Update Available for "IFRAME ExecCommand" Vulnerability in Internet Explorer 5 (243638)


The information in this article applies to:

  • Microsoft Internet Explorer 5.0 for Windows NT 4.0
  • Microsoft Internet Explorer 5.0 for Windows 98
  • Microsoft Internet Explorer 5.0 for Windows 95
This article was previously published under Q243638

SUMMARY

Microsoft has made an update available that addresses a potential security issue relating to the use of the Document.ExecCommand() method when invoked on an IFrame. When you visit a Web site, this issue may enable a malicious Web site operator to read files on your computer, although the name and location of the file would have to be known to exploit this issue.

NOTE: Microsoft has not received any reports of adverse effects as a result of this issue.

Additional information about this issue is available at the following Microsoft Web sites:

http://www.microsoft.com/windows/ie/security/default.asp

http://www.microsoft.com/security/bulletins/ms99-042.asp

Updates are available for the following products:
  • Microsoft Internet Explorer 5 for Windows 95
  • Microsoft Internet Explorer 5 for Windows NT 4.0 (Alpha and x86)
  • Microsoft Windows 98
An updated version of the "IFRAME ExecCommand" Vulnerability update was posted on November 4, 1999. This update also fixes the MSHTML issues in Microsoft Internet Explorer 5 previously documented in the following articles in the Microsoft Knowledge Base:

226325 Update Available for MSHTML Security Issues in Internet Explorer

242542 Download Behavior Vulnerability in Internet Explorer 5

For additional information about these issues, please see the following Microsoft Web sites:

http://www.microsoft.com/security/bulletins/MS99-012.asp

http://www.microsoft.com/security/bulletins/ms99-040.asp

Note that this issue does not occur in Internet Explorer 5.01.

MORE INFORMATION

This fix blocks the execCommand only in cases where it is being used cross-domain and from script.

To obtain this update, download and install the appropriate Q243638.exe file for your computer from the following Microsoft site:

http://www.microsoft.com/msdownload/iebuild/dlbhav/en/dlbhav.htm

October 15 version of Q243638.exe: 
   File name   Size       Date        Version         Platform
   -----------------------------------------------------------
   Mshtml.dll  2,355,472  10/13/1999  5.00.2722.1300  x86
   Mshtml.dll  4,983,056  10/13/1999  5.00.2722.1300  Alpha
IMPORTANT: On October 29, 1999, Microsoft learned that this patch had caused a regression error. While this patch did correct the "IFRAME ExecCommand" vulnerability, it caused an older vulnerability to be re-exposed for Internet Explorer 5 users. The October 15 version of this patch does not include fixes for the issues documented in the following Microsoft Knowledge Base article:

242542 Download Behavior Vulnerability in Internet Explorer 5

For additional information about these issues, please see the following Microsoft Web site:

http://www.microsoft.com/security/bulletins/MS99-012.asp

Microsoft has corrected this regression error and re-released the patch. If you previously applied the fix for this vulnerability, you need to apply the updated fix.

November 4 version of Q243638.exe: 
   File name   Size       Date        Version         Platform
   -----------------------------------------------------------
   Mshtml.dll  2,355,472  10/29/1999  5.00.2722.2800  x86
   Mshtml.dll  4,983,056  10/29/1999  5.00.2722.2800  Alpha
After you install this update "Q243638" is added to the Update Versions line when you click About Internet Explorer on the Help menu in Internet Explorer.

Microsoft highly recommends that Internet Explorer 5 users evaluate the degree of risk that this vulnerability poses to their computers and determine whether to download and install the patch. Users who are concerned about this vulnerability but cannot install the patch can prevent this behavior from operating by disabling Active Scripting in Internet Explorer 5:
  1. In Internet Explorer 5, click Internet Options on the Tools menu, and then click the Security tab.
  2. Click the Internet zone, and then click Custom Level.
  3. In the Settings box, locate the Active Scripting item under Scripting, and then click Disable.
  4. Click OK, and then click OK.
NOTE: If you visit Web sites that rely on Active Scripting, some of their features and functions may not be available. If you need Active Scripting to use a site that you trust, you may want to consider adding the site to the Trusted Sites zone:
  1. In Internet Explorer 5, click Internet Options on the Tools menu, and then click the Security tab.
  2. Click the Trusted Sites zone, and then click Sites.
  3. Type the Web address (URL) of the site, and then click Add.
  4. Click OK, and then click OK.
Modification Type:MinorLast Reviewed:2/18/2004
Keywords:kbenv kbinfo KB243638
©2004 Microsoft Corporation. All rights reserved.