Patch Available for "Active Setup Download" Vulnerability in Internet Explorer

Article ID: 265258
This article has been archived. It is offered "as is" and will no longer be updated.

Summary

On June 29, 2000, Microsoft released a patch that eliminates a security vulnerability in an ActiveX control that is included with Internet Explorer 4.01 SP2 and 5.01. This vulnerability could be used to overwrite files on the computer of a user who visits a site run by a malicious Web site operator.

You can find additional information regarding this vulnerability and the patch at the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms00-042.mspx

On August 9, 2000, Microsoft released a patch that eliminates this vulnerability for Internet Explorer 5.5. For additional information, please see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS00-055.mspx

More information

The Active Setup Control enables .cab files to be downloaded to a user's computer as part of the installation process for software updates. However, the control has the following two flaws:
  • The control treats all Microsoft-signed .cab files as trusted, which enables them to be installed without asking for the user's approval.
  • The control provides a method by which the caller can specify a download location on the user's hard disk.
In combination, these two flaws could enable a malicious Web site operator to download a Microsoft-signed .cab file as a means of overwriting a file on a user's computer. By overwriting system files, the malicious operator could make the computer unusable.

NOTE: There is no capability through this vulnerability to actually install the software that has been downloaded; the vulnerability only enables files to be overwritten in a denial of service attack. System File Protection in Windows 2000 would prevent an attack like this one from being used to overwrite system files.
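
The following added example (not from this article and not Microsoft's code or fix) models the two flaws described above as a policy decision and contrasts it with a policy that closes both. The function names, the `signer` string standing in for real signature verification, and the staging directory are assumptions made for illustration.

```python
from pathlib import Path

class DownloadRejected(Exception):
    """The request failed a policy check; nothing is written."""

def flawed_decision(signer: str, dest_path: str) -> str:
    # Models the behaviour the article describes: a Microsoft signature alone
    # grants trust, and the caller's destination path is used as given.
    if signer != "Microsoft":
        raise DownloadRejected("untrusted signer")
    return dest_path

def hardened_decision(signer: str, file_name: str, staging_dir: str,
                      user_approved: bool) -> Path:
    # Flaw 1: a signature identifies the publisher; it is not the user's consent.
    if signer != "Microsoft":
        raise DownloadRejected("untrusted signer")
    if not user_approved:
        raise DownloadRejected("user has not approved this download")
    # Flaw 2: the caller may name a file, never a location. Reject separators
    # and drive letters of either platform, plus the dot names.
    if file_name in ("", ".", "..") or any(c in file_name for c in "/\\:"):
        raise DownloadRejected("file name must not contain a path")
    staging = Path(staging_dir).resolve()
    target = (staging / file_name).resolve()
    if target.parent != staging:          # e.g. a symlink pointing elsewhere
        raise DownloadRejected("target escapes the staging directory")
    if target.exists():
        raise DownloadRejected("refusing to overwrite an existing file")
    # The writer should still open the file with mode "xb" so that a file
    # created after this check is not overwritten either.
    return target

if __name__ == "__main__":
    import tempfile
    request = r"C:\WINDOWS\SYSTEM\example.dll"   # constructed caller-supplied path
    print("flawed policy writes to:", flawed_decision("Microsoft", request))
    with tempfile.TemporaryDirectory() as staging:
        try:
            hardened_decision("Microsoft", request, staging, user_approved=True)
        except DownloadRejected as err:
            print("hardened policy:", err)
        print("hardened policy stages:",
              hardened_decision("Microsoft", "update.cab", staging, True))
```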

Patch Availability

This patch is currently available for Internet Explorer 4.01 SP2, 5.01, and 5.01 SP1 at the following Microsoft Web site:
http://www.microsoft.com/windows/ie/download/critical/patch8.htm
This patch is currently available for Internet Explorer 5.5 at the following Microsoft Web site:
http://www.microsoft.com/windows/ie/download/critical/patch11.htm
NOTE: This update may not appear on the Microsoft Windows Update Web site, or you may receive the following message when you are installing this update from the Microsoft.com Web site:
This update does not need to be installed on this system.
Updates are currently available only for Internet Explorer 4.01 SP2, 5.01, 5.01 SP1, and 5.5.

For additional information about how to determine which version of Internet Explorer is installed, click the article number below to view the article in the Microsoft Knowledge Base:
164539 How to Determine Which Version of Internet Explorer Is Installed

Update Information by Product

To update information by product, follow these steps:
  1. Install the patch from the following link:
    http://www.microsoft.com/windows/ie/download/critical/patch8.htm
  2. On the Help menu, click About Internet Explorer. The Q-article Q265258 is displayed on the Update Versions line.
  3. Install the patch from the following link:
    http://www.microsoft.com/windows/ie/download/critical/patch11.htm
  4. On the Help menu, click About Internet Explorer. The Q-article Q269368 is displayed on the Update Versions line.

Internet Explorer 5.01 SP1 for Windows 95, Windows 98, Windows 98 Second Edition, Windows NT 4.0, and Windows 2000

Update File Name: Q265258.exe

Description: Internet Explorer Security Update, June 19, 2000

Availability:
http://www.microsoft.com/windows/ie/download/critical/patch8.htm
   File name    Size     Date        Time        Version
   ------------------------------------------------------------
   Asctrls.ocx  109,328  08/01/2000  04:56:04pm  5.00.3207.2800

Internet Explorer 4.01 SP2 for Windows 95, Windows 98, and Windows NT 4.0 (Intel)

Update File Name: Q265258.exe

Description: Internet Explorer Security Update, June 19, 2000

Availability:
http://www.microsoft.com/windows/ie/download/critical/patch8.htm
   File name    Size     Date        Time        Version
   ------------------------------------------------------------
   Asctrls.ocx   91,536  06/14/2000   2:29:12pm  4.72.3718.1400

Windows 2000 (all versions) and Internet Explorer 5.01 for Windows 95, Windows 98, Windows 98 Second Edition, and Windows NT 4.0

Update File Name: Q265258.exe

Description: Internet Explorer Security Update, June 19, 2000

Availability:
http://www.microsoft.com/windows/ie/download/critical/patch8.htm
   File name    Size     Date        Time        Version
   ------------------------------------------------------------
   Asctrls.ocx  109,328  06/09/2000  11:13:26am  5.0.3018.900

Internet Explorer 5.5 for Windows 95, Windows 98, Windows 98 Second Edition, Windows NT 4.0, and Windows 2000

Update File Name: Q269368.exe

Description: Security Update, August 9, 2000

Availability:
http://www.microsoft.com/windows/ie/download/critical/patch11.htm
   File name   Size       Date        Time        Version
   -------------------------------------------------------------
   Asctrls.ocx   110,864  07/28/2000  02:16:40pm  5.50.4207.2600
   Mshtml.dll  2,744,592  07/28/2000  03:25:48pm  5.50.4207.2601

NOTE: In addition to the vulnerability discussed in this article, the Internet Explorer 5.5 version of this patch also eliminates the vulnerability discussed at the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS00-055.mspx

Properties

Article ID: 265258 - Last Review: June 19, 2014 - Revision: 6.0