"Download Behavior" Vulnerability in Internet Explorer 5

Article ID: 242542
This article has been archived. It is offered "as is" and will no longer be updated.

Summary

Microsoft has released an update to Internet Explorer 5 that addresses a potential security vulnerability with the download Dynamic HTML (DHTML) behavior. Additional information about this issue is available from the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS99-040.mspx
Updates are available for the following products:
  • Internet Explorer 5 for Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows NT 4.0 (Intel and Alpha platforms)
  • Microsoft Windows 98 Second Edition
This update also addresses the vulnerabilities in Internet Explorer 5 that are described in the following Microsoft Knowledge Base article:
226325 Update Available for MSHTML Security Issues in Internet Explorer

More information

DHTML behaviors (a new feature introduced in Internet Explorer 5) are simple, lightweight components that encapsulate specific functionality or behavior on a page. The download behavior feature allows Web page authors to download files for use in client-side scripts. By design, a Web site should be able to download only files that reside in its domain; this prevents client-side code from exposing files on your computer or local intranet to the Web site. However, a server-side redirect can be used to bypass this restriction. This vulnerability could allow a malicious Web site operator to potentially read (but not modify or erase) files on your computer or on other computers on your local intranet.
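
The restriction described above, as a simplified model added here (it is not Microsoft's code and not part of the original article): a same-domain check applied only to the requested URL passes even when a redirect leaves the domain, while a check applied to every hop does not. The function names, the redirect table, and the example hosts are assumptions constructed for illustration, and "same domain" is modeled as matching scheme, host, and port.

```javascript
// Added example: a simplified model, not Internet Explorer's implementation.
// Constructed sample data: the page, and a table standing in for HTTP redirects.
const PAGE_URL = "http://site.example/page.htm";
const REDIRECTS = {
  "http://site.example/get.asp": "http://intranet.example/report.txt",
  "http://site.example/old.txt": "/data.txt", // relative, stays in-domain
};

// Assumed policy for this model: same scheme, host and port as the page.
function sameDomain(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  return page.protocol === target.protocol && page.host === target.host;
}

// Build the list of hops a request goes through, resolving relative
// Location values against the current hop and capping the chain length.
function followRedirects(startUrl, redirectTable, maxHops = 5) {
  const hops = [startUrl];
  let current = startUrl;
  while (redirectTable[current] !== undefined) {
    if (hops.length > maxHops) throw new Error("too many redirects");
    current = new URL(redirectTable[current], current).href;
    hops.push(current);
  }
  return hops;
}

// Weak check: only the URL the script asked for is compared to the page.
function allowDownloadWeak(pageUrl, hops) {
  return hops.length > 0 && sameDomain(pageUrl, hops[0]);
}

// Corrected check: every hop, including the final location, must be in-domain.
function allowDownloadStrict(pageUrl, hops) {
  return hops.length > 0 && hops.every((hop) => sameDomain(pageUrl, hop));
}
```

A client that enforces the policy this way re-evaluates the domain after each redirect response instead of trusting the decision it made for the first URL.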

This vulnerability does not affect Internet Explorer 5 for Microsoft Windows 3.1 and Windows NT 3.51 or Internet Explorer 5 for Macintosh. Internet Explorer 5 for UNIX is affected, and an update will be available soon (see the workaround described below). Internet Explorer 4.x (for all platforms) does not support the download DHTML behavior and is not affected by this vulnerability.

To obtain the update for the download behavior vulnerability, download and install the appropriate Q242542.exe file for your computer from the following Microsoft Web site:
http://www.microsoft.com/msdownload/iebuild/dlbhav/en/dlbhav.htm
NOTE: If you are running Internet Explorer 5 for Windows 95, Windows 98, or Windows NT 4.0 (Intel), or you are running Windows 98 Second Edition, download the Update for "Download Behavior" Vulnerability (x86). If you are running Internet Explorer 5 for Windows NT 4.0 (Alpha), download the Update for "Download Behavior" Vulnerability (Compaq DIGITAL Alpha).
   Updated file name   Size                Date      Version
   ----------------------------------------------------------------
   Mshtml.dll          2,359,296 (x86)     9-29-99   5.00.2721.2900
   Mshtml.dll          4,984,832 (Alpha)   9-29-99   5.00.2721.2900
				
After you install the update, "Q242542" is added to the Update Versions line when you click About Internet Explorer on the Help menu in Internet Explorer.

Microsoft highly recommends that Internet Explorer 5 users evaluate the degree of risk that this vulnerability poses to their computers and determine whether to download and install the patch. Users who are concerned about this vulnerability but cannot install the patch can prevent the download behavior feature from operating by disabling Active Scripting in Internet Explorer 5. To do so:
  1. In Internet Explorer 5, click Internet Options on the Tools menu, and then click the Security tab.
  2. Click the Internet zone, and then click Custom Level.
  3. In the Settings box, under Scripting, locate and click the Active Scripting item, and then click Disable.
  4. Click OK, and then click OK.
NOTE: If you visit Web sites that rely on Active Scripting, some of their features and functions may not be available. If you need Active Scripting to use a site that you trust, you may want to consider adding the site to the Trusted Sites zone:
  1. In Internet Explorer 5, click Internet Options on the Tools menu, and then click the Security tab.
  2. Click the Trusted Sites zone, and then click Sites.
  3. Type the Web address (URL) of the site, and then click Add.
  4. Click OK, and then click OK.
For additional security-related information about Microsoft products, please see the following Microsoft Web site:
http://www.microsoft.com/security/
For additional information about the download behavior, please see the following Microsoft Web site:
http://msdn.microsoft.com/workshop/author/behaviors/reference/behaviors/download.asp
Note that this problem does not occur in Internet Explorer 5.01.

Properties

Article ID: 242542 - Last Review: June 19, 2014 - Revision: 4.0
Keywords: kbnosurvey kbarchive kbprb KB242542
