Update Available for "Server-Side Page Reference Redirect" Vulnerability (246094)



The information in this article applies to:

  • Microsoft Internet Explorer 5.01 for Windows NT 4.0
  • Microsoft Internet Explorer 5.01 for Windows 98 Second Edition
  • Microsoft Internet Explorer 5.01 for Windows 98
  • Microsoft Internet Explorer 5.01 for Windows 95
  • Microsoft Internet Explorer 5.0 for Windows NT 4.0
  • Microsoft Internet Explorer 5.0 for Windows 98 Second Edition
  • Microsoft Internet Explorer 5.0 for Windows 98
  • Microsoft Internet Explorer 5.0 for Windows 95
  • Microsoft Internet Explorer 4.01 for Windows NT 4.0
  • Microsoft Internet Explorer 4.01 for Windows 95
  • Microsoft Internet Explorer 4.0 for Windows NT 4.0
  • Microsoft Internet Explorer 4.0 for Windows 95

This article was previously published under Q246094

SUMMARY

Microsoft has released a patch that eliminates a vulnerability in Microsoft Internet Explorer 4 and 5 that may allow a malicious Web site operator to view a file on the computer of a visiting user, provided that the Web site operator knows the name of the file and folder.

Additional information about this vulnerability is available at: Updates are available for the following products:
  • Internet Explorer 4.01 SP2 for Microsoft Windows 95 and Microsoft Windows NT 4.0 (x86 and Alpha)
  • Microsoft Windows 98
  • Internet Explorer 5 and 5.01 for Windows 95, Windows 98, and Windows NT 4.0 (x86 and Alpha)
This update also includes fixes for the following previous security issues.

NOTE: You do not need to install these fixes after installing the update mentioned above. For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

231450 Update Available for the 'Malformed Favorites Icon' Issue

241362 Update Available for the ImportExportFavorites Issue

MORE INFORMATION

This problem is resolved in Internet Explorer 5.01 for Windows 2000 and Internet Explorer 5.01 SP1 and later for other platforms. We recommend that you upgrade to the latest version of Internet Explorer to resolve this problem.

For additional information about how to determine which version of Internet Explorer you are using, click the following article number to view the article in the Microsoft Knowledge Base:

164539 How to Determine Which Version of Internet Explorer Is Installed

For additional information about how to obtain the latest version of Internet Explorer 5.5, click the following article number to view the article in the Microsoft Knowledge Base:

267954 How to Obtain the Latest Internet Explorer 5.5 Service Pack

For additional information about how to obtain the latest version of Internet Explorer 6, click the following article number to view the article in the Microsoft Knowledge Base:

328548 How to Obtain the Latest Internet Explorer 6 Service Pack

Update Information by Product

Internet Explorer 4.01 SP2 for Windows 95 and Windows NT 4.0

   File name    Size       Date        Version         Platform
   ------------------------------------------------------------
   Shdocvw.dll  2,174,736  11/30/1999  4.72.3711.2900  9x
   Shdocvw.dll  2,174,736  11/30/1999  4.72.3711.2900  NT (x86)
   Shdocvw.dll  3,154,704  11/29/1999  4.72.3711.2900  NT (Alpha)
				

Though the Windows 95 and Windows NT 4.0 x86 files are the same size, they are different binaries and are not interchangeable. These files are named Shdo95.dll and Shdont.dll inside the package. When they are extracted, the files are named appropriately as they are installed on your computer.

Internet Explorer 5.0 for Windows 95, Windows 98, and Windows NT 4.0

   File name    Size       Date        Version         Platform
   ------------------------------------------------------------
   Shdocvw.dll  950,544    11/29/1999  5.0.2723.2900   (x86)
   Shdocvw.dll  1,617,680  11/29/1999  5.0.2723.2900   (Alpha)
				

Internet Explorer 5.01 for Windows 95, Windows 98, and Windows NT 4.0

   File name    Size       Date        Version         Platform
   ------------------------------------------------------------
   Shdocvw.dll  1,102,608  11/29/1999  5.0.2919.6400   (x86)
				


NOTE: If you are using Internet Explorer 4.0 or 4.01 Service Pack 1, you must install Internet Explorer 4.01 Service Pack 2 in order to apply this update. You can install Internet Explorer 4.01 Service Pack 2 from the following Microsoft Web site: When a Web server performs a server-side redirect, the Internet Explorer security model verifies the server's permissions on the new page. However, under certain timing conditions, it is possible for a Web server to create a reference to a client window that the server is permitted to view. Then the Web server could use a server-side redirect to a client-local file, and bypass the security restrictions. The result is that it may be possible for a malicious Web site operator to view, but not change, create or delete, files on the computer of a visiting user. The Web site operator would need to know (or guess) the name and location of the file.

Modification Type:MajorLast Reviewed:8/12/2005
Keywords:kbbug kbfix kbpolicy KB246094