Article ID: 265258 - Last Review: July 24, 2007 - Revision: 4.2

Patch Available for "Active Setup Download" Vulnerability in Internet Explorer

Retired KB ArticleRetired KB Content Disclaimer
View products that this article applies to.
This article was previously published under Q265258

On This Page

Expand all | Collapse all

SUMMARY

On June 29, 2000 Microsoft released a patch that eliminates a security vulnerability in an ActiveX control that is included with Internet Explorer 4.01 SP2 and 5.01. This vulnerability could be used to overwrite files on the computer of a user who visited a malicious Web site operator's site.

You can find additional information regarding this vulnerability and the patch at the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/ms00-042.mspx (http://www.microsoft.com/technet/security/bulletin/ms00-042.mspx)
On August 9, 2000 Microsoft released a patch that eliminates this vulnerability for Internet Explorer 5.5. For additional information, please see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS00-055.mspx (http://www.microsoft.com/technet/security/bulletin/MS00-055.mspx)
Back to the top

MORE INFORMATION

The Active Setup Control enables .cab files to be downloaded to a user's computer as part of the installation process for software updates. However, the control has the following two flaws:
  • All Microsoft-signed .cab files are treated as trusted, which enables them to be installed without asking the user's approval.
  • Provides a method by which the caller can specify a download location on the user's hard disk.
In combination, these two flaws could enable a malicious Web site operator to download a Microsoft-signed .cab file as a means of overwriting a file on a user's computer. By overwriting system files, this could enable the malicious user to make the computer unusable.

NOTE: There is no capability through this vulnerability to actually install the software that has been downloaded; the vulnerability only enables files to be overwritten in a denial of service attack. System File Protection in Windows 2000 would prevent an attack like this one from being used to overwrite system files.
Back to the top

Patch Availability

This patch is currently available for Internet Explorer 4.01 SP2 and 5.01, and 5.01 SP1 at the following Microsoft Web site:
http://www.microsoft.com/windows/ie/download/critical/patch8.htm (http://www.microsoft.com/windows/ie/download/critical/patch8.htm)
This patch is currently available for Internet Explorer 5.5 at the following Microsoft Web site:
http://www.microsoft.com/windows/ie/download/critical/patch11.htm (http://www.microsoft.com/windows/ie/download/critical/patch11.htm)
NOTE: This update may not appear on the Microsoft Windows Update Web site, or you may receive the following message when you are installing this update from the Microsoft.com Web site:
This update does not need to be installed on this system.
Updates are currently available only for Internet Explorer 4.01 SP2, 5.01, 5.01 SP1, and 5.5.

For additional information about how to determine which version of Internet Explorer is installed, click the article number below to view the article in the Microsoft Knowledge Base:
164539  (http://support.microsoft.com/kb/164539/EN-US/ ) How to Determine Which Version of Internet Explorer Is Installed
Back to the top

Update Information by Product

To update information by product, follow these steps:
  1. Install the patch from the following link:
    http://www.microsoft.com/windows/ie/download/critical/patch8.htm (http://www.microsoft.com/windows/ie/download/critical/patch8.htm)
  2. On the Help menu, click About Internet Explorer, and then the Q-article Q265258 is displayed on the Update Versions line.
  3. Install the patch from the following link:
    http://www.microsoft.com/windows/ie/download/critical/patch11.htm (http://www.microsoft.com/windows/ie/download/critical/patch11.htm)
  4. On the Help menu, click About Internet Explorer, and then the Q-article Q269368 is displayed on the Update Versions line.
Back to the top

Internet Explorer 5.01 SP1 for Windows 95, Windows 98, Windows 98 Second Edition, Windows NT 4.0, and Windows 2000

Update File Name: Q265258.exe

Description: Internet Explorer Security Update, June 19, 2000

Availability:
http://www.microsoft.com/windows/ie/download/critical/patch8.htm (http://www.microsoft.com/windows/ie/download/critical/patch8.htm) 
   File name    Size     Date         Time       Version

   ------------------------------------------------------------
   Asctrls.ocx  109,328  08/01/2000  04:56:04pm  5.00.3207.2800
Back to the top

Internet Explorer 4.01 SP2 for Windows 95, Windows 98, and Windows NT 4.0 (Intel)

Update File Name: Q265258.exe

Description: Internet Explorer Security Update, June 19, 2000

Availability:
http://www.microsoft.com/windows/ie/download/critical/patch8.htm (http://www.microsoft.com/windows/ie/download/critical/patch8.htm) 
   File name    Size     Date         Time       Version
   ------------------------------------------------------------
   Asctrls.ocx   91,536  06/14/2000   2:29:12pm  4.72.3718.1400
Back to the top

Windows 2000 (all versions) and Internet Explorer 5.01 for Windows 95, Windows 98, Windows 98 Second Edition, and Windows NT 4.0

Update File Name: Q265258.exe

Description: Internet Explorer Security Update, June 19, 2000

Availability:
http://www.microsoft.com/windows/ie/download/critical/patch8.htm (http://www.microsoft.com/windows/ie/download/critical/patch8.htm) 
   File name    Size     Date         Time       Version
   ------------------------------------------------------------
   Asctrls.ocx  109,328  06/09/2000  11:13:26am  5.0.3018.900
Back to the top

Internet Explorer 5.5 for Windows 95, Windows 98, Windows 98 Second Edition, Windows NT 4.0, and Windows 2000

Update File Name: Q269368.exe

Description: Security Update, August 9, 2000

Availability:
http://www.microsoft.com/windows/ie/download/critical/patch11.htm (http://www.microsoft.com/windows/ie/download/critical/patch11.htm) 
   File name    Size     Date         Time       Version
   ------------------------------------------------------------
   Asctrls.ocx  110,864  07/28/2000  02:16:40pm  5.50.4207.2600 
   Mshtml.dll 2,744,592  07/28/2000  03:25:48pm  5.50.4207.2601
NOTE: In addition to the vulnerability discussed in this article, the Internet Explorer 5.5 version of this patch also eliminates the vulnerability discussed at the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS00-055.mspx (http://www.microsoft.com/technet/security/bulletin/MS00-055.mspx)
Back to the top
APPLIES TO
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 5.01
  • Microsoft Internet Explorer 5.0
  • Microsoft Internet Explorer 4.01 Service Pack 1
  • Microsoft Internet Explorer 4.01 Service Pack 2
  • Microsoft Internet Explorer 4.0 128-Bit Edition
  • Microsoft Windows 95
Back to the top
Keywords: 
kbprb KB265258
Back to the top
Retired KB ArticleRetired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations

 

Related Support Centers