Update Available For "Frame Spoof" Security Issue (167614)


The information in this article applies to:

  • Microsoft Internet Explorer 5.0 for Windows NT 4.0
  • Microsoft Internet Explorer 4.01 for Windows NT 4.0 SP 1
  • Microsoft Internet Explorer 4.0 for Windows NT 4.0
  • Microsoft Internet Explorer 3.02 for Windows NT 4.0
  • Microsoft Internet Explorer 3.01 for Windows NT 4.0
  • Microsoft Internet Explorer 3.0 for Windows NT 4.0
  • Microsoft Internet Explorer 5.0 for Windows 95
  • Microsoft Internet Explorer 4.01 for Windows 95 SP 1
  • Microsoft Internet Explorer 4.0 for Windows 95
  • Microsoft Internet Explorer 3.02 for Windows 95
  • Microsoft Internet Explorer 3.01 for Windows 95
  • Microsoft Internet Explorer 3.0 for Windows 95
  • Microsoft Internet Explorer 4.0 for Windows 98
  • Microsoft Internet Explorer 4.01 for Windows 98
  • Microsoft Internet Explorer 5.0 for Windows 98
  • Microsoft Internet Explorer 5.01 for Windows 98
  • Microsoft Internet Explorer 2.0 for Windows 3.1
  • Microsoft Internet Explorer 2.01 for Windows 3.1
  • Microsoft Internet Explorer 2.1 for Windows 3.1
  • Microsoft Internet Explorer 3.0 for Windows 3.1
  • Microsoft Internet Explorer 3.01 for Windows 3.1
  • Microsoft Internet Explorer 3.03 for Windows 3.1
  • Microsoft Internet Explorer 4.0 for Windows 3.1
  • Microsoft Internet Explorer 4.01 for Windows 3.1
  • Microsoft Internet Explorer 4.5 for Windows 3.1
  • Microsoft Internet Explorer 5.0 for Windows 3.1
  • Microsoft Internet Explorer 3.02a for Windows 3.1
  • Microsoft Internet Explorer 1.5 for Windows NT 3.51
  • Microsoft Internet Explorer 2.0 for Windows NT 3.51
  • Microsoft Internet Explorer 3.0 for Windows NT 3.51
  • Microsoft Internet Explorer 3.01 for Windows NT 3.51
  • Microsoft Internet Explorer 3.03 for Windows NT 3.51
  • Microsoft Internet Explorer 4.0 for Windows NT 3.51
  • Microsoft Internet Explorer 4.01 for Windows NT 3.51
  • Microsoft Internet Explorer 4.5 for Windows NT 3.51
  • Microsoft Internet Explorer 5.0 for Windows NT 3.51
  • Microsoft Internet Explorer 3.02a for Windows NT 3.51
  • Microsoft Internet Explorer 4.01 for UNIX on HPUX
  • Microsoft Internet Explorer 5.0 for UNIX on HPUX
  • Microsoft Internet Explorer 4.01 for UNIX on Sun Solaris
  • Microsoft Internet Explorer 5.0 for UNIX on Sun Solaris
  • Microsoft Internet Explorer 2.0 for Macintosh
  • Microsoft Internet Explorer 2.1 for Macintosh
  • Microsoft Internet Explorer 3.0 for Macintosh
  • Microsoft Internet Explorer 4.0 for Macintosh
  • Microsoft Internet Explorer 4.01 for Macintosh
  • Microsoft Internet Explorer 4.5 for Macintosh
  • Microsoft Internet Explorer 5.0 for Macintosh
  • Microsoft Internet Explorer 3.01a for Macintosh
  • Microsoft Internet Explorer 3.0a for Macintosh
This article was previously published under Q167614

SUMMARY

Microsoft has made an update available that addresses a potential security issue with regard to the use of frames in Internet Explorer. Additional information about this issue is available from the following Microsoft Web site:

http://www.microsoft.com/technet/security/Bulletin/MS98-020.asp

Updates are available for the following products:
  • Microsoft Internet Explorer 4.01 and 4.01 SP1 for Windows 95
  • Microsoft Internet Explorer 4.01 and 4.01 SP1 for Windows NT 4.0 (Alpha and x86)
  • Microsoft Windows 98
  • Microsoft Internet Explorer 4.01 for Windows 3.1
  • Microsoft Internet Explorer 4.01 for Windows NT 3.51
This issue may enable a malicious Web site operator to mimic a legitimate Web site by inserting a window as a frame within the legitimate Web site's window. Microsoft has not received any reports of adverse effects as a result of this issue.

This update also fixes the "Untrusted Scripted Paste" and "Cross Frame Navigate" issues in Microsoft Internet Explorer 4.01 and 4.01 Service Pack 1 running on Windows operating systems. Additional information is available at the following Microsoft Web site:

http://www.microsoft.com/windows/ie/security/default.asp

After installing this update, "3214" is added to the "Update versions" line when you click About Internet Explorer on the Help menu.

Note Internet Explorer 5 automatically includes protection against the "Frame Spoof" vulnerability at High security. To enable this protection in Internet Explorer 5 without using a High security setting, use the following steps:
  1. Click Start, point to Settings, click Control Panel, and then double-click Internet.
  2. Click the Security tab.
  3. Under Select a Web content zone to specify its security settings, click Internet.
  4. Click Custom Level.
  5. Under Navigate sub-frames across different domains, click Disable.
  6. Click OK.

MORE INFORMATION

Update Information by Product:

Warning This Frame Spoof patch may affect programs that host WebBroswer controls. Microsoft recommends you not install this patch if your program is affected.

Note If you are using Internet Explorer 3.x or 4.0, you must install Internet Explorer 4.01 in order to apply this update. You can install Internet Explorer 4.01 with Service Pack 1 from the following Microsoft Web site:

http://www.microsoft.com/windows/ie/downloads/default.mspx

Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows 95:

Update File Name: 3214.exe
Availability: http://www.microsoft.com/windows/ie/security

   Updated File Name    Size (bytes)   Date       Version
   -------------------------------------------------------------
   Mshtml.dll           2422032        12/19/98   4.72.3612.1700
Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows NT 4.0 x86:

Update File Name: 3214.exe
Availability: http://www.microsoft.com/windows/ie/security

   Updated File Name    Size (bytes)   Date       Version
   -------------------------------------------------------------
   Mshtml.dll           2421520        12/19/98   4.72.3612.1700
Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows NT 4.0 Alpha:

Update File Name: 3214a.exe
Availability: http://www.microsoft.com/windows/ie/security

   Updated File Name    Size (bytes)   Date       Version
   -------------------------------------------------------------
   Mshtml.dll           3948304        12/19/98   4.72.3612.1700
Windows 98:

Update File Name: 3214.exe
Availability: Microsoft Windows Update 

   Updated File Name    Size (bytes)   Date       Version
   -------------------------------------------------------------
   Mshtml.dll           2422832        12/19/98   4.72.3612.1700
Microsoft Internet Explorer 4.01 for Windows 3.1 and Windows NT 3.51:

Update File Name: 3214.exe
Availability: http://www.microsoft.com/windows/ie/security

   Updated File Name    Size (bytes)   Date       Version
   ------------------------------------------------------------
   Mshtml16.dll         3086400        12/21/98   4.1.2512.2100
Note After applying this update, cross-frame navigation will be permitted only in the following cases:
  1. You own the frame (ownership is defined as being the direct parent).
  2. You are in the same domain as the owner of the frame.

    -or-
  3. The frame is a top-level window (applies to "target=" cases).
Also, after applying this update, you may receive the following error message when loading a Web page that contains the potential security issue:
Internet Explorer Script Error
An error has occurred in the script on this page.

Line: <line number>
Char: <character number>
Error: Permission denied
Code: <code number>

Do you want to continue running scripts on this page?
Modification Type:MajorLast Reviewed:7/26/2006
Keywords:kbinfo KB167614
©2004 Microsoft Corporation. All rights reserved.