
Security Patches for IE 4 and 4.01




Security patches for Internet Explorer 4 and 4.01....




Microsoft Security Bulletin (MS98-011)
------------------------------------------------------------------------
Update available for "Window.External" JScript Vulnerability
in Microsoft Internet Explorer 4


Originally Posted: August 17, 1998
Last Revised: August 17, 1998

Summary
=======
Recently Microsoft was notified by Georgi Guninski and NTBugTraq
(http://ntbugtraq.ntadvice.com) of a security issue affecting the way
Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 handles JScript scripts
downloaded from web sites.

Microsoft has produced a patch for this issue, which customers should
download and apply as soon as possible.

Issue
=====
Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 use the JScript Scripting
Engine version 3.1 to process scripts on a web page. When Internet Explorer
encounters a web page that uses JScript script to invoke the Window.External
function with a very long string, Internet Explorer could terminate.

Long strings do not normally occur in scripts and must be intentionally
created by someone with malicious intent. A skilled hacker could use this
malicious script message to run arbitrary computer code contained in the
long string.

In order for users to be affected by this problem, they must visit a web
site that was intentionally designed to include a malicious script. See the
"Administrative Workaround" section below for more information.

There have not been any reports of customers being affected by this problem.


Affected Software Versions
==========================
The following software is affected by this vulnerability:
- Microsoft Internet Explorer 4.0, 4.01, 4.01 SP1 on Windows 95
   and Windows NT 4.0
- Microsoft Windows 98

Internet Explorer 4 for Windows 3.1, Windows NT 3.51, Macintosh and UNIX
(Solaris) are not affected by this problem. Internet Explorer 3.x is not
affected by this problem.

What Microsoft is Doing
=======================
On August 17th Microsoft released a patch that fixes the problem as
reported. This patch is available for download from the Microsoft Scripting
Technologies web site,
http://www.microsoft.com/msdownload/vbscript/scripting.asp.

Microsoft has also made this patch available as a "Critical Update" for
Windows 98 customers through the Windows Update.

Microsoft has sent this security bulletin to customers subscribing to the
Microsoft Product Security Notification Service (see
http://www.microsoft.com/security/bulletin.htm for more information about
this free customer service).

Microsoft has published the following Knowledge Base (KB) article on this
issue:
- Microsoft Knowledge Base (KB) article Q191200, Update Available
   for JScript Security Issue,
   http://support.microsoft.com/support/kb/articles/q191/2/00.asp

In addition, Microsoft has notified CERT (http://www.cert.org), an industry
security organization, which redistributes security-related information to
corporate, government and end-users.

What customers should do
========================
Microsoft highly recommends that users of affected software versions, listed
in the "Affected Software Versions" section above, should install the
updated version of the Microsoft Scripting Engine 3.1, which contains a fix
for this problem. This update can be downloaded from
http://www.microsoft.com/msdownload/vbscript/scripting.asp.

Windows 98 Users
----------------
Windows 98 customers can also get the updated patch using the Windows
Update. To obtain this patch using Windows Update, launch Windows Update
from the Windows Start Menu and click "Product Updates." When prompted,
select 'Yes' to allow Windows Update to determine whether this patch and
other updates are needed by your computer. If your computer does need this
patch, you will find it listed under the "Critical Updates" section of the
page.

Localized versions of the patch are available from the Microsoft Scripting
Technologies web site,
http://www.microsoft.com/msdownload/vbscript/scripting.asp.

Administrative workaround
=========================
We strongly encourage customers to apply the patch. However, users who
cannot apply the patch can use the Zones security feature in Internet
Explorer to provide additional protection against this issue by disabling
Active Scripting in the "Internet" and "Restricted Sites" Zones. This would
still allow JScript to be run from trusted Internet sites, and on the user's
local intranet.

To turn off Active Scripting for the "Internet" Zone:
1. From Internet Explorer, choose "Internet Options" from the "View" menu.
2. Click on the tab labeled "Security".
3. Click on "Internet Zone", then click "Customize Settings".
4. Scroll to the bottom of the list and click on "Disable" under the
    "Active Scripting" setting.

These same procedures can be followed for the "Restricted Sites" Zone.
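
A way to confirm the workaround took effect on a machine, as an added example that is not part of the bulletin: it audits an exported registry file for the Active Scripting setting in the two zones named above. The registry layout is an assumption not stated in the bulletin (zone keys 3 = Internet and 4 = Restricted Sites, value "1400" = Active Scripting, data 3 = Disable), and the export text is constructed.

```python
import re

# Assumed registry layout (not stated in the bulletin): per-zone settings live
# under ...\Internet Settings\Zones\<n>, where 3 = Internet, 4 = Restricted
# Sites, and value "1400" is the Active Scripting action
# (0 = enable, 1 = prompt, 3 = disable).
ZONES = {"3": "Internet", "4": "Restricted Sites"}
ACTIVE_SCRIPTING = "1400"
DISABLE = 3

KEY_RE = re.compile(r"^\[(.+\\Internet Settings\\Zones\\(\d+))\]$", re.I)
VAL_RE = re.compile(r'^"([0-9A-Fa-f]+)"=dword:([0-9A-Fa-f]{8})$')

def audit_zones(reg_text):
    """Return {zone name: (policy or None, compliant)} for the two zones."""
    found = {}
    zone = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            zone = m.group(2) if m else None
            continue
        m = VAL_RE.match(line)
        if zone in ZONES and m and m.group(1) == ACTIVE_SCRIPTING:
            found[zone] = int(m.group(2), 16)
    # A missing value means the zone default applies, so treat it as a failure.
    return {name: (found.get(z), found.get(z) == DISABLE)
            for z, name in ZONES.items()}

# Constructed sample export: Internet zone hardened, Restricted Sites still
# allowing script, Trusted Sites (zone 2) left enabled as the workaround intends.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000003
"1200"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000000
'''

if __name__ == "__main__":
    for name, (policy, ok) in audit_zones(SAMPLE).items():
        print(f"{name}: 1400={policy} -> {'OK' if ok else 'NOT DISABLED'}")
```

A zone with no explicit "1400" value is reported as non-compliant, since the audit cannot tell which default applies.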

More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS98-011, Update available for
   "Window.External" JScript Vulnerability in Microsoft Internet
   Explorer 4 (the Web posted version of this bulletin),
   http://www.microsoft.com/security/bulletins/ms98-011.htm
- Microsoft Knowledge Base (KB) article Q191200, Update for
   "Window.External" JScript Issue,
   http://support.microsoft.com/support/kb/articles/q191/2/00.asp
- Microsoft Internet Explorer Security Bulletin, Update available for
   "Window.External" JScript security issue,
   http://www.microsoft.com/ie/security/jscript.htm
- Windows Update Site, http://windowsupdate.microsoft.com
- Microsoft Scripting Technologies web site,
   http://msdn.microsoft.com/scripting

Revisions
=========
- Aug 17, 1998: Bulletin Created

For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security

------------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.


(c) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.
