SYMPTOMS
Because HTML e-mail messages are Web pages, Internet
Explorer can render them and open binary attachments in a way that is
appropriate to their MIME type. However, there is a flaw in the type of
processing that is specified for certain unusual MIME types. If a malicious
user creates an HTML e-mail message that contains an attachment that can be run
and then modifies the MIME header information to specify that the attachment is
one of the unusual MIME types that Internet Explorer handles incorrectly,
Internet Explorer may run the attachment automatically when it renders the
e-mail message.
A malicious user could use this vulnerability in
either of two scenarios:
- The malicious user could host an affected HTML e-mail
message on a Web site and try to persuade other users to visit the site, at
which point script on a Web page could open the mail and run the attachment.
- The malicious user could send the HTML e-mail message
directly to a user.
In either case, the attachment, if it ran, would be limited
only by the user's permissions on the computer.
This vulnerability cannot be exploited if file downloads have been disabled
in the security zone in which the e-mail message is rendered. However, this
is not a default setting in any security zone.
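One way a mail gateway or triage script can look for the mismatch described above, where a part's declared MIME type disagrees with what the attachment actually is. This is an added example, not Microsoft's code; the extension list, the set of "passive" types and the sample message are assumptions constructed here, because the article does not name the affected MIME types.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: extensions a Windows mail client would treat as runnable.
RUNNABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Assumption: top-level MIME types that should never carry a program.
PASSIVE_MAIN_TYPES = {"audio", "image", "video", "text"}


def suspicious_parts(raw: bytes):
    """Return (filename, declared_type, reasons) for each mismatched MIME part."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        # Only parts that claim to be passive content are of interest here.
        if part.get_content_maintype() not in PASSIVE_MAIN_TYPES:
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if os.path.splitext(name)[1].lower() in RUNNABLE_EXTS:
            reasons.append("runnable extension")
        if payload[:2] == b"MZ":  # DOS/PE executables start with these bytes
            reasons.append("PE/DOS header")
        if reasons:
            findings.append((name, part.get_content_type(), reasons))
    return findings


def build_sample() -> bytes:
    """Constructed test message: inert bytes labelled image/gif but named .exe."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Body text of the constructed sample.")
    msg.add_attachment(b"MZ-inert-placeholder", maintype="image",
                       subtype="gif", filename="picture.exe")
    msg.add_attachment(b"GIF89a-inert", maintype="image",
                       subtype="gif", filename="logo.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in suspicious_parts(build_sample()):
        print(finding)
```

The check inspects both the file name and the first bytes of the decoded payload, so a runnable attachment with a harmless-looking name is still reported.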
RESOLUTION
You can install the patches that are listed below only on
systems that run Internet Explorer 5.01 Service Pack 1 (SP1) or Internet
Explorer 5.5 Service Pack 1 (SP1). This fix is already included in Internet
Explorer 5.01 Service Pack 2.
For additional information about Internet
Explorer 5.01 Service Pack 2, click the article number below to view the
article in the Microsoft Knowledge Base:
267954 How to Obtain the Latest Internet Explorer 5.01 Service Pack
NOTE: If you try to install one of the patches that are listed below
on an unsupported version of Internet Explorer, you receive the following error
message:
Microsoft Internet Explorer Update
This update does not need to be installed on this system.
The text of the error message is incorrect and does not
necessarily mean that your version of Internet Explorer is unaffected by this
problem. If you receive this error message when you try to install one of the
patches, use the appropriate resolution for your version of Internet Explorer:
- Internet Explorer versions 4.x through 5.01
Upgrade to either Internet Explorer 5.01 SP2 (which includes this fix) or
Internet Explorer 5.5 SP1 and then install the patch for this version of
Internet Explorer. For additional information about Internet
Explorer 5.5 Service Pack 1, click the article number below to view the article
in the Microsoft Knowledge Base:
276369 How to Obtain the Latest Internet Explorer 5.5 Service Pack
- Internet Explorer 5.5
Upgrade to Internet Explorer 5.5 SP1 and then install the patch for this
version of Internet Explorer or upgrade to Internet Explorer 5.5 SP2 (which
includes this fix). For additional information about the latest service pack
for Internet Explorer 5.5, click the article number below to view the article
in the Microsoft Knowledge Base:
267954 How to Obtain the Latest Internet Explorer 5.5 Service Pack
- Internet Explorer 5.5 Advanced Security Privacy Beta or
Internet Explorer 6 Public Preview
Uninstall Internet Explorer 5.5 Advanced Security Privacy Beta or Internet
Explorer 6 Public Preview and then apply the appropriate patch or Internet
Explorer upgrade as noted above.
For additional information about how
to determine which version of Internet Explorer you are using, click the
article number below to view the article in the Microsoft Knowledge Base:
164539 How to Determine Which Version of Internet Explorer Is Installed
Patch for Internet Explorer 5.5
To resolve this problem, obtain the latest
service pack for Internet Explorer version 5.5. For additional information,
click the following article number to view the article in the Microsoft
Knowledge Base:
267954 How to Obtain the Latest Internet Explorer 5.5 Service Pack
For your convenience, the individual update is also
available:
The following file is available for download from the Microsoft Download
Center:
For additional information about how to download Microsoft Support files,
click the following article number to view the article in the Microsoft
Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help to
prevent any unauthorized changes to the file.
The English version of this update should have the
following file attributes or later:
Date         Time     Version          Size        File name
--------------------------------------------------------------
02/20/2001   04:36p   5.50.4614.2000   1,147,152   Shdocvw.dll
NOTE: Because of file dependencies, this update requires Internet
Explorer 5.5 with Service Pack 1.
Patch for Internet Explorer 5.01
To resolve this problem, obtain the
latest service pack for Internet Explorer version 5.01. For additional
information, click the following article number to view the article in the
Microsoft Knowledge Base:
267954 How to Obtain the Latest Internet Explorer 5.01 Service Pack
For your convenience, the individual update is also
available for downloading.
The following file is available for download from the Microsoft Download
Center:
NOTE: If you have already installed Internet Explorer 5.01 Service
Pack 2, you do not need to install this individual update.
For additional information about how to download Microsoft Support files,
click the following article number to view the article in the Microsoft
Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help to
prevent any unauthorized changes to the file.
The English version of this update should have the
following file attributes or later:
Date         Time     Version         Size        File name
-------------------------------------------------------------
02/20/2001   02:52p   5.0.3214.2000   1,103,632   Shdocvw.dll
NOTE: Because of file dependencies, this update requires Internet
Explorer 5.01 with Service Pack 1.