INTRODUCTION
Cumulative security update for Internet Explorer 974455 (described in MS09-054) introduced additional "Type" safety checks into various methods to address identified security vulnerabilities. Under certain scenarios, these new type safety checks can result in "Type Mismatch" script errors in Web pages that use VBScript or in Web pages that use a mixture of VBScript and JavaScript. For more information about MS09-054, click the following article number to view the article in the Microsoft Knowledge Base:
974455 MS09-054: Cumulative security update for Internet Explorer
Symptoms
Web pages that use VBScript as the client-side scripting language and that use the showModalDialog() or the showModelessDialog() methods may encounter a "Type Mismatch" script error. Microsoft has identified the following three scenarios in which a "Type Mismatch" script error could be generated:
- showModalDialog()
The first scenario involves passing an Array() value as a parameter to the showModalDialog() method in VBScript. The showModalDialog() method supports one required argument (sURL) and two optional arguments (vArguments and sFeatures). The vArguments parameter is a VARIANT Type parameter that specifies the arguments to use when displaying the document. If a developer decides to pass an Array() directly to the optional vArguments parameter, a "Type Mismatch" script error will occur. For more information about the showModalDialog method, visit the following Microsoft MSDN Web page: http://msdn.microsoft.com/en-us/library/ms536759(VS.85).aspx
- showModelessDialog()
The second scenario involves passing an Array() value as a parameter to the showModelessDialog() method in VBScript. The showModelessDialog() method supports one required argument (sURL) and two optional arguments (vArguments and sFeatures). The vArguments parameter is a VARIANT Type parameter that specifies the arguments to use when displaying the document. If a developer decides to pass an Array() directly to the optional vArguments parameter, a "Type Mismatch" script error will occur. For more information about the showModelessDialog method, visit the following Microsoft MSDN Web page: http://msdn.microsoft.com/en-us/library/ms536761(VS.85).aspx
- returnValue
The third scenario involves the explicit setting of the returnValue property of a Modal Dialog window. The returnValue property is a read/write property that has no default value. According to documentation on MSDN, the returnValue property applies only to those windows created with the showModalDialog() method. If a developer decides to explicitly set the returnValue property of a Modal Dialog window to an Array() value in VBScript, a "Type Mismatch" script error will occur. For more information about the returnValue property, visit the following Microsoft MSDN Web page: http://msdn.microsoft.com/en-us/library/ms534371(VS.85).aspx
Currently, Microsoft has not observed "Type Mismatch" script errors arising from cumulative security update 974455 in Web pages that use JavaScript as their sole client-side scripting language. Only Web pages that use the showModalDialog() method, the showModelessDialog() method, or the returnValue property within VBScript seem to be affected. If the Web page contains a mixture of both VBScript and JavaScript, it may be affected if the Web page uses the methods or properties that were discussed earlier within VBScript or if the Web page uses the VBArray object. Use of the VBArray object is uncommon, and scenarios that involve VBArray will not be covered by this Knowledge Base article.
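A site maintainer can locate candidate call sites for the three scenarios in existing pages with a text scan. The following Python scanner is an added example, not Microsoft code; it is a heuristic, line-based check, and the finding labels and the sample page are constructed for illustration.

```python
import re

# <script> blocks declared as VBScript (language=vbscript or type=text/vbscript).
VBS_BLOCK = re.compile(
    r"<script\b[^>]*\b(?:language|type)\s*=\s*[\"']?(?:text/)?vbscript[^>]*>(.*?)</script>",
    re.IGNORECASE | re.DOTALL)
# Scenarios 1 and 2: Array(...) written directly in the dialog call.
INLINE_ARRAY = re.compile(
    r"\b(?:showModalDialog|showModelessDialog)\b.*?,\s*Array\s*\(", re.IGNORECASE)
# Scenario 3: the assigned type is not visible to a text scan, so every
# returnValue assignment in VBScript is only marked for manual review.
RETURN_VALUE = re.compile(r"\breturnValue\s*=", re.IGNORECASE)

def strip_comment(line):
    """Drop a trailing VBScript ' comment, ignoring apostrophes inside strings."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def scan(html):
    """Return sorted (line_number, kind) findings for the VBScript in one page."""
    findings = []
    for block in VBS_BLOCK.finditer(html):
        first = html.count("\n", 0, block.start(1)) + 1
        for offset, line in enumerate(block.group(1).split("\n")):
            code = strip_comment(line)
            if INLINE_ARRAY.search(code):
                findings.append((first + offset, "inline-array"))
            if RETURN_VALUE.search(code):
                findings.append((first + offset, "returnValue-review"))
    return sorted(findings)

# Constructed sample page (not from the article).
SAMPLE = '''<script language="vbscript">
vReturn = window.showModalDialog("picker.htm", Array(1,2,3))
Dim myArray : myArray = Array(1,2,3)
vReturn = window.showModelessDialog("picker.htm", myArray)
' window.returnValue = oldItems
window.returnValue = items
</script>
<script type="text/javascript">window.returnValue = [1, 2, 3];</script>'''

if __name__ == "__main__":
    for line_no, kind in scan(SAMPLE):
        print(f"line {line_no}: {kind}")
```

JavaScript blocks are skipped on purpose, because the article reports the error only for VBScript; pages that use the VBArray object are not covered.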
Cause
Cumulative security update for Internet Explorer MS09-054 was released to address identified security vulnerabilities in Internet Explorer. As part of the cumulative security update, Internet Explorer introduced new checks against unintended casting of VARIANT Type parameters into dangerous data types. The additional security checks impose additional security restraints on VARIANT Type parameters that are being passed as part of user-controlled variables in order to protect the user from certain kinds of attacks. These additional checks may affect legitimate browsing scenarios that use VARIANT data types.
Resolution
To resolve this problem, install update 976749 after you install security update 974455. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
976749 An update is available for Internet Explorer that resolves issues that occur after you apply security update 974455 (MS09-054)
Important: Do not install update 976749 if you have not installed security update 974455. If you install update 976749 without first installing security update 974455, Internet Explorer may not work correctly. If this occurs, uninstall update 976749, install security update 974455, and then reinstall update 976749.
Workaround
We recommend that you continue to apply cumulative security update 974455 and that you install update 976749 if you experience the symptoms that are described in this article. Customers who decide to remove the cumulative security update will put their systems at risk.
For the first and second scenarios that are discussed in the "Symptoms" section, you can implement a workaround if you do not want to install security update 974455. To work around the issue, first assign the Array() value to an explicitly declared VBScript variable. The array can then be passed to the showModalDialog() or the showModelessDialog() method without a "Type Mismatch" script error. For example, the following VBScript will cause a "Type Mismatch" script error.
' TYPE MISMATCH
vReturn = window.showModalDialog("http://www.contoso.com", Array(1,2,3,4,5,6,7))
The following VBScript will pass an array to the showModalDialog() or showModelessDialog() methods without a "Type Mismatch" script error.
' NO TYPE MISMATCH ERROR
Dim myArray
myArray = Array(1,2,3,4,5,6,7)
vReturn = window.showModalDialog("http://www.contoso.com", myArray)
For the third scenario that was discussed earlier, you can implement a workaround if you do not want to install security update 974455. To work around the issue in scenarios where a single dimension Array() value is passed to the returnValue property, use the Join and Split VBScript functions. This lets you pass Array() values to the returnValue property.
For example, the following VBScript generates a "Type Mismatch" script error.
' TYPE MISMATCH
Dim arrayItems(2)
arrayItems(0) = 1
arrayItems(1) = 2
arrayItems(2) = 3
Window.returnvalue = arrayItems
When you use the Join and Split VBScript functions, you can set the returnValue property without generating a "Type Mismatch" script error.
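' NO TYPE MISMATCH ERROR
' In the dialog page: return the array as a delimited string
Dim arrayItems(2)
arrayItems(0) = 1
arrayItems(1) = 2
arrayItems(2) = 3
Dim arrString
arrString = Join(arrayItems, ";")
Window.returnvalue = arrString

' In the calling page: rebuild the array (elements come back as strings)
Dim strTemp
strTemp = window.showModalDialog(……)
Dim arrayItems
arrayItems = Split(strTemp, ";")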
For the third scenario that was discussed earlier, where multidimensional Array() values or Array() values that have objects are passed to the returnValue property, you can implement a workaround if you do not want to install security update 974455. To work around the issue in this scenario, you can use a JavaScript function to set the returnValue property. This JavaScript function is available to VBScript subroutines and functions. Any returnValue property value that is set by a JavaScript function will be available to VBScript.
For example, the following VBScript generates a "Type Mismatch" script error.
<!-- TYPE MISMATCH -->
<script LANGUAGE=vbscript>
Option Explicit
Sub Window_OnLoad
    Dim abc(1,2,3)
    Window.ReturnValue = abc
End Sub
</script>
Using a JavaScript function together with an existing VBScript lets you set the returnValue property without generating a "Type Mismatch" script error.
<!-- NO TYPE MISMATCH ERROR -->
<script Language=JavaScript>
function setReturnValue() {
    var returnValueArray = new Array();
    returnValueArray[0] = 1;
    returnValueArray[1] = 2;
    returnValueArray[2] = 3;
    window.returnValue = returnValueArray;
}
</script>
<script LANGUAGE=vbscript>
Option Explicit
Sub Window_OnLoad
    setReturnValue()
    msgbox window.returnValue
End Sub
</script>
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.