Patch Available for the Cached Web Credentials Vulnerability
This article was previously published under Q273868

SYMPTOMS

Microsoft has released a patch that eliminates a vulnerability that may enable a malicious user to obtain your user ID and password for a Web site.

RESOLUTION

To resolve this problem, obtain the latest service pack for Internet Explorer version 5.01. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

267954 (http://support.microsoft.com/kb/267954/EN-US/) How to Obtain the Latest Internet Explorer 5.01 Service Pack

For your convenience, the individual update is also available for download.

The following file is available for download from the Microsoft Download Center:

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 (http://support.microsoft.com/kb/119591/EN-US/) How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help to
prevent any unauthorized changes to the file.

NOTE: This patch requires that you have Internet Explorer 5.01 Service Pack 1 (SP1). If you install this patch and you are using a version of Internet Explorer other than Internet Explorer 5.01 SP1, the update is not installed and you may receive the following error message:

   This update does not need to be installed on this system.

This message is correct if you are running Internet Explorer 5.5, which is not affected by this vulnerability. If you are running a version of Internet Explorer earlier than version 5.01 SP1, Microsoft recommends that you upgrade to Internet Explorer 5.01 SP1 and then install this patch, or upgrade to Internet Explorer 5.5.

The English-language version of this patch should have the following file attributes or later:

   Date        Time     Size     File name
   -----------------------------------------
   06/09/2000  10:34AM   89,360  Advpack.dll
   09/25/2000  04:57PM  459,536  Wininet.dll

For additional information about how to determine which version of Internet Explorer is installed, click the article number below to view the article in the Microsoft Knowledge Base:

164539 (http://support.microsoft.com/kb/164539/EN-US/) How to Determine Which Version of Internet Explorer Is Installed

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was first corrected in Internet Explorer version 5.01 Service Pack 2.

MORE INFORMATION

If you log on to a secure Web page by using basic authentication, and then visit a non-secure page on the same site, Internet Explorer automatically sends the cached credentials (typically your user ID and password) to the non-secure page. If a malicious user can control your network communications, the user can read your credentials and use them. However, the malicious user cannot force you to log on to a secure page; the user can use this vulnerability only to reveal credentials that are cached during the current Internet Explorer session.

For additional information about this issue, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms00-076.asp
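
The behavior described under MORE INFORMATION leaves a recognizable trace in proxy or capture records: the same Basic credentials a client sent to a host over https reappear in a later http request to that host. The Python below is an added example, not part of the original article and not Microsoft code; the `Request` record layout and the sample hosts, client addresses and credentials are constructed assumptions.

```python
import base64
from typing import NamedTuple

class Request(NamedTuple):      # hypothetical record layout, one per HTTP request
    client: str
    scheme: str                 # "https" or "http"
    host: str
    path: str
    authorization: str          # raw Authorization header value, "" if absent

def basic_user(header):
    """Return the user ID carried in a Basic Authorization header, else None."""
    kind, _, token = header.partition(" ")
    if kind.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:          # malformed base64
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None

def find_cleartext_reuse(requests):
    """Flag http requests that repeat Basic credentials first sent over https
    by the same client to the same host."""
    sent_over_https = set()
    findings = []
    for r in requests:
        user = basic_user(r.authorization)
        if user is None:
            continue
        key = (r.client, r.host.lower(), r.authorization.split(None, 1)[1])
        if r.scheme == "https":
            sent_over_https.add(key)
        elif r.scheme == "http" and key in sent_over_https:
            findings.append((r.client, r.host, r.path, user))
    return findings

# Constructed sample traffic; the hosts, client addresses and credentials are made up.
_CRED = "Basic " + base64.b64encode(b"alice:constructed-password").decode()
SAMPLE = [
    Request("10.0.0.5", "https", "www.example.test", "/account", _CRED),
    Request("10.0.0.5", "http", "www.example.test", "/news.html", _CRED),
    Request("10.0.0.9", "http", "www.example.test", "/news.html", ""),
]

if __name__ == "__main__":
    for client, host, path, user in find_cleartext_reuse(SAMPLE):
        print(f"{client} sent cached Basic credentials for {user!r} in cleartext to http://{host}{path}")
```

Only the user ID is reported; the password portion of the decoded header is discarded.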
