Preventing Internet Explorer and Outlook Express Cross-Site Scripting Security Issues (253117)
The information in this article applies to:
- Microsoft Outlook Express 5.01 for Windows NT 4.0 SP 1
- Microsoft Outlook Express 5.0 for Windows NT 4.0
- Microsoft Outlook Express 4.01 for Windows NT 4.0 SP 1
- Microsoft Outlook Express 4.01 for Windows NT 4.0 SP 2
- Microsoft Outlook Express 4.0 for Windows NT 3.51
- Microsoft Outlook Express 5.5 for Windows 98 Second Edition SP 1
- Microsoft Outlook Express 5.01 for Windows 98 Second Edition SP 1
- Microsoft Outlook Express 5.5 for Windows 98 SP 1
- Microsoft Outlook Express 5.01 for Windows 98 SP 1
- Microsoft Outlook Express 5.0 for Windows 98
- Microsoft Outlook Express 4.01 for Windows 98 SP 1
- Microsoft Outlook Express 4.01 for Windows 98 SP 2
- Microsoft Outlook Express 4.01 for Windows 3.1 SP 1
- Microsoft Outlook Express 4.01 for Windows 3.1 SP 2
- Microsoft Outlook Express 4.0 for Windows 3.1
- Microsoft Outlook Express 4.01 for UNIX on Sun Solaris
- Microsoft Outlook Express 4.01 for UNIX on HP-UX
- Microsoft Outlook Express 5.0 for Macintosh
- Microsoft Outlook Express 4.0c for Macintosh
- Microsoft Outlook Express 4.5 for Macintosh
- Microsoft Outlook Express 4.02 for Macintosh
- Microsoft Outlook Express 4.01 for Macintosh
- Microsoft Outlook Express 4.0 for Macintosh
- Microsoft Internet Explorer 5.5 for Windows NT 4.0 SP 1
- Microsoft Internet Explorer 5.01 for Windows NT 4.0 SP 1
- Microsoft Internet Explorer 5.01 for Windows NT 4.0 SP 2
- Microsoft Internet Explorer 5.0 for Windows NT 4.0
- Microsoft Internet Explorer 4.01 for Windows NT 4.0 SP 1
- Microsoft Internet Explorer 4.01 for Windows NT 4.0 SP 2
- Microsoft Internet Explorer 4.0 for Windows NT 4.0
- Microsoft Internet Explorer 3.02 for Windows NT 4.0
- Microsoft Internet Explorer 3.01 for Windows NT 4.0
- Microsoft Internet Explorer 3.0 for Windows NT 4.0
- Microsoft Internet Explorer 5.0 for Windows NT 3.51
- Microsoft Internet Explorer 4.01 for Windows NT 3.51 SP 1
- Microsoft Internet Explorer 4.0 for Windows NT 3.51
- Microsoft Internet Explorer 3.03 for Windows NT 3.51 SP 1
- Microsoft Internet Explorer 3.01 for Windows NT 3.51
- Microsoft Internet Explorer 3.0 for Windows NT 3.51
- Microsoft Internet Explorer 2.0 for Windows NT 3.51
- Microsoft Internet Explorer 5.5 for Windows Millennium Edition SP 1
- Microsoft Internet Explorer 5.5 for Windows 98 Second Edition SP 1
- Microsoft Internet Explorer 5.01 for Windows 98 Second Edition SP 1
- Microsoft Internet Explorer 5.01 for Windows 98 Second Edition SP 2
- Microsoft Internet Explorer 5.5 for Windows 98 SP 1
- Microsoft Internet Explorer 5.01 for Windows 98 SP 1
- Microsoft Internet Explorer 5.01 for Windows 98 SP 2
- Microsoft Internet Explorer 5.0 for Windows 98
- Microsoft Internet Explorer 4.01 for Windows 98 SP 1
- Microsoft Internet Explorer 4.01 for Windows 98 SP 2
- Microsoft Internet Explorer 5.5 for Windows 95 SP 1
- Microsoft Internet Explorer 5.01 for Windows 95 SP 1
- Microsoft Internet Explorer 5.01 for Windows 95 SP 2
- Microsoft Internet Explorer 5.0 for Windows 95
- Microsoft Internet Explorer 4.01 for Windows 95 SP 1
- Microsoft Internet Explorer 4.01 for Windows 95 SP 2
- Microsoft Internet Explorer 4.0 for Windows 95
- Microsoft Internet Explorer 3.02 for Windows 95
- Microsoft Internet Explorer 3.01 for Windows 95
- Microsoft Internet Explorer 3.0 for Windows 95
- Microsoft Internet Explorer 5.0 for Windows 3.1
- Microsoft Internet Explorer 4.01 for Windows 3.1 SP 1
- Microsoft Internet Explorer 4.01 for Windows 3.1 SP 2
- Microsoft Internet Explorer 4.0 for Windows 3.1
- Microsoft Internet Explorer 3.03 for Windows 3.1
- Microsoft Internet Explorer 3.02a for Windows 3.1
- Microsoft Internet Explorer 3.01 for Windows 3.1
- Microsoft Internet Explorer 3.0 for Windows 3.1
- Microsoft Internet Explorer 5.5 for Windows 2000 SP 1
- Microsoft Internet Explorer 5.01 for Windows 2000 SP 1
- Microsoft Internet Explorer 5.01 for Windows 2000 SP 2
- Microsoft Internet Explorer 4.01 for UNIX on Sun Solaris
- Microsoft Internet Explorer 4.01 for UNIX on HPUX
- Microsoft Internet Explorer 5.0 for Macintosh
- Microsoft Internet Explorer 4.5 for Macintosh
- Microsoft Internet Explorer 4.01 for Macintosh
- Microsoft Internet Explorer 4.0 for Macintosh
- Microsoft Internet Explorer 3.0a for Macintosh
- Microsoft Internet Explorer 3.01a for Macintosh
- Microsoft Internet Explorer 3.0 for Macintosh
- Microsoft Internet Explorer 2.1 for Macintosh
- Microsoft Internet Explorer 2.0 for Macintosh
- Microsoft Outlook Express Version 6 for Windows 98 Second Edition
- Microsoft Outlook Express 6 Public Preview for Windows 98
- Microsoft Outlook Express Version 6 for Windows NT 4.0
- Microsoft Outlook Express 5.0 for Windows NT 3.51
- Microsoft Outlook Express 5.0 for Windows 3.1
- Microsoft Outlook Express 5.0 for UNIX on HP-UX
- Microsoft Outlook Express 5.0 for UNIX on Sun Solaris
- Microsoft Internet Explorer version 6 for Windows XP
- Microsoft Internet Explorer version 6 for Windows 2000
- Microsoft Internet Explorer version 6 for Windows Millennium Edition
- Microsoft Internet Explorer version 6 for Windows 98 Second Edition
- Microsoft Internet Explorer version 6 for Windows 98
- Microsoft Internet Explorer version 6 for Windows NT 4.0
- Microsoft Internet Explorer 5.0 for UNIX on HPUX
- Microsoft Internet Explorer 5.0 for UNIX on Sun Solaris
This article was previously published under Q253117

SUMMARY

Microsoft has identified a serious security vulnerability that could potentially affect many Web sites and Web site users. The vulnerability, known as "Cross-Site Scripting", is possible on all programs that allow scripting, but is not a result of a defect in those programs. Instead, this vulnerability is a result of certain common Web coding practices. For additional information on this issue, please see the following Microsoft Web site:

This article describes steps to ensure that during the period when Web site owners are reviewing their code and making any necessary changes, you can continue to browse the Web safely. Any programs that use scripting can be affected by this vulnerability; we have provided instructions to minimize the effects of this issue when you are using the Microsoft programs listed at the beginning of this article. If you are using another manufacturer's program, we recommend you contact them for instructions about how to configure that program.

MORE INFORMATION

There are several precautionary steps you can take to minimize the effects of this issue. We recommend that all customers take these steps.

IMPORTANT: Precautionary steps are provided below for both supported and unsupported versions of Microsoft Internet Explorer, Outlook, and Outlook Express. If you are running an unsupported version of one of these products, Microsoft strongly recommends that, in addition to using the steps below, you also upgrade to a supported version and then apply the latest security patches from the following Microsoft Windows Update Web site:

For additional information on supported versions of Microsoft Internet Explorer, Outlook, and Outlook Express, see the following Microsoft Web sites:

How to Prevent Cross-Site Scripting in E-Mail Messages

To prevent Cross-Site Scripting from occurring in e-mail messages, turn off Active Scripting in the Restricted zone and make all e-mail messages you receive run in the Restricted zone.

NOTE: Active Scripting is disabled by default in Outlook Express 6 and Outlook 2002.

For additional information about how to turn off Active Scripting in the Restricted zone and configure all e-mail to run in the Restricted zone, click the article numbers below to view the articles in the Microsoft Knowledge Base:
- 192846 How to Disable Active Scripting in Outlook Express
- 215774 OL2000: Scripts Embedded in HTML Messages Run without Warning

For additional information about virus protection features in Outlook Express 6, click the following article number to view the article in the Microsoft Knowledge Base:
- 291387 OLEXP: Using Virus Protection Features in Outlook Express 6
Take Precautions to Avoid Attacks When You Browse the Web or Read E-Mail Messages

- Browse to Web sites that you trust are not using malicious code.
- Be careful about how you initially visit a Web site. The safest way to connect to a Web site is to type the Web address directly into the browser or use a securely stored local bookmark or favorite. If you do this, you can significantly reduce exposure while maintaining functionality.
- Do not click hyperlinks in an e-mail message, even if the message appears to be from someone you trust. A malicious user can cause a false name to appear on the From: line of an e-mail message.
Recovering from a Cross-Site Scripting Attack

NOTE: You should only take the following steps if you have credible evidence that you have visited a Web site that uses cross-site scripting. After you perform these steps, you need to re-register and re-customize any Web sites that you visit again.

To stop cross-site scripting:
- Close Internet Explorer.
- Start Internet Explorer again and visit a safe Web site, such as:
- Delete all the Cookie files on your computer. To do this, follow the appropriate steps for your version of Internet Explorer.

Internet Explorer 6 for Windows 98, Windows NT 4.0, Windows 98 Second Edition, Windows Millennium Edition, Windows XP, or Windows 2000
- On the Tools menu, click Internet Options, and then click the General tab.
- In the Temporary Internet Files section, click Delete Cookies, click OK, and then click OK again.

Internet Explorer 5.x for Windows 95, Windows 98, Windows NT 4.0, Windows 98 Second Edition, or Windows 2000
- On the Tools menu, click Internet Options, and then click the General tab.
- Under Temporary Internet Files, click Settings.
- Click View Files.
- On the View menu, click to select the Details command.
- Click the Internet Address column label, and then scroll to find the Cookie files' Internet addresses. For example, a Cookie Internet address may be named something similar to the following name:
  Cookie:jsmith@websitename.com
- Click a Cookie file, and then press the Delete key. If you are prompted to confirm the deletion, click Yes. Repeat this step for each Cookie file.

Internet Explorer 4.x for Windows 95, Windows 98, or Windows NT 4.0
- On the View menu, click Internet Options, and then click the General tab.
- Under Temporary Internet Files, click Settings.
- Click View Files.
- On the View menu, click to select the Details command.
- Click the Internet Address column label, and then scroll to find the Cookie files' Internet addresses. For example, a Cookie Internet address may be named something similar to the following name:
  Cookie:jsmith@websitename.com
- Click a Cookie file, and then press the Delete key. If you are prompted to confirm the deletion, click Yes. Repeat this step for each Cookie file.

Internet Explorer 3.x for Windows 95 or Windows NT 4.0
- On the View menu, click Options, and then click the Advanced tab.
- Under Temporary Internet Files, click View Files.
- Click the Name column label, and then scroll to find the Cookie files. For example, a Cookie file may be named something similar to the following name:
  Cookie:jsmith@websitename.com
- Click a Cookie file, and then press the Delete key. If you are prompted to confirm the deletion, click Yes. Repeat this step for each Cookie file.

Internet Explorer 3.x, 4.x, or 5 for Windows 3.1x and Windows NT 3.51
- In File Manager, click Search on the File menu.
- In the Search For box, type emcookie.dat.
- In the Start From box, type the drive letter where Internet Explorer is installed, followed by a colon (:) and backslash (\). For example, C:\.
- Click to select the Search All Subdirectories box, and then click OK.
- In the Search Results window, click the Emcookie.dat file, and then click Delete on the File menu.
- Click OK, click Yes if you are prompted to confirm the deletion, and then click Yes to update the Search Results window.

Internet Explorer 4.x for Macintosh
- On the Edit menu, click Preferences.
- Under Receiving Files, click Cookies.
- Click one of the displayed cookies.
- On the Edit menu, click Select All, and then click Delete.

Internet Explorer 4 or 5 for UNIX on HP-UX or Sun Solaris
- Change to the .microsoft directory in the user's home directory.
- Change to the Cookies directory inside of the .microsoft directory.
- Delete all .txt files located in this directory. For example, user@www.example.com.txt.
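The Internet Explorer for UNIX steps above can be scripted. The following POSIX shell function is an added example and is not part of the Microsoft article: it removes the per-site .txt cookie files from a Cookies directory (defaulting to $HOME/.microsoft/Cookies, the location the article names), supports a dry run that only lists what would be removed, and prints the number of files affected; the function names and the dry-run argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the Microsoft KB article.
# Removes Internet Explorer for UNIX cookie files (one *.txt file per site,
# e.g. user@www.example.com.txt) from a Cookies directory and prints the
# number of files removed. Usage: clear_ie_unix_cookies [cookies_dir] [yes]
clear_ie_unix_cookies() {
    dir="${1:-$HOME/.microsoft/Cookies}"   # default location from the article
    dry="${2:-no}"                         # pass "yes" to only list the files
    if [ ! -d "$dir" ]; then
        echo "no cookie directory at $dir" >&2
        return 1
    fi
    count=0
    for f in "$dir"/*.txt; do
        [ -e "$f" ] || continue            # the glob matched nothing
        if [ "$dry" = "yes" ]; then
            echo "would remove: $f"
        else
            rm -f -- "$f" || return 1
        fi
        count=$((count + 1))
    done
    echo "$count"                          # last line of output is the count
    return 0
}

# Counts the .txt cookie files left in a directory, to verify the cleanup.
count_ie_unix_cookies() {
    dir="${1:-$HOME/.microsoft/Cookies}"
    n=0
    for f in "$dir"/*.txt; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}
```

Run it once with the dry-run argument to review the list before deleting; only .txt files are touched, so any other files in the directory are left alone.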
For additional information about
cookies, click the following article number to view the article in the
Microsoft Knowledge Base:
Modification Type: Major
Last Reviewed: 5/4/2006
Keywords: kbCSSI kbhowto KB253117