Update Available For "Frame Spoof" Security Issue

ID: Q167614


The information in this article applies to:
  • Microsoft Internet Explorer versions 3.0, 3.01, 3.02, 4.0, 4.01, 4.01 Service Pack 1, 5 for Windows 95
  • Microsoft Internet Explorer versions 3.0, 3.01, 3.02, 4.0, 4.01, 4.01 Service Pack 1, 5 for Windows NT 4.0
  • Microsoft Internet Explorer for Windows 98
  • Microsoft Windows 98
  • Microsoft Internet Explorer for Windows 3.1
  • Microsoft Internet Explorer for Windows NT 3.51
  • Microsoft Internet Explorer for UNIX on HPUX
  • Microsoft Internet Explorer for UNIX on Sun Solaris
  • Microsoft Internet Explorer for Macintosh


SUMMARY

Microsoft has made an update available that addresses a potential security issue with regard to the use of frames in Internet Explorer. Additional information about this issue is available from the following Microsoft Web sites:

Updates are available for the following products:

  • Microsoft Internet Explorer 4.01 and 4.01 SP1 for Windows 95
  • Microsoft Internet Explorer 4.01 and 4.01 SP1 for Windows NT 4.0 (Alpha and x86)
  • Microsoft Windows 98
  • Microsoft Internet Explorer 4.01 for Windows 3.1
  • Microsoft Internet Explorer 4.01 for Windows NT 3.51


This issue may enable a malicious Web site operator to mimic a legitimate Web site by inserting a window as a frame within the legitimate Web site's window. Microsoft has not received any reports of adverse effects as a result of this issue.

This update also fixes the "Untrusted Scripted Paste" and "Cross Frame Navigate" issues in Microsoft Internet Explorer 4.01 and 4.01 Service Pack 1 running on Windows operating systems. Additional information is available at the following Microsoft Web site:

After installing this update, "3214" is added to the "Update versions" line when you click About Internet Explorer on the Help menu.

NOTE: Internet Explorer 5 automatically includes protection against the "Frame Spoof" vulnerability at High security. To enable this protection in Internet Explorer 5 without using a High security setting, use the following steps:

  1. Click Start, point to Settings, click Control Panel, and then double-click Internet.
  2. Click the Security tab.
  3. Under "Select a Web content zone to specify its security settings," click Internet.
  4. Click Custom Level.
  5. Under "Navigate sub-frames across different domains," click Disable.
  6. Click OK.



MORE INFORMATION

Update Information by Product:

WARNING: This Frame Spoof patch may affect programs that host WebBrowser controls. Microsoft recommends you not install this patch if your program is affected.

NOTE: If you are using Internet Explorer 3.x or 4.0, you must install Internet Explorer 4.01 in order to apply this update. You can install Internet Explorer 4.01 with Service Pack 1 from the following Microsoft Web site:

http://www.microsoft.com/windows/ie/download

Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows 95:
Update File Name: 3214.exe
Availability: http://www.microsoft.com/windows/ie/security

   Updated File Name    Size (bytes)   Date       Version
   -------------------------------------------------------------
   Mshtml.dll           2422032        12/19/98   4.72.3612.1700

Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows NT 4.0 x86:
Update File Name: 3214.exe
Availability: http://www.microsoft.com/windows/ie/security

   Updated File Name    Size (bytes)   Date       Version
   -------------------------------------------------------------
   Mshtml.dll           2421520        12/19/98   4.72.3612.1700

Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows NT 4.0 Alpha:
Update File Name: 3214a.exe
Availability: http://www.microsoft.com/windows/ie/security

   Updated File Name    Size (bytes)   Date       Version
   -------------------------------------------------------------
   Mshtml.dll           3948304        12/19/98   4.72.3612.1700

Windows 98:
Update File Name: 3214.exe
Availability: Microsoft Windows Update

   Updated File Name    Size (bytes)   Date       Version
   -------------------------------------------------------------
   Mshtml.dll           2422832        12/19/98   4.72.3612.1700

Microsoft Internet Explorer 4.01 for Windows 3.1 and Windows NT 3.51:
Update File Name: 3214.exe
Availability: http://www.microsoft.com/windows/ie/security

   Updated File Name    Size (bytes)   Date       Version
   ------------------------------------------------------------
   Mshtml16.dll         3086400        12/21/98   4.1.2512.2100

NOTE: After applying this update, cross-frame navigation will be permitted only in the following cases:

  1. You own the frame (ownership is defined as being the direct parent).
  2. You are in the same domain as the owner of the frame.
     -or-
  3. The frame is a top-level window (applies to "target=" cases).


Also, after applying this update, you may receive the following error message when loading a Web page that contains the potential security issue:

   Internet Explorer Script Error
   An error has occurred in the script on this page.
   Line: <line number>
   Char: <character number>
   Error: Permission denied
   Code: <code number>
   Do you want to continue running scripts on this page?
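
The three cross-frame navigation cases listed in the NOTE above can be expressed as a decision function over a frame tree. The following is an added illustration, not Microsoft code or the browser's implementation; the frame objects, field names, example domains, and the exact-host meaning of "same domain" are assumptions.

```javascript
// Model of the post-update cross-frame navigation rules from the article.
// All frames and domains below are constructed for illustration.
function makeFrame(name, domain, parent = null) {
  return { name, domain, parent };
}

// Assumption: "same domain" is treated as case-insensitive host equality;
// the article does not define it further.
function sameDomain(a, b) {
  return a.toLowerCase() === b.toLowerCase();
}

// Decide whether `source` may navigate `target`.
// Returns { allowed, rule } where rule is the article's case number.
function checkNavigation(source, target) {
  const owner = target.parent; // "ownership is defined as being the direct parent"
  if (owner === source) {
    return { allowed: true, rule: 1 };   // case 1: source owns the frame
  }
  if (owner !== null && sameDomain(source.domain, owner.domain)) {
    return { allowed: true, rule: 2 };   // case 2: same domain as the owner
  }
  if (owner === null) {
    return { allowed: true, rule: 3 };   // case 3: top-level window
  }
  // Any other request is refused; in the browser this is the
  // "Permission denied" script error quoted above.
  return { allowed: false, rule: null };
}

// Constructed frame tree: a site with two sub-frames, plus an unrelated window.
const bankTop = makeFrame("bank-top", "www.bank.example");
const bankContent = makeFrame("content", "www.bank.example", bankTop);
const bankHelper = makeFrame("helper", "WWW.BANK.EXAMPLE", bankTop);
const otherTop = makeFrame("other-top", "other.example");

// Summarise the four interesting requests as [description, allowed, rule].
function decisions() {
  const cases = [
    ["parent -> own sub-frame", bankTop, bankContent],
    ["sibling in owner's domain -> sub-frame", bankHelper, bankContent],
    ["unrelated window -> another site's sub-frame", otherTop, bankContent],
    ["unrelated window -> top-level window", otherTop, bankTop],
  ];
  return cases.map(([label, src, dst]) => {
    const r = checkNavigation(src, dst);
    return [label, r.allowed, r.rule];
  });
}
```

The third request is the frame-spoof case the update blocks: a window from a different domain trying to replace a sub-frame inside another site's window.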

Keywords : msiew95 msient msiew31 msiemac msieunix win98 ie4sp1 msiew98
Version : MACINTOSH:; UNIX:; WINDOWS:3.0,3.01,3.02,4.0,4.01,4.01 Service Pack 1,5
Platform : MACINTOSH UNIX WINDOWS
Issue type : kbinfo


Last Reviewed: August 12, 1999
© 2000 Microsoft Corporation. All rights reserved.