Update Available for Scriptlet.Typelib and Eyedog Security Vulnerability

ID: Q240308

The information in this article applies to:
  • Microsoft Internet Explorer versions 4.01 Service Pack 2, 5 for Windows 98
  • Microsoft Internet Explorer versions 4.0, 4.01, 4.01 Service Pack 1, 4.01 Service Pack 2, 5 for Windows NT 4.0
  • Microsoft Internet Explorer version 5 for Windows 95

SUMMARY

Microsoft has released an update that eliminates security vulnerabilities in the following two ActiveX controls:

NOTE: This problem is resolved in Microsoft Internet Explorer 5.01.

  • Object for constructing type libraries for scriptlets (Scriptlet.Typelib)


  • Eyedog


Additional information about these controls is available at the following Microsoft Web site:
http://www.microsoft.com/security/bulletins/ms99-032.asp
The update eliminates a vulnerability that could allow a malicious Web site operator to take inappropriate actions on your computer and is posted to the following Microsoft Web site:
ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/Eyedog-fix/


MORE INFORMATION

The Scriptlet.Typelib and Eyedog controls are not related to each other, but both are incorrectly marked as "safe for scripting" and can therefore be called from Internet Explorer.

Developers use the Scriptlet.Typelib control to generate Type Libraries for Windows Scripting Components. It should not be marked "safe for scripting" because it allows local files to be created or modified. The update removes the "safe for scripting" setting, which causes Internet Explorer to prompt you for confirmation before loading the control.

The Eyedog control is used by diagnostic software in Windows. It should not be marked "safe for scripting" because it allows registry information to be queried and computer characteristics to be gathered. In addition, one of the control's methods is vulnerable to a buffer overrun attack. The update prevents the control from loading within Internet Explorer.

Microsoft recently became aware of a new virus called "The BubbleBoy Virus," which is an Internet worm virus that requires Internet Explorer 5, and Microsoft Outlook 2000, Outlook 98 or Outlook Express. This virus can be embedded within e-mail messages in HTML format and does not contain any attachments. Microsoft released a patch for Internet Explorer that eliminates security vulnerabilities in two ActiveX controls; this patch prevents the BubbleBoy virus from spreading.

For additional security-related information about Microsoft products, please visit the following Microsoft Web site:

http://www.microsoft.com/security

Additional query words: ie bubbleboy

Keywords : msiew95 msient msiew98
Version : WINDOWS:4.0,4.01,4.01 Service Pack 1,4.01 Service Pack 2,5
Platform : WINDOWS
Issue type : kbprb


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.