Vulnerability in "ImportExportFavorites"

ID: Q241438


The information in this article applies to:
  • Microsoft Internet Explorer version 5 for Windows 95
  • Microsoft Internet Explorer version 5 for Windows 98
  • Microsoft Internet Explorer version 5 for Windows NT 4.0


SUMMARY

A vulnerability in Microsoft Internet Explorer 5 could allow a malicious Web site operator to take inappropriate action on the computer of a person who visits the site.

Internet Explorer 5 includes a feature that allows users to export their list of favorite Web sites to a file or import a file containing a list of favorite Web sites. By design, the method that is used to perform this function, ImportExportFavorites(), should only allow particular types of files to be written, and only to specific locations on the drive. However, it is possible for a Web site to invoke this method, bypass this restriction, and write files that could be used to run system commands.

The net result is that a malicious Web site operator could potentially cause any action to be taken on the computer that the user would be capable of taking.

NOTE: This vulnerability would chiefly affect workstations that have Active Scripting enabled in Internet Explorer 5 and are used to connect to the Internet. This issue does not apply to previous versions of Microsoft Internet Explorer, nor does it apply to Microsoft Internet Explorer version 5 for Windows 3.1.

Users who are concerned about this vulnerability can prevent the ImportExportFavorites function from operating by disabling Active Scripting in Internet Explorer 5. To do so:

  1. In Internet Explorer 5, click Internet Options on the Tools menu, and then click the Security tab.
  2. Select the Internet Zone, and then click Custom Level.
  3. In the Settings list under Scripting, locate the entry labeled Active Scripting and set it to Disable.
  4. Click OK twice.

NOTE: If you visit Web sites that rely on Active Scripting, some of their features and functions may not be available while Active Scripting is disabled. If you find this to be a problem, you can enable Active Scripting, visit the sites you are interested in, and then disable it again. When the patch is delivered, you will be able to safely enable Active Scripting again for all sites.
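
To confirm that the workaround above is in place on a workstation, the zone settings can be exported from the registry and checked offline. The following Python script is an added example, not part of the original article. It assumes the documented Internet Explorer zone layout, which this article does not state: per-zone settings under `Internet Settings\Zones\<n>`, zone 3 as the Internet zone, and value `1400` as the Active Scripting action (0 = enable, 1 = prompt, 3 = disable). The sample export is constructed.

```python
import re

# Assumptions (not from the article): zone settings live under
# ...\Internet Settings\Zones\<n>, zone 3 is the Internet zone, and value
# "1400" is the Active Scripting action (0 enable, 1 prompt, 3 disable).
ZONES_KEY = r"software\microsoft\windows\currentversion\internet settings\zones"
STATES = {0: "enabled", 1: "prompt", 3: "disabled"}

# Constructed sample of a REGEDIT4 export, not taken from a real machine.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000000
"1400"=dword:00000003
'''

def active_scripting_by_zone(reg_text):
    """Return {zone_number: state} for every zone key that sets value 1400."""
    result, zone = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            # Remember which zone the following value lines belong to.
            # The hive name (first path component) is ignored.
            parts = key.group(1).lower().split("\\")
            path, leaf = "\\".join(parts[1:-1]), parts[-1]
            zone = int(leaf) if path == ZONES_KEY and leaf.isdigit() else None
            continue
        val = re.fullmatch(r'"1400"=dword:([0-9a-fA-F]{8})', line)
        if val and zone is not None:
            n = int(val.group(1), 16)
            result[zone] = STATES.get(n, "unknown(%d)" % n)
    return result

def workaround_applied(reg_text, zone=3):
    """True only if Active Scripting is explicitly disabled in the zone."""
    return active_scripting_by_zone(reg_text).get(zone) == "disabled"

if __name__ == "__main__":
    print(active_scripting_by_zone(SAMPLE_EXPORT))
    print("Internet zone workaround applied:", workaround_applied(SAMPLE_EXPORT))
```

A zone with no `1400` value in the export is reported as not having the workaround applied, so a missing setting is never treated as a safe one.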

For additional information about the fix for this problem, click the article number below to view the article in the Microsoft Knowledge Base:
Q241361 Update Available for Vulnerabilities in ActiveX Controls Issue


MORE INFORMATION

For more information, please see the following Microsoft Security Bulletin:

http://www.microsoft.com/security/bulletins/MS99-037.asp

For additional security-related information about Microsoft products, please go to:

http://www.microsoft.com/security/



Last Reviewed: October 8, 1999
© 2000 Microsoft Corporation. All rights reserved.