Article ID: 319847 - Last Review: March 29, 2007 - Revision: 3.5
MS02-009 May Cause Incompatibility Problems Between VBScript and Third-Party Applications
This article was previously published under Q319847
SUMMARY
After the release of the Microsoft Security Bulletin MS02-009 patch on February 21, 2002, Microsoft became aware of a compatibility problem with several third-party applications that use an unforeseen behavior in Microsoft Visual Basic Scripting Edition (VBScript). This article explains the compatibility problem, as well as the changes that Microsoft made in the updated version of the MS02-009 patch. For additional information about this patch and how to obtain it, see the following article in the Microsoft Knowledge Base:
318089 (http://support.microsoft.com/kb/318089/EN-US/) MS02-009: Incorrect VBScript Handling in Internet Explorer Can Allow Web Pages to Read Local Files
MORE INFORMATION
VBScript can create instances of Component Object Model (COM) objects that implement the IDispatch interface. Late-bound calls to functions on COM objects are made through a "dispatch" interface (that is, an interface that takes the name of a method at run time and then "dispatches" the call to the correct method). Some COM objects implement more than one dispatch interface. Some languages (such as Visual Basic) can call an object on any dispatch interface. Some languages (such as JScript) can only call on the default dispatch interface.

If you call the CreateObject method in VBScript, the default dispatch interface is returned, regardless of how many secondary interfaces an object supports. However, VBScript does not check whether the interface of an object that is returned by a call to a method or a property is the default interface. Previous versions of Internet Explorer had a security problem in which they could sometimes return an insecure secondary interface to the VBScript engine, which could then use that object in an insecure manner.

To fix this problem, Microsoft modified VBScript to always retrieve the default interface. Although this modification mitigated the security vulnerability, it introduced compatibility problems with some legitimate objects. The updated version of the patch described in the following Microsoft Knowledge Base article narrows down this restriction to cover only the Internet Explorer objects that are potentially insecure:
318089 (http://support.microsoft.com/kb/318089/EN-US/) MS02-009: Incorrect VBScript Handling in Internet Explorer Can Allow Web Pages to Read Local Files
This patch now allows third-party objects to use non-default dispatch interfaces in VBScript.

For more information about this vulnerability, refer to the following Microsoft Web site: http://www.microsoft.com/technet/security/bulletin/ms02-009.mspx
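The three behaviors described above (no check, always the default interface, default interface only for Internet Explorer objects) can be compared side by side in a small model. This is an added example, not Microsoft's code and not how the VBScript engine is implemented; every class, interface, and method name in it is hypothetical.

```python
# Toy model of late-bound dispatch; all names are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class DispInterface:
    """A dispatch interface: resolves a method name at run time."""
    name: str
    methods: dict

    def invoke(self, method):
        if method not in self.methods:
            raise AttributeError(f"{self.name} has no method {method!r}")
        return self.methods[method]()

@dataclass
class ComObject:
    """An object with one default dispatch interface and optional secondaries."""
    owner: str                      # "ie" or "third-party" (assumed label)
    default: DispInterface
    secondary: dict = field(default_factory=dict)

# Each policy decides which interface the script may use when a method or
# property call hands back the interface `returned` for object `obj`.
def unpatched(obj, returned):
    return returned                 # interface is used as returned, unchecked

def first_patch(obj, returned):
    return obj.default              # always fall back to the default interface

def updated_patch(obj, returned):
    # Restriction narrowed to Internet Explorer objects only.
    return obj.default if obj.owner == "ie" else returned

def script_call(policy, obj, iface_name, method):
    """Script obtains a secondary interface, then makes a late-bound call on it."""
    iface = policy(obj, obj.secondary[iface_name])
    try:
        return iface.invoke(method)
    except AttributeError:
        return "ERROR"              # method is not on the interface in use

def demo():
    ie = ComObject("ie", DispInterface("IDefault", {"Title": lambda: "page"}),
                   {"IInternal": DispInterface("IInternal", {"Privileged": lambda: "sensitive"})})
    app = ComObject("third-party", DispInterface("IDefault", {"Name": lambda: "app"}),
                    {"IReports": DispInterface("IReports", {"Run": lambda: "report"})})
    return {p.__name__: (script_call(p, ie, "IInternal", "Privileged"),
                         script_call(p, app, "IReports", "Run"))
            for p in (unpatched, first_patch, updated_patch)}

if __name__ == "__main__":
    for policy, result in demo().items():
        print(policy, result)
```

In each result pair, the first value is the call on the Internet Explorer object's secondary interface and the second is the call on the third-party object's secondary interface.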
