Article ID: 246094 - Last Review: January 25, 2007 - Revision: 6.2

Update Available for "Server-Side Page Reference Redirect" Vulnerability

This article was previously published under Q246094

SUMMARY

Microsoft has released a patch that eliminates a vulnerability in Microsoft Internet Explorer 4 and 5 that may allow a malicious Web site operator to view a file on the computer of a visiting user, provided that the Web site operator knows the name of the file and folder.

Additional information about this vulnerability is available at:

Updates are available for the following products:
  • Internet Explorer 4.01 SP2 for Microsoft Windows 95 and Microsoft Windows NT 4.0 (x86 and Alpha)
  • Microsoft Windows 98
  • Internet Explorer 5 and 5.01 for Windows 95, Windows 98, and Windows NT 4.0 (x86 and Alpha)
This update also includes fixes for the following previous security issues.

NOTE: You do not need to install these fixes after installing the update mentioned above. For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
231450  (http://support.microsoft.com/kb/231450/EN-US/ ) Update Available for the 'Malformed Favorites Icon' Issue
241362  (http://support.microsoft.com/kb/241362/EN-US/ ) Update Available for the ImportExportFavorites Issue

MORE INFORMATION

This problem is resolved in Internet Explorer 5.01 for Windows 2000 and Internet Explorer 5.01 SP1 and later for other platforms. We recommend that you upgrade to the latest version of Internet Explorer to resolve this problem.

For additional information about how to determine which version of Internet Explorer you are using, click the following article number to view the article in the Microsoft Knowledge Base:
164539  (http://support.microsoft.com/kb/164539/EN-US/ ) How to Determine Which Version of Internet Explorer Is Installed
For additional information about how to obtain the latest version of Internet Explorer 5.5, click the following article number to view the article in the Microsoft Knowledge Base:
267954  (http://support.microsoft.com/kb/267954/EN-US/ ) How to Obtain the Latest Internet Explorer 5.5 Service Pack
For additional information about how to obtain the latest version of Internet Explorer 6, click the following article number to view the article in the Microsoft Knowledge Base:
328548  (http://support.microsoft.com/kb/328548/EN-US/ ) How to Obtain the Latest Internet Explorer 6 Service Pack

Update Information by Product

Internet Explorer 4.01 SP2 for Windows 95 and Windows NT 4.0

   File name    Size       Date        Version         Platform
   ------------------------------------------------------------
   Shdocvw.dll  2,174,736  11/30/1999  4.72.3711.2900  9x
   Shdocvw.dll  2,174,736  11/30/1999  4.72.3711.2900  NT (x86)
   Shdocvw.dll  3,154,704  11/29/1999  4.72.3711.2900  NT (Alpha)
				

Though the Windows 95 and Windows NT 4.0 x86 files are the same size, they are different binaries and are not interchangeable. These files are named Shdo95.dll and Shdont.dll inside the package. When they are extracted, the files are named appropriately as they are installed on your computer.

Internet Explorer 5.0 for Windows 95, Windows 98, and Windows NT 4.0

   File name    Size       Date        Version         Platform
   ------------------------------------------------------------
   Shdocvw.dll  950,544    11/29/1999  5.0.2723.2900   (x86)
   Shdocvw.dll  1,617,680  11/29/1999  5.0.2723.2900   (Alpha)
				

Internet Explorer 5.01 for Windows 95, Windows 98, and Windows NT 4.0

   File name    Size       Date        Version         Platform
   ------------------------------------------------------------
   Shdocvw.dll  1,102,608  11/29/1999  5.0.2919.6400   (x86)
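
An added example, not part of the original Microsoft article: a Python check that compares a Shdocvw.dll file version collected from each machine against the fixed versions listed in the tables above. The product labels, the inventory format, the host names and the sample versions are constructed for illustration, and treating any build at or above the listed version as patched is an assumption.

```python
# Fixed Shdocvw.dll versions copied from the tables in this article.
FIXED_VERSIONS = {
    "IE 4.01 SP2": "4.72.3711.2900",
    "IE 5.0": "5.0.2723.2900",
    "IE 5.01": "5.0.2919.6400",
}
# Per the article's NOTE, these releases must move to IE 4.01 SP2 first.
NEEDS_SP2_FIRST = {"IE 4.0", "IE 4.01 SP1"}


def parse_version(text):
    """Parse a dotted file version into ints, so '5.00' compares equal to '5.0'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def check_host(product, installed):
    """Classify one machine from its product label and Shdocvw.dll version."""
    if product in NEEDS_SP2_FIRST:
        return "install IE 4.01 SP2 first"
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return "unknown product"
    # Assumption: a build at or above the table's version carries the fix.
    if parse_version(installed) >= parse_version(fixed):
        return "patched"
    return "needs update"


def audit(inventory_text):
    """Map host -> status for 'host, product, version' lines."""
    results = {}
    for line in inventory_text.strip().splitlines():
        host, product, version = [field.strip() for field in line.split(",")]
        results[host] = check_host(product, version)
    return results


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = """
ws-01, IE 5.01, 5.00.2919.6400
ws-02, IE 5.01, 5.0.2919.6307
ws-03, IE 4.01 SP2, 4.72.3711.2900
ws-04, IE 5.0, 5.0.2614.3500
ws-05, IE 4.0, 4.71.1712.6
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(host, status)
```

Comparing the version fields as integers matters here because Windows tools may display the same build as either 5.0.2919.6400 or 5.00.2919.6400, and a plain string comparison would treat the two differently.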
				


NOTE: If you are using Internet Explorer 4.0 or 4.01 Service Pack 1, you must install Internet Explorer 4.01 Service Pack 2 in order to apply this update. You can install Internet Explorer 4.01 Service Pack 2 from the following Microsoft Web site:
http://www.microsoft.com/windows/ie/downloads/default.mspx

When a Web server performs a server-side redirect, the Internet Explorer security model verifies the server's permissions on the new page. However, under certain timing conditions, it is possible for a Web server to create a reference to a client window that the server is permitted to view. Then the Web server could use a server-side redirect to a client-local file, and bypass the security restrictions. The result is that it may be possible for a malicious Web site operator to view, but not change, create or delete, files on the computer of a visiting user. The Web site operator would need to know (or guess) the name and location of the file.

APPLIES TO
  • Microsoft Internet Explorer 5.01
  • Microsoft Internet Explorer 5.0
  • Microsoft Internet Explorer 4.01 128-Bit Edition
  • Microsoft Internet Explorer 4.0 128-Bit Edition
Keywords: kbbug kbfix kbpolicy KB246094

Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
