Article ID: 318089 - Last Review: February 1, 2007 - Revision: 5.11

MS02-009: Incorrect VBScript Handling in Internet Explorer Can Allow Web Pages to Read Local Files

View products that this article applies to.
This article was previously published under Q318089
After the release of this patch on February 21, 2002, Microsoft became aware of some third-party programs that depend on behavior in VBScript that this patch disables. A minor change has been made to the security patch to fix this bug and to ensure backwards compatibility. A revised patch was released on March 13, 2002. If you experience problems with third-party programs after you apply the original version of this patch, download the revised patch. If you downloaded the original patch and are not experiencing difficulties, you do not need to take any action. As a result, the revised patch is not offered to you when you visit the Windows Update site.

If you experience problems with third-party programs after you apply the original release of this patch, download the revised patch. If you downloaded the original patch and are not experiencing difficulties, you do not need to take any action. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
319847  (http://support.microsoft.com/kb/319847/EN-US/ ) MS02-009 May Cause Incompatibility Problems Between VBScript and Third-Party Applications

On This Page

Expand all | Collapse all

SYMPTOMS

A vulnerability exists that could allow a malicious Web site operator to view files on the local computer of a visiting user. In addition, the vulnerability could allow a malicious Web site operator to collect information from a user's browsing session after the user had left the Web site. This information could then be passed back to the Web site, and could include personal information such as user names, passwords, or credit card information.

In both cases, the malicious user would have to entice the victim to visit a Web site that is under the malicious user's control. To read information from the user's local computer, the malicious Web site operator would have to know the exact name and location of the files on the user's computer. This vulnerability does not allow an attacker to add, change, or delete files on the user's computer.
Back to the top

CAUSE

This vulnerability occurs because of a flaw in the handling of scripts across domains within frames. The flaw allows scripts to violate Internet Explorer's cross-domain security model in a way that enables a Web site to read data in a frame that belongs to another domain.
Back to the top

RESOLUTION

To resolve this problem, install the latest service pack for Internet Explorer 6 or the February 14, 2002 Security Update from the following Microsoft Web site:
http://windowsupdate.microsoft.com (http://windowsupdate.microsoft.com)
This update can also be download using the appropriate links below.
Back to the top

Internet Explorer 6

To resolve this problem, obtain the latest service pack for Internet Explorer 6. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
328548  (http://support.microsoft.com/kb/328548/EN-US/ ) How to Obtain the Latest Internet Explorer 6 Service Pack
The following file is available for download from the Microsoft Download Center:
Internet Explorer 6 for Windows 2000 and Windows XP:
Collapse this imageExpand this image
Download
Download Vbs56nen.exe now (http://www.microsoft.com/downloads/results.aspx?pocId=&freetext=318089&DisplayLang=en)
Internet Explorer 6 for Windows Me, Windows 98, and Windows NT 4.0:
Collapse this imageExpand this image
Download
Download Vbs56men.exe now (http://www.microsoft.com/downloads/results.aspx?pocId=&freetext=318089&DisplayLang=en)
Release Date: February 21, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591  (http://support.microsoft.com/kb/119591/EN-US/ ) How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

File Information for the Original Patch

The English version of the Internet Explorer 6 for Windows 2000 and Windows XP update should have the following file attributes or later: 
   GMT-UTC Date Time   Version         Size     File name
   --------------------------------------------------------------
   02-Jan-2002  13:08  5.6.0.7302      467,002  Vbscript.dll
The English version of the Internet Explorer 6 for Windows Me, Windows 98, and Windows NT 4.0 update should have the following file attributes or later: 
   GMT-UTC Date Time   Version         Size     File name
   --------------------------------------------------------------
   02-Jan-2002  13:08  5.6.0.7302      467,002  Vbscript.dll

File Information for Revised Patch

The English version of the Internet Explorer 6 for Windows 2000 and Windows XP update should have the following file attributes or later: 
   GMT-UTC Date Time   Version             Size   File name
   --------------------------------------------------------------
   26-Feb-2002  19:58  5.6.0.7426        462,906  Vbscript.dll
NOTE: Due to file dependencies, this update may contain additional files.

The English version of the Internet Explorer 6 for Windows Me, Windows 98, and Windows NT 4.0 update should have the following file attributes or later: 
   GMT-UTC Date Time   Version             Size   File name
   -----------------------------------------------------------
   26-Feb-2002  19:58  5.6.0.7426        462,906  Vbscript.dll
NOTE: Due to file dependencies, this update may contain additional files.
Back to the top

Internet Explorer 5.5

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin (http://www.microsoft.com/technet/security/bulletin/ms02-009.mspx) to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Internet Explorer 5.5 service pack that contains this fix.

To resolve this problem immediately, download the fix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS (http://support.microsoft.com/default.aspx?scid=fh;en-us;cntactms)
NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The following file is available for download from the Microsoft Download Center:
Internet Explorer 5.5 for Windows 2000:
Collapse this imageExpand this image
Download
Download Vbs55nen.exe now (http://www.microsoft.com/downloads/results.aspx?pocId=&freetext=318089&DisplayLang=en)
Internet Explorer 5.5 for Windows Me, Windows 98, and Windows NT 4.0:
Collapse this imageExpand this image
Download
Download Vbs55men.exe now (http://www.microsoft.com/downloads/results.aspx?pocId=&freetext=318089&DisplayLang=en)
Release Date: February 21, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591  (http://support.microsoft.com/kb/119591/EN-US/ ) How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

File Information for the Original Patch

The English version of the Internet Explorer 5.5 for Windows 2000 update should have the following file attributes or later: 
   GMT-UTC Date Time   Version         Size     File name
   --------------------------------------------------------------
   02-Jan-2002  17:01  5.5.0.7302      458,813  Vbscript.dll
The English version of the Internet Explorer 5.5 for Windows Me, Windows 98, and Windows NT 4.0 update should have the following file attributes or later: 
   GMT-UTC Date Time   Version         Size     File name
   --------------------------------------------------------------
   02-Jan-2002  17:01  5.5.0.7302      458,813  Vbscript.dll

File Information for the Revised Patch

The English version of the Internet Explorer 5.5 for Windows 2000 update should have the following file attributes or later: 
   GMT-UTC Date Time   Version             Size   File name
   -----------------------------------------------------------
   28-Feb-2002  22:18  5.5.0.7426        450,621  Vbscript.dll
NOTE: Due to file dependencies, this update may contain additional files.

The English version of the Internet Explorer 5.5 for Windows Me, Windows 98, and Windows NT 4.0 update should have the following file attributes or later: 
   GMT-UTC Date Time   Version             Size   File name
   -----------------------------------------------------------
   28-Feb-2002  22:18  5.5.0.7426        450,621  Vbscript.dll
NOTE: Due to file dependencies, this update may contain additional files.
Back to the top

Internet Explorer 5.01

The following file is available for download from the Microsoft Download Center:
Internet Explorer 5.01 for Windows 2000:
Collapse this imageExpand this image
Download
Download Vbs51nen.exe now (http://www.microsoft.com/downloads/results.aspx?pocId=freetext=318089&displaylang=en)

This update is also available in Internet Explorer 5.01 Service Pack 3 for Windows 2000. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
267954  (http://support.microsoft.com/kb/267954/EN-US/ ) How to Obtain the Latest Internet Explorer 5.01 Service Pack
Internet Explorer 5.01 for Windows 98 and Windows NT 4.0:
Collapse this imageExpand this image
Download
Download Vbs51men.exe now (http://www.microsoft.com/downloads/results.aspx?pocId=freetext=318089&displaylang=en)
Release Date: February 21, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591  (http://support.microsoft.com/kb/119591/EN-US/ ) How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

File Information for the Original Patch

The English version of the Internet Explorer 5.01 for Windows 2000 update should have the following file attributes or later: 
   GMT-UTC Date Time   Version         Size     File name
   --------------------------------------------------------------
   02-Jan-2002  17:00  5.1.0.7302      438,330  Vbscript.dll
The English version of the Internet Explorer 5.01 update for Windows 98 and Windows NT should have the following file attributes or later: 
   GMT-UTC Date Time   Version         Size     File name
   --------------------------------------------------------------
   02-Jan-2002  17:00  5.1.0.7302      438,330  Vbscript.dll

File Information for the Revised Patch

The English version of the Internet Explorer 5.01 for Windows 2000 update should have the following file attributes or later: 
   GMT-UTC Date Time   Version             Size   File name
   -----------------------------------------------------------
   26-Feb-2002  22:14  5.1.0.7426        438,330  Vbscript.dll
NOTE: Due to file dependencies, this update may contain additional files.

The English version of the Internet Explorer 5.01 update for Windows 98 and Windows NT should have the following file attributes or later: 
   GMT-UTC Date Time   Version             Size   File name
   -----------------------------------------------------------
   26-Feb-2002  22:14  5.1.0.7426        438,330  Vbscript.dll
NOTE: Due to file dependencies, this update may contain additional files.
Back to the top

STATUS

Internet Explorer 6

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 6. This problem was first corrected in Internet Explorer 6 Service Pack 1.
Back to the top

Internet Explorer 5.5

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 5.5.
Back to the top

Internet Explorer 5.01

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 5.01. This problem was first corrected in Internet Explorer 5.01 for Windows 2000 Service Pack 3.
Back to the top

MORE INFORMATION

The Vbscript.dll file is included with Internet Explorer and Microsoft Windows Script.
  • Internet Explorer 6: Any customer who is running Internet Explorer 6, regardless of Windows version, has Windows Script 5.6 installed by default. Internet Explorer 6 includes Windows Script 5.6.
  • Internet Explorer 5.5: Any customer who is running Internet Explorer 5.5, regardless of Windows version, has Windows Script 5.5 installed by default. Internet Explorer 5.5 includes Windows Script 5.5.
  • Internet Explorer 5.01: Any customer who is running Internet Explorer 5.01, regardless Windows version, has Windows Script 5.1 installed by default.
Customers who have not upgraded their version of Internet Explorer to version 5.5 or 6 are likely to be running the following versions of Windows Script:
  • Windows 2000: Windows Script 5.1
  • Windows Me: Windows Script 5.5
You can verify the version of Microsoft Visual Basic Scripting Edition (VBScript) that you are running by checking the version of the Vbscript.dll file in the Windows\System32 folder. To do so, right-click the file, and then click Properties.

For more information about this vulnerability, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/ms02-009.mspx (http://www.microsoft.com/technet/security/bulletin/ms02-009.mspx)
Back to the top
APPLIES TO
  • Microsoft Internet Explorer 5.5 Service Pack 1
  • Microsoft Internet Explorer 5.5 Service Pack 2
  • Microsoft Internet Explorer 5.01
  • Microsoft Internet Explorer 6.0, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
    • Microsoft Windows XP Media Center Edition
    • Microsoft Windows XP Tablet PC Edition
    • Microsoft Windows 2000 Advanced Server
    • Microsoft Windows 2000 Datacenter Server
    • Microsoft Windows 2000 Professional Edition
    • Microsoft Windows 2000 Server
    • Microsoft Windows NT Server 4.0 Standard Edition
    • Microsoft Windows NT Server 4.0, Terminal Server Edition
    • Microsoft Windows NT Workstation 4.0 Developer Edition
    • Microsoft Windows Millennium Edition
    • Microsoft Windows 98 Second Edition
    • Microsoft Windows 98 Standard Edition
Back to the top
Keywords: 
kbqfe kbbug kbfix kbie501presp3fix kbie550presp3fix kbie600presp1fix kbsecbulletin kbsechack kbsecurity kbsecvulnerability kbwin2000sp3fix kbie600sp1fix KB318089
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations