SUMMARY
Microsoft has released a patch that eliminates a
vulnerability in Microsoft Internet Explorer 4 and 5 that may allow a malicious
Web site operator to view a file on the computer of a visiting user, provided
that the Web site operator knows the name of the file and folder.
Additional information about this vulnerability is available at:
Updates are available for the following products:
- Internet Explorer 4.01 SP2 for Microsoft Windows 95 and
Microsoft Windows NT 4.0 (x86 and Alpha)
- Microsoft Windows 98
- Internet Explorer 5 and 5.01 for Windows 95, Windows 98,
and Windows NT 4.0 (x86 and Alpha)
This update also includes fixes for the following previous
security issues.
NOTE: You do not need to install these fixes after installing the
update mentioned above.
For additional information, click the article numbers below to
view the articles in the Microsoft Knowledge Base:
231450 Update Available for the 'Malformed Favorites Icon' Issue
241362 Update Available for the ImportExportFavorites Issue
MORE INFORMATION
This problem is resolved in Internet Explorer 5.01 for
Windows 2000 and Internet Explorer 5.01 SP1 and later for other platforms. We
recommend that you upgrade to the latest version of Internet Explorer to
resolve this problem.
For
additional information about how to determine which version of Internet
Explorer you are using, click the following article number to view the article
in the Microsoft Knowledge Base:
164539
How to Determine Which Version of Internet Explorer Is Installed
For additional information about how to
obtain the latest version of Internet Explorer 5.5, click the following article
number to view the article in the Microsoft Knowledge Base:
267954
How to Obtain the Latest Internet Explorer 5.5 Service Pack
For additional information about how to
obtain the latest version of Internet Explorer 6, click the following article
number to view the article in the Microsoft Knowledge Base:
328548
How to Obtain the Latest Internet Explorer 6 Service Pack
Update Information by Product
Internet Explorer 4.01 SP2 for Windows 95 and Windows NT 4.0
File name Size Date Version Platform
------------------------------------------------------------
Shdocvw.dll 2,174,736 11/30/1999 4.72.3711.2900 9x
Shdocvw.dll 2,174,736 11/30/1999 4.72.3711.2900 NT (x86)
Shdocvw.dll 3,154,704 11/29/1999 4.72.3711.2900 NT (Alpha)
Though the Windows 95 and Windows NT 4.0 x86 files are the
same size, they are different binaries and are not interchangeable. These files
are named Shdo95.dll and Shdont.dll inside the package. When they are
extracted, the files are named appropriately as they are installed on your
computer.
Internet Explorer 5.0 for Windows 95, Windows 98, and Windows NT 4.0
File name Size Date Version Platform
------------------------------------------------------------
Shdocvw.dll 950,544 11/29/1999 5.0.2723.2900 (x86)
Shdocvw.dll 1,617,680 11/29/1999 5.0.2723.2900 (Alpha)
Internet Explorer 5.01 for Windows 95, Windows 98, and Windows NT 4.0
File name Size Date Version Platform
------------------------------------------------------------
Shdocvw.dll 1,102,608 11/29/1999 5.0.2919.6400 (x86)
NOTE: If you are using Internet Explorer 4.0 or 4.01 Service Pack 1,
you must install Internet Explorer 4.01 Service Pack 2 in order to apply this
update. You can install Internet Explorer 4.01 Service Pack 2 from the
following Microsoft Web site:
When a Web server performs a server-side redirect, the Internet
Explorer security model verifies the server's permissions on the new page.
However, under certain timing conditions, it is possible for a Web server to
create a reference to a client window that the server is permitted to view.
Then the Web server could use a server-side redirect to a client-local file,
and bypass the security restrictions. The result is that it may be possible for
a malicious Web site operator to view, but not change, create or delete, files
on the computer of a visiting user. The Web site operator would need to know
(or guess) the name and location of the file.