Security Patches
Workaround Available for
"Javascript Redirect" Vulnerability (19 October 1999)
Summary
Microsoft has learned of a vulnerability in Microsoft®
Internet Explorer that could allow a malicious web site operator
to read files on the computer of a user who visited the site,
under certain circumstances. Microsoft is developing a patch that
will eliminate the vulnerability; in the meantime, a temporary
workaround is discussed below.
Frequently asked questions regarding this vulnerability can be
found on the Microsoft security
Web site.
Issue
IClient-local data that is displayed in the browser window can
be made available to the server by using a redirect to a
Javascript applet running in the same window. This in effect
bypasses cross-domain security and makes the data available to the
applet, which could then send the data to a hostile server. This
could allow a malicious web site operator to read the contents of
files on visiting users' computers, if he or she knew the name of
the file and the folder in which it resided. The vulnerability
would not allow the malicious user to list the contents of
folders, create, modify or delete files, or to usurp any
administrative control over the machine.
Affected Software Versions:
- Microsoft Internet Explorer 4.01 and 5
Workaround
As an interim step while the patch is under development,
Microsoft recommends that customers add sites that they trust to
the Trusted Zone, and disable Active Scripting in the Internet
Zone. This will provide full functionality for all trusted sites,
while preventing untrusted sites from being able to exploit this
vulnerability. The FAQ
provides details on how to do this, and how to manage Security
Zones in general.
More Information
Please see the following references for more information
related to this issue.
Obtaining Support on this Issue
If you require technical assistance with this issue, please
contact Microsoft
Technical Support.
|
Patch Available for "IFRAME
ExecCommand" (15 October 1999)
Summary
On October 11, 1999, Microsoft released a workaround
for a vulnerability in Microsoft® Internet Explorer. The
vulnerability could allow a malicious web site operator to read
files on the computer of a user who visited the site, under
certain circumstances. Microsoft has completed a patch that
completely eliminates the vulnerability.
Frequently asked questions regarding this vulnerability can be
found on the Microsoft security
Web site.
Issue
The IE 5 security model normally restricts the
Document.ExecCommand() method to prevent it from taking
inappropriate action on a user's computer. However, at least one
of these restrictions is not present if the method is invoked on
an IFRAME. This could allow a malicious web site operator to read
the contents of files on visiting users' computers, if he or she
knew the name of the file and the folder in which it resided. The
vulnerability would not allow the malicious user to list the
contents of folders, create, modify or delete files, or to usurp
any administrative control over the machine
A patch that corrects this vulnerability is available at the
location discussed below. This patch also includes the
previously-released fix for the "Download Behavior"
vulnerability.
Affected Software Versions:
- Microsoft Internet Explorer 4.01, versions prior to Service
Pack 2
- Microsoft Internet Explorer 5
Patch Availability
Note I: The IE5 patch also
includes the previously-released fix for the Download
Behavior vulnerability.
Note II: The IE5 patch also
will be available shortly at the Windows
Update Web site.
More Information
Please see the following references for more information
related to this issue.
Obtaining Support on this Issue
If you require technical assistance with this issue, please
contact Microsoft
Technical Support.
|
Patch Available for "Download
Behavior" (08 October 1999)
Summary
On September 28, 1999, Microsoft released a workaround
for a security vulnerability in Microsoft® Internet Explorer 5 that could
allow a malicious web site operator to read files on the computer of a
person who visited the site. Microsoft has completed a patch that
completely eliminates the vulnerability.
Frequently asked questions regarding this vulnerability can be found on
the Microsoft security
Web site.
Issue
IE 5 includes a feature called "download behavior" that
allows web page authors to download files for use in client-side script.
By design, a web site should only be able to download files that reside in
its domain; this prevents client-side code from exposing files on the
user's machine or local intranet to the web site. However, a server-side
redirect can be used to bypass this restriction, thereby enabling a
malicious web site operator to read files on the user's machine or the
user's local intranet. This vulnerability would chiefly affect
workstations that are connected to the Internet.
Affected Software Versions:
- Microsoft Internet Explorer 5
Patch Availability
The patch is available for download at either of the following
locations:
More Information
Please see the following references for more information related to
this issue.
Obtaining Support on this Issue
If you require technical assistance with this issue, please contact Microsoft
Technical Support.
Internet Explorer 5
"ImportExportFavorites" Vulnerability (24/10 September 1999)
Summary
On September 10, 1999, Microsoft provided a workaround for a security
vulnerability in Microsoft© Internet Explorer 5 that could allow a
malicious web site operator to take inappropriate action on the computer
of a person who visited the site. Microsoft has completed a patch that
completely eliminates the vulnerability. In addition to eliminating the
"ImportExportFavorites" vulnerability, the patch also eliminates
a security vulnerability posed by several ActiveX controls that ship as
part of Internet Explorer 4.01 and 5.
Frequently asked questions regarding this vulnerability can be found on
the Microsoft security
Web site.
Issue
IE 5 includes a feature that allows users to export a list of their
favorite web sites to a file, or to import a file containing a list of
favorite sites. The method that is used to perform this function, ImportExportFavorites(),
should only allow particular types of files to be written, and only to
specific locations on the drive. However, it is possible for a web site to
invoke this method, bypass this restriction and write files that could be
used to execute system commands. The net result is that a malicious web
site operator potentially could take any action on the computer that the
user would be capable of taking.
This vulnerability would chiefly affect workstations that are connected
to the Internet. The patch restores correct operation to the
ImportExportFavorites() method. In addition, the patch addresses security
problems posed by several ActiveX controls. The specific controls and the
actions taken are discussed in the FAQ.
Affected Software Versions:
- Microsoft Internet Explorer 4.01 and 5
Patch Availability
More Information
Please see the following references for more information related to
this issue.
Obtaining Support on this Issue
If you require technical assistance with this issue, please contact Microsoft
Technical Support.
Patch for "Scriptlet.typlib/Eyedog"
Vulnerability (31 August 1999)
Microsoft has released a patch that eliminates security vulnerabilities
in two ActiveX controls. The net effect of the vulnerabilities is that a
web page could take unauthorized action against a person who visited it.
Specifically, the web page would be able to do anything on the computer
that the user could do.
Affected Software Versions:
- Microsoft Internet Explorer 4.0 and 5.0
More information is available in the Microsoft Knowledge Base
Article's:
Here is the Scriptlet.typlib/Eyedog
Patch.
Note: Circa September 7, 1999, the
patch also will be available through WindowsUpdate.
Patch for "Malformed Favorites Icon"
Vulnerability (28 May 1999)
Microsoft has released a single patch that eliminates two security
vulnerabilities in Microsoft® Internet Explorer 4.0 and 5. The first
potentially could allow arbitrary code to be run on a user's computer. The
second potentially could allow the local hard drive to be read. A fully
supported patch is available to eliminate both vulnerabilities, and
Microsoft recommends that affected customers download and install it, if
appropriate.
Affected Software Versions:
- Microsoft Internet Explorer 4.0 and 5.0
More information is available in the Microsoft Knowledge Base
Article's:
The patch can be found at www.microsoft.com/windows/ie/security/favorites.asp.
Note I: The patch will determine the
version of IE and the platform on which it is installed, and will apply
only the appropriate fix. As a result, the single patch above is
appropriate for use by customers who are affected by either or both of the
vulnerabilities.
Note II: Windows 98 Second Edition
contains all patches listed below, however this
patch still needs to be installed on Windows 98 Second Edition. The patch
installes an updated shdocvw.dll file.
the Win98SE version of this file is 5.00.2614.3500,
the updated version is 5.00.2717.2000.
When you attempt to install the
update for the "Malformed Favorites Icon" security issue, you
may receive one of the following error messages:
- From the Microsoft Web Site:
- From the Microsoft Windows Update Web site:
Download and Installation Failed
The following software failed to properly download and install. To
try again, click the Back button below.
Favorites Security Updates
For more information and a resolution, see Microsoft Knowledge Base
Article No. Q243042.
Patch for "DHTML Edit" Vulnerability
(21 April 1999)
Microsoft has released a patch that eliminates a vulnerability in an
ActiveX control that is distributed in Internet Explorer 5 and
downloadable for Internet Explorer 4.0. The vulnerability could allow a
malicious web site operator to read information that a user had loaded
into the control, and it also could allow files with known names to be
copied from the user's local hard drive.
Affected Software Versions:
- Microsoft Internet Explorer 5 on Windows 95, Windows 98, and Windows
NT 4.0. Internet Explorer 5 on other platforms is not affected
- Microsoft Internet Explorer 4.0 on Windows 95, Windows 98 and the
x86 version of Windows NT 4.0. Internet Explorer 4.0 on other
platforms, including the Alpha version of Windows NT 4.0, is not
affected
More information is available in the Microsoft Knowledge Base Article
No. Q226326 Update
Available For "DHTML Edit" Security Issue.
The patch can be found at http://www.microsoft.com/windows/ie/security/dhtml_edit.asp.
MSHTML Update Available for Internet Explorer
(21 April 1999)
Microsoft has released an updated version of a component of Internet
Explorer 4.0 and 5. The updated version eliminates three security
vulnerabilities described below.
MSHTML.DLL is the parsing engine for HTML in Internet Explorer. The
vulnerabilities that are eliminated by the update are not related to each
other except for the fact that all reside within the parsing engine.
- The first vulnerability is a privacy issue involving the processing
of the "IMG SRC" tag in HTML files. This tag identifies and
loads image sources - image files that are to be displayed as part of
a web page. The vulnerability results because the tag can be used to
point to files of any type, rather than only image files, after which
point the document object model methods can be used to determine
information about them. A malicious web site operator could use this
vulnerability to determine the size and other information about files
on the computer of a visiting user. It would not allow files to be
read or changed, and the malicious web site operator would need to
know the name of each file
- The second vulnerability is a new variant of a previously-identified
cross-frame security vulnerability. A particular malformed URL could
be used to execute scripts in the security context of a different
domain. This could allow a malicious web site operator to execute a
script on the web site, and gain privileges on visiting users'
machines that are normally granted only to their trusted sites
- The third vulnerability affects only Internet Explorer 5.0, and is a
new variant of a previously-identified untrusted scripted paste
vulnerability. The vulnerability would allow a malicious web site
operator to create a particular type of web page control and paste
into it the contents of a visiting user's clipboard
Affected Software Versions:
- Internet Explorer 4.0 and 5 on Windows 95, Windows 98 and Windows NT
4.0
More information is available in the Microsoft Knowledge Base Article
No. Q226325 Update
Available For MSHTML Security Issues In Internet Explorer.
The patch can be found at http://www.microsoft.com/windows/ie/security/mshtml.asp. |