FIX: Object Access Error from WebBrowser Control with "Frames Spoof" Fix (214554)



The information in this article applies to:

  • Microsoft Internet Explorer (Programming) 4.0
  • Microsoft Internet Explorer (Programming) 4.01
  • Microsoft Internet Explorer (Programming) 4.01 SP1

This article was previously published under Q214554

SYMPTOMS

The following error message appears when a Visual Basic application or UserControl hosting a WebBrowser Control attempts to access frames inside a hosted HTML page:
ERROR 424 "Object Required"
This problem occurs only on computers that have had the Frames Spoof patch installed.

CAUSE

After you install the Frames Spoof fix, Internet Explorer prevents programs from scripting across frames, even within the same domain, when hosting the WebBrowser control.

RESOLUTION

Currently there is no recommended workaround for this bug. Developers should warn their users not to install this Frame Spoof fix if their applications are scripting across frames.

STATUS

Microsoft has confirmed that this is a bug in the Frames Spoof patch. This bug was corrected in Microsoft Internet Explorer 5. It was also corrected in Internet Explorer 4.01 Service Pack 2.

MORE INFORMATION

After you apply the Frames Spoof patch, code that previously worked and that refers to cross-frame elements through a WebBrowser control will not work as expected.

In this Frames Spoof patch, an updated version of Mshtml.dll (version 4.72.3612.1700) is installed. This updated version of Mshtml.dll prevents programs from referencing cross-frames elements even within the same domain.

A program can still read the length of the frames collection; however, if it tries to access the properties or methods of an individual frame, the reference returns Empty instead of the object, and the error message mentioned above occurs.

However, if the code does not involve any frames, accessing the DHTML document is not affected.

Also, this patch does not affect scripting inside HTML pages. If you reference an element in another frame using scripts in an Active Server Pages (.asp) or an HTML (.htm) file, your script should work as expected even with the Frame Spoof patch. Only hosts of the WebBrowser control are affected.
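The following Visual Basic sketch is an added example, not code from the original article. It shows how a host can detect the failure described above and degrade gracefully instead of stopping on error 424. It assumes a form that hosts a WebBrowser control named WebBrowser1; the function name TryGetFrameDocument is hypothetical.

```vb
' Added example: assumes a form hosting a WebBrowser control named WebBrowser1.
' TryGetFrameDocument is a hypothetical helper name.
Private Function TryGetFrameDocument(ByVal index As Long, _
                                     ByRef frameDoc As Object) As Boolean
    Dim doc As Object
    Dim frameCount As Long

    Set frameDoc = Nothing
    TryGetFrameDocument = False

    On Error GoTo AccessFailed

    Set doc = WebBrowser1.Document
    If doc Is Nothing Then Exit Function        ' no page loaded yet

    ' Reading the collection length still works with the patch installed.
    frameCount = doc.frames.length
    If index < 0 Or index >= frameCount Then Exit Function

    ' With the patched Mshtml.dll the frame reference comes back Empty,
    ' so this dereference raises error 424 "Object Required".
    Set frameDoc = doc.frames(index).document
    TryGetFrameDocument = Not (frameDoc Is Nothing)
    Exit Function

AccessFailed:
    If Err.Number = 424 Then
        Debug.Print "Frame " & index & " of " & frameCount & _
                    " is not accessible (error 424); cross-frame access may be blocked."
    Else
        Debug.Print "Unexpected error " & Err.Number & ": " & Err.Description
    End If
    Set frameDoc = Nothing
    Err.Clear
End Function

Private Sub WebBrowser1_DocumentComplete(ByVal pDisp As Object, URL As Variant)
    Dim frameDoc As Object
    ' Act only when the top-level document has finished loading.
    If pDisp Is WebBrowser1.Object Then
        If TryGetFrameDocument(0, frameDoc) Then
            Debug.Print frameDoc.body.innerText
        End If
    End If
End Sub
```

A frame count greater than zero combined with error 424 on every frame matches the symptom this article describes.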

Other Information

Because the Frame Spoof vulnerability applies to many software versions, this problem might occur in other software versions if the Frame Spoof fix is applied. However, apart from the versions mentioned above, other platforms have not been tested to confirm this problem.

The following software versions may be affected by this bug if the Frame Spoof fix is applied:
  • Microsoft Internet Explorer versions 4.0, 4.01, 4.01 Service Pack 1 for Windows 95
  • Microsoft Internet Explorer versions 4.01 Service Pack 1 for Windows 98
  • Microsoft Internet Explorer versions 4.0, 4.01, 4.01 Service Pack 1 for Windows NT 4.0
  • Microsoft Internet Explorer versions 4.0, 4.01 for Windows 3.1
  • Microsoft Internet Explorer versions 4.0, 4.01 for Windows NT 3.51
The following platforms should not be affected by this bug because the Frame Spoof fix is not currently available for these platforms:
  • Microsoft Internet Explorer versions 3.X, 4.X for Macintosh
  • Microsoft Internet Explorer version 4 for UNIX on HPUX
  • Microsoft Internet Explorer version 4 for UNIX on Sun Solaris

REFERENCES

For more information on where to obtain the Frame Spoof fix, please see the following Microsoft Web sites:

167614 Update Available For "Frame Spoof" Security Issue


Modification Type: Minor
Last Reviewed: 7/8/2005
Keywords: kbBug kbDHTML kbfix kbie500fix kbInetDev KbSECBulletin kbSecurity kbWebBrowser KB214554