Security Patches
By: Arie Slob
Please note that IE4 is no longer supported by Microsoft! Consider upgrading to Internet Explorer 6 Service Pack 1. A number of links on this page will not work. Don't bother contacting us about them, like I said, MS doesn't support IE4 any longer, and so updates will not be available.
Patch Available for "Cached Web Credentials" Vulnerability (October 13, 2000)
By: Arie Slob
Summary
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Internet Explorer. Under a daunting set of conditions, the vulnerability could enable a malicious user to obtain another user's userid and password to a web site.
Issue
When a user authenticates to a secured web page via Basic Authentication, IE caches the userid and password that were used, in order to minimize the number of times the user must authenticate to the same site. By design, IE should only send the cached credentials to secured pages on the site. However, it will actually send them to non-secure pages on the site as well. If a malicious user had complete control of another user's network communications, he could wait until another user logged onto a secured site, then spoof a request for a non-secured page in order to collect the credentials.
The vulnerability does not provide a means by which the malicious user could force the other user to log onto a secure page of his choice, and could only be used to reveal credentials that had been cached during the current IE session.
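The scoping rule described above, as an added example (not code from Microsoft or from the original page): a Basic Authentication credential cache keyed on host alone, which behaves the way the bulletin describes, beside one that releases cached credentials only inside the scheme, host and path prefix where the login was accepted. The host, paths and password are constructed, and modelling a "secured page" as a URL under the login page's directory is an assumption of this sketch.

```python
import base64
import posixpath
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) of a URL, with the default port filled in."""
    parts = urlsplit(url)
    return (parts.scheme, (parts.hostname or "").lower(),
            parts.port or DEFAULT_PORTS.get(parts.scheme))


def norm_path(url):
    """URL path with '.' and '..' segments resolved, so '/a/../b' is '/b'."""
    return "/" + posixpath.normpath(urlsplit(url).path or "/").lstrip("/")


def protection_prefix(url):
    """Directory of the page that accepted the login, ending in '/'."""
    path = norm_path(url)
    if not urlsplit(url).path.endswith("/"):
        path = posixpath.dirname(path)
    return path.rstrip("/") + "/"


def basic_header(user, password):
    """Authorization header value for HTTP Basic Authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


class HostKeyedCache:
    """Flawed model: cached credentials are offered to any page on the host."""

    def __init__(self):
        self.by_host = {}

    def store(self, url, authorization):
        self.by_host[(urlsplit(url).hostname or "").lower()] = authorization

    def authorization_for(self, url):
        return self.by_host.get((urlsplit(url).hostname or "").lower())


class ScopedCache:
    """Hardened model: credentials are bound to origin plus path prefix."""

    def __init__(self):
        self.entries = []  # (origin, path prefix, authorization)

    def store(self, url, authorization):
        self.entries.append((origin(url), protection_prefix(url), authorization))

    def authorization_for(self, url):
        here = origin(url)
        # Normalise before comparing so '..' cannot escape the prefix.
        path = norm_path(url).rstrip("/") + "/"
        for entry_origin, prefix, authorization in self.entries:
            if entry_origin == here and path.startswith(prefix):
                return authorization
        return None


# Constructed requests made after the user logs in at /account/login.
SAMPLE_REQUESTS = [
    "https://shop.example/account/orders",                # inside the secured area
    "https://shop.example/public/banner.gif",             # non-secure page, same host
    "http://shop.example/account/orders",                 # same host, cleartext scheme
    "https://shop.example/account/../public/banner.gif",  # dot-segment escape
    "https://shop.example/accounting/report",             # look-alike prefix
]


def run_cache_demo():
    """For each cache, list whether credentials would be attached per request."""
    login_url = "https://shop.example/account/login"
    header = basic_header("alice", "constructed-password")
    results = {}
    for cache in (HostKeyedCache(), ScopedCache()):
        cache.store(login_url, header)
        results[type(cache).__name__] = [
            cache.authorization_for(url) is not None for url in SAMPLE_REQUESTS
        ]
    return results


if __name__ == "__main__":
    for name, sent in run_cache_demo().items():
        print(name, sent)
```

Including the scheme in the cache key is what keeps credentials accepted over HTTPS from being attached to a cleartext request for the same host.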
Affected Software Versions
- Microsoft Internet Explorer 4.x
- Microsoft Internet Explorer 5.x prior to version 5.5
Patch Availability
Note I: The patch requires IE 5.01 SP1 to install. Customers who install this patch on other versions may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article 273868.
Note II: As discussed in Affected Software Versions, this vulnerability does not affect IE 5.5.
Note III: Per the normal security support policy for IE, security patches for Internet Explorer version 4.x are no longer being produced. Microsoft recommends that IE 4.x customers who are concerned about this issue consider upgrading to either IE 5.01 SP1 or IE 5.5.
Note IV: The fix for this issue will be included in IE 5.01 SP2.
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS00-076: Frequently Asked Questions
- Microsoft Knowledge Base (KB) article Q273868, Patch Available for the Cached Web Credentials Vulnerability.
Patch Available for "Scriptlet Rendering" Vulnerability (August 10, 2000)
By: Arie Slob
Summary
Microsoft has released a patch that eliminates two security vulnerabilities in Microsoft® Internet Explorer. The vulnerabilities could allow a malicious web site operator to read - but not add, change, or delete - files on the computer of a visiting user.
As discussed in the Patch Availability section below, this patch also provides protection against several security vulnerabilities that have been discussed in previous security bulletins. We have delivered a comprehensive patch in order to minimize the number of patches customers need to apply.
Issue
There are two vulnerabilities at issue here:
- The "Scriptlet Rendering" vulnerability. The ActiveX control that is used to invoke scriptlets is essentially a rendering engine for HTML. However, it will render any file type, rather than rendering HTML files only. This opens the door to a scenario in which a malicious web site operator could provide bogus information consisting of script, solely for the purpose of introducing it into an IE system file with a known name, then use the Scriptlet control to render the file. The net effect would be to make the script run in the Local Computer Zone, at which point it could access files on the user's local file system.
- A new variant of the "Frame Domain Verification" vulnerability. As discussed in Microsoft Security Bulletin MS00-033, two functions do not enforce proper separation of frames in the same window that reside in different domains. The new variant involves an additional function with the same flaw. The net effect of the vulnerability would be to enable a malicious web site operator to open two frames, one in his domain and another on the user's local file system, and enable the latter to pass information to the former.
In order to exploit either vulnerability, a malicious web site operator would need to know or guess the exact name and path of each file he wanted to view. Even then, he could only view file types that can be opened in a browser window - for instance, .txt or .doc files, but not .exe or .dat files. If the web site were in a Zone in which Active Scripting were disabled, neither vulnerability could be exploited.
Affected Software Versions
- Microsoft Internet Explorer 4.x
- Microsoft Internet Explorer 5.x
Patch Availability
Note I: In addition to eliminating the two vulnerabilities discussed above, this patch also protects against several previously-discussed vulnerabilities. Customers who apply this patch will also be protected against the vulnerabilities discussed in the following Security Bulletins:
In addition, for IE 5.5 systems only, this patch also eliminates the vulnerability discussed in Microsoft Security Bulletin MS00-042.
Note II: Customers who install this patch on versions other than IE 5.01, IE 5.01 SP1, or IE 5.5 may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article 266336 (available soon).
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS00-055: Frequently Asked Questions
- Microsoft Knowledge Base (KB) article 266336 (available soon)
- Microsoft Security Bulletin MS00-033 Patch Available for "Frame Domain Verification", "Unauthorized Cookie Access", and "Malformed Component Attribute" Vulnerabilities
- Microsoft Security Bulletin MS00-039 Patch Available for "SSL Certificate Validation" Vulnerability
- Microsoft Security Bulletin MS00-042 Patch Available for "Active Setup Download" Vulnerability
- Microsoft Security Bulletin MS00-049 Patches Available for "Office HTML" and "IE Script" Security Vulnerabilities
Patch Available for "Cache Bypass" Vulnerability (July 20, 2000)
By: Arie Slob
Summary
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Outlook® and Outlook Express. The vulnerability could allow a malicious user to send an HTML mail that, when opened, could read, but not add, change or delete, files on the recipient's computer. If coupled with other vulnerabilities, it could potentially be used in more advanced attacks as well.
A patch is available that eliminates this vulnerability as well as the "Malformed E-mail Header" Vulnerability and "Persistent Mail-Browser Link" Vulnerability. If you already have taken the corrective action discussed in either of these articles, you do not need to take any additional action.
Issue
By design, an HTML mail that creates a file on the recipient's computer should only be able to create it in the so-called cache. Files in the cache, when opened, do so in the Internet Zone. However, this vulnerability would allow an HTML mail to bypass the cache mechanism and create a file in a known location on the recipient's disk. If an HTML mail created an HTML file outside the cache, it would run in the Local Computer Zone when opened. This could allow it to open a file on the user's computer and send it to a malicious user's web site. The vulnerability also could be used as a way of placing an executable file on the user's machine, which the malicious user would then seek to launch via some other means.
The vulnerability would not enable the malicious user to add, change or delete files on the user's computer. Only files that can be opened in a browser window, such as .txt, .jpg or .htm files, could be read via this vulnerability, and the malicious user would need to know or guess the full path and file name of every file he wished to read.
The vulnerability resides in a component that is shared by Outlook and Outlook Express, and as a result the vulnerability affects both products. A version of the component that is not affected by the vulnerability ships as part of Outlook Express 5.5, and customers who have installed it do not need to take any additional action. Outlook Express 5.5 is available as part of Internet Explorer 5.01 Service Pack 1, and, except when installed on Windows 2000, Internet Explorer 5.5.
Affected Software Versions
- Microsoft Outlook Express 4.0
- Microsoft Outlook Express 4.01
- Microsoft Outlook Express 5.0
- Microsoft Outlook Express 5.01
- Microsoft Outlook 97
- Microsoft Outlook 98
- Microsoft Outlook 2000
Patch Availability
This vulnerability can be eliminated by taking any of the following actions:
Note I: The patch requires IE 4.01 SP2 or IE 5.01 to install. Customers who install this patch on versions other than these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article 247638.
Note II: In addition to eliminating the vulnerability at issue here, the steps above also eliminate the "Malformed E-mail Header" Vulnerability and "Persistent Mail-Browser Link" Vulnerability. If you already have taken the corrective action discussed in either of these articles, you do not need to take any additional action.
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS00-046: Frequently Asked Questions
- Microsoft Knowledge Base (KB) article Q247638 (available soon)
Patch Available for "Persistent Mail-Browser Link" Vulnerability (July 20, 2000)
By: Arie Slob
Summary
Microsoft has released a patch that eliminates a security vulnerability affecting Microsoft® Outlook Express. The vulnerability could allow a malicious user to send an email that would "read over the shoulder" of the recipient as he previews subsequent emails in Outlook Express.
A patch is available that eliminates this vulnerability as well as the "Malformed E-mail Header" Vulnerability and "Cache Bypass" Vulnerability. If you already have taken the corrective action discussed in either of these articles, you do not need to take any additional action.
Issue
By design, HTML mail can contain script, and among the actions such a script can take is to open a browser window that links back to the Outlook Express windows. Also by design, script in the browser window could read the HTML mail that is displayed in Outlook Express. However, a vulnerability results because the link could be made persistent. This could allow the browser window to retrieve the text of mails subsequently displayed in the preview pane, and relay it to the malicious user.
There are several significant restrictions on this vulnerability:
- Only the recipient could open the HTML mail that established the link.
- The attack would only persist until the user either closed the browser window that the HTML mail opened, or closed Outlook Express.
- The malicious user could only read mails that were displayed in the preview pane. If the preview pane feature were disabled, he could not read mails under any conditions.
The vulnerability is eliminated in Outlook Express 5.5, and customers who have installed it do not need to take any additional action. Outlook Express 5.5 is available as part of Internet Explorer 5.01 Service Pack 1, and, except when installed on Windows 2000, Internet Explorer 5.5. A patch is available for customers who prefer not to upgrade to Outlook Express 5.5.
Affected Software Versions
- Microsoft Outlook Express 4.0
- Microsoft Outlook Express 4.01
- Microsoft Outlook Express 5.0
- Microsoft Outlook Express 5.01
Patch Availability
This vulnerability can be eliminated by taking any of the following actions:
Note I: The patch requires IE 4.01 SP2 or IE 5.01 to install. Customers who install this patch on versions other than these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article 261255.
Note II: In addition to eliminating the vulnerability at issue here, the steps above also eliminate the "Malformed E-mail Header" Vulnerability and "Cache Bypass" Vulnerability. If you already have taken the corrective action discussed in either of these articles, you do not need to take any additional action.
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS00-045: Frequently Asked Questions
- Microsoft Knowledge Base (KB) article Q261255 (available soon)
Patch Available for "Malformed E-mail Header" Vulnerability (July 18, 2000)
By: Arie Slob
Summary
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Outlook® and Outlook Express. Under certain conditions, the vulnerability could allow a malicious user to cause code of his choice to execute on another user's computer.
A patch is available that eliminates this vulnerability as well as the "Persistent Mail-Browser Link" Vulnerability and "Cache Bypass" Vulnerability. If you already have taken the corrective action discussed in either of these articles, you do not need to take any additional action.
Issue
A component shared by Outlook and Outlook Express contains an unchecked buffer in the functionality that parses e-mail headers when downloading mail via either POP3 or IMAP4. By sending an e-mail that overruns the buffer, a malicious user could cause either of two effects to occur when the mail was downloaded from the server by an affected e-mail client:
- If the affected field were filled with random data, the e-mail client could be made to crash.
- If the affected field were filled with carefully-crafted data, the e-mail client could be made to run code of the malicious user's choice.
Customers who have installed Internet Explorer 5.01 Service Pack 1, and customers who have installed Internet Explorer 5.5 on any system other than Windows 2000, would not be affected by this vulnerability. Likewise, Outlook users who have configured Outlook to use only MAPI services would not be affected, regardless of what version of Internet Explorer they have installed.
Affected Software Versions
- Microsoft Outlook Express 4.0
- Microsoft Outlook Express 4.01
- Microsoft Outlook Express 5.0
- Microsoft Outlook Express 5.01
- Microsoft Outlook 97
- Microsoft Outlook 98
- Microsoft Outlook 2000
Patch Availability
This vulnerability can be eliminated by taking any of the following actions:
Note I: The patch requires IE 4.01 SP2 or IE 5.01 to install. Customers who install this patch on versions other than these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article 267884.
Note II: In addition to eliminating the vulnerability at issue here, the steps above also eliminate the "Persistent Mail-Browser Link" Vulnerability and "Cache Bypass" Vulnerability. If you already have taken the corrective action discussed in either of these articles, you do not need to take any additional action.
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS00-043: Frequently Asked Questions
- Microsoft Knowledge Base (KB) article Q267884 (available soon)
Patch Available for "The Office HTML Script" Vulnerability and a Workaround for "The IE Script" Vulnerability (July 14, 2000)
By: Arie Slob
Summary
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Office 2000 (Excel and PowerPoint) and in PowerPoint 97. Microsoft has also documented a workaround that prevents the use of Microsoft Access to exploit a vulnerability in Internet Explorer. A patch for the latter vulnerability will be available soon.
Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.
Issue
Two vulnerabilities have recently been discovered, one affecting Microsoft Office 2000 and PowerPoint 97, and the other Internet Explorer 4.01 SP2 and higher. We will refer to these issues as the "Office script" and "IE script" vulnerabilities. The names refer to the product where the vulnerability is present, but not necessarily how the vulnerability is exploited.
The Office HTML Script vulnerability allows malicious script code on a web page to reference an Excel 2000 or PowerPoint file in such a way as to cause a remotely hosted file to be saved to a visiting user's hard drive.
This vulnerability can only be exploited by a reference to an Excel 2000 or PowerPoint file; it cannot be exploited using Excel 97, Microsoft Word or a Microsoft Access file.
The IE Script vulnerability can allow malicious script code on a web page to reference a remotely hosted Microsoft Access file. The Microsoft Access file can in turn cause VBA macro code in the file to be executed.
Affected Software Versions
- Microsoft Excel 2000
- Microsoft PowerPoint 97 and 2000
- Microsoft Internet Explorer 5.5, 5.01 SP1, 5.01, 4.01 SP2
Patch Availability
The IE Script vulnerability
Internet Explorer allows the execution of a remotely or locally hosted Microsoft Access database that is referenced from a web page containing script code. By default Microsoft Access files are treated as unsafe for scripting; however, a certain script tag can be used to reference an Access (.mdb) file and execute VBA macro code even if scripting has been disabled in Internet Explorer.
Workaround for the IE Script vulnerability
The workaround for the IE Script vulnerability is to set an Administrator password for Microsoft Access. This will cause Microsoft Access to prompt the user for the Administrator password before VBA code within an Access database can be executed.
How do I implement the workaround for the IE vulnerability?
From Access 2000:
- Start Access 2000 but don't open any databases
- From the Tools menu, choose Security
- Select User and Group Accounts
- Select the Admin user, which should be defined by default
- Go to the Change Logon Password tab
- The Admin password should be blank if it has never been changed
- Assign a password to the Admin user
- Click OK to exit the menu
How can I tell if I applied the workaround for the IE Script vulnerability correctly?
You can test the workaround by starting Access and opening any existing database file. It should prompt you for an Administrator password.
When will the IE Script vulnerability patch be available?
The patch is in the development process and should be available shortly.
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS00-036: Frequently Asked Questions
- Microsoft Knowledge Base (KB) article Q268365, XL2000: Update Available for HTML Script Vulnerability
- Microsoft Knowledge Base (KB) article Q268457, PPT2000: Update Available for HTML Script Vulnerability
- Microsoft Knowledge Base (KB) article Q268477, PPT97: Update Available for HTML Script Vulnerability
Patch Available for "Active Setup Download" Vulnerability (June 29, 2000)
By: Arie Slob
Summary
Microsoft has released a patch that eliminates a security vulnerability in an ActiveX control that ships with Microsoft® Internet Explorer. The vulnerability could be used to overwrite files on the computer of a user who visited a malicious web site operator's site.
Issue
The Active Setup Control allows .cab files to be downloaded to a user's computer as part of the installation process for software updates. However, the control has two flaws. First, it treats all Microsoft-signed .cab files as trusted, thereby allowing them to be installed without asking the user's approval. Second, it provides a method by which the caller can specify a download location on the user's hard drive. In combination, these two flaws would allow a malicious web site operator to download a Microsoft-signed .cab file as a means of overwriting a file on the user's machine. By overwriting system files, this could allow the malicious user to render the machine unusable.
It is important to note that there is no capability via this vulnerability to actually install the software that has been downloaded - the vulnerability only allows files to be overwritten, in a denial of service attack. System File Protection in Windows 2000 would prevent an attack like this one from being used to overwrite system files.
Affected Software Versions
- Microsoft Internet Explorer 4.0
- Microsoft Internet Explorer 4.01
- Microsoft Internet Explorer 5.0
- Microsoft Internet Explorer 5.01
Patch Availability
Note I: The patch also will be available shortly on WindowsUpdate.
Note II: The patch requires IE 4.01 Service Pack 2 or IE 5.01 to install. Customers who install this patch on versions other than these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article 265258.
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS00-042: Frequently Asked Questions
- Microsoft Knowledge Base (KB) article Q265258 Patch Available for "Active Setup Download" Vulnerability in Internet Explorer
Patch Available for "SSL Certificate Validation" Vulnerability (June 6, 2000)
By: Arie Slob
Microsoft has released a patch that eliminates two security vulnerabilities in Microsoft® Internet Explorer. The vulnerabilities involve how IE handles digital certificates; under a very daunting set of circumstances, they could allow a malicious web site operator to pose as a trusted web site.
In addition to eliminating the "SSL Certificate Validation" vulnerabilities, this patch also eliminates all vulnerabilities discussed in Microsoft Security Bulletin MS00-033.
Issue
Two vulnerabilities have been identified in the way IE handles digital certificates:
- When a connection to a secure server is made via either an image or a frame, IE only verifies that the server's SSL certificate was issued by a trusted root - it does not verify the server name or the expiration date. When a connection is made via any other means, all expected validation is performed.
- Even if the initial validation is made correctly, IE does not re-validate the certificate if a new SSL session is established with the same server during the same IE session.
The circumstances under which these vulnerabilities could be exploited are fairly restricted. In both cases, it is likely that the attacker would need to either carry out DNS cache poisoning or physically replace the server in order to successfully carry out an attack via this vulnerability. The timing would be especially crucial in the second case, as the malicious user would need to poison the cache or replace the machine during the interregnum between the two SSL sessions.
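The two validation gaps described above, as an added example (a simplified model, not IE's code and not part of the original page): a root-only check beside a check that also covers server name and validity period, and a client that reuses an earlier validation result beside one that validates on every new session. The certificate fields, host names, CA name and dates are constructed, and real X.509 chain building and signature checking are out of scope.

```python
from collections import namedtuple
from datetime import datetime, timezone

# Constructed stand-in for the certificate fields relevant to the bulletin.
Cert = namedtuple("Cert", "names issuer not_before not_after")

TRUSTED_ROOTS = {"Constructed Root CA"}


def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def validate_full(cert, host, now):
    """Issuer, server name and validity period. Empty list means accepted."""
    failures = []
    if cert.issuer not in TRUSTED_ROOTS:
        failures.append("untrusted issuer")
    if not any(name_matches(name, host) for name in cert.names):
        failures.append("name mismatch")
    if not (cert.not_before <= now <= cert.not_after):
        failures.append("outside validity period")
    return failures


def validate_root_only(cert, host, now):
    """Reduced check described for image and frame connections: issuer only."""
    return [] if cert.issuer in TRUSTED_ROOTS else ["untrusted issuer"]


class Client:
    """Tracks hosts already validated during one browser session."""

    def __init__(self, validator, revalidate_each_session):
        self.validator = validator
        self.revalidate_each_session = revalidate_each_session
        self.validated_hosts = set()

    def open_session(self, host, presented_cert, now):
        if not self.revalidate_each_session and host in self.validated_hosts:
            return []  # second gap: the earlier result is reused unchecked
        failures = self.validator(presented_cert, host, now)
        if not failures:
            self.validated_hosts.add(host)
        return failures


def run_cert_demo():
    """Run both validators and both session policies over constructed certs."""
    now = datetime(2000, 6, 6, tzinfo=timezone.utc)
    start = datetime(2000, 1, 1, tzinfo=timezone.utc)
    end = datetime(2001, 1, 1, tzinfo=timezone.utc)
    lapsed = datetime(2000, 5, 1, tzinfo=timezone.utc)

    good = Cert(("bank.example",), "Constructed Root CA", start, end)
    wrong_name = Cert(("other.example",), "Constructed Root CA", start, end)
    expired = Cert(("bank.example",), "Constructed Root CA", start, lapsed)

    results = {
        "root_only_wrong_name": validate_root_only(wrong_name, "bank.example", now),
        "full_wrong_name": validate_full(wrong_name, "bank.example", now),
        "root_only_expired": validate_root_only(expired, "bank.example", now),
        "full_expired": validate_full(expired, "bank.example", now),
    }

    # Same host, two sessions; a different certificate appears in the second.
    reusing = Client(validate_full, revalidate_each_session=False)
    reusing.open_session("bank.example", good, now)
    results["reused_session"] = reusing.open_session("bank.example", wrong_name, now)

    strict = Client(validate_full, revalidate_each_session=True)
    strict.open_session("bank.example", good, now)
    results["revalidated_session"] = strict.open_session("bank.example", wrong_name, now)
    return results


if __name__ == "__main__":
    for case, failures in run_cert_demo().items():
        print(f"{case}: {failures or 'accepted'}")
```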
Affected Software Versions
- Microsoft Internet Explorer 4.0
- Microsoft Internet Explorer 4.01
- Microsoft Internet Explorer 5.0
- Microsoft Internet Explorer 5.01
Patch Availability
Note I: This patch also eliminates all vulnerabilities discussed in Microsoft Security Bulletin MS00-033.
Note II: The patch requires IE 5.01 to install; a version that supports IE 4.01 Service Pack 2 will be released shortly. Customers who install this patch on versions other than these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article 254902 (available soon).
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS00-039: Frequently Asked Questions
- Microsoft Knowledge Base (KB) article 254902 (available soon)
Patch Available for "HTML Help File Code Execution" Vulnerability (June 3, 2000)
By: Arie Slob
Summary
Microsoft has released a patch that eliminates a security vulnerability in the HTML Help facility that ships with Microsoft® Internet Explorer. Under certain conditions, the vulnerability could allow a malicious web site to take inappropriate action on the computer of a visiting user.
Issue
The HTML Help facility provides the ability to launch code via shortcuts included in HTML Help files. If a compiled HTML Help (.chm) file were referenced by a malicious web site, it could potentially be used to launch code on a visiting user's computer without the user's approval. Such code could take any actions that the user could take, including adding, changing or deleting data, or communicating with a remote web site.
A web site could only invoke an HTML Help file if it resided on a UNC share accessible from the user's machine, or on the user's machine itself. A firewall that blocks NetBIOS would prevent the former case from being exploited. Adhering to standard security practices would prevent the latter. In addition, an HTML Help file could only be invoked if Active Scripting was permitted in the Security Zone that the malicious user's site resides in. The patch eliminates the vulnerability by only allowing an HTML Help file to use shortcuts if the help file resides on the local machine.
Affected Software Versions
- Microsoft Internet Explorer 4.0
- Microsoft Internet Explorer 4.01
- Microsoft Internet Explorer 5.0
- Microsoft Internet Explorer 5.01
Patch Availability
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS00-037: Frequently Asked Questions
- Microsoft Knowledge Base (KB) article Q259166 UNC Path Can Be Used to Start Programs by Using .chm Files
Patch Available for "Frame Domain Verification", "Unauthorized Cookie Access", and "Malformed Component Attribute" Vulnerabilities (May 18, 2000)
Summary
Microsoft has released a comprehensive patch that eliminates three security vulnerabilities in Microsoft® Internet Explorer 4 and 5:
- The "Frame Domain Verification" vulnerability, which could allow a malicious web site operator to read, but not change or add, files on the computer of a visiting user.
- The "Unauthorized Cookie Access" vulnerability, which could allow a malicious web site operator to access "cookies" belonging to a visiting user.
- The "Malformed Component Attribute" vulnerability, which could allow a malicious web site operator to run code of his choice on the computer of a visiting user.
Issue
The three security vulnerabilities eliminated by this patch are unrelated to each other except by the fact that they all occur in the same .dll.
The vulnerabilities are:
- Frame Domain Verification vulnerability. When a web server opens a frame within a window, the IE security model should only allow the parent window to access the data in the frame if they are in the same domain. However, two functions available in IE do not properly perform domain checking, with the result that the parent window could open a frame that contains a file on the local computer, then read it. This could allow a malicious web site operator to view files on the computer of a visiting user. The web site operator would need to know (or guess) the name and location of the file, and could only view file types that can be opened in a browser window.
- Unauthorized Cookie Access vulnerability. By design, the IE security model restricts cookies so that they can be read only by sites within the originator's domain. However, by using a specially-malformed URL, it is possible for a malicious web site operator to gain access to another site's cookie and read, add or change them. A malicious web site operator would need to entice a visiting user into clicking a link in order to access each cookie, and could not obtain a listing of the cookies available on the visitor's system. Even after recovering a cookie, the type and amount of personal information would depend on the privacy practices followed by the site that placed it there.
- Malformed Component Attribute vulnerability. The code used to invoke ActiveX components in IE has an unchecked buffer and could be exploited by a malicious web site operator to run code on the computer of a visiting user. The unchecked buffer is only exposed when certain attributes are specified in conjunction with each other.
The patch also eliminates a new variant of the previously-addressed WPAD Spoofing vulnerability.
Affected Software Versions
- Microsoft Internet Explorer 4.0
- Microsoft Internet Explorer 4.01
- Microsoft Internet Explorer 5.0
- Microsoft Internet Explorer 5.01
Patch Availability
Note I: The patch for these issues has been incorporated into a subsequently-issued patch. See Microsoft Security Bulletin MS00-039 for more information.
Note II: The patches require IE 4.01 Service Pack 2 or IE 5.01 to install. Customers using versions prior to these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in Microsoft Knowledge Base (KB) article Q262509 Patch Available for "Frame Domain Verification", "Unauthorized Cookie Access", "Malformed Component Attribute", and "WPAD Spoofing" Vulnerabilities.
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS00-033: Frequently Asked Questions
- Microsoft Knowledge Base (KB) article Q262509 Patch Available for "Frame Domain Verification", "Unauthorized Cookie Access", "Malformed Component Attribute", and "WPAD Spoofing" Vulnerabilities
- Microsoft Knowledge Base (KB) article Q251108 Update Available for the "Frame Domain Verification" Issue and Q255676 DocumentComplete on IFRAME May Cause Cross-Domain Security Issues - discussing the "Frame Domain Verification" vulnerability
- Microsoft Knowledge Base (KB) article Q258430 Web Site May Retrieve Cookies from Your Computer - discussing the "Unauthorized Cookie Access" vulnerability
- Microsoft Knowledge Base (KB) article Q261257 Malformed Component Attribute Issue in Internet Explorer - discussing the "Malformed Component Attribute" vulnerability
- Microsoft Knowledge Base (KB) article Q247333, Web Proxy Auto-Discovery "Spoofing" May Change Proxy Settings
Patch Available for "Image Source Redirect" Vulnerability (February 16, 2000)
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Internet Explorer. The vulnerability could allow a malicious web site operator to read - but not add, change or delete - certain types of files on the computer of a visiting user.
Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.
Affected Software Versions:
- Microsoft Internet Explorer 4.0 and 4.01
- Microsoft Internet Explorer 5 and 5.01
Patch Availability
Note I: Microsoft produces security patches for Internet Explorer 4.01 SP2 and higher. In the event that this package is applied to Internet Explorer 4.01 SP1, the package states that a fix is not needed. This message is incorrect, as the vulnerability does exist on Internet Explorer 4.01 SP1 or any earlier release. If you are using Internet Explorer 4.01 SP1 or any earlier release, please upgrade to the latest version of Internet Explorer to resolve this issue.
Note II: Additional security patches are available at the Microsoft Download Center.
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS00-009: Frequently Asked Questions
Patch Available for "Server-side Page Reference Redirect" Vulnerability (09 December 1999)
Microsoft has released a patch that eliminates a vulnerability in Microsoft® Internet Explorer 4.01, 5 and 5.01, that could allow a malicious web site operator to view a file on the computer of a visiting user, provided that the web site operator knew the name and folder of the file.
Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.
Affected Software Versions:
- Microsoft Internet Explorer 4.01
- Microsoft Internet Explorer 5.0
- Microsoft Internet Explorer 5.01
Patch Availability
Note I: Microsoft produces security patches for Internet Explorer 4.01 SP2 and higher. In the event that this package is applied to Internet Explorer 4.01 SP1, the package states that a fix is not needed. This message is incorrect, as the vulnerability does exist on Internet Explorer 4.01 SP1 or any earlier release. If you are using Internet Explorer 4.01 SP1 or any earlier release, please upgrade to the latest version of Internet Explorer to resolve this issue.
Note II: The patch will be available shortly at the WindowsUpdate site.
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS99-050: Frequently Asked Questions
- Microsoft Knowledge Base (KB) article Q246094, Update Available for "Server-side Page Reference Redirect" Vulnerability
(Note: It may take 24 hours from the original posting of this bulletin for the KB article to be visible; however, a copy will be immediately available in the patch folder.)
Patch Available for "Javascript Redirect" Vulnerability (18 November 1999)
On October 18, 1999, Microsoft released a workaround for a vulnerability in Microsoft® Internet Explorer. The vulnerability could allow a malicious web site operator to read files on the computer of a user who visited the site, under certain circumstances. Microsoft has completed a patch that completely eliminates the vulnerability.
Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.
Affected Software Versions:
- Microsoft Internet Explorer 4.01 and 5
Patch Availability
Note I: The IE 4.01 patch requires IE 4.01 SP2 in order to install. IE 4.01 SP 2 is available at the Internet Explorer Web site.
Note II: The patch will be available shortly via the WindowsUpdate site.
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS99-043: Frequently Asked Questions
- Microsoft Knowledge Base (KB) article Q244356, Update Available for "Javascript Redirect" Vulnerability in Internet Explorer 4.01
- Microsoft Knowledge Base (KB) article Q244357, Update Available for "Javascript Redirect" Vulnerability in Internet Explorer 5
(Note: It may take 24 hours from the original posting of this bulletin for the KB article to be visible; however, a copy will be immediately available in the patch folder.)
Patch Available for "Active Setup Control" Vulnerability (11 November 1999)
By: Arie Slob
Summary
Microsoft has released a patch that eliminates a vulnerability that could allow a malicious user to embed an unsafe executable within an email and disguise it as a safe type of attachment. Through a complicated series of steps, the unsafe executable could be made to execute under certain conditions, if the user opened the attachment.
Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.
Issue
A particular ActiveX control allows cabinet files to be launched and executed. This could allow an HTML mail to contain a malicious cabinet file, disguised as a file of an innocuous type. If a user attempted to open this file, the operation would fail but could, depending on the mail package, leave a copy of the file in a known location. The ActiveX control could then be used via a script embedded in the mail to launch the copy, thereby executing the malicious code.
The vulnerability could only be exploited in cases where a mail reader was used that allowed scripts in HTML mail and stored temporary copies of launched programs in known locations. The patch restricts the ability of the control to launch unsigned cabinet files that have been downloaded from the local machine.
Affected Software Versions:
- The affected ActiveX control ships as part of Microsoft Internet Explorer 4 and 5
Patch Availability
Note: Microsoft produces security patches for Internet Explorer 4.01 SP2 and higher. In the event that this package is applied to Internet Explorer 4.01 SP1, the package states that a fix is not needed. This message is incorrect, as the vulnerability does exist on Internet Explorer 4.01 SP1. If you are using Internet Explorer 4.01 SP1, please upgrade to the latest version of Internet Explorer to resolve this issue.
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS99-048: Frequently Asked Questions
- Microsoft Knowledge Base (KB) article Q244540, Update Available for "Active Setup Control" Vulnerability
(Note: It may take 24 hours from the original posting of this bulletin for the KB article to be visible; however, a copy will be immediately available in the patch folder.)
Obtaining Support on this Issue
If you require technical assistance with this issue, please contact Microsoft Technical Support.
Patch Available for "IFRAME ExecCommand" Vulnerability (18 October 1999)
On October 11, 1999, Microsoft released a workaround for a vulnerability in Microsoft® Internet Explorer. The vulnerability could allow a malicious web site operator to read files on the computer of a user who visited the site, under certain circumstances. Microsoft has completed a patch that completely eliminates the vulnerability.
Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.
Affected Software Versions:
- Microsoft Internet Explorer 4.01, versions prior to Service Pack 2
- Microsoft Internet Explorer 5
Patch Availability
Note I: The IE5 patch also includes the previously-released fix for the Download Behavior vulnerability.
Note II: The IE5 patch also will be available shortly at the Windows Update Web site.
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS99-042: Frequently Asked Questions
- Microsoft Knowledge Base (KB) article Q243638, Update Available for "IFRAME ExecCommand" Vulnerability in Internet Explorer 5
(Note: It may take 24 hours from the original posting of this bulletin for the KB article to be visible; however, a copy will be immediately available in the patch folder.)
Patch for "Scriptlet.typlib/Eyedog" Vulnerability (31 August 1999)
Microsoft has released a patch that eliminates security vulnerabilities in two ActiveX controls. The net effect of the vulnerabilities is that a web page could take unauthorized action against a person who visited it. Specifically, the web page would be able to do anything on the computer that the user could do.
Affected Software Versions:
- Microsoft Internet Explorer 4.0 and 5.0
More information is available in the Microsoft Knowledge Base Articles:
- Microsoft Knowledge Base (KB) article Q240308, Update Available for Scriptlet.typlib/Eyedog Security Vulnerability
- Microsoft Knowledge Base (KB) article Q240797, How to Keep an ActiveX Control from Running in Internet Explorer
(Note: It may take 24 hours from the original posting of this bulletin for the KB article to be visible; however, a copy will be immediately available in the patch folder.)
Here is the Scriptlet.typlib/Eyedog Patch.
Note: Circa September 7, 1999, the patch also will be available through WindowsUpdate.
Patch for "Malformed Favorites Icon" Vulnerability (28 May 1999)
Microsoft has released a single patch that eliminates two security vulnerabilities in Microsoft® Internet Explorer 4.0 and 5. The first potentially could allow arbitrary code to be run on a user's computer. The second potentially could allow the local hard drive to be read. A fully supported patch is available to eliminate both vulnerabilities, and Microsoft recommends that affected customers download and install it, if appropriate.
Affected Software Versions:
- Microsoft Internet Explorer 4.0 and 5.0
More information is available in the Microsoft Knowledge Base Articles:
The patch can be found at www.microsoft.com/windows/ie/security/favorites.asp.
Note: The patch will determine the version of IE and the platform on which it is installed, and will apply only the appropriate fix. As a result, the single patch above is appropriate for use by customers who are affected by either or both of the vulnerabilities.
Patch for "DHTML Edit" Vulnerability (21 April 1999)
Microsoft has released a patch that eliminates a vulnerability in an ActiveX control that is distributed in Internet Explorer 5 and downloadable for Internet Explorer 4.0. The vulnerability could allow a malicious web site operator to read information that a user had loaded into the control, and it also could allow files with known names to be copied from the user's local hard drive.
Affected Software Versions:
- Microsoft Internet Explorer 5 on Windows 95, Windows 98, and Windows NT 4.0. Internet Explorer 5 on other platforms is not affected
- Microsoft Internet Explorer 4.0 on Windows 95, Windows 98 and the x86 version of Windows NT 4.0. Internet Explorer 4.0 on other platforms, including the Alpha version of Windows NT 4.0, is not affected
More information is available in the Microsoft Knowledge Base Article No. Q226326 Update Available For "DHTML Edit" Security Issue.
The patch can be found at http://www.microsoft.com/windows/ie/security/dhtml_edit.asp.
MSHTML Update Available for Internet Explorer (21 April 1999)
Microsoft has released an updated version of a component of Internet Explorer 4.0 and 5. The updated version eliminates three security vulnerabilities described below.
MSHTML.DLL is the parsing engine for HTML in Internet Explorer. The vulnerabilities that are eliminated by the update are not related to each other except for the fact that all reside within the parsing engine.
- The first vulnerability is a privacy issue involving the processing of the "IMG SRC" tag in HTML files. This tag identifies and loads image sources - image files that are to be displayed as part of a web page. The vulnerability results because the tag can be used to point to files of any type, rather than only image files, after which point the document object model methods can be used to determine information about them. A malicious web site operator could use this vulnerability to determine the size and other information about files on the computer of a visiting user. It would not allow files to be read or changed, and the malicious web site operator would need to know the name of each file
- The second vulnerability is a new variant of a previously-identified cross-frame security vulnerability. A particular malformed URL could be used to execute scripts in the security context of a different domain. This could allow a malicious web site operator to execute a script on the web site, and gain privileges on visiting users' machines that are normally granted only to their trusted sites
- The third vulnerability affects only Internet Explorer 5.0, and is a new variant of a previously-identified untrusted scripted paste vulnerability. The vulnerability would allow a malicious web site operator to create a particular type of web page control and paste into it the contents of a visiting user's clipboard
Affected Software Versions:
- Internet Explorer 4.0 and 5 on Windows 95, Windows 98 and Windows NT 4.0
More information is available in the Microsoft Knowledge Base Article No. Q226325 Update Available For MSHTML Security Issues In Internet Explorer.
The patch can be found at http://www.microsoft.com/windows/ie/security/mshtml.asp.
"Frame Spoof" Issue (22 Dec. 98)
By: Arie Slob
Microsoft has released a patch that fixes a vulnerability in Internet Explorer that could allow a malicious web site operator to impersonate a window on a legitimate web site. The threat posed by this vulnerability is that the bogus window could collect information from the user and send it back to the malicious site.
The "Frame Spoof" vulnerability exists because Internet Explorer's cross domain protection does not extend to navigation of frames. This makes it possible for a malicious web site to insert content into a frame within another web site's window. If done properly, the user might not be able to tell that the frame contents were not from the legitimate site, and could be tricked into providing personal data to the malicious site. Non-secure (HTTP) and secure (HTTPS) sites are equally at risk from this vulnerability.
Affected Software Versions
- Microsoft Internet Explorer versions 3.X, 4.0, 4.01, 4.01 Service Pack 1 for Windows 95
- Microsoft Internet Explorer versions 4.01 Service Pack 1 for Windows 98
- Microsoft Internet Explorer versions 3.X, 4.0, 4.01, 4.01 Service Pack 1 for Windows NT 4.0
- Microsoft Internet Explorer versions 3.X, 4.0, 4.01 for Windows 3.1
- Microsoft Internet Explorer versions 3.X, 4.0, 4.01 for Windows NT 3.51
- Microsoft Internet Explorer versions 3.X, 4.X for Macintosh
- Microsoft Internet Explorer version 4 for UNIX on HPUX
- Microsoft Internet Explorer version 4 for UNIX on Sun Solaris
No other products or versions of Internet Explorer are affected.
The Fix
NOTE: The patch for the "Frame Spoof" Vulnerability also includes two previously-released patches, for the "Untrusted Scripted Paste" and "Cross Frame Navigate" vulnerabilities. If you have not yet downloaded and installed these two patches, you only need to download and apply the patch for the "Frame Spoof" Vulnerability. If you have applied either or both of the patches, you should apply the patch for the "Frame Spoof" Vulnerability to ensure that you have the latest protection against all three vulnerabilities.
Windows 98 users:
Windows 98 customers can obtain the patch using Windows Update. To obtain this patch using Windows Update, launch Windows Update from the Windows Start Menu and click Product Updates. When prompted, select Yes to allow Windows Update to determine whether this patch and other updates are needed by your computer. If your computer does need this patch, you will find it listed under the Critical Updates section of the page.
For more information on the other versions, see the Security Patches document on the Windows 95 site.
More information can be found in this Microsoft Knowledge Base Article No. 167614
"Untrusted Scripted Paste" Issue (16 Oct. 98 - Updated 18 Nov. 98)
By: Arie Slob
Affected Software Versions
- Microsoft Internet Explorer 4.01 and 4.01 SP1 on Windows NT 4.0, Windows 95
- Microsoft Windows 98, with integrated Internet Explorer
- Microsoft Internet Explorer 4.01 for Windows 3.1 and Windows NT 3.51
This vulnerability could also affect software that uses HTML functionality provided by Internet Explorer, even if Internet Explorer is not used as your default browser. All customers that have affected versions of Internet Explorer on their systems should install this patch, whether or not they use Internet Explorer for web browsing.
This vulnerability does not affect Internet Explorer 3.x or 4.0 on any platform.
This does not affect any Macintosh or UNIX versions of Internet Explorer.
The "Untrusted Scripted Paste" issue involves a vulnerability in Internet Explorer that could allow a malicious hacker to circumvent certain Internet Explorer security safeguards. This vulnerability makes it possible for a malicious Web site operator to read the contents of a file on the user's computer if the hacker knows the exact name and path of the targeted file.
This could also be used to view the contents of a file on the user's network to which the user has access, and whose direct path name is known by the attacker.
The nature of this problem is that a script is able to use the Document.ExecCommand function to paste a filename into the file upload intrinsic control, which should only be possible by explicit user action. As a result, a subsequent form submission could send the file to a remote web site not known to the user if the user has disabled the default warning that is displayed when submitting unencrypted forms.
While there have not been any reports of customers being adversely affected by these problems, Microsoft released a patch to address any risks posed by this issue.
The Fix
Windows 98 users:
Windows 98 customers can obtain the patch using Windows Update. To obtain this patch using Windows Update, launch Windows Update from the Windows Start Menu and click Product Updates. When prompted, select Yes to allow Windows Update to determine whether this patch and other updates are needed by your computer. If your computer does need this patch, you will find it listed under the Critical Updates section of the page.
For more information on the other versions, see the Security Patches document on the Windows 95 site.
More information can be found in this Microsoft Knowledge Base Article No. 169245
On November 18th Microsoft released an updated version of the patch for the "Untrusted Scripted Paste" vulnerability (also known as the "Cuartango" vulnerability). The updated patch fixes the original vulnerability as well as a newly-discovered variant.
Microsoft highly recommends that all affected customers - including anyone who downloaded the original patch before November 18 - download and install the updated patch to protect their computers.
"Dotless IP Address" Issue (22 Oct 98)
By: Arie Slob
Microsoft has released a patch that fixes a vulnerability in the way Internet Explorer 4 determines what security zone a target server is in. By exploiting this vulnerability, a malicious hacker could misrepresent the URL of their website, causing the site to be treated as if it were located on an intranet by Internet Explorer's Security Zones feature.
The "Dotless IP Address" issue involves a vulnerability in Internet Explorer that could allow a malicious hacker to circumvent certain Internet Explorer security safeguards. This vulnerability makes it possible for a malicious web site operator to misrepresent the URL of an Internet web site and make it appear as if the machine is in the user's "Local Intranet Zone". Internet Explorer has the ability to set security settings differently between different zones. By exploiting this vulnerability, a malicious site could potentially perform actions that had been disabled in the Internet Zone or Restricted Sites Zone, but which are permitted in the Local Intranet Zone.
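The zone mix-up described above can be modelled in a few lines. The following is an added example, not code from Microsoft or from this page: it assumes a simplified zone rule ("a host name with no dots is an intranet name") and shows how canonicalising a numeric host before applying that rule removes the ambiguity. The function names and the sample hosts (built from the documentation address 203.0.113.10) are constructed for illustration.

```javascript
// Simplified model (assumption): a host with no dots is treated as an
// intranet machine name; anything else is an Internet host.
function naiveZone(host) {
  return host.includes(".") ? "Internet" : "Local Intranet";
}

// Parse one address component as decimal, 0x-prefixed hex or 0-prefixed
// octal, the forms classic IPv4 parsers accept. Returns null if not numeric.
function parseNumber(part) {
  const hex = /^0[xX]([0-9a-fA-F]+)$/.exec(part);
  if (hex) return parseInt(hex[1], 16);
  if (/^0[0-7]*$/.test(part)) return parseInt(part, 8);
  if (/^[1-9][0-9]*$/.test(part)) return parseInt(part, 10);
  return null;
}

// Return the dotted-quad form of a host that is a numeric IPv4 address in
// any 1- to 4-part notation (including a single 32-bit number), else null.
function canonicalIPv4(host) {
  const parts = host.split(".");
  if (parts.length > 4) return null;
  const nums = parts.map(parseNumber);
  if (nums.some((n) => n === null)) return null;
  // Leading parts are single octets; the last part fills the remaining bytes.
  const last = nums.pop();
  if (nums.some((n) => n > 255)) return null;
  if (last >= Math.pow(256, 4 - nums.length)) return null;
  let value = last;
  nums.forEach((n, i) => { value += n * Math.pow(256, 3 - i); });
  return [3, 2, 1, 0]
    .map((shift) => Math.floor(value / Math.pow(256, shift)) % 256)
    .join(".");
}

// Hardened check: canonicalise first, then apply the same zone rule to the
// canonical form, so a numeric address can never pass as a dotless name.
function hardenedZone(host) {
  const ip = canonicalIPv4(host);
  return naiveZone(ip !== null ? ip : host);
}

// Constructed sample hosts: an intranet machine name, a normal Internet
// name, and three spellings of the same Internet address.
const SAMPLE_HOSTS = [
  "fileserver",
  "www.example.com",
  "203.0.113.10",
  "3405803786",
  "0xCB00710A",
];

function classifySamples() {
  return SAMPLE_HOSTS.map((host) => ({
    host,
    canonical: canonicalIPv4(host),
    naive: naiveZone(host),
    hardened: hardenedZone(host),
  }));
}

for (const row of classifySamples()) {
  console.log(
    `${row.host.padEnd(16)} naive=${row.naive.padEnd(14)} hardened=${row.hardened}`
  );
}
```

Only the two single-number spellings are classified differently by the two functions, which is the gap between what the zone check sees and where the request actually goes.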
Affected Software Versions
- Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 on Windows NT 4.0, Windows 95
- Microsoft Windows 98, with integrated Internet Explorer
- Microsoft Internet Explorer 4.0 and 4.01 for Windows 3.1 and Windows NT 3.51
- Microsoft Internet Explorer 4.01 for UNIX
This vulnerability does not affect Internet Explorer 3.
This vulnerability does not affect Internet Explorer 4 for the Macintosh.
The Fix
Windows 98 users:
Windows 98 customers can obtain the patch using Windows Update. To obtain this patch using Windows Update, launch Windows Update from the Windows Start Menu and click Product Updates. When prompted, select Yes to allow Windows Update to determine whether this patch and other updates are needed by your computer. If your computer does need this patch, you will find it listed under the Critical Updates section of the page.
For more information on the other versions, see the Security Patches document on the Windows 95 site.
More information can be found in this Microsoft Knowledge Base Article No. 168617
Internet Explorer Cross Frame Navigate Vulnerability (4 Sep. 98)
By: Arie Slob
Microsoft has released a patch that fixes a recently discovered issue with the implementation of cross frame security in Microsoft Internet Explorer.
The Cross Frame Navigate issue involves a vulnerability in Internet Explorer that could allow a malicious hacker to circumvent certain Internet Explorer security safeguards. This vulnerability makes it possible for a malicious Web site operator to read the contents of files on your computer.
Affected Software Versions
- Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 on Windows NT 4.0, Windows 95
- Microsoft Windows 98, with integrated Internet Explorer (version 4.01 SP1)
- Microsoft Internet Explorer 4.0 and 4.01 for Windows 3.1 and Windows NT 3.51
- Microsoft Internet Explorer 4.0 and 4.01 for Macintosh
- Microsoft Internet Explorer 3.x
This vulnerability could also affect software that uses HTML functionality provided by Internet Explorer. Anyone using such programs should download the patch even if they do not run Internet Explorer as their default browser.
More information is available in this Microsoft Security Bulletin.
The Fix
Windows 98
Windows 98 customers can get the updated patch using Windows Update. To obtain this patch using Windows Update, launch Windows Update from the Windows Start Menu and click Product Updates. When prompted, select Yes to allow Windows Update to determine whether this patch and other updates are needed by your computer. If your computer does need this patch, you will find it listed under the Critical Updates section of the page.
For more information on the other versions, see the Security Patches document on the Windows 95 site.
"Window.External" JScript Vulnerability (17 Aug. 98)
By: Arie Slob
For more information see Microsoft's Knowledge Base Article No. 191200.
Affected Software Versions
- Microsoft Internet Explorer 4.0, 4.01, 4.01 SP1 on Windows 95 and Windows NT 4.0
- Microsoft Windows 98
Internet Explorer 4 for Windows 3.1, Windows NT 3.51, Macintosh and UNIX (Solaris) are not affected by this problem. Internet Explorer 3.x is not affected by this problem.
Microsoft has made this patch available as a "Critical Update" for Windows 98 customers through the Windows Update (Select Start > Windows Update).
Although not a direct IE4 security issue, we'll report it here anyway:
Patch Available for "File Access URL" Vulnerability
By: Arie Slob
Summary
Microsoft has released a patch that eliminates a vulnerability in Microsoft Windows 95 or Windows 98. The vulnerability could allow a malicious web site or e-mail message to cause the Windows machine to crash, or to run arbitrary code.
Frequently asked questions regarding this vulnerability can be found on the Microsoft security Web site.
Issue
There is a buffer overflow in the Windows 95 and Windows 98 networking software that processes file name strings. If the networking software were provided with a very long random string as input, it could crash the machine. If provided with a specially-malformed argument, it could be used to run arbitrary code on the machine via a classic buffer overrun attack.
The vulnerability could be exploited remotely in cases where a file:// URL or a Universal Naming Convention (UNC) string on a remote web site included a long file name or where a long file name was included in an e-mail message.
Affected Software Versions
- The buffer overrun is present in the networking software in all versions of Windows 95 and Windows 98.
Patch Availability
- Windows 95 [161KB]
- Windows 98 [169KB]
More Information
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS99-049: Frequently Asked Questions
- Microsoft Knowledge Base (KB) article Q245729, Windows 95 and 98 File Access URL Update
(Note: It may take 24 hours from the original posting of this bulletin for the KB article to be visible; however, a copy will be immediately available in the patch folder.)
Updates available for Security Vulnerabilities in Microsoft PPTP.
Microsoft has released a set of patches that fix several security issues with implementations of the Point-to-Point Tunneling Protocol (PPTP) used in Microsoft Virtual Private Networking (VPN) products.
Customers using affected software listed below to secure communications over a public network (i.e. the Internet) should download and apply these patches as soon as possible.
Customers who are not using PPTP for network security are not affected by this issue.
Affected Software Versions:
The following software is affected by this vulnerability:
- Microsoft Dialup Networking 1.2x and earlier on Windows 95
- Microsoft Remote Access Services on Windows NT 4.0 (both client and server)
- Microsoft Routing and Remote Access Services on Windows NT Server 4.0
- Microsoft Windows 98 Dialup Networking
Fixes:
Windows NT 4.0 RAS Users:
Download the patch from: ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/pptp3-fix/
Windows NT 4.0 RRAS Users:
Download the patch from: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/rras30-fix/
Windows 95 Users:
Download the patch from: ftp://ftp.microsoft.com/softlib/mslfiles/msdun13.exe
Windows 98 Users:
Download the patch from: ftp://ftp.microsoft.com/softlib/mslfiles/dun40.exe
Strong Encryption Versions (128-bit):
Customers in the United States and Canada can download the strong encryption versions of these updates from: http://mssecure.www.conxion.com/cgi-bin/ntitar.pl
Microsoft has published the following Knowledge Base (KB) articles on this issue:
- Microsoft Knowledge Base (KB) article 154091, Windows 95 Dial-Up Networking 1.3 Upgrade Release Notes
- Microsoft Knowledge Base (KB) article 189594, RRAS Hotfix 3.0
- Microsoft Knowledge Base (KB) article 189595, Windows NT 4.0 PPTP Security Update
- Microsoft Knowledge Base (KB) article 189771, Windows 98 PPTP Security Update