Patch Available for "Active Setup Download" Vulnerability in Internet Explorer (265258)



The information in this article applies to:

  • Microsoft Internet Explorer 5.5 for Windows NT 4.0
  • Microsoft Internet Explorer 5.01 for Windows NT 4.0 SP 1
  • Microsoft Internet Explorer 5.0 for Windows NT 4.0
  • Microsoft Internet Explorer 4.01 for Windows NT 4.0 SP 1
  • Microsoft Internet Explorer 4.01 for Windows NT 4.0 SP 2
  • Microsoft Internet Explorer 4.0 for Windows NT 4.0
  • Microsoft Internet Explorer 5.5 for Windows 98 Second Edition
  • Microsoft Internet Explorer 5.01 for Windows 98 Second Edition SP 1
  • Microsoft Internet Explorer 5.5 for Windows 98
  • Microsoft Internet Explorer 5.01 for Windows 98 SP 1
  • Microsoft Internet Explorer 5.0 for Windows 98
  • Microsoft Internet Explorer 4.01 for Windows 98 SP 2
  • Microsoft Internet Explorer 5.5 for Windows 95
  • Microsoft Internet Explorer 5.01 for Windows 95 SP 1
  • Microsoft Internet Explorer 5.0 for Windows 95
  • Microsoft Internet Explorer 4.01 for Windows 95 SP 1
  • Microsoft Internet Explorer 4.01 for Windows 95 SP 2
  • Microsoft Internet Explorer 4.0 for Windows 95
  • Microsoft Internet Explorer 5.5 for Windows 2000
  • Microsoft Internet Explorer 5.01 for Windows 2000 SP 1
  • Microsoft Windows 95 OEM Service Release 2.5

This article was previously published under Q265258

SUMMARY

On June 29, 2000 Microsoft released a patch that eliminates a security vulnerability in an ActiveX control that is included with Internet Explorer 4.01 SP2 and 5.01. This vulnerability could be used to overwrite files on the computer of a user who visited a malicious Web site operator's site.

You can find additional information regarding this vulnerability and the patch at the following Microsoft Web site:

On August 9, 2000, Microsoft released a patch that eliminates this vulnerability for Internet Explorer 5.5. For additional information, please see the following Microsoft Web site:

MORE INFORMATION

The Active Setup Control enables .cab files to be downloaded to a user's computer as part of the installation process for software updates. However, the control has the following two flaws:
  • All Microsoft-signed .cab files are treated as trusted, which enables them to be installed without asking the user's approval.
  • The control provides a method by which the caller can specify a download location on the user's hard disk.
In combination, these two flaws could enable a malicious Web site operator to download a Microsoft-signed .cab file as a means of overwriting a file on a user's computer. By overwriting system files, this could enable the malicious user to make the computer unusable.

NOTE: There is no capability through this vulnerability to actually install the software that has been downloaded; the vulnerability only enables files to be overwritten in a denial of service attack. System File Protection in Windows 2000 would prevent an attack like this one from being used to overwrite system files.
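
The two flaws call for two separate checks: a valid signature must not stand in for the user's approval, and a caller-supplied destination must not be able to leave a fixed download directory. The following Python example is added here for illustration; it is not Microsoft's code and does not describe how the patch works, and the staging directory, function names and sample requests are assumptions constructed for the example.

```python
import ntpath  # Windows path rules, importable on any platform

# Assumed staging directory for this illustration (not taken from the article).
STAGING_DIR = r"C:\Windows\Downloaded Installations"


class DownloadRejected(Exception):
    """Raised when a requested destination is not acceptable."""


def confined_target(requested: str, staging: str = STAGING_DIR) -> str:
    """Map a caller-supplied name to a path that must stay inside `staging`."""
    drive, rest = ntpath.splitdrive(requested)
    # Flaw 2 countermeasure: the caller never chooses a drive, share or root.
    if drive or rest.startswith(("\\", "/")):
        raise DownloadRejected("absolute, rooted or UNC path")
    base = ntpath.normcase(ntpath.normpath(staging))
    candidate = ntpath.normpath(ntpath.join(staging, requested))
    # normpath collapses "..", so an escape shows up as a prefix mismatch.
    if not ntpath.normcase(candidate).startswith(base + "\\"):
        raise DownloadRejected("path escapes the staging directory")
    return candidate


def decide(requested: str, signed: bool, user_approved: bool):
    """Return the destination to write to, or None to refuse the download."""
    # Flaw 1 countermeasure: a valid signature identifies the publisher;
    # it does not replace the user's approval.
    if not (signed and user_approved):
        return None
    try:
        return confined_target(requested)
    except DownloadRejected:
        return None


# Constructed sample requests: (destination, signed, user_approved)
SAMPLES = [
    ("update.cab", True, True),
    ("update.cab", True, False),
    (r"C:\Windows\System32\example.dll", True, True),
    (r"..\..\example.ini", True, True),
    (r"\\fileserver\share\example.cab", True, True),
]

if __name__ == "__main__":
    for dest, signed, ok in SAMPLES:
        print(f"{dest!r:45} -> {decide(dest, signed, ok)}")
```

Only the first sample yields a destination; every other request is refused, either for lack of approval or because the path would resolve outside the staging directory.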

Patch Availability

This patch is currently available for Internet Explorer 4.01 SP2, 5.01, and 5.01 SP1 at the following Microsoft Web site:

This patch is currently available for Internet Explorer 5.5 at the following Microsoft Web site:

NOTE: This update may not appear on the Microsoft Windows Update Web site, or you may receive the following message when you are installing this update from the Microsoft.com Web site:

   This update does not need to be installed on this system.

Updates are currently available only for Internet Explorer 4.01 SP2, 5.01, 5.01 SP1, and 5.5.

For additional information about how to determine which version of Internet Explorer is installed, click the article number below to view the article in the Microsoft Knowledge Base:

164539 How to Determine Which Version of Internet Explorer Is Installed

Update Information by Product

To update information by product, follow these steps:
  1. Install the patch from the following link:
  2. On the Help menu, click About Internet Explorer; the Q-article Q265258 is displayed on the Update Versions line.
  3. Install the patch from the following link:
  4. On the Help menu, click About Internet Explorer; the Q-article Q269368 is displayed on the Update Versions line.

Internet Explorer 5.01 SP1 for Windows 95, Windows 98, Windows 98 Second Edition, Windows NT 4.0, and Windows 2000

Update File Name: Q265258.exe

Description: Internet Explorer Security Update, June 19, 2000

Availability:
   File name    Size     Date        Time        Version
   ------------------------------------------------------------
   Asctrls.ocx  109,328  08/01/2000  04:56:04pm  5.00.3207.2800

Internet Explorer 4.01 SP2 for Windows 95, Windows 98, and Windows NT 4.0 (Intel)

Update File Name: Q265258.exe

Description: Internet Explorer Security Update, June 19, 2000

Availability:
   File name    Size     Date        Time        Version
   ------------------------------------------------------------
   Asctrls.ocx   91,536  06/14/2000   2:29:12pm  4.72.3718.1400

Windows 2000 (all versions) and Internet Explorer 5.01 for Windows 95, Windows 98, Windows 98 Second Edition, and Windows NT 4.0

Update File Name: Q265258.exe

Description: Internet Explorer Security Update, June 19, 2000

Availability:
   File name    Size     Date        Time        Version
   ------------------------------------------------------------
   Asctrls.ocx  109,328  06/09/2000  11:13:26am  5.0.3018.900

Internet Explorer 5.5 for Windows 95, Windows 98, Windows 98 Second Edition, Windows NT 4.0, and Windows 2000

Update File Name: Q269368.exe

Description: Security Update, August 9, 2000

Availability:
   File name    Size       Date        Time        Version
   --------------------------------------------------------------
   Asctrls.ocx    110,864  07/28/2000  02:16:40pm  5.50.4207.2600
   Mshtml.dll   2,744,592  07/28/2000  03:25:48pm  5.50.4207.2601

NOTE: In addition to the vulnerability discussed in this article, the Internet Explorer 5.5 version of this patch also eliminates the vulnerability discussed at the following Microsoft Web site:

Modification Type: Major
Last Reviewed: 6/15/2004
Keywords: kbprb KB265258