Preventing Internet Explorer and Outlook Express Cross-Site Scripting Security Issues

ID: Q253117


The information in this article applies to:
  • Microsoft Internet Explorer versions 4, 5 for Windows 98
  • Microsoft Internet Explorer versions 3.02, 4.0, 5 for Windows 95
  • Microsoft Outlook Express, version 4.0
  • Microsoft Windows 98 Second Edition
  • Microsoft Internet Explorer versions 3.02, 4.0, 5 for Windows NT 4.0
  • Microsoft Windows 2000 Professional


SUMMARY

Microsoft has identified a serious security vulnerability that could affect many Web sites and Web site users. The vulnerability, known as "Cross-Site Scripting", is possible in any program that allows scripting, but it is not the result of a defect in those programs. Instead, it is the result of certain common Web coding practices. For additional information on this issue, please see the following Microsoft Web site:

http://www.microsoft.com/technet/security/crsstFAQ.asp

This article describes steps you can take so that, during the period when Web site owners are reviewing their code and making any necessary changes, you can continue to browse the Web safely. Any program that uses scripting can be affected by this vulnerability; this article provides instructions for securing Microsoft programs. If you are using another manufacturer's program, we recommend that you contact them for instructions about how to configure that program.
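The "common Web coding practice" the article refers to, as an added example that is not part of the original article or of any Microsoft code: a server-side search page (the page name, the parameter name q, the sample request and all function names are assumptions) copies a visitor-supplied term into its HTML verbatim, shown beside the HTML-encoded form a site owner would change it to.

```python
import html
from urllib.parse import parse_qs

# Constructed request: the query string a browser sends when it follows a
# link to a hypothetical results page such as search.asp?q=...
SAMPLE_QUERY = "q=%3Cscript%3Ealert(1)%3C/script%3E"


def search_term(query_string: str) -> str:
    """Return the 'q' parameter as the server would decode it."""
    return parse_qs(query_string).get("q", [""])[0]


def render_unsafe(term: str) -> str:
    """The vulnerable coding practice: the visitor-supplied term is copied
    into the page as-is, so markup in it is parsed as markup and script in
    it runs with the site's privileges in the visitor's browser."""
    return f"<p>Results for: {term}</p>"


def render_safe(term: str) -> str:
    """Hardened form: HTML-encode the term so '<', '>', '&' and quotes are
    emitted as character references and the browser displays the text
    instead of interpreting it."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def contains_tag(fragment: str, tag: str) -> bool:
    """Crude check: does the rendered fragment still contain a literal
    '<tag' opening that the browser would parse?"""
    return f"<{tag}" in fragment.lower()


if __name__ == "__main__":
    term = search_term(SAMPLE_QUERY)
    print(render_unsafe(term))  # the tag survives into the page
    print(render_safe(term))    # the tag is shown as text
```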


MORE INFORMATION

There are several precautionary steps you can take to minimize the effects of this issue. We recommend that all customers take these steps.

How to Prevent Cross-Site Scripting in E-Mail Messages

To prevent Cross-Site Scripting from occurring in e-mail messages, turn off Active Scripting in the Restricted Zone and make all e-mail messages you receive run in the Restricted Zone. For additional information about how to do this, click the article numbers below to view the articles in the Microsoft Knowledge Base:
Q192846 How to Disable JScript and VBScript in Outlook Express
Q215774 OL2000: Scripts Embedded in HTML Messages Run without Warning.

Turn Off Active Scripting in the Restricted Zone

If you use Internet Explorer 5 or later, follow these steps:
  1. On the Tools menu, click Internet Options, and then click the Security tab.


  2. Click Restricted Sites, and then click Custom Level.


  3. Under Scripting, click Disable for the Active scripting feature. If you are asked to confirm the change, click Yes.


  4. Click OK to return to Internet Explorer.


If you use Internet Explorer 4.x, follow these steps:
  1. On the View menu, click Internet Options, and then click the Security tab.


  2. In the Zone box, click Restricted Sites.


  3. Click Custom (for expert users), and then click Settings.


  4. Under Scripting, click Disable for the Active Scripting feature, and then click OK.


  5. Click OK to return to Internet Explorer.


Configure All E-Mail to Run in the Restricted Zone

If you use Outlook Express 5 or later, follow these steps:
  1. On the Tools menu, click Options, and then click the Security tab.


  2. Under Security Zones, click Restricted sites zone (More secure), and then click OK.


If you use Outlook Express 4.x, follow these steps:
  1. On the Tools menu, click Options, and then click the Security tab.


  2. Under Security Zones, click Restricted sites zone, and then click OK.


Take Precautions to Avoid Attacks When You Browse the Web or Read E-Mail Messages

  • Browse only to Web sites that you trust not to use malicious code.


  • Be careful about how you initially visit a Web site. The safest way to connect to a Web site is to type the Web address directly into the browser or use a securely-stored local bookmark or favorite. If you do this, you can significantly reduce exposure while maintaining functionality.


  • Do not click hyperlinks in an e-mail message, even if the message appears to be from someone you trust. A malicious user can cause a false name to appear on the From: line of an e-mail message.


Recovering from a Cross-Site Scripting Attack

NOTE: You should take the following steps only if you have credible evidence that you have visited a Web site that uses cross-site scripting. After you perform these steps, you will need to register again with, and re-customize, any Web sites that you visit again.

To stop cross-site scripting:
  1. Close Internet Explorer.


  2. Start Internet Explorer again and visit a safe Web site, such as http://www.microsoft.com.


  3. Delete all the Cookie files on your computer. To do this, follow the appropriate steps for your version of Internet Explorer.


    Internet Explorer 5 or later

    If you use Internet Explorer 5 or later, follow these steps:
    1. On the Tools menu, click Internet Options, and then click the General tab.


    2. Under Temporary Internet Files, click Settings.


    3. Click View Files.


    4. On the View menu, click to select the Details command.


    5. Click the Internet Address column label, and then scroll to find the Cookie files' Internet addresses. For example, a Cookie Internet address may look similar to the following:

       Cookie:jsmith@websitename.com


    6. Click a Cookie file, and then press the Delete key. If you are prompted to confirm the deletion, click Yes. Repeat this step for each Cookie file.


    Internet Explorer 4.x

    If you use Internet Explorer 4.x, follow these steps:
    1. On the View menu, click Internet Options, and then click the General tab.


    2. Under Temporary Internet Files, click Settings.


    3. Click View Files.


    4. On the View menu, click to select the Details command.


    5. Click the Internet Address column label, and then scroll to find the Cookie files' Internet addresses. For example, a Cookie Internet address may look similar to the following:

       Cookie:jsmith@websitename.com


    6. Click a Cookie file, and then press the Delete key. If you are prompted to confirm the deletion, click Yes. Repeat this step for each Cookie file.


    Internet Explorer 3.x

    If you use Internet Explorer 3.x, follow these steps:
    1. On the View menu, click Options, and then click the Advanced tab.


    2. Under Temporary Internet Files, click View Files.


    3. Click the Name column label, and then scroll to find the Cookie files. For example, a Cookie file may be named similar to the following:

       Cookie:jsmith@websitename.com


    4. Click a Cookie file, and then press the Delete key. If you are prompted to confirm the deletion, click Yes. Repeat this step for each Cookie file.


For additional information about Cookies, click the article numbers below to view the articles in the Microsoft Knowledge Base:
Q154360 "You Have Received a Cookie" Message in Internet Explorer
Q223799 Description of Persistent and Per-Session Cookies
Q153417 Location of Cookies File in Internet Explorer
Q224304 Per-Session Cookies Are Not Cleared Until You Close Browser

Additional query words: kbcssi spoof

Keywords :
Version : WINDOWS:2000,3.02,4,4.0,5; :4.0
Platform : WINDOWS
Issue type : kbhowto


Last Reviewed: February 3, 2000
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.