INFO: Update Available for "Cross-Domain File Reading Vulnerability" Issue (280768)



The information in this article applies to:

  • Microsoft Internet Explorer (Programming) 4.0, when used with:
    • the operating system: Microsoft Windows 2000
    • the operating system: Microsoft Windows NT 4.0
    • the operating system: Microsoft Windows Millennium Edition
    • the operating system: Microsoft Windows 98
    • the operating system: Microsoft Windows 98 Second Edition
  • Microsoft Internet Explorer (Programming) 4.01, when used with:
    • the operating system: Microsoft Windows 2000
    • the operating system: Microsoft Windows NT 4.0
    • the operating system: Microsoft Windows Millennium Edition
    • the operating system: Microsoft Windows 98
    • the operating system: Microsoft Windows 98 Second Edition
  • Microsoft Internet Explorer (Programming) 4.01 SP1, when used with:
    • the operating system: Microsoft Windows 2000
    • the operating system: Microsoft Windows NT 4.0
    • the operating system: Microsoft Windows Millennium Edition
    • the operating system: Microsoft Windows 98
    • the operating system: Microsoft Windows 98 Second Edition
  • Microsoft Internet Explorer (Programming) 4.01 SP2, when used with:
    • the operating system: Microsoft Windows 2000
    • the operating system: Microsoft Windows NT 4.0
    • the operating system: Microsoft Windows Millennium Edition
    • the operating system: Microsoft Windows 98
    • the operating system: Microsoft Windows 98 Second Edition
  • Microsoft Internet Explorer (Programming) 5, when used with:
    • the operating system: Microsoft Windows 2000
    • the operating system: Microsoft Windows NT 4.0
    • the operating system: Microsoft Windows Millennium Edition
    • the operating system: Microsoft Windows 98
    • the operating system: Microsoft Windows 98 Second Edition
  • Microsoft Internet Explorer (Programming) 5.01, when used with:
    • the operating system: Microsoft Windows 2000
    • the operating system: Microsoft Windows NT 4.0
    • the operating system: Microsoft Windows Millennium Edition
    • the operating system: Microsoft Windows 98
    • the operating system: Microsoft Windows 98 Second Edition
  • Microsoft Internet Explorer (Programming) 5.01 SP1, when used with:
    • the operating system: Microsoft Windows 2000
    • the operating system: Microsoft Windows NT 4.0
    • the operating system: Microsoft Windows Millennium Edition
    • the operating system: Microsoft Windows 98
    • the operating system: Microsoft Windows 98 Second Edition
  • Microsoft Internet Explorer (Programming) 5.5, when used with:
    • the operating system: Microsoft Windows 2000
    • the operating system: Microsoft Windows NT 4.0
    • the operating system: Microsoft Windows Millennium Edition
    • the operating system: Microsoft Windows 98
    • the operating system: Microsoft Windows 98 Second Edition

This article was previously published under Q280768

SUMMARY

Microsoft has released an update to Internet Explorer that addresses a potential security issue in which a malicious Web site operator could use the GetObject function to read the files on your hard disk and upload them to the Web site.

On March 6, 2001, Microsoft released information regarding a new variant of this vulnerability. For information on the variant and where to download the patch, see the following Microsoft Web site:

MORE INFORMATION

When a script tries to use GetObject to initiate an ActiveX object, it should:

  1. Determine whether the object is safe to create, based solely on its type.
  2. Determine whether the object is safe to run after it is created.
  3. Determine whether it is safe to load potentially untrusted content into the object after the object is run.
  4. After the untrusted content is loaded, determine whether the data path to that content is legally accessible from the current page (in other words, that it does not break cross-domain security).

However, Internet Explorer fails to perform the last of these checks: it does not verify whether the data breaks cross-domain security.

If you are using Internet Explorer 5.01 and have a Jscript.dll version earlier than 5.1.0.5907, or if you are using Internet Explorer 5.5 and have a Jscript.dll earlier than version 5.5.0.5824, you must apply this patch.
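
The version test above can be applied to an inventory export. The following is an added example, not Microsoft code: the two thresholds come from this article, while the host rows, the function names, and the treatment of a service-pack suffix as its base release are assumptions.

```python
# Added example: thresholds come from the article; hosts and their versions are constructed.
FIXED_JSCRIPT = {
    "5.01": (5, 1, 0, 5907),  # IE 5.01: Jscript.dll earlier than this needs the patch
    "5.5": (5, 5, 0, 5824),   # IE 5.5: Jscript.dll earlier than this needs the patch
}


def parse_file_version(text):
    """Turn 'a.b.c.d' (or the 'a, b, c, d' resource form) into a tuple of ints."""
    parts = [p.strip() for p in text.replace(",", ".").split(".")]
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("expected a four-part file version, got %r" % text)
    return tuple(int(p) for p in parts)


def assess(ie_version, jscript_version):
    """Return 'patch-required', 'ok', or 'no-threshold' for one host."""
    # Assumption: a service-pack suffix ("5.01 SP1") is judged by its base release.
    tokens = ie_version.split()
    base = tokens[0] if tokens else ""
    fixed = FIXED_JSCRIPT.get(base)
    if fixed is None:
        return "no-threshold"  # the article gives no Jscript.dll version for this release
    # Tuples compare field by field as integers; comparing the raw strings
    # would rank "5.5.0.10000" below "5.5.0.5824".
    return "patch-required" if parse_file_version(jscript_version) < fixed else "ok"


# Constructed inventory rows: (host, IE version, Jscript.dll file version).
INVENTORY = [
    ("HOST-A", "5.01", "5.1.0.5010"),
    ("HOST-B", "5.01 SP1", "5.1.0.5907"),
    ("HOST-C", "5.5", "5.5.0.5207"),
    ("HOST-D", "5.5", "5, 5, 0, 10000"),
    ("HOST-E", "4.01 SP2", "4.1.0.3715"),
]


def triage(rows):
    """Map each host name to its assessment."""
    return {host: assess(ie, js) for host, ie, js in rows}


if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(host, verdict)
```

Hosts reported as no-threshold run a release for which this article gives no Jscript.dll version, so they need to be checked against the security bulletin instead.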

For more information about this issue and to download the patch, see the following Microsoft Security Bulletin:

REFERENCES

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

251108 Update Available for the "Frame Domain Verification" Issue


Modification Type: Minor
Last Reviewed: 9/27/2004
Keywords: kbDHTML kbinfo kbScript KB280768