MS02-015: Update Available for Local File Execution Vulnerability in Internet Explorer

Article ID: 319235
This article was previously published under Q319235
This article has been archived. It is offered "as is" and will no longer be updated.

SYMPTOMS

A vulnerability exists in Internet Explorer that could allow an attacker to run local programs on a user's computer. The attacker could send a specially formatted HTML e-mail message or could create a Web page that, when it was opened, could run a program on the user's local computer. It is important to note that no parameters can be sent. The extent to which an attacker could exploit this vulnerability is limited to running a local program, or to logging the user off from the user's own local computer.

CAUSE

This vulnerability results from the way in which Internet Explorer handles ActiveX objects, specifically with the codeBase property. If you set the CODEBASE property of an object or program to the file path of a local program file, that program file can be invoked without prompting the user. This occurs because, when Internet Explorer processes the HTML, it tries to bind to the source. This results in the program file being run because the CODEBASE tag and the OBJECT tag run in the same zone (for example, the My Computer zone). In this case, they should be running in the Internet zone, which would prevent local programs from being run on the user's computer.
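
As an added example (not code from Microsoft or from this article), the following Python sketch shows how a mail or Web content filter could flag the pattern described above: an OBJECT element whose CODEBASE value names a file on the local disk. The function and class names, the sample HTML, and the placeholder paths are constructed for illustration, and treating drive-letter paths and file: URLs without a remote host as "local" is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

_DRIVE_PATH = re.compile(r"^[A-Za-z]:/")  # C:/dir/app.exe after slash normalisation

def is_local_path(value):
    """True if a CODEBASE value names a local file (assumed definition, see lead-in)."""
    v = unquote(value.strip()).replace("\\", "/")  # undo %-encoding, unify slashes
    if _DRIVE_PATH.match(v):
        return True
    try:
        parts = urlsplit(v)
    except ValueError:  # malformed URL in hostile input: not a local path
        return False
    # file: URLs are local only when no remote host is named
    return parts.scheme == "file" and parts.netloc.lower() in ("", "localhost")

class CodebaseScanner(HTMLParser):
    """Collects (line, value) for OBJECT tags whose CODEBASE is a local path."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names and decodes
        # character references in values, so OBJECT/CodeBase/&#58; all match.
        if tag != "object":
            return
        for name, value in attrs:
            if name == "codebase" and value and is_local_path(value):
                self.findings.append((self.getpos()[0], value.strip()))

def scan_html(html_text):
    scanner = CodebaseScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings

# Constructed sample input; paths and host names are placeholders.
SAMPLE = """<html><body>
<object codebase="http://downloads.example.com/control.cab#version=1,0,0,0"></object>
<OBJECT CodeBase="C:\\example\\placeholder.exe"></OBJECT>
<object codebase='file:///c:/example/placeholder.exe'></object>
<object codebase="c&#58;/example/placeholder.exe"></object>
<object codebase="controls/viewer.cab"></object>
</body></html>"""

if __name__ == "__main__":
    for line, value in scan_html(SAMPLE):
        print(f"line {line}: OBJECT CODEBASE points at local file: {value}")
```

A hit from a scanner like this is a reason to quarantine or strip the element; it does not replace installing the cumulative patch listed under RESOLUTION.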

RESOLUTION

Internet Explorer 6

To resolve this problem, obtain the latest service pack for Internet Explorer 6. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
328548 How to Obtain the Latest Internet Explorer 6 Service Pack
The update for this problem is included in the "March 28, 2002, Cumulative Patch for Internet Explorer." For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:
319182 MS02-015: March 28, 2002, Cumulative Patch for Internet Explorer

Internet Explorer 5.5 Service Pack 2

The update for this problem is included in the "March 28, 2002, Cumulative Patch for Internet Explorer." For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:
319182 MS02-015: March 28, 2002, Cumulative Patch for Internet Explorer

Internet Explorer 5.5 Service Pack 1

The update for this problem is included in the "March 28, 2002, Cumulative Patch for Internet Explorer." For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:
319182 MS02-015: March 28, 2002, Cumulative Patch for Internet Explorer

Internet Explorer 5.01 Service Pack 2 (on Windows 2000 and Windows NT 4.0 only)

This update is only for customers running Internet Explorer 5.01 Service Pack 2 on Windows 2000 Service Pack 2 or Windows NT 4.0 Service Pack 6a. If you are running Internet Explorer 5.01 on any other version of Windows, upgrade to Internet Explorer 5.5 Service Pack 2 or later, and then apply this update.

The update for this problem is included in the "March 28, 2002, Cumulative Patch for Internet Explorer." For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:
319182 MS02-015: March 28, 2002, Cumulative Patch for Internet Explorer

STATUS

Internet Explorer 6

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 6. This problem was first corrected in Internet Explorer 6 Service Pack 1.

Internet Explorer 5.5

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 5.5.

Internet Explorer 5.01

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 5.01. This problem was first corrected in Internet Explorer 5.01 for Windows 2000 Service Pack 3.

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/ms02-015.mspx

Properties

Article ID: 319235 - Last Review: February 27, 2014 - Revision: 3.12
APPLIES TO
  • Microsoft Internet Explorer 5.5 Service Pack 1
  • Microsoft Internet Explorer 5.5 Service Pack 2
  • Microsoft Internet Explorer 5.01
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 6.0, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
    • Microsoft Windows XP Media Center Edition
    • Microsoft Windows XP Tablet PC Edition
    • Microsoft Windows 2000 Advanced Server
    • Microsoft Windows 2000 Datacenter Server
    • Microsoft Windows 2000 Professional Edition
    • Microsoft Windows 2000 Server
    • Microsoft Windows NT Server 4.0 Standard Edition
    • Microsoft Windows NT Server 4.0, Terminal Server Edition
    • Microsoft Windows NT Workstation 4.0 Developer Edition
    • Microsoft Windows Millennium Edition
    • Microsoft Windows 98 Second Edition
    • Microsoft Windows 98 Standard Edition
Keywords: 
kbnosurvey kbarchive kbbug kbfix kbie501presp3fix kbie550presp3fix kbie600presp1fix kbsecbulletin kbsechack kbsecurity kbsecvulnerability kbwin2000sp3fix kbie600sp1fix KB319235
