JavaScript Redirect Vulnerability in Internet Explorer

ID: Q244233

The information in this article applies to:
  • Microsoft Internet Explorer versions 4.01, 4.01 Service Pack 1, 4.01 Service Pack 2, 5 for Windows 95
  • Microsoft Internet Explorer versions 4.01 Service Pack 2, 5 for Windows 98
  • Microsoft Internet Explorer versions 4.01, 4.01 Service Pack 1, 4.01 Service Pack 2, 5 for Windows NT 4.0
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows 98

SYMPTOMS

Under certain circumstances, a malicious Web site operator could use a JavaScript redirect command to read files on a computer if the browser is redirected to a malicious Web site. Files can be read only if the name of the file, and the name of the folder in which the file is located, is known by the malicious operator. This vulnerability does not allow the malicious operator to list the contents of folders; create, modify, or delete files; or to gain administrative control of the computer.


RESOLUTION

For information about obtaining an update that corrects this issue, please see the following article in the Microsoft Knowledge Base:

Q244357 Update for 'Javascript Redirect' in Internet Explorer 5


WORKAROUND

To temporarily work around this issue, add trusted sites to the Trusted Sites zone and disable Active Scripting in the Internet zone.

Adding Sites to the Trusted Sites Zone

You can add Web sites that you explicitly trust not to take malicious action on your computer to the Trusted Sites zone. To add Web sites to the Trusted Sites zone:
  1. Click Start, point to Settings, click Control Panel, and then double-click Internet Options.

    If you are using Internet Explorer 4.x, double-click Internet in Control Panel.


  2. Click the Security tab, click Trusted Sites, click Sites, and then type the name of a Web site that you know can be trusted. For example, type: https://www.microsoft.com. Repeat this step for each Web site you want to add.

    NOTE: When you add sites to the Local Intranet or Trusted Sites zone, you can require that server verification be used by clicking to select the Require server verification (https:) for all sites in this zone check box.


  3. Click OK.


  4. Click OK.


For additional information about the security zones, click the article number below to view the article in the Microsoft Knowledge Base:
Q174360 How to Use Security Zones in Internet Explorer

Disable Active Scripting

To disable Active Scripting:
  1. Click Start, point to Settings, click Control Panel, and then double-click Internet Options.

    If you are using Internet Explorer 4.x, double-click Internet in Control Panel.


  2. Click the Security tab.


  3. Click the Internet zone, and then click Custom Level.

    If you are using Internet Explorer 4.x, click Internet Zone.


  4. In the Settings box, locate the Scripting section, and then click Disable under Active Scripting.


  5. Click OK.


  6. Click OK.


Additional query words:

Keywords : kbenv msiew95 msient win98 msiew98 win98se
Version : WINDOWS:4.01,4.01 Service Pack 1,4.01 Service Pack 2,5
Platform : WINDOWS
Issue type : kbprb


Last Reviewed: January 17, 2000
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.