Secret Internet Explorer Patches

Security Patches

Workaround Available for "Javascript Redirect" Vulnerability (19 October 1999)

 

Summary

Microsoft has learned of a vulnerability in Microsoft® Internet Explorer that could allow a malicious web site operator to read files on the computer of a user who visited the site, under certain circumstances. Microsoft is developing a patch that will eliminate the vulnerability; in the meantime, a temporary workaround is discussed below.

Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.

Issue

Client-local data that is displayed in the browser window can be made available to the server by using a redirect to a Javascript applet running in the same window. This in effect bypasses cross-domain security and makes the data available to the applet, which could then send the data to a hostile server. This could allow a malicious web site operator to read the contents of files on visiting users' computers, if he or she knew the name of the file and the folder in which it resided. The vulnerability would not allow the malicious user to list the contents of folders, create, modify or delete files, or to usurp any administrative control over the machine.

Affected Software Versions:

     

  • Microsoft Internet Explorer 4.01 and 5

Workaround

As an interim step while the patch is under development, Microsoft recommends that customers add sites that they trust to the Trusted Zone, and disable Active Scripting in the Internet Zone. This will provide full functionality for all trusted sites, while preventing untrusted sites from being able to exploit this vulnerability. The FAQ provides details on how to do this, and how to manage Security Zones in general.

More Information

Please see the following references for more information related to this issue.

Obtaining Support on this Issue

If you require technical assistance with this issue, please contact Microsoft Technical Support.

 


Patch Available for "IFRAME ExecCommand" (15 October 1999)

 

Summary

On October 11, 1999, Microsoft released a workaround for a vulnerability in Microsoft® Internet Explorer. The vulnerability could allow a malicious web site operator to read files on the computer of a user who visited the site, under certain circumstances. Microsoft has completed a patch that completely eliminates the vulnerability.

Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.

Issue

The IE 5 security model normally restricts the Document.ExecCommand() method to prevent it from taking inappropriate action on a user's computer. However, at least one of these restrictions is not present if the method is invoked on an IFRAME. This could allow a malicious web site operator to read the contents of files on visiting users' computers, if he or she knew the name of the file and the folder in which it resided. The vulnerability would not allow the malicious user to list the contents of folders, create, modify or delete files, or to usurp any administrative control over the machine.

A patch that corrects this vulnerability is available at the location discussed below. This patch also includes the previously-released fix for the "Download Behavior" vulnerability.

Affected Software Versions:

     

  • Microsoft Internet Explorer 4.01, versions prior to Service Pack 2
  • Microsoft Internet Explorer 5

Patch Availability

Note I: The IE5 patch also includes the previously-released fix for the Download Behavior vulnerability.

Note II: The IE5 patch also will be available shortly at the Windows Update Web site.

More Information

Please see the following references for more information related to this issue.

Obtaining Support on this Issue

If you require technical assistance with this issue, please contact Microsoft Technical Support.

 


Patch Available for "Download Behavior" (08 October 1999)

 

Summary

On September 28, 1999, Microsoft released a workaround for a security vulnerability in Microsoft® Internet Explorer 5 that could allow a malicious web site operator to read files on the computer of a person who visited the site. Microsoft has completed a patch that completely eliminates the vulnerability.

Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.

Issue

IE 5 includes a feature called "download behavior" that allows web page authors to download files for use in client-side script. By design, a web site should only be able to download files that reside in its domain; this prevents client-side code from exposing files on the user's machine or local intranet to the web site. However, a server-side redirect can be used to bypass this restriction, thereby enabling a malicious web site operator to read files on the user's machine or the user's local intranet. This vulnerability would chiefly affect workstations that are connected to the Internet.
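The restriction described above only holds if it is enforced on every hop of a redirect chain, not just on the URL the page requested. The following added example (not Microsoft's code; the redirect table, host names and function names are constructed for illustration) models that difference without fetching anything.

```javascript
// Added illustration: same-origin enforcement across a redirect chain.
// Hosts, paths and the redirect table are constructed; nothing is fetched.

// Constructed stand-in for server responses: URL -> Location header.
// A URL that is absent from the table is served directly.
const redirects = new Map([
  ["http://site.example/get?id=7", "http://site.example/data/7.txt"],
  ["http://site.example/r", "file:///C:/sample.txt"],
  ["http://site.example/i", "http://intranet.example/report.txt"],
]);

// Scheme plus host[:port]; file: URLs have an empty host and never match http.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Follows the constructed redirects and returns every URL visited, in order.
function resolveChain(url, maxHops = 5) {
  const chain = [url];
  let current = url;
  for (let hop = 0; hop < maxHops; hop++) {
    const location = redirects.get(current);
    if (location === undefined) return chain; // served directly
    current = new URL(location, current).href;
    chain.push(current);
  }
  throw new Error("too many redirects");
}

// Flawed policy: only the URL the page asked for is compared with its origin.
function allowedCheckingRequestOnly(pageUrl, requestUrl) {
  return originOf(requestUrl) === originOf(pageUrl);
}

// Corrected policy: every hop, including the final one, must stay in-origin.
function allowedCheckingEveryHop(pageUrl, requestUrl) {
  const pageOrigin = originOf(pageUrl);
  return resolveChain(requestUrl).every((hop) => originOf(hop) === pageOrigin);
}

const page = "http://site.example/index.html";
for (const request of ["http://site.example/data/prices.txt", ...redirects.keys()]) {
  console.log(request, "request-only:", allowedCheckingRequestOnly(page, request),
    "every-hop:", allowedCheckingEveryHop(page, request));
}
```

The two policies agree on direct and same-origin requests and differ only where the chain leaves the page's origin, which is the case the patch had to close.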

Affected Software Versions:

     

  • Microsoft Internet Explorer 5

Patch Availability

The patch is available for download at either of the following locations:

More Information

Please see the following references for more information related to this issue.

Obtaining Support on this Issue

If you require technical assistance with this issue, please contact Microsoft Technical Support.

 


Internet Explorer 5 "ImportExportFavorites" Vulnerability (24/10 September 1999)

Summary

On September 10, 1999, Microsoft provided a workaround for a security vulnerability in Microsoft® Internet Explorer 5 that could allow a malicious web site operator to take inappropriate action on the computer of a person who visited the site. Microsoft has completed a patch that completely eliminates the vulnerability. In addition to eliminating the "ImportExportFavorites" vulnerability, the patch also eliminates a security vulnerability posed by several ActiveX controls that ship as part of Internet Explorer 4.01 and 5.

Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.

Issue

IE 5 includes a feature that allows users to export a list of their favorite web sites to a file, or to import a file containing a list of favorite sites. The method that is used to perform this function, ImportExportFavorites(), should only allow particular types of files to be written, and only to specific locations on the drive. However, it is possible for a web site to invoke this method, bypass this restriction and write files that could be used to execute system commands. The net result is that a malicious web site operator potentially could take any action on the computer that the user would be capable of taking.

This vulnerability would chiefly affect workstations that are connected to the Internet. The patch restores correct operation to the ImportExportFavorites() method. In addition, the patch addresses security problems posed by several ActiveX controls. The specific controls and the actions taken are discussed in the FAQ.

Affected Software Versions:

     

  • Microsoft Internet Explorer 4.01 and 5

Patch Availability

More Information

Please see the following references for more information related to this issue.

Obtaining Support on this Issue

If you require technical assistance with this issue, please contact Microsoft Technical Support.

 


Patch for "Scriptlet.typlib/Eyedog" Vulnerability (31 August 1999)

Microsoft has released a patch that eliminates security vulnerabilities in two ActiveX controls. The net effect of the vulnerabilities is that a web page could take unauthorized action against a person who visited it. Specifically, the web page would be able to do anything on the computer that the user could do.

Affected Software Versions:

     

  • Microsoft Internet Explorer 4.0 and 5.0

More information is available in the Microsoft Knowledge Base Articles:

Here is the Scriptlet.typlib/Eyedog Patch.

Note: Circa September 7, 1999, the patch also will be available through WindowsUpdate.

 


 

Patch for "Malformed Favorites Icon" Vulnerability (28 May 1999)

Microsoft has released a single patch that eliminates two security vulnerabilities in Microsoft® Internet Explorer 4.0 and 5. The first potentially could allow arbitrary code to be run on a user's computer. The second potentially could allow the local hard drive to be read. A fully supported patch is available to eliminate both vulnerabilities, and Microsoft recommends that affected customers download and install it, if appropriate.

Affected Software Versions:

     

  • Microsoft Internet Explorer 4.0 and 5.0

More information is available in the Microsoft Knowledge Base Articles:

The patch can be found at www.microsoft.com/windows/ie/security/favorites.asp.

Note I: The patch will determine the version of IE and the platform on which it is installed, and will apply only the appropriate fix. As a result, the single patch above is appropriate for use by customers who are affected by either or both of the vulnerabilities.

Note II: Windows 98 Second Edition contains all patches listed below; however, this patch still needs to be installed on Windows 98 Second Edition. The patch installs an updated shdocvw.dll file. The Win98SE version of this file is 5.00.2614.3500; the updated version is 5.00.2717.2000.

When you attempt to install the update for the "Malformed Favorites Icon" security issue, you may receive one of the following error messages:

     

  • From the Microsoft Web Site:

      This update does not need to be installed on this system.

     

  • From the Microsoft Windows Update Web site:

      Download and Installation Failed
      The following software failed to properly download and install. To try again, click the Back button below.
      Favorites Security Updates

For more information and a resolution, see Microsoft Knowledge Base Article No. Q243042.

 


 

Patch for "DHTML Edit" Vulnerability (21 April 1999)

Microsoft has released a patch that eliminates a vulnerability in an ActiveX control that is distributed in Internet Explorer 5 and downloadable for Internet Explorer 4.0. The vulnerability could allow a malicious web site operator to read information that a user had loaded into the control, and it also could allow files with known names to be copied from the user's local hard drive.

Affected Software Versions:

     

  • Microsoft Internet Explorer 5 on Windows 95, Windows 98, and Windows NT 4.0. Internet Explorer 5 on other platforms is not affected
  • Microsoft Internet Explorer 4.0 on Windows 95, Windows 98 and the x86 version of Windows NT 4.0. Internet Explorer 4.0 on other platforms, including the Alpha version of Windows NT 4.0, is not affected

More information is available in the Microsoft Knowledge Base Article No. Q226326 Update Available For "DHTML Edit" Security Issue.

The patch can be found at http://www.microsoft.com/windows/ie/security/dhtml_edit.asp.

 


 

MSHTML Update Available for Internet Explorer (21 April 1999)

Microsoft has released an updated version of a component of Internet Explorer 4.0 and 5. The updated version eliminates three security vulnerabilities described below.

MSHTML.DLL is the parsing engine for HTML in Internet Explorer. The vulnerabilities that are eliminated by the update are not related to each other except for the fact that all reside within the parsing engine.

     

  1. The first vulnerability is a privacy issue involving the processing of the "IMG SRC" tag in HTML files. This tag identifies and loads image sources - image files that are to be displayed as part of a web page. The vulnerability results because the tag can be used to point to files of any type, rather than only image files, after which point the document object model methods can be used to determine information about them. A malicious web site operator could use this vulnerability to determine the size and other information about files on the computer of a visiting user. It would not allow files to be read or changed, and the malicious web site operator would need to know the name of each file.
  2. The second vulnerability is a new variant of a previously-identified cross-frame security vulnerability. A particular malformed URL could be used to execute scripts in the security context of a different domain. This could allow a malicious web site operator to execute a script on the web site, and gain privileges on visiting users' machines that are normally granted only to their trusted sites.
  3. The third vulnerability affects only Internet Explorer 5.0, and is a new variant of a previously-identified untrusted scripted paste vulnerability. The vulnerability would allow a malicious web site operator to create a particular type of web page control and paste into it the contents of a visiting user's clipboard.

Affected Software Versions:

     

  • Internet Explorer 4.0 and 5 on Windows 95, Windows 98 and Windows NT 4.0

More information is available in the Microsoft Knowledge Base Article No. Q226325 Update Available For MSHTML Security Issues In Internet Explorer.

The patch can be found at http://www.microsoft.com/windows/ie/security/mshtml.asp.

Source: http://www.windows-help.net/

 
