Incorrect MIME Header Can Cause Internet Explorer to Run E-mail Attachment

This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.

This article was previously published under Q290108

SYMPTOMS
Because HTML e-mail messages are Web pages, Internet
Explorer can render them and open binary attachments in a way that is
appropriate to their MIME type. However, there is a flaw in the type of
processing that is specified for certain unusual MIME types. If a malicious
user creates an HTML e-mail message that contains an attachment that can be run
and then modifies the MIME header information to specify that the attachment is
one of the unusual MIME types that Internet Explorer handles incorrectly,
Internet Explorer may run the attachment automatically when it renders the
e-mail message. A malicious user could use this vulnerability in either of two scenarios:
This vulnerability cannot be exploited if file downloads have been disabled in the security zone in which the e-mail message is rendered. However, this is not a default setting in any security zone.

RESOLUTION
You can install the patches that are listed below only on
systems that run Internet Explorer 5.01 Service Pack 1 (SP1) or Internet
Explorer 5.5 Service Pack 1 (SP1). This fix is already included in Internet
Explorer 5.01 Service Pack 2.
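
The mismatch described under SYMPTOMS, a runnable attachment whose MIME header declares some other type, can be checked for in a message before a client renders it. The following Python is an added example, not part of the original article or any Microsoft tool; the extension list, the set of "passive" major types and the sample message are assumptions constructed for illustration.

```python
import email
import os
from email.utils import collapse_rfc2231_value

# Assumptions (not from the article): which extensions count as runnable and
# which declared major types should never carry a program.
RUNNABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
PASSIVE_MAJOR = {"audio", "image", "video", "text"}

# Constructed sample; payloads are the first bytes of "MZ..." and "GIF89a".
SAMPLE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/gif; name="photo.exe"
Content-Transfer-Encoding: base64

TVqQAA==
--b1
Content-Type: image/gif; name="logo.gif"
Content-Transfer-Encoding: base64

R0lGODlh
--b1
Content-Type: application/octet-stream; name="setup.exe"
Content-Transfer-Encoding: base64

TVqQAA==
--b1--
"""

def find_mismatched_parts(raw_message):
    """Return (declared type, reasons) for passive-typed parts that carry a program."""
    findings = []
    for part in email.message_from_string(raw_message).walk():
        if part.is_multipart() or part.get_content_maintype() not in PASSIVE_MAJOR:
            continue
        reasons = []
        # A client may take the name from either header, so check both.
        for header, param in (("content-disposition", "filename"), ("content-type", "name")):
            name = collapse_rfc2231_value(part.get_param(param, "", header)).strip()
            if os.path.splitext(name.lower())[1] in RUNNABLE_EXT:
                reasons.append(f"runnable extension in {header}: {name}")
        if (part.get_payload(decode=True) or b"").startswith(b"MZ"):
            reasons.append("payload starts with MZ executable signature")
        if reasons:
            findings.append((part.get_content_type(), reasons))
    return findings
```

Only the first part of the sample is reported: the second is a genuine image, and the third declares itself as a binary download, so its header does not misrepresent it.
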
For additional information about Internet
Explorer 5.01 Service Pack 2, click the article number below to view the
article in the Microsoft Knowledge Base:
267954 (http://support.microsoft.com/kb/267954/EN-US/) How to Obtain the Latest Internet Explorer 5.01 Service Pack

NOTE: If you try to install one of the patches that are listed below
on an unsupported version of Internet Explorer, you receive the following error
message:

Microsoft Internet Explorer Update
This update does not need to be installed on this system.

The text of the error message is incorrect and does not
necessarily mean that your version of Internet Explorer is unaffected by this
problem. If you receive this error message when you try to install one of the
patches, use the appropriate resolution for your version of Internet Explorer:

164539 (http://support.microsoft.com/kb/164539/EN-US/) How to Determine Which Version of Internet Explorer Is Installed

Patch for Internet Explorer 5.5
To resolve this problem, obtain the latest service pack for Internet Explorer version 5.5. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
267954 (http://support.microsoft.com/kb/267954/EN-US/) How to Obtain the Latest Internet Explorer 5.5 Service Pack

For your convenience, the individual update is also available:
The following file is available for download from the Microsoft Download Center:
Download the individual patch now (http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp)
-or-
Download the IE 5.5 Security Rollup now (http://www.microsoft.com/windows/ie/download/critical/Q299618/default.asp)
119591 (http://support.microsoft.com/kb/119591/EN-US/) How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help to
prevent any unauthorized changes to the file.

The English version of this update should have the following file attributes or later:

Date         Time     Version          Size        File name
------------------------------------------------------------
02/20/2001   04:36p   5.50.4614.2000   1,147,152   Shdocvw.dll

NOTE: Because of file dependencies, this update requires Internet Explorer 5.5 with Service Pack 1.

Patch for Internet Explorer 5.01
To resolve this problem, obtain the latest service pack for Internet Explorer version 5.01. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
267954 (http://support.microsoft.com/kb/267954/EN-US/) How to Obtain the Latest Internet Explorer 5.01 Service Pack

For your convenience, the individual update is also available for downloading.
The following file is available for download from the Microsoft Download Center:
Download the individual patch now (http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp)
-or-
Download the IE 5.01 Security Rollup now (http://www.microsoft.com/windows/ie/download/critical/Q295106/default.asp)
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 (http://support.microsoft.com/kb/119591/EN-US/) How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help to
prevent any unauthorized changes to the file.

The English version of this update should have the following file attributes or later:

Date         Time     Version         Size        File name
-----------------------------------------------------------
02/20/2001   02:52p   5.0.3214.2000   1,103,632   Shdocvw.dll

NOTE: Because of file dependencies, this update requires Internet Explorer 5.01 with Service Pack 1.

STATUS
Internet Explorer 5.5
Microsoft has confirmed that this is a problem in Internet Explorer 5.5. This problem was first corrected in Internet Explorer version 5.5 Service Pack 2.

Internet Explorer 5.01
Microsoft has confirmed that this is a problem in Internet Explorer 5.01. This problem was first corrected in Internet Explorer version 5.01 Service Pack 2.

MORE INFORMATION
For more information, see the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/ms01-020.mspx

APPLIES TO
