"Download Behavior" Vulnerability in Internet Explorer 5

ID: Q242542


The information in this article applies to:
  • Microsoft Internet Explorer version 5 for Windows NT 4.0
  • Microsoft Internet Explorer version 5 for Windows 98
  • Microsoft Internet Explorer version 5 for Windows 95
  • Microsoft Internet Explorer version 5 for UNIX on Sun Solaris
  • Microsoft Internet Explorer version 5 for UNIX on HPUX
  • Microsoft Windows 98 Second Edition


SUMMARY

Microsoft has released an update to Internet Explorer 5 that addresses a potential security vulnerability with the download Dynamic HTML (DHTML) behavior. Additional information about this issue is available from the following Microsoft Web site:

http://www.microsoft.com/security/bulletins/ms99-040.asp

Updates are available for the following products:
  • Microsoft Internet Explorer 5 for Windows 95, Windows 98, and Windows NT 4.0 (x86 and Alpha)
  • Microsoft Windows 98 Second Edition


This update also addresses the vulnerabilities in Internet Explorer 5 described in the following Microsoft Knowledge Base article:
Q226325 Update Available For MSHTML Security Issues In Internet Explorer


MORE INFORMATION

DHTML behaviors (a new feature introduced in Internet Explorer 5) are simple, lightweight components that encapsulate specific functionality or behavior on a page. The download behavior feature allows Web page authors to download files for use in client-side scripts. By design, a Web site should be able to download only files that reside in its own domain; this prevents client-side code from exposing files on your computer or local intranet to the Web site. However, a server-side redirect can be used to bypass this restriction. This vulnerability could allow a malicious Web site operator to read (but not modify or erase) files on your computer or on other computers on your local intranet.
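
The same-domain restriction and the redirect bypass described above, modelled as an added example (not Microsoft's code and not part of the original article). It contrasts a policy check made only on the requested URL with one made on every redirect hop; the host names, the redirect table and all function names are constructed placeholders.

```javascript
// Page that hosts the script (constructed placeholder).
const PAGE = "http://site.example/index.htm";

// Constructed redirect table standing in for server responses (302 Location headers).
// A null value means the URL is served directly.
const REDIRECTS = new Map([
  ["http://site.example/data.txt", null],
  ["http://site.example/go", "file:///C:/placeholder.txt"],          // redirect to a local file
  ["http://site.example/hop", "http://intranet.example/report.txt"], // redirect to an intranet host
  ["http://intranet.example/report.txt", null],
  ["http://site.example/self", "http://site.example/data.txt"],      // same-domain redirect
]);

// Origin as scheme + host (+ port); file: URLs get their own label so they never match a Web origin.
function originOf(url) {
  const u = new URL(url);
  return u.protocol === "file:" ? "file-local" : `${u.protocol}//${u.host}`;
}

// Follow the redirect chain and return every URL visited, first to last.
function resolveChain(url, maxHops = 5) {
  const chain = [url];
  while (REDIRECTS.get(chain[chain.length - 1])) {
    if (chain.length > maxHops) throw new Error("too many redirects");
    chain.push(REDIRECTS.get(chain[chain.length - 1]));
  }
  return chain;
}

// Flawed model: the decision looks only at the URL the script asked for,
// so a same-domain URL that redirects elsewhere is accepted.
function allowInitialOnly(pageUrl, requestUrl) {
  return originOf(requestUrl) === originOf(pageUrl);
}

// Hardened model: every hop, including the final target, must match the page's origin.
function allowEveryHop(pageUrl, requestUrl) {
  const pageOrigin = originOf(pageUrl);
  return resolveChain(requestUrl).every((hop) => originOf(hop) === pageOrigin);
}
```

The design point is that the access decision has to be made on the resource actually fetched, not on the URL the page supplied.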

This vulnerability does not affect Internet Explorer 5 for Windows 3.1 and Windows NT 3.51 or Internet Explorer 5 for Macintosh. Internet Explorer 5 for UNIX is affected, and an update will be available soon (see the workaround described below). Internet Explorer 4.x (for all platforms) does not support the download DHTML behavior and is not affected by this vulnerability.

To obtain the update for the download behavior vulnerability, download and install the appropriate Q242542.exe file for your computer from the following Microsoft Web site:

http://www.microsoft.com/msdownload/iebuild/dlbhav/en/dlbhav.htm

NOTE: If you are running Internet Explorer 5 for Windows 95, Windows 98, or Windows NT 4.0 (x86), or you are running Windows 98 Second Edition, download the Update for "Download Behavior" Vulnerability (x86). If you are running Internet Explorer 5 for Windows NT 4.0 (Alpha), download the Update for "Download Behavior" Vulnerability (Compaq DIGITAL Alpha).

   Updated file name   Size                Date      Version
   ----------------------------------------------------------------
   Mshtml.dll          2,359,296 (x86)     9-29-99   5.00.2721.2900
   Mshtml.dll          4,984,832 (Alpha)   9-29-99   5.00.2721.2900

After you install the update for the download behavior vulnerability, "Q242542" is added to the Update Versions line when you click About Internet Explorer on the Help menu in Internet Explorer.

Microsoft highly recommends that Internet Explorer 5 users evaluate the degree of risk that this vulnerability poses to their computers and determine whether to download and install the patch. Users who are concerned about this vulnerability but cannot install the patch can prevent the download behavior feature from operating by disabling Active Scripting in Internet Explorer 5. To do so:
  1. In Internet Explorer 5, click Internet Options on the Tools menu, and then click the Security tab.
  2. Click the Internet zone, and then click Custom Level.
  3. In the Settings box, under Scripting, locate the Active Scripting item, and then click Disable.
  4. Click OK, and then click OK.


NOTE: If you visit Web sites that rely on Active Scripting, some of their features and functions may not be available. If you need Active Scripting to use a site that you trust, you may want to consider adding the site to the Trusted Sites zone:
  1. In Internet Explorer 5, click Internet Options on the Tools menu, and then click the Security tab.
  2. Click the Trusted Sites zone, and then click Sites.
  3. Type the Web address (URL) of the site, and then click Add.
  4. Click OK, and then click OK.


For additional security-related information about Microsoft products, please see the following Microsoft Web site:

http://www.microsoft.com/security/

For additional information about the download behavior, please see the following Microsoft Web site:

http://msdn.microsoft.com/workshop/author/behaviors/reference/behaviors/download.asp

Note that this problem does not occur in Internet Explorer 5.01.

Keywords : kbtool msiew95 msient msieunix msiew98 win98se
Version : UNIX:5; WINDOWS:5
Platform : UNIX WINDOWS
Issue type : kbprb


Last Reviewed: November 26, 1999
© 2000 Microsoft Corporation. All rights reserved.