Microsoft has released a cumulative patch for Internet Explorer that includes updates for the issues that are described in the following Microsoft Knowledge Base articles:
- MS02-023: May 15, 2002, Cumulative Patch for Internet Explorer
- MS02-005: February 11, 2002, Cumulative Patch for Internet Explorer
- MS02-015: March 28, 2002, Cumulative Patch for Internet Explorer
This cumulative patch also prevents the following security vulnerabilities:
- A buffer overrun vulnerability that affects the Gopher protocol handler. This vulnerability was originally described in the following Microsoft Security Bulletin: This bulletin includes workaround instructions for use while this cumulative patch was being completed.
- A buffer overrun vulnerability that affects an ActiveX control that is used to display specially formatted text. The control contains a buffer overrun vulnerability that can make it possible for an attacker to run code on a user's computer in the context of the user.
- A vulnerability that involves how Internet Explorer handles an HTML directive that displays XML data. The directive is designed to only allow XML data from the Web site itself to be displayed. However, it does not correctly look for the case where a referenced XML data source is in fact redirected to a data source in a different domain. This flaw may make it possible for an attacker's Web page to open an XML-based file that resides on a remote computer in a browser window that the site can read. An attacker can then read contents from Web sites to which users had access but the attacker cannot view.
- A vulnerability that involves how Internet Explorer represents the origin of a file in the File Download dialog box. This flaw can make it possible for an attacker to misrepresent the source of a file that is offered for download in an attempt to trick users into accepting a file download from an untrusted source and believing it to be coming from a trusted source.
- A newly discovered variant of the "Frame Domain Verification" vulnerability that is described in the following Microsoft Security Bulletin: This variant occurs because of improper domain checking when frames are invoked in conjunction with the Object tag. Because of this behavior, this vulnerability can make it possible for a malicious Web site operator to open two browser windows, one in the Web site's domain and the other on the user's local file. They can then pass system information from the latter to the former. This makes it possible for the Web site operator to read, but not change, any file on the user's local computer that can be opened in a browser window. Additionally, this particular variant can also make it possible for an attacker to start, but not pass parameters to, an executable file (.exe) on the local computer. This is much like the "Local Executable Invocation via Object tag" vulnerability that is described in the following Microsoft Security Bulletin:
- A newly reported variant of the "Cross-Site Scripting in Local HTML Resource" vulnerability that was originally described in the following Microsoft Security Bulletin: Like the original variant, this vulnerability makes it possible for an attacker to create a Web page that, when opened, would run in the Local Computer zone. This means that it can run with fewer restrictions than it would in the Internet zone.
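The XML data source item in the list above describes a check that is applied to the referenced URL but not to the location it is redirected to. The following Python model is an added example, not code from Microsoft or from Internet Explorer; the host names, the redirect table and the function names are constructed for illustration, and "domain" is modeled as the URL host name.

```python
from urllib.parse import urlsplit

# Constructed redirect table standing in for HTTP redirects (hypothetical hosts).
REDIRECTS = {
    "http://site.example/data.xml": "http://intranet.example/payroll.xml",
    "http://site.example/moved.xml": "http://site.example/current.xml",
}

def host_of(url):
    """Lower-cased host name of a URL, or an empty string if it has none."""
    return (urlsplit(url).hostname or "").lower()

def resolve(url, max_hops=5):
    """Follow the constructed redirect table and return every URL visited."""
    chain = [url]
    while chain[-1] in REDIRECTS:
        if len(chain) > max_hops:
            raise ValueError("too many redirects")
        chain.append(REDIRECTS[chain[-1]])
    return chain

def allowed_referenced_only(page_url, xml_url):
    """Flawed check: compares only the URL written in the page."""
    return host_of(page_url) == host_of(xml_url)

def first_foreign_hop(page_url, xml_url):
    """Return the first hop served from another host, or None if all match."""
    page_host = host_of(page_url)
    for hop in resolve(xml_url):
        if host_of(hop) != page_host:
            return hop
    return None

def allowed_every_hop(page_url, xml_url):
    """Corrected check: the referenced URL and every redirect target must match."""
    return first_foreign_hop(page_url, xml_url) is None
```

With the constructed table, the flawed check accepts `http://site.example/data.xml` for a page on `site.example`, while the per-hop check rejects it because the data is finally served from `intranet.example`.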
In addition, the patch that is described in this article sets the "Kill Bit" on the MSN Chat ActiveX control that is described in Microsoft Security Bulletin MS02-022 as well as the TSAC ActiveX control that is described in Microsoft Security Bulletin MS02-046. This has been done to make sure that vulnerable controls cannot be introduced onto users' systems. Microsoft recommends that customers who use the MSN Chat control make sure that they have applied the updated version of the control discussed in MS02-022:
Microsoft recommends that customers who use the TSAC control make sure that they have applied the updated version of the control discussed in MS02-046:
For additional information about using the "kill bit" to stop an ActiveX control from running in Internet Explorer, click the following article number to view the article in the Microsoft Knowledge Base:
How to Stop an ActiveX Control from Running in Internet Explorer
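One way to confirm that a kill bit is in place, as an added example that is not part of the Microsoft article: the Python code below reads the decoded text of a regedit export of the ActiveX Compatibility key and reports which required controls lack the kill bit (the 0x400 bit of the "Compatibility Flags" value). The CLSIDs are constructed placeholders because this article does not list the identifiers of the MSN Chat or TSAC controls, and the function names are hypothetical.

```python
import re

KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that stops IE loading the control
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")

# Constructed sample of a regedit export, already decoded to text. The CLSIDs
# are placeholders, not the real MSN Chat or TSAC identifiers.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000B}]
"Compatibility Flags"=dword:00000020
'''

SECTION = re.compile(r"^\[(.+)\]$")
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.IGNORECASE)

def parse_compat_flags(reg_text):
    """Map each CLSID under the ActiveX Compatibility key to its flags DWORD."""
    flags, clsid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            parent, _, leaf = section.group(1).rpartition("\\")
            # Registry key names are case-insensitive, so compare upper-cased.
            clsid = leaf.upper() if parent.upper() == COMPAT_KEY.upper() else None
            if clsid:
                flags.setdefault(clsid, 0)  # key present, flags value not seen yet
            continue
        value = FLAGS.match(line)
        if value and clsid:
            flags[clsid] = int(value.group(1), 16)
    return flags

def missing_kill_bits(reg_text, required_clsids):
    """Return the required CLSIDs whose kill bit is absent or whose key is missing."""
    flags = parse_compat_flags(reg_text)
    return [c for c in required_clsids
            if not flags.get(c.upper(), 0) & KILL_BIT]
```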
For additional information about known issues that can occur when you install this update, click the article number below to view the article in the Microsoft Knowledge Base:
Issues After You Install Updates to Internet Explorer or Windows
For additional information about the latest service pack for Microsoft Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
How to Obtain the Latest Windows 2000 Service Pack
For more information about this patch, visit the following Microsoft Web site:
The following file is available for download from the Microsoft Download Center:
Release Date: August 22, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

The Internet Explorer 5.01 version of this update is for Windows 2000 only and is also available in Windows 2000 Service Pack 3 (SP3). For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
How to Obtain the Latest Windows 2000 Service Pack
The Internet Explorer 5.5 version of this update requires Internet Explorer 5.5 Service Pack 2 (SP2) or Service Pack 1 (SP1). For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
How to Obtain the Latest Service Pack for Internet Explorer 5.5
The Internet Explorer 5.01 version of this update is for Windows 2000 only and requires Windows 2000 Service Pack 2 (SP2). For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
How to Obtain the Latest Windows 2000 Service Pack
You must restart your computer after you apply this update. This package supports the following switches:
- /q Specifies quiet mode, or suppresses prompts, when files are being extracted.
- /q:u Specifies user-quiet mode, which presents some dialog boxes to the user.
- /q:a Specifies administrator-quiet mode, which does not present any dialog boxes to the user.
- /t:<path> Specifies the target folder for extracting files.
- /c Extracts the files without installing them.
- /c:<path> Specifies the path and name of the Setup .inf or .exe file.
- /r:n Never restarts the computer after installation.
- /r:i Restart if a restart is required - Automatically restarts the computer if it is required to complete installation.
- /r:a Always restarts the computer after installation.
- /r:s Restarts the computer after installation without prompting the user.
- /n:v No version checking - Install the program over any previous version.
For example, the file name /q:a /r:n command installs the update without any user intervention, and then it does not force the computer to restart.

WARNING: Your computer is vulnerable until you restart it and log on as an administrator to complete the installation.

NOTE: You cannot successfully install this update on Windows XP-based computers in non-interactive mode (for example, by using Windows Task Scheduler, Microsoft Systems Management Server, or Tivoli software from IBM). Microsoft is researching this problem and will post more information in this article when the information becomes available.
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
The following files are installed to the %WINDIR%\System32 folder:
Date         Time   Version              Size  File name     Internet Explorer Version
--------------------------------------------------------------------------------------
23-Jul-2002  15:49  6.0.2719.2200   2,759,680  Mshtml.dll    6
05-Mar-2002  03:09  6.0.2715.400      548,864  Shdoclc.dll   6
23-Jul-2002  15:51  6.0.2719.2200   1,336,320  Shdocvw.dll   6
23-Jul-2002  15:57  6.0.2715.400      109,568  Url.dll       6
23-Jul-2002  15:51  6.0.2719.2200     480,768  Urlmon.dll    6
06-Jun-2000  23:43  4.71.704.0          2,272  W95inf16.dll  6
06-Jun-2000  23:43  188.8.131.52        4,608  W95inf32.dll  6
06-Jun-2002  20:38  6.0.2718.400      583,168  Wininet.dll   6
06-Jun-2000  20:43  5.50.4134.600      92,432  Advpack.dll   5.5 SP2
22-Jul-2002  20:59  5.50.4919.2200  2,755,856  Mshtml.dll    5.5 SP2
22-Jul-2002  21:00  5.50.4919.2200  1,149,200  Shdocvw.dll   5.5 SP2
05-Mar-2002  01:53  5.50.4915.500      84,240  Url.dll       5.5 SP2
22-Jul-2002  21:01  5.50.4919.2200    451,344  Urlmon.dll    5.5 SP2
06-Jun-2000  20:43  4.71.704.0          2,272  W95inf16.dll  5.5 SP2
06-Jun-2000  20:43  184.108.40.206      4,608  W95inf32.dll  5.5 SP2
06-Jun-2002  21:27  5.50.4918.600     481,552  Wininet.dll   5.5 SP2
18-Dec-2001  15:48  5.50.4724.1700     79,120  Actxprxy.dll  5.5 SP1
06-Jun-2000  20:43  5.50.4134.600      92,432  Advpack.dll   5.5 SP1
18-Dec-2001  01:45  5.50.4724.1700     46,864  Digest.dll    5.5 SP1
22-Jul-2002  19:41  5.50.4731.2200  2,754,320  Mshtml.dll    5.5 SP1
18-Dec-2001  01:42  5.50.4724.1700    408,336  Mshtmled.dll  5.5 SP1
18-Dec-2001  01:43  5.50.4724.1700     71,952  Plugin.ocx    5.5 SP1
18-Dec-2001  15:48  5.50.4724.1700    494,352  Shdoc401.dll  5.5 SP1
24-Jul-2002  15:30  5.50.4731.2200  1,148,688  Shdocvw.dll   5.5 SP1
18-Dec-2001  14:52  5.50.4724.1700     23,312  Shfolder.dll  5.5 SP1
05-Mar-2002  01:53  5.50.4915.500      84,240  Url.dll       5.5 SP1
22-Jul-2002  19:43  5.50.4731.2200    450,832  Urlmon.dll    5.5 SP1
06-Jun-2000  20:43  4.71.704.0          2,272  W95inf16.dll  5.5 SP1
06-Jun-2000  20:43  220.127.116.11       4,608  W95inf32.dll  5.5 SP1
11-Jun-2002  19:33  5.50.4730.700     482,064  Wininet.dll   5.5 SP1
06-Jun-2000  20:43  5.50.4134.600      92,432  Advpack.dll   5.01 SP2
09-Sep-2001  22:31                     11,264  Instcat.exe   5.01 SP2
23-Jul-2002  14:53  5.0.3504.2500   2,355,472  Mshtml.dll    5.01 SP2
23-Jul-2002  14:54  5.0.3504.2500   1,106,192  Shdocvw.dll   5.01 SP2
05-Mar-2002  01:53  5.50.4915.500      84,240  Url.dll       5.01 SP2
23-Jul-2002  14:55  5.0.3504.2500     451,344  Urlmon.dll    5.01 SP2
06-Jun-2000  20:43  4.71.704.0          2,272  W95inf16.dll  5.01 SP2
06-Jun-2000  20:43  18.104.22.168       4,608  W95inf32.dll  5.01 SP2
07-Jun-2002  23:56  5.0.3506.1000     461,584  Wininet.dll   5.01 SP2

NOTE: Due to file dependencies, this update may contain additional files.
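To check collected file versions against the "(or later)" floor in the table above, the following Python code is an added example and not part of the Microsoft article. It parses a few rows copied from the table, including the Instcat.exe row that carries no version, and compares a constructed inventory numerically; the inventory values and function names are hypothetical.

```python
import re

# Rows copied from the file table above (subset); Instcat.exe has no version.
TABLE = """\
23-Jul-2002  15:51  6.0.2719.2200   1,336,320  Shdocvw.dll   6
23-Jul-2002  15:57  6.0.2715.400      109,568  Url.dll       6
06-Jun-2002  20:38  6.0.2718.400      583,168  Wininet.dll   6
09-Sep-2001  22:31                     11,264  Instcat.exe   5.01 SP2
23-Jul-2002  14:54  5.0.3504.2500   1,106,192  Shdocvw.dll   5.01 SP2
"""

ROW = re.compile(
    r"^(\d{2}-\w{3}-\d{4})\s+(\d{2}:\d{2})\s+"  # date and time (UTC)
    r"(?:(\d+(?:\.\d+){3})\s+)?"                 # four-part version, may be absent
    r"([\d,]+)\s+(\S+)\s+(.+)$"                  # size, file name, IE version
)

# Constructed inventory for an IE 6 machine; Wininet.dll was not collected.
INVENTORY = {"Shdocvw.dll": "6.0.2600.0", "Url.dll": "6.0.2715.1000"}

def as_tuple(version):
    """Turn '6.0.2715.400' into (6, 0, 2715, 400) so parts compare as numbers."""
    return tuple(int(part) for part in version.split("."))

def minimums(table, ie_version):
    """Return {file name: version tuple or None} for one IE version's rows."""
    wanted = {}
    for line in table.splitlines():
        row = ROW.match(line.strip())
        if row and row.group(6).strip() == ie_version:
            version = row.group(3)
            wanted[row.group(5).lower()] = as_tuple(version) if version else None
    return wanted

def audit(inventory, table, ie_version):
    """List files that are absent or older than the table's 'or later' floor."""
    observed = {name.lower(): ver for name, ver in inventory.items()}
    findings = []
    for name, floor in sorted(minimums(table, ie_version).items()):
        if name not in observed:
            findings.append((name, "missing"))
        elif floor and as_tuple(observed[name]) < floor:
            findings.append((name, "older than " + ".".join(map(str, floor))))
    return findings
```

The constructed Url.dll build 6.0.2715.1000 passes because 1000 is greater than 400 as a number, although a plain string comparison would order it before 6.0.2715.400.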