Taskpads Let Web Sites Invoke Executables on a User's Computer (218619)
The information in this article applies to:
- Microsoft Windows 98
- Microsoft BackOffice Server 4.0
This article was previously published under Q218619 SYMPTOMS
Taskpads is a feature that allows users to view and run Windows management tools through an HTML page rather than the Windows control. A vulnerability has been discovered in Taskpads that lets Web sites invoke executables on a user's workstation.
CAUSE
This vulnerability results because certain methods provided by Taskpads are incorrectly marked as "safe for scripting."
RESOLUTION
A patch is available for this issue that removes the Taskpads functionality, which is rarely used.
A supported fix that corrects this problem is now available from Microsoft, but has not been fully regression tested and should be applied only to systems determined to be at risk of attack. Please evaluate your system's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your system. If your system is sufficiently at risk, Microsoft recommends you apply this fix.
To resolve this problem immediately, obtain the fix as described below. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web: Windows 98 Resource Kit and Windows 98 Resource Kit Sampler
This patch has been posted to the following Internet location: BackOffice Resource Kit, Second Edition
This patch has been posted to the following Internet locations: STATUS
Microsoft has confirmed that this problem may result in some degree of
security vulnerability in Taskpads included with the Windows 98 Resource Kit, the Windows 98 Resource Kit Sampler, and the BackOffice Resource Kit, second edition.
| Modification Type: | Minor | Last Reviewed: | 12/20/2004 |
|---|
| Keywords: | kbbug kbfix kbQFE KB218619 kbAudDeveloper |
|---|
|