Article ID: 241362 - Last Review: January 25, 2007 - Revision: 3.1

Security Vulnerability in ImportExportFavorites() Function in Internet Explorer 5.0

This article was previously published under Q241362

SUMMARY

Internet Explorer 5.0 includes a feature that allows you to
export a list of your favorite Web sites to a file, or to import a file
containing a list of favorite sites. The method that is used to perform this
function, ImportExportFavorites(), should only allow particular types of files to be written, and
only to specific locations on the drive. However, it is possible for a Web site
to invoke this method, bypass this restriction, and write files that may be
used to run system commands. As a result, a malicious Web site operator can
potentially take any action on the computer that a user is capable of
performing.

MORE INFORMATION

This vulnerability only affects Windows 95-based, Windows
98-based, Windows 98 Second Edition-based, and Windows NT 4.0-based computers
that are connected to the Internet and that are using Internet Explorer 5.0
with Active Scripting enabled. By default, Active Scripting is enabled in
Internet Explorer 5.0.

This problem is resolved in Internet Explorer 5.01 and later. Microsoft recommends that you upgrade to the latest version of Internet Explorer to resolve this problem.

For additional information about how to determine which version of Internet Explorer you are using, click the following article number to view the article in the Microsoft Knowledge Base:

164539 (http://support.microsoft.com/kb/164539/EN-US/) How to Determine Which Version of Internet Explorer Is Installed

For additional information about how to obtain the latest version of Internet Explorer 5.5, click the following article number to view the article in the Microsoft Knowledge Base:

267954 (http://support.microsoft.com/kb/267954/EN-US/) How to Obtain the Latest Internet Explorer 5.5 Service Pack

For additional information about how to obtain the latest version of Internet Explorer 6, click the following article number to view the article in the Microsoft Knowledge Base:

328548 (http://support.microsoft.com/kb/328548/EN-US/) How to Obtain the Latest Internet Explorer 6 Service Pack

On December 8, 1999, Microsoft released a patch that eliminates this error and several other vulnerabilities in Internet Explorer 5.0. For additional information about this patch, click the following article number to view the article in the Microsoft Knowledge Base:

246094 (http://support.microsoft.com/kb/246094/EN-US/) Update Available for "Server-Side Page Reference Redirect" Vulnerability

For additional information about the other vulnerabilities resolved with this patch, click the following article numbers to view the articles in the Microsoft Knowledge Base:

241361 (http://support.microsoft.com/kb/241361/EN-US/) Update Available for Vulnerabilities in ActiveX Controls Issue

231450 (http://support.microsoft.com/kb/231450/EN-US/) Update Available for the "Malformed Favorites Icon" Issue

The English version of this fix should have the following file attributes or later:

   File Name     Size      Date          Time     Version
   -----------------------------------------------------------
   Shdocvw.dll   946,448   Sep-14-1999   05:19p   5.00.2721.1400

http://www.microsoft.com/TechNet/security/bulletin/ms99-037.asp
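
An added example (not part of the original article): one way to compare inventoried Shdocvw.dll file versions against the 5.00.2721.1400 baseline listed above, comparing the four fields as numbers rather than as text. The host names and version strings are constructed sample data, and treating versions outside the 5.00 line as out of scope is an assumption based on the article naming only Internet Explorer 5.0 as affected.

```python
# Baseline from the article's file table: Shdocvw.dll 5.00.2721.1400 "or later".
FIXED_SHDOCVW = "5.00.2721.1400"


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of four ints; zero padding such as '00' is ignored."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version_text, baseline=FIXED_SHDOCVW):
    """Classify one Shdocvw.dll file version against the fixed baseline."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unreadable"          # incomplete or malformed inventory field
    if version[:2] != (5, 0):
        # Assumption: the article names only Internet Explorer 5.0 as affected,
        # so other version lines are reported separately instead of compared.
        return "not-5.00-line"
    # Tuple comparison is numeric per field. Comparing the raw strings would
    # rank "5.00.10000.1" below "5.00.2721.1400" because '1' sorts before '2'.
    return "fixed-or-later" if version >= parse_version(baseline) else "below-fix"


# Constructed inventory rows: (host, Shdocvw.dll file version as collected).
INVENTORY = [
    ("HOST-A", "5.00.2614.3500"),
    ("HOST-B", "5.00.2721.1400"),
    ("HOST-C", "5.00.10000.1"),
    ("HOST-D", "4.72.3110.0"),
    ("HOST-E", "5.00.2721"),
]


def report(inventory):
    """Map each host to its classification."""
    return {host: classify(version) for host, version in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```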

For additional security-related information about Microsoft products, visit the following Microsoft Web site:

http://www.microsoft.com/security/