Article ID: 269368 - Last Review: March 29, 2007 - Revision: 4.2

Patch Available for Vulnerabilities in Internet Explorer

Retired KB ArticleRetired KB Content Disclaimer
View products that this article applies to.
This article was previously published under Q269368

On This Page

Expand all | Collapse all

SYMPTOMS

Microsoft has released an Internet Explorer security update that eliminates the following security vulnerabilities in Internet Explorer versions 5, 5.01, and 5.5:
  • The "Scriptlet Rendering" vulnerability. The ActiveX control that is used to invoked scriptlets is also a rendering engine for Hypertext Markup Language (HTML) and other file types such as .txt and .doc files. Because of this functionality, a malicious Web site operator can provide incorrect information that consists of script for the purpose of introducing it into an Internet Explorer system file with a known name, and then using the Scriptlet control to render the file. This action would make the script run in the Local Computer Zone, at which point it could obtain access to files on the local computer. For information about this vulnerability, view the following Microsoft Web site:
    http://www.microsoft.com/technet/security/bulletin/ms00-055.mspx (http://www.microsoft.com/technet/security/bulletin/ms00-055.mspx)
    For a list of frequently asked questions about this vulnerability, view the following Microsoft Web site:
    http://www.microsoft.com/technet/security/bulletin/fq00-055.mspx (http://www.microsoft.com/technet/security/bulletin/fq00-055.mspx)
  • A new variant of the "Frame Domain Verification" vulnerability that was fixed in Internet Explorer 5.01. For information about this vulnerability, view the following Microsoft Web site:
    http://www.microsoft.com/technet/security/bulletin/ms00-033.mspx (http://www.microsoft.com/technet/security/bulletin/ms00-033.mspx)
    To exploit the first two vulnerabilities, a malicious Web site operator would need to know, or guess, the exact name and path of each file the malicious Web site operator wants to view. Even then, the malicious Web site operator could only view file types that can be opened in a browser window such as .txt or .doc files, but not .exe or .dat files. If the Web site were in a zone where active scripting is disabled, neither vulnerability could be exploited.
  • A patch for the "IE Script" Vulnerability that is documented at the following Microsoft Web site is also included:
    http://www.microsoft.com/technet/security/bulletin/MS00-049.mspx (http://www.microsoft.com/technet/security/bulletin/MS00-049.mspx)
In addition to eliminating the preceding vulnerabilities, this patch also protects against several other vulnerabilities that are listed in the "More Information" section.
Back to the top

RESOLUTION

To resolve this problem, obtain the latest service pack for Internet Explorer version 5.5. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
276369  (http://support.microsoft.com/kb/276369/EN-US/ ) How to Obtain the Latest Internet Explorer 5.5 Service Pack
To resolve this problem, obtain the latest service pack for Internet Explorer version 5.01. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
267954  (http://support.microsoft.com/kb/267954/EN-US/ ) How to Obtain the Latest Internet Explorer 5.01 Service Pack
Back to the top

Patch Availability

While this patch is part of Internet Explorer 5.5 Service Pack 1, you can also obtain the individual patch by viewing the following Microsoft Web site:
http://www.microsoft.com/windows/ie/download/critical/patch11.htm (http://www.microsoft.com/windows/ie/download/critical/patch11.htm)
NOTE: This update may not appear on the Microsoft Windows Update Web site, or you may receive the following message when you are installing this update from the Microsoft.com Web site:
This update does not need to be installed on this system.
Updates are available only for Internet Explorer 4.01 SP2, 5.01, 5.01 SP1, and 5.5. Internet Explorer versions 4.0, 4.01 SP1, and 5.0 are also vulnerable to this behavior. If your browser is a version of Internet Explorer (4.0 or later) other than 4.01 SP2, 5.01, 5.01 SP1, or 5.5, your computer is still vulnerable. Microsoft recommends that you upgrade to the latest version of Internet Explorer and then install this patch.

If you are running Internet Explorer 5.5, you can install Internet Explorer 5.5 Service Pack 1 to resolve this behavior. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
276369  (http://support.microsoft.com/kb/276369/EN-US/ ) How to Obtain the Latest Internet Explorer 5.5 Service Pack
For additional information about how to determine which version of Internet Explorer is installed, click the article number below to view the article in the Microsoft Knowledge Base:
164539  (http://support.microsoft.com/kb/164539/EN-US/ ) How to Determine Which Version of Internet Explorer Is Installed
The English version of this fix should have the following file attributes or later:
Internet Explorer 5.5
File name    Size            Date           Time         Version
-----------------------------------------------------------------------
Asctrls.ocx  110,864         07/28/2000     2:16:40 PM   5.50.4207.2600
Mshtml.dll   2,744,592       07/28/2000     3:25:48 PM   5.50.4207.2601

Internet Explorer 5.01
File name      Size          Date           Time          Version

-----------------------------------------------------------------------
Mshtml.dll     2,353,424     07/26/2000     3:11:00 PM    5.0.3019.2500
Shdocvw.dll    1,095,952     06/22/2000     2:42:46 PM    5.0.3018.2200
Urlmon.dll     449,808       05/03/2000     2:12:56 PM    5.0.3017.300
Wininet.dll    460,560       05/12/2000     12:23:28 PM   5.0.3017.1200

Internet Explorer 5.01 SP1
File name     Size        Date           Time          Version
---------------------------------------------------------------------------
Mshtml.dll    2,353,424   07/27/2000     8:25:38 AM    5.0.3207.2500
Shdocvw.dll   1,095,952   07/27/2000     10:44:12 AM   5.0.3207.2200

Internet Explorer 4.01 SP2 (Windows 95/98)
File name    Size       Date      Time             Version
---------------------------------------------------------------------------
Mshtml.dll   2,424,592  8/04/00   2:31:38 PM       4.72.3720.4000
Wininet.dll  373,008    2/23/00   5:11:40 PM       4.72.3714.2300

Internet Explorer 4.01 SP2 (Windows NT 4.0)
File name    Size        Date      Time             Version
---------------------------------------------------------------------------

Mshtml.dll   2,424,080   8/04/00   3:30:08 PM       4.72.3720.4000
Wininet.dll  373,008     2/23/00   5:33:18 PM       4.72.3714.2300
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Internet Explorer version 5.5 Service Pack 1. This problem was first corrected in Internet Explorer version 5.01 Service Pack 2.
Back to the top

MORE INFORMATION

For information about previous updates that are included in this patch, please view the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/ms00-039.mspx (http://www.microsoft.com/technet/security/bulletin/ms00-039.mspx)
Also, for computers that are running Internet Explorer 5.5 only, this patch also eliminates the vulnerability described in Microsoft Security Bulletin MS00-042.
http://www.microsoft.com/technet/security/Bulletin/MS00-042.mspx (http://www.microsoft.com/technet/security/Bulletin/MS00-042.mspx)
For additional security-related information about Microsoft products, please view the following Microsoft Web site:
http://www.microsoft.com/security/ (http://www.microsoft.com/security/)
Back to the top
APPLIES TO
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 5.01
  • Microsoft Internet Explorer 5.0
  • Microsoft Internet Explorer 4.01 Service Pack 1
  • Microsoft Internet Explorer 4.01 Service Pack 2
  • Microsoft Internet Explorer 4.0 128-Bit Edition
Back to the top
Keywords: 
kbbug kbfix kbie501presp2fix kbie550presp1fix kbie550sp1fix KB269368
Back to the top
Retired KB ArticleRetired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations

 

Related Support Centers