Update Available for "Active Setup Control" Vulnerability

ID: Q244540


The information in this article applies to:
  • Microsoft Internet Explorer versions 4.01 Service Pack 2, 5 for Windows 95
  • Microsoft Internet Explorer versions 4.01 Service Pack 2, 5 for Windows NT 4.0
  • Microsoft Internet Explorer versions 4.01 Service Pack 2, 5 for Windows 98
  • Microsoft Windows 98 Second Edition


SUMMARY

Microsoft has released an update that eliminates a vulnerability that could permit a malicious user to embed an unsafe executable (.exe) file within an e-mail message and disguise it as a safe type of attachment. Through a complicated series of steps, the unsafe executable could be made to execute under certain conditions, if the user opens the attachment.

Additional information about this issue is available from the following Microsoft Web sites:

http://www.microsoft.com/security/bulletins/MS99-048.asp
http://www.microsoft.com/security/bulletins/ms99-048faq.asp

Updates are available for the following products:
  • Microsoft Internet Explorer 4.01 Service Pack 2 for Windows 95
  • Microsoft Internet Explorer 4.01 Service Pack 2 for Windows 98
  • Microsoft Internet Explorer 4.01 Service Pack 2 for Windows NT 4.0 (Alpha and x86)
  • Microsoft Internet Explorer 5 for Windows 95
  • Microsoft Internet Explorer 5 for Windows 98
  • Microsoft Internet Explorer 5 for Windows NT 4.0 (Alpha and x86)
  • Microsoft Windows 98 Second Edition


Microsoft Internet Explorer 4.x and 5 for Windows 3.1, Windows NT 3.51, UNIX on Sun Solaris, and Internet Explorer 4.x for Macintosh are not affected by this problem. Internet Explorer version 3.x for Windows 95 and Windows NT 4.0 is also not affected.


MORE INFORMATION

The Inseng.dll Active Setup Install Engine permits cabinet files to be launched and executed. A HyperText Markup Language (HTML) e-mail message could use this capability to launch a malicious cabinet file renamed as a normal file. If a user attempted to open this file, the operation would not work as a user would expect, but it could copy a file to an expected location without any notice to the user. The ActiveX control could then be used by a script embedded in the e-mail to start the copied file, causing the malicious code to be run.

The vulnerability could only be exploited in cases where an e-mail program is used that permits scripts in HTML e-mail and stores temporary copies of previously run programs in known locations (for example, Microsoft Outlook or Outlook Express).

This patch restricts the ability of the control to start unsigned cabinet files that have been downloaded from the local computer.

After installing this update, "Q244540" is added to the "Update versions" line when you click About Internet Explorer on the Help menu.

This patch is available from the following Microsoft Web site:

http://www.microsoft.com/msdownload/iebuild/ascontrol/en/ascontrol.htm

Internet Explorer 5

   File name   Size       Date        Version         Platform
   -----------------------------------------------------------
   Inseng.dll     76,048  10/26/1999  5.00.2722.2600  x86
   Inseng.dll    144,144  10/26/1999  5.00.2722.2600  Alpha 


Internet Explorer 4.01 SP2

   File name   Size       Date        Version         Platform
   -----------------------------------------------------------
   Inseng.dll     59,568  10/26/1999  4.72.3710.2600  x86
   Inseng.dll    110,864  10/26/1999  4.72.3710.2600  Alpha  

NOTE: Microsoft Internet Explorer 4.0, 4.01, 4.01 Service Pack 1 for Windows 95 and Windows NT 4.0, and Microsoft Windows 98 are also vulnerable to this problem, but running the patch on a version of Internet Explorer prior to 4.01 SP2 will result in the same message that results from running the patch on an unaffected system (for example, Internet Explorer 3.02 for Windows 95 or Windows NT 4.0):

   This update does not need to be installed on this system.

Patches are only available for Internet Explorer 4.01 SP2 and later. Microsoft recommends that users update to Internet Explorer 4.01 SP2 or 5 and then install this patch.
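
The file tables above give the Inseng.dll version that carries the fix for each browser line. The following check is an added example, not part of the original article and not Microsoft code; it classifies Inseng.dll file versions gathered in an inventory against those two fixed versions. The host names, the status labels and the unpatched sample versions are constructed for illustration.

```python
import re

# Fixed Inseng.dll versions from the file tables in this article, keyed by the
# (major, minor) branch of the file version.
FIXED = {
    (5, 0): (5, 0, 2722, 2600),    # Internet Explorer 5
    (4, 72): (4, 72, 3710, 2600),  # Internet Explorer 4.01 SP2
}

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints, so '5.00' compares as (5, 0)."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        raise ValueError("not a four-part file version: %r" % text)
    return tuple(int(part) for part in text.split("."))

def classify(version_text):
    """Compare one Inseng.dll file version with the fixed version of its branch."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # The article lists no fixed file for this branch.
        return "no-fix-listed"
    return "patched" if version >= fixed else "below-fixed-version"

def audit(inventory):
    """Map each host to a status; unparsable versions are reported, not skipped."""
    report = {}
    for host, version_text in inventory:
        try:
            report[host] = classify(version_text)
        except ValueError:
            report[host] = "unreadable-version"
    return report

# Constructed sample inventory: host names and the unpatched versions are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "5.00.2722.2600"),
    ("ws-02", "5.00.2614.3500"),
    ("ws-03", "4.72.3710.2600"),
    ("ws-04", "4.72.3612.1700"),
    ("ws-05", "4.71.1712.6"),
    ("ws-06", "unknown"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(host, status)
```

A "below-fixed-version" result does not say whether the patch will install: as noted above, versions of Internet Explorer prior to 4.01 SP2 must be updated first.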

NOTE: To work around this vulnerability if you cannot install this patch, disable Active Scripting in your e-mail program. To do this in Microsoft Outlook or Outlook Express, please see the appropriate Microsoft Knowledge Base article:
Q192846 How to Disable JScript and VBScript in Outlook Express
Q215774 OL2000: Scripts Embedded in HTML Messages Run without Warning

Additional query words: asctrls.ocx

Keywords : kbenv msiew95 msient msiew98 win98se
Version : WINDOWS:4.01 Service Pack 2,5
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: November 9, 1999
© 2000 Microsoft Corporation. All rights reserved.