Update Available for "IFRAME ExecCommand" Vulnerability in Internet Explorer 5

Article translations Article translations
Article ID: 243638
This article has been archived. It is offered "as is" and will no longer be updated.
Expand all | Collapse all

Summary

Microsoft has made an update available that addresses a potential security issue relating to the use of the Document.ExecCommand() method when invoked on an IFrame. When you visit a Web site, this issue may enable a malicious Web site operator to read files on your computer, although the name and location of the file would have to be known to exploit this issue.

NOTE: Microsoft has not received any reports of adverse effects as a result of this issue.

Additional information about this issue is available at the following Microsoft Web sites:
http://www.microsoft.com/windows/ie/community/columns/securityupgrade.mspx
http://www.microsoft.com/technet/security/bulletin/MS99-042.mspx
Updates are available for the following products:
  • Microsoft Internet Explorer 5 for Windows 95
  • Microsoft Internet Explorer 5 for Windows NT 4.0 (Alpha and x86)
  • Microsoft Windows 98
An updated version of the "IFRAME ExecCommand" Vulnerability update was posted on November 4, 1999. This update also fixes the MSHTML issues in Microsoft Internet Explorer 5 previously documented in the following articles in the Microsoft Knowledge Base:
226325 Update Available for MSHTML Security Issues in Internet Explorer
242542 Download Behavior Vulnerability in Internet Explorer 5
For additional information about these issues, please see the following Microsoft Web sites:
http://www.microsoft.com/technet/security/bulletin/MS99-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS99-040.mspx
Note that this issue does not occur in Internet Explorer 5.01.

More information

This fix blocks the execCommand only in cases where it is being used cross-domain and from script.

To obtain this update, download and install the appropriate Q243638.exe file for your computer from the following Microsoft site:
http://www.microsoft.com/msdownload/iebuild/dlbhav/en/dlbhav.htm
October 15 version of Q243638.exe:
   File name   Size       Date        Version         Platform
   -----------------------------------------------------------
   Mshtml.dll  2,355,472  10/13/1999  5.00.2722.1300  x86
   Mshtml.dll  4,983,056  10/13/1999  5.00.2722.1300  Alpha
				
IMPORTANT: On October 29, 1999, Microsoft learned that this patch had caused a regression error. While this patch did correct the "IFRAME ExecCommand" vulnerability, it caused an older vulnerability to be re-exposed for Internet Explorer 5 users. The October 15 version of this patch does not include fixes for the issues documented in the following Microsoft Knowledge Base article:
242542 Download Behavior Vulnerability in Internet Explorer 5
For additional information about these issues, please see the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS99-012.mspx
Microsoft has corrected this regression error and re-released the patch. If you previously applied the fix for this vulnerability, you need to apply the updated fix.

November 4 version of Q243638.exe:
   File name   Size       Date        Version         Platform
   -----------------------------------------------------------
   Mshtml.dll  2,355,472  10/29/1999  5.00.2722.2800  x86
   Mshtml.dll  4,983,056  10/29/1999  5.00.2722.2800  Alpha
				
After you install this update "Q243638" is added to the Update Versions line when you click About Internet Explorer on the Help menu in Internet Explorer.

Microsoft highly recommends that Internet Explorer 5 users evaluate the degree of risk that this vulnerability poses to their computers and determine whether to download and install the patch. Users who are concerned about this vulnerability but cannot install the patch can prevent this behavior from operating by disabling Active Scripting in Internet Explorer 5:
  1. In Internet Explorer 5, click Internet Options on the Tools menu, and then click the Security tab.
  2. Click the Internet zone, and then click Custom Level.
  3. In the Settings box, locate the Active Scripting item under Scripting, and then click Disable.
  4. Click OK, and then click OK.
NOTE: If you visit Web sites that rely on Active Scripting, some of their features and functions may not be available. If you need Active Scripting to use a site that you trust, you may want to consider adding the site to the Trusted Sites zone:
  1. In Internet Explorer 5, click Internet Options on the Tools menu, and then click the Security tab.
  2. Click the Trusted Sites zone, and then click Sites.
  3. Type the Web address (URL) of the site, and then click Add.
  4. Click OK, and then click OK.

Properties

Article ID: 243638 - Last Review: June 19, 2014 - Revision: 4.0
Keywords: 
kbnosurvey kbarchive kbenv kbinfo KB243638

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com