Security Vulnerability in ImportExportFavorites() Function in Internet Explorer 5.0 (241362)
The information in this article applies to:
- Microsoft Internet Explorer 5.0 for Windows NT 4.0
- Microsoft Internet Explorer 5.0 for Windows 98
- Microsoft Internet Explorer 5.0 for Windows 95
- Microsoft Internet Explorer 5.0 for Windows 98 Second Edition
This article was previously published under Q241362
SUMMARY
Internet Explorer 5.0 includes a feature that allows you to
export a list of your favorite Web sites to a file, or to import a file
containing a list of favorite sites. The method that is used to perform this
function, ImportExportFavorites(), should only allow particular types of files to be written, and
only to specific locations on the drive. However, it is possible for a Web site
to invoke this method, bypass this restriction, and write files that may be
used to run system commands. As a result, a malicious Web site operator can
potentially take any action on the computer that a user is capable of
performing.
MORE INFORMATION
This vulnerability only affects Windows 95-based, Windows
98-based, Windows 98 Second Edition-based, and Windows NT 4.0-based computers
that are connected to the Internet and that are using Internet Explorer 5.0
with Active Scripting enabled. By default, Active Scripting is enabled in
Internet Explorer 5.0. This problem is resolved in Internet Explorer
5.01 and later. Microsoft recommends that you upgrade to the latest version of
Internet Explorer to resolve this problem.
For additional information about how
to determine which version of Internet Explorer you are using, click the
following article number to view the article in the Microsoft Knowledge Base:
164539 How to Determine Which Version of Internet Explorer Is Installed
For additional information about how to
obtain the latest version of Internet Explorer 5.5, click the following article
number to view the article in the Microsoft Knowledge Base:
267954 How to Obtain the Latest Internet Explorer 5.5 Service Pack
For additional information about how to
obtain the latest version of Internet Explorer 6, click the following article
number to view the article in the Microsoft Knowledge Base:
328548 How to Obtain the Latest Internet Explorer 6 Service Pack
On December 8, 1999, Microsoft released a
patch that eliminates this error and several other vulnerabilities in Internet
Explorer 5.0.
For additional information
about this patch, click the following article number to view the article in the
Microsoft Knowledge Base:
246094 Update Available for "Server-Side Page Reference Redirect" Vulnerability
For additional
information about the other vulnerabilities resolved with this patch, click the
following article numbers to view the articles in the Microsoft Knowledge Base:
241361 Update Available for Vulnerabilities in ActiveX Controls Issue
231450 Update Available for the "Malformed Favorites Icon" Issue
The English version of this fix should
have the following file attributes or later:
File Name Size Date Time Version
-----------------------------------------------------------
Shdocvw.dll 946,448 Sep-14-1999 05:19p 5.00.2721.1400
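The file-version check above can be automated when auditing a copy of Shdocvw.dll, for example one pulled from a disk image. The following is an added example, not Microsoft's code: it reads the version from the VS_FIXEDFILEINFO structure in the raw file bytes and compares it with the version in the table. The function names and the sample inputs are hypothetical and constructed for illustration.

```python
import struct

# Fixed version from the article's file table for Shdocvw.dll.
FIXED_VERSION = (5, 0, 2721, 1400)
VS_FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)  # VS_FIXEDFILEINFO.dwSignature


def parse_version(text):
    """Turn '5.00.2721.1400' into (5, 0, 2721, 1400)."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)


def file_version_from_bytes(data):
    """Find VS_FIXEDFILEINFO in raw PE bytes and return its file version.

    Layout after dwSignature: dwStrucVersion, dwFileVersionMS, dwFileVersionLS.
    Returns None if no version resource is found.
    """
    pos = data.find(VS_FFI_SIGNATURE)
    while pos != -1:
        if pos + 16 <= len(data):
            struc_ver, ms, ls = struct.unpack_from("<III", data, pos + 4)
            if struc_ver == 0x00010000:  # documented structure version
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(VS_FFI_SIGNATURE, pos + 1)
    return None


def has_fix(data, fixed=FIXED_VERSION):
    """True if version >= fixed; None when the version cannot be read."""
    version = file_version_from_bytes(data)
    return None if version is None else version >= fixed


def make_sample(version):
    """Constructed test input: padding plus a minimal VS_FIXEDFILEINFO header."""
    a, b, c, d = version
    return b"MZ" + b"\x00" * 62 + VS_FFI_SIGNATURE + struct.pack(
        "<III", 0x00010000, (a << 16) | b, (c << 16) | d)


if __name__ == "__main__":
    # Constructed sample versions: below, equal to, and above the fixed build.
    for v in ("5.00.2000.0", "5.00.2721.1400", "5.00.3000.0"):
        print(v, "->", has_fix(make_sample(parse_version(v))))
```

To check a real file, pass its contents, read in binary mode, to `has_fix`; a result of `None` means no version resource was found and the file needs manual review.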
For additional information about the ImportExportFavorites() issue, visit the following Microsoft Security Bulletin Web site:
For additional security-related information about Microsoft
products, visit the following Microsoft Web site:
Modification Type: Major
Last Reviewed: 9/18/2003
Keywords: kbenv kbinfo KB241362