
Preventing Internet Explorer and Outlook Express Cross-Site Scripting Security Issues

Article ID:253117
Last Review:January 27, 2007
Revision:8.4
This article was previously published under Q253117

SUMMARY

Microsoft has identified a serious security vulnerability that could potentially affect many Web sites and Web site users. The vulnerability, known as "Cross-Site Scripting", is possible on all programs that allow scripting, but is not a result of a defect in those programs. Instead, this vulnerability is a result of certain common Web coding practices. For additional information on this issue, please see the following Microsoft Web site:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/crssite.mspx
This article describes steps to ensure that during the period when Web site owners are reviewing their code and making any necessary changes, you can continue to browse the Web safely. Any programs that use scripting can be affected by this vulnerability; we have provided instructions to minimize the effects of this issue when you are using the Microsoft programs listed at the beginning of this article. If you are using another manufacturer's program, we recommend you contact them for instructions about how to configure that program.
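The "common Web coding practice" the summary refers to is a server page that copies a value it received from the request straight into the HTML it sends back. The following is an added illustration, not code from this article or from any Microsoft product: a constructed, minimal "search results" page builder shown twice, once echoing the query parameter as-is and once HTML-encoding it first. The parameter name q and the sample query strings are assumptions for the demonstration.

```python
import html
from urllib.parse import parse_qs

# Constructed example for illustration only; the parameter name "q" and the
# page layout are assumptions, not taken from the article.


def render_unsafe(query_string: str) -> str:
    """The vulnerable pattern: the 'q' value is placed into the page verbatim.

    Anything the request carries, including markup, becomes part of the page
    the browser renders, which is what makes cross-site scripting possible.
    """
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {q}</p>"


def render_safe(query_string: str) -> str:
    """The corrected pattern: HTML-encode the value before it reaches the page.

    html.escape turns <, >, &, and (with quote=True) quote characters into
    entities, so the browser shows them as text instead of parsing them.
    """
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def has_raw_tag(page: str, prefix: str = "<p>Results for: ") -> bool:
    """Simple check for the demo: does the echoed portion still contain raw markup?"""
    echoed = page[len(prefix):-len("</p>")]
    return "<" in echoed or ">" in echoed


if __name__ == "__main__":
    # Constructed request values: an ordinary query and one carrying markup
    # (URL-encoded, as a browser would send it).
    ordinary = "q=outlook+express"
    with_markup = "q=%3Cb%3Einjected%3C/b%3E"

    for qs in (ordinary, with_markup):
        unsafe_page = render_unsafe(qs)
        safe_page = render_safe(qs)
        print("unsafe:", unsafe_page, "| raw tag present:", has_raw_tag(unsafe_page))
        print("safe:  ", safe_page, "| raw tag present:", has_raw_tag(safe_page))
```

Running the script shows that the encoded page is identical for ordinary input and only differs when the request carried markup, which is the point: encoding at the place where untrusted data is written into HTML removes the problem without changing normal behaviour.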


MORE INFORMATION

There are several precautionary steps you can take to minimize the effects of this issue. We recommend that all customers take these steps.

IMPORTANT: Precautionary steps are provided below for both supported and unsupported versions of Microsoft Internet Explorer, Outlook, and Outlook Express. If you are running an unsupported version of one of these products, Microsoft strongly recommends that, in addition to using the steps below, you also upgrade to a supported version and then apply the latest security patches from the following Microsoft Windows Update Web site:
http://windowsupdate.microsoft.com
For additional information on supported versions of Microsoft Internet Explorer, Outlook, and Outlook Express, see the following Microsoft Web sites:
Microsoft Internet Explorer and Outlook Express
http://support.microsoft.com/gp/lifeselectintmsn
Microsoft Outlook
http://support.microsoft.com/gp/lifeselectoff


How to Prevent Cross-Site Scripting in E-Mail Messages

To prevent Cross-Site Scripting from occurring in e-mail messages, turn off Active Scripting in the Restricted zone and make all e-mail messages you receive run in the Restricted zone.

NOTE: Active Scripting is disabled by default in Outlook Express 6 and Outlook 2002.

For additional information about how to turn off Active Scripting in the Restricted zone and configure all e-mail to run in the Restricted zone, click the article numbers below to view the articles in the Microsoft Knowledge Base:
192846 (http://support.microsoft.com/kb/192846/EN-US/) How to Disable Active Scripting in Outlook Express
215774 (http://support.microsoft.com/kb/215774/EN-US/) OL2000: Scripts Embedded in HTML Messages Run without Warning
For additional information about virus protection features in Outlook Express 6, click the following article number to view the article in the Microsoft Knowledge Base:
291387 (http://support.microsoft.com/kb/291387/EN-US/) OLEXP: Using Virus Protection Features in Outlook Express 6


Take Precautions to Avoid Attacks When You Browse the Web or Read E-Mail Messages

Browse only to Web sites that you trust not to use malicious code.
Be careful about how you initially visit a Web site. The safest way to connect to a Web site is to type the Web address directly into the browser or use a securely-stored local bookmark or favorite. If you do this, you can significantly reduce exposure while maintaining functionality.
Do not click hyperlinks in an e-mail message, even if the message appears to be from someone you trust. A malicious user can cause a false name to appear on the From: line of an e-mail message.


Recovering from a Cross-Site Scripting Attack

NOTE: You should only take the following steps if you have credible evidence that you have visited a Web site that uses cross-site scripting. After you perform these steps, you need to re-register and re-customize any Web sites that you visit again.

To stop cross-site scripting:
1. Close Internet Explorer.
2. Start Internet Explorer again and visit a safe Web site, such as:
http://www.microsoft.com
3. Delete all the Cookie files on your computer. To do this, follow the appropriate steps for your version of Internet Explorer.

Internet Explorer 6 for Windows 98, Windows NT 4.0, Windows 98 Second Edition, Windows Millennium Edition, Windows XP, or Windows 2000

a. On the Tools menu, click Internet Options, and then click the General tab.
b. In the Temporary Internet Files section, click Delete Cookies, click OK, and then click OK again.
c.

Internet Explorer 5.x for Windows 95, Windows 98, Windows NT 4.0, Windows 98 Second Edition, or Windows 2000

a. On the Tools menu, click Internet Options, and then click the General tab.
b. Under Temporary Internet Files, click Settings.
c. Click View Files.
d. On the View menu, click to select the Details command.
e. Click the Internet Address column label, and then scroll to find the Cookie files Internet addresses. For example, a Cookie Internet address may be named something similar to the following name:
Cookie:jsmith@websitename.com
f. Click a Cookie file, and then press the Delete key. If you are prompted to confirm the deletion, click Yes. Repeat this step for each Cookie file.

Internet Explorer 4.x for Windows 95, Windows 98, or Windows NT 4.0

a. On the View menu, click Internet Options, and then click the General tab.
b. Under Temporary Internet Files, click Settings.
c. Click View Files.
d. On the View menu, click to select the Details command.
e. Click the Internet Address column label, and then scroll to find the Cookie files Internet addresses. For example, a Cookie Internet address may be named something similar to the following name:
Cookie:jsmith@websitename.com
f. Click a Cookie file, and then press the Delete key. If you are prompted to confirm the deletion, click Yes. Repeat this step for each Cookie file.

Internet Explorer 3.x for Windows 95 or Windows NT 4.0

a. On the View menu, click Options, and then click the Advanced tab.
b. Under Temporary Internet Files, click View Files.
c. Click the Name column label, and then scroll to find the Cookie files. For example, a Cookie file may be named something similar to the following name:
Cookie:jsmith@websitename.com
d. Click a Cookie file, and then press the Delete key. If you are prompted to confirm the deletion, click Yes. Repeat this step for each Cookie file.

Internet Explorer 3.x, 4.x, or 5 for Windows 3.1x and Windows NT 3.51

a. In File Manager, click Search on the File menu.
b. In the Search For box, type emcookie.dat.
c. In the Start From box, type the drive letter where Internet Explorer is installed, followed by a colon (:) and backslash (\). For example, C:\.
d. Click to select the Search All Subdirectories box, and then click OK.
e. In the Search Results window, click the Emcookie.dat file, and then click Delete on the File menu.
f. Click OK, click Yes if you are prompted to confirm the deletion, and then click Yes to update the Search Results window.

Internet Explorer 4.x for Macintosh

a. On the Edit menu, click Preferences.
b. Under Receiving Files, click Cookies.
c. Click one of the displayed cookies.
d. On the Edit menu, click Select All, and then click Delete.

Internet Explorer 4 or 5 for UNIX on HP-UX or Sun Solaris

a. Change to the .microsoft directory in the user's home directory.
b. Change to the Cookies directory inside of the .microsoft directory.
c. Delete all .txt files located in this directory. For example, user@www.example.com.txt.
For additional information about cookies, click the following article number to view the article in the Microsoft Knowledge Base:
260971 (http://support.microsoft.com/kb/260971/EN-US/) Description of Cookies



APPLIES TO
Microsoft Outlook Express 5.01 Service Pack 1
Microsoft Outlook Express 5.0
Microsoft Outlook Express 4.01 Service Pack 1
Microsoft Outlook Express 4.01 Service Pack 2
Microsoft Outlook Express 4.0
Microsoft Outlook Express 5.5 Service Pack 1
Microsoft Outlook Express 4.01
Microsoft Outlook Express 5.0 Macintosh Edition
Microsoft Outlook Express 4.0c for Macintosh
Microsoft Outlook Express 4.5 for Macintosh
Microsoft Outlook Express 4.02
Microsoft Outlook Express 4.0 for Macintosh
Microsoft Internet Explorer 5.5 Service Pack 1
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.0
Microsoft Internet Explorer 4.01 Service Pack 1
Microsoft Internet Explorer 4.01 Service Pack 2
Microsoft Internet Explorer 4.0 128-Bit Edition
Microsoft Internet Explorer 3.02
Microsoft Internet Explorer 3.01
Microsoft Internet Explorer 3.0
Microsoft Internet Explorer 3.03 for Windows NT 3.51 SP 1
Microsoft Internet Explorer 2.0
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 3.1
Microsoft Internet Explorer 4.0 for UNIX
Microsoft Internet Explorer 4.01
Microsoft Internet Explorer 5.0 for Macintosh
Microsoft Internet Explorer 4.5 for Macintosh
Microsoft Internet Explorer 4.01 for Macintosh
Microsoft Internet Explorer 4.0 for Macintosh
Microsoft Internet Explorer 3.0 for Macintosh
Microsoft Internet Explorer 2.1 for Macintosh
Microsoft Internet Explorer 2.0 for Macintosh
Microsoft Outlook Express 6.0
Microsoft Internet Explorer 6.0, when used with:
  Microsoft Windows XP Home Edition
  Microsoft Windows XP Professional
  Microsoft Windows XP Media Center Edition
  Microsoft Windows XP Tablet PC Edition
  Microsoft Windows 2000 Advanced Server
  Microsoft Windows 2000 Datacenter Server
  Microsoft Windows 2000 Professional Edition
  Microsoft Windows 2000 Server
  Microsoft Windows NT Server 4.0 Standard Edition
  Microsoft Windows NT Server 4.0, Terminal Server Edition
  Microsoft Windows NT Workstation 4.0 Developer Edition
  Microsoft Windows Millennium Edition
  Microsoft Windows 98 Second Edition
  Microsoft Windows 98 Standard Edition


Keywords: 
kbhowto kbcssi KB253117
