate action on the computer of a person who visited the site. Microsoft has completed a patch that completely eliminates the vulnerability. In addition to eliminating the "ImportExportFavorites" vulnerability, the patch also eliminates a security vulnerability posed by several ActiveX controls that ship as part of Internet Explorer 4.01 and 5.

Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.

Issue

IE 5 includes a feature that allows users to export a list of their favorite web sites to a file, or to import a file containing a list of favorite sites. The method that is used to perform this function, ImportExportFavorites(), should only allow particular types of files to be written, and only to specific locations on the drive. However, it is possible for a web site to invoke this method, bypass this restriction and write files that could be used to execute system commands. The net result is that a malicious web site operator potentially could take any action on the computer that the user would be capable of taking.

This vulnerability would chiefly affect workstations that are connected to the Internet. The patch restores correct operation to the ImportExportFavorites() method. In addition, the patch addresses security problems posed by several ActiveX controls. The specific controls and the actions taken are discussed in the FAQ.

Affected Software Versions:

  • Microsoft Internet Explorer 4.01 and 5

Patch Availability

More Information

Please see the following references for more information related to this issue.

Obtaining Support on this Issue

If you require technical assistance with this issue, please contact Microsoft Technical Support.

Patch for "Scriptlet.typlib/Eyedog" Vulnerability (31 August 1999)

Microsoft has released a patch that eliminates security vulnerabilities in two ActiveX controls. The net effect of the vulnerabilities is that a web page could take unauthorized action against a person who visited it. Specifically, the web page would be able to do anything on the computer that the user could do.

Affected Software Versions:

  • Microsoft Internet Explorer 4.0 and 5.0

More information is available in the Microsoft Knowledge Base articles:

Here is the Scriptlet.typlib/Eyedog Patch.

Note: Circa September 7, 1999, the patch also will be available through WindowsUpdate.


Patch for "Malformed Favorites Icon" Vulnerability (28 May 1999)

Microsoft has released a single patch that eliminates two security vulnerabilities in Microsoft® Internet Explorer 4.0 and 5. The first potentially could allow arbitrary code to be run on a user's computer. The second potentially could allow the local hard drive to be read. A fully supported patch is available to eliminate both vulnerabilities, and Microsoft recommends that affected customers download and install it, if appropriate.

Affected Software Versions:

  • Microsoft Internet Explorer 4.0 and 5.0

More information is available in the Microsoft Knowledge Base articles:

The patch can be found at www.microsoft.com/windows/ie/security/favorites.asp.

Note I: The patch will determine the version of IE and the platform on which it is installed, and will apply only the appropriate fix. As a result, the single patch above is appropriate for use by customers who are affected by either or both of the vulnerabilities.

Note II: Windows 98 Second Edition contains all patches listed below; however, this patch still needs to be installed on Windows 98 Second Edition. The patch installs an updated shdocvw.dll file. The Win98SE version of this file is 5.00.2614.3500; the updated version is 5.00.2717.2000.

When you attempt to install the update for the "Malformed Favorites Icon" security issue, you may receive one of the following error messages:

  • From the Microsoft Web Site:

      This update does not need to be installed on this system.

  • From the Microsoft Windows Update Web site:

      Download and Installation Failed
      The following software failed to properly download and install. To try again, click the Back button below.
      Favorites Security Updates

For more information and a resolution, see Microsoft Knowledge Base Article No. 243042.


Patch for "DHTML Edit" Vulnerability (21 April 1999)

Microsoft has released a patch that eliminates a vulnerability in an ActiveX control that is distributed in Internet Explorer 5 and downloadable for Internet Explorer 4.0. The vulnerability could allow a malicious web site operator to read information that a user had loaded into the control, and it also could allow files with known names to be copied from the user's local hard drive.

Affected Software Versions:

  • Microsoft Internet Explorer 5 on Windows 95, Windows 98, and Windows NT 4.0. Internet Explorer 5 on other platforms is not affected.
  • Microsoft Internet Explorer 4.0 on Windows 95, Windows 98 and the x86 version of Windows NT 4.0. Internet Explorer 4.0 on other platforms, including the Alpha version of Windows NT 4.0, is not affected.

More information is available in the Microsoft Knowledge Base Article No. Q226326 Update Available For "DHTML Edit" Security Issue.

The patch can be found at http://www.microsoft.com/windows/ie/security/dhtml_edit.asp.


MSHTML Update Available for Internet Explorer (21 April 1999)

Microsoft has released an updated version of a component of Internet Explorer 4.0 and 5. The updated version eliminates three security vulnerabilities described below.

MSHTML.DLL is the parsing engine for HTML in Internet Explorer. The vulnerabilities that are eliminated by the update are not related to each other except for the fact that all reside within the parsing engine.

  1. The first vulnerability is a privacy issue involving the processing of the "IMG SRC" tag in HTML files. This tag identifies and loads image sources - image files that are to be displayed as part of a web page. The vulnerability results because the tag can be used to point to files of any type, rather than only image files, after which point the document object model methods can be used to determine information about them. A malicious web site operator could use this vulnerability to determine the size and other information about files on the computer of a visiting user. It would not allow files to be read or changed, and the malicious web site operator would need to know the name of each file.
  2. The second vulnerability is a new variant of a previously-identified cross-frame security vulnerability. A particular malformed URL could be used to execute scripts in the security context of a different domain. This could allow a malicious web site operator to execute a script on the web site, and gain privileges on visiting users' machines that are normally granted only to their trusted sites.
  3. The third vulnerability affects only Internet Explorer 5.0, and is a new variant of a previously-identified untrusted scripted paste vulnerability. The vulnerability would allow a malicious web site operator to create a particular type of web page control and paste into it the contents of a visiting user's clipboard.

Affected Software Versions:

  • Internet Explorer 4.0 and 5 on Windows 95, Windows 98 and Windows NT 4.0

More information is available in the Microsoft Knowledge Base Article No. Q226325 Update Available For MSHTML Security Issues In Internet Explorer.

The patch can be found at http://www.microsoft.com/windows/ie/security/mshtml.asp.

Although not a direct IE5 security issue, we'll report it here anyway:

Patch Available for "File Access URL" Vulnerability

Summary

Microsoft has released a patch that eliminates a vulnerability in Microsoft Windows 95 or Windows 98. The vulnerability could allow a malicious web site or e-mail message to cause the Windows machine to crash, or to run arbitrary code.

Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.

Issue

There is a buffer overflow in the Windows 95 and Windows 98 networking software that processes file name strings. If the networking software were provided with a very long random string as input, it could crash the machine. If provided with a specially-malformed argument, it could be used to run arbitrary code on the machine via a classic buffer overrun attack.

The vulnerability could be exploited remotely in cases where a file:// URL or a Universal Naming Convention (UNC) string on a remote web site included a long file name or where a long file name was included in an e-mail message.

Affected Software Versions

  • The buffer overrun is present in the networking software in all versions of Windows 95 and Windows 98.

Patch Availability

More Information

Please see the following references for more information related to this issue.