Update Available for "IFRAME ExecCommand" Vulnerability in Internet Explorer 5

ID: Q243638


The information in this article applies to:
  • Microsoft Internet Explorer version 5 for Windows 98
  • Microsoft Internet Explorer version 5 for Windows 95
  • Microsoft Internet Explorer version 5 for Windows NT 4.0


SUMMARY

Microsoft has made an update available that addresses a potential security issue relating to the use of the Document.ExecCommand() method when invoked on an IFrame. When you visit a Web site, this issue may enable a malicious Web site operator to read files on your computer, although the name and location of the file would have to be known to exploit this issue.

NOTE: Microsoft has not received any reports of adverse effects as a result of this issue.

Additional information about this issue is available at the following Microsoft Web sites:

http://www.microsoft.com/windows/ie/security/default.asp
http://www.microsoft.com/security/bulletins/ms99-042.asp

Updates are available for the following products:
  • Microsoft Internet Explorer 5 for Windows 95
  • Microsoft Internet Explorer 5 for Windows NT 4.0 (Alpha and x86)
  • Microsoft Windows 98

An updated version of the "IFRAME ExecCommand" Vulnerability update was posted on November 4, 1999. This update also fixes the MSHTML issues in Microsoft Internet Explorer 5 previously documented in the following articles in the Microsoft Knowledge Base:

Q226325 Update Available for MSHTML Security Issues in Internet Explorer
Q242542 Download Behavior Vulnerability in Internet Explorer 5

For additional information about these issues, please see the following Microsoft Web sites:

http://www.microsoft.com/security/bulletins/MS99-012.asp
http://www.microsoft.com/security/bulletins/ms99-040.asp

Note that this issue does not occur in Internet Explorer 5.01.


MORE INFORMATION

This fix blocks the ExecCommand() method only when it is invoked cross-domain and from script.

To obtain this update, download and install the appropriate Q243638.exe file for your computer from the following Microsoft site:

http://www.microsoft.com/msdownload/iebuild/dlbhav/en/dlbhav.htm

October 15 version of Q243638.exe:

   File name   Size       Date        Version         Platform
   -----------------------------------------------------------
   Mshtml.dll  2,355,472  10/13/1999  5.00.2722.1300  x86
   Mshtml.dll  4,983,056  10/13/1999  5.00.2722.1300  Alpha

IMPORTANT: On October 29, 1999, Microsoft learned that this patch had caused a regression error. While this patch did correct the "IFRAME ExecCommand" vulnerability, it caused an older vulnerability to be re-exposed for Internet Explorer 5 users. The October 15 version of this patch does not include fixes for the issues documented in the following Microsoft Knowledge Base article:

Q242542 Download Behavior Vulnerability in Internet Explorer 5

For additional information about these issues, please see the following Microsoft Web site:

http://www.microsoft.com/security/bulletins/MS99-012.asp

Microsoft has corrected this regression error and re-released the patch. If you previously applied the fix for this vulnerability, you need to apply the updated fix.

November 4 version of Q243638.exe:

   File name   Size       Date        Version         Platform
   -----------------------------------------------------------
   Mshtml.dll  2,355,472  10/29/1999  5.00.2722.2800  x86
   Mshtml.dll  4,983,056  10/29/1999  5.00.2722.2800  Alpha

After you install this update, "Q243638" is added to the Update Versions line when you click About Internet Explorer on the Help menu in Internet Explorer.
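
The two file tables above can be turned into a fleet check. The following is an added example, not Microsoft's code: it classifies Mshtml.dll version strings from an inventory export against the October 15 and November 4 builds. The CSV layout, the host names, and the assumption that file versions order by release are illustrative.

```python
# Added example: triage Mshtml.dll versions against the two Q243638 builds.
import csv
import io

OCT15 = (5, 0, 2722, 1300)  # October 15 build: fixes ExecCommand, has the regression
NOV4 = (5, 0, 2722, 2800)   # November 4 build: corrected re-release

def parse_version(text):
    """Turn '5.00.2722.1300' into (5, 0, 2722, 1300); ValueError if malformed."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError("expected four numeric fields: %r" % (text,))
    return parts

def classify(version_text):
    """Classify one Mshtml.dll file version (assumes versions order by release)."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unparseable"
    if v[:2] != (5, 0):
        return "out-of-scope"      # the article covers Internet Explorer 5 only
    if v >= NOV4:
        return "nov4-or-later"
    if v == OCT15:
        return "oct15-regressed"   # must be replaced with the November 4 build
    if v < OCT15:
        return "below-oct15"       # predates the first Q243638 build
    return "unknown-interim"       # between the two builds; check by hand

def hosts_needing_update(inventory_csv):
    """Return hosts whose Mshtml.dll predates the November 4 build."""
    flagged = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if classify(row["version"]) in ("below-oct15", "oct15-regressed"):
            flagged.append(row["host"])
    return flagged

# Constructed inventory (host names and the non-table versions are made up).
SAMPLE = """host,version
WS-01,5.00.2722.2800
WS-02,5.00.2722.1300
WS-03,5.00.2700.1000
WS-04,n/a
"""

if __name__ == "__main__":
    print(hosts_needing_update(SAMPLE))
```

Rows reported as "unparseable" or "unknown-interim" are not flagged automatically and should be reviewed by hand.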

Microsoft highly recommends that Internet Explorer 5 users evaluate the degree of risk that this vulnerability poses to their computers and determine whether to download and install the patch. Users who are concerned about this vulnerability but cannot install the patch can prevent this behavior from operating by disabling Active Scripting in Internet Explorer 5:
  1. In Internet Explorer 5, click Internet Options on the Tools menu, and then click the Security tab.
  2. Click the Internet zone, and then click Custom Level.
  3. In the Settings box, locate the Active Scripting item under Scripting, and then click Disable.
  4. Click OK, and then click OK.

NOTE: If you visit Web sites that rely on Active Scripting, some of their features and functions may not be available. If you need Active Scripting to use a site that you trust, you may want to consider adding the site to the Trusted Sites zone:
  1. In Internet Explorer 5, click Internet Options on the Tools menu, and then click the Security tab.
  2. Click the Trusted Sites zone, and then click Sites.
  3. Type the Web address (URL) of the site, and then click Add.
  4. Click OK, and then click OK.

Keywords : kbenv msiew95 msient msiew98
Version : WINDOWS:5
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: November 26, 1999
© 2000 Microsoft Corporation. All rights reserved.