MS02-023: Patch Available for Cross-Site Scripting in Local HTML Resource Vulnerability

Article translations Article translations
Article ID: 322921 - View products that this article applies to.
This article was previously published under Q322921
This article has been archived. It is offered "as is" and will no longer be updated.
Expand all | Collapse all

On This Page

SYMPTOMS

A cross-site scripting vulnerability exists in Internet Explorer that can lead to an increase in permissions. An attacker who successfully exploits this vulnerability can cause HTML scripts to run as if they were run locally on the user's computer. This permits the scripts to run outside the security constraints that are typically imposed on them. Therefore, the scripts can take any action on the local computer that the user can take. Specifically, the script can add, change, or delete any data, or change any security settings that the user can change.

An attacker can try to exploit this vulnerability by crafting a malicious Web page with a specially formed URL link. The attacker can then either post the page on a Web site, or send it as an HTML e-mail message. The vulnerability is then exploited when the user views the malicious Web page, or opens or displays the e-mail message in a preview pane.

Any restrictions on the user's ability to take actions on the local computer also limit the actions that an attacker's script can take. For example, if a user lacks permissions to delete data or to change security settings in Internet Explorer, the script is also blocked from those actions. Also, customers who read mail in the Restricted Sites zone are immune from attempts to exploit this vulnerability by HTML e-mail messages. By default, Microsoft Outlook Express 6, Microsoft Outlook 98, Microsoft Outlook 2000 with the Outlook E-Mail Security Update, and Microsoft Outlook 2002 all read mail in the Restricted Sites zone. Customers who use Outlook 2002 Service Pack 1 (SP1) who have turned on the Read as Plain Text feature are also immune from the HTML e-mail attack. This is because this feature turns off all HTML elements, including scripting, in mail. For additional information about this feature, click the article number below to view the article in the Microsoft Knowledge Base:
307594 OL2002: Users Can Read Nonsecure E-mail As Plain Text

CAUSE

This vulnerability occurs because a local resource file that is included with Internet Explorer contains an HTML Web page that does not properly validate inputs.

RESOLUTION

Internet Explorer 6

To resolve this problem, obtain the latest service pack for Internet Explorer 6. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
328548 How to Obtain the Latest Internet Explorer 6 Service Pack
The update for this problem is included in the "May 15, 2002, Cumulative Patch for Internet Explorer." For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:
321232 MS02-023: May 15, 2002, Cumulative Patch for Internet Explorer

Internet Explorer 5.5 Service Pack 2

The update for this problem is included in the "May 15, 2002, Cumulative Patch for Internet Explorer." For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:
321232 MS02-023: May 15, 2002, Cumulative Patch for Internet Explorer

Internet Explorer 5.5 Service Pack 1

The update for this problem is included in the "May 15, 2002, Cumulative Patch for Internet Explorer." For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:
321232 MS02-023: May 15, 2002, Cumulative Patch for Internet Explorer

Internet Explorer 5.01 Service Pack 2 (on Microsoft Windows 2000 and Microsoft Windows NT 4.0 only)

This update is only for customers running Internet Explorer 5.01 Service Pack 2 on Windows 2000 Service Pack 2 or Windows NT 4.0 Service Pack 6a. If you are running Internet Explorer 5.01 on any other version of Windows, upgrade to Internet Explorer 5.5 Service Pack 2 or later, and then apply this update.

The update for this problem is included in the "May 15, 2002, Cumulative Patch for Internet Explorer." For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:
321232 MS02-023: May 15, 2002, Cumulative Patch for Internet Explorer

STATUS

Internet Explorer 6

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 6. This problem was first corrected in Internet Explorer 6 Service Pack 1.

Internet Explorer 5.5

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 5.5.

Internet Explorer 5.01

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 5.01.

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/ms02-023.mspx

Properties

Article ID: 322921 - Last Review: February 27, 2014 - Revision: 4.12
APPLIES TO
  • Microsoft Internet Explorer 5.5 Service Pack 1
  • Microsoft Internet Explorer 5.5 Service Pack 2
  • Microsoft Internet Explorer 5.01
  • Microsoft Internet Explorer 5.5 Service Pack 1
  • Microsoft Internet Explorer 5.5 Service Pack 2
  • Microsoft Internet Explorer 5.5 Service Pack 1
  • Microsoft Internet Explorer 5.5 Service Pack 2
  • Microsoft Internet Explorer 5.5 Service Pack 1
  • Microsoft Internet Explorer 5.5 Service Pack 2
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 5.5 Service Pack 1
  • Microsoft Internet Explorer 5.5 Service Pack 2
  • Microsoft Internet Explorer 5.01
  • Microsoft Internet Explorer 5.01
  • Microsoft Internet Explorer 6.0, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
    • Microsoft Windows XP Media Center Edition
    • Microsoft Windows XP Tablet PC Edition
    • Microsoft Windows 2000 Advanced Server
    • Microsoft Windows 2000 Datacenter Server
    • Microsoft Windows 2000 Professional Edition
    • Microsoft Windows 2000 Server
    • Microsoft Windows NT Server 4.0 Standard Edition
    • Microsoft Windows NT Server 4.0, Terminal Server Edition
    • Microsoft Windows NT Workstation 4.0 Developer Edition
    • Microsoft Windows Millennium Edition
    • Microsoft Windows 98 Second Edition
    • Microsoft Windows 98 Standard Edition
Keywords: 
kbnosurvey kbarchive kbdownload kbbug kbfix kbie501presp3fix kbie550presp3fix kbie600presp1fix kbsecbulletin kbsechack kbsecurity kbsecvulnerability kbie600sp1fix KB322921

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com