SUMMARY
Microsoft has released a cumulative patch for Internet
Explorer. This patch includes updates for the issues that are described in the
following Microsoft Knowledge Base articles:
323759 MS02-047: August 22, 2002, Cumulative Patch for Internet Explorer
321232 MS02-023: May 15, 2002, Cumulative Patch for Internet Explorer
316059 MS02-005: February 11, 2002, Cumulative Patch for Internet Explorer
319182 MS02-015: March 28, 2002, Cumulative Patch for Internet Explorer
This cumulative patch also prevents the following
security vulnerabilities:
- A buffer-overrun vulnerability that occurs because Internet
Explorer does not correctly check the parameters of Portable Network Graphics
(PNG) files when they are opened. To the best of Microsoft's knowledge, this
vulnerability can be used only to cause Internet Explorer to stop working. The
effect of exploiting this vulnerability against Internet Explorer is relatively
minor. You have only to restart Internet Explorer to restore typical operation.
However, a number of other Microsoft products (notably, most Microsoft Office
products and Microsoft Index Server) rely on Internet Explorer to render PNG
files. Exploiting this vulnerability against such a program causes them to stop
working also. Because of this, Microsoft recommends that customers install this
patch whether or not they are using Internet Explorer as the primary Web
browser.
- An information-disclosure vulnerability that is related to
the way in which Internet Explorer handles encoded characters in a Web address
(URL). This vulnerability might permit an attacker to craft a URL that contains
some encoded characters. The encoded characters might redirect you to a second
Web site. If you follow the URL, the attacker can gain the same access as you
on the second Web site. This might permit the attacker to access any
information that you share with the second Web site.
- A vulnerability that occurs because Internet Explorer does
not, under some conditions, correctly check the component that the OBJECT tag
calls. This might permit an attacker to obtain the name of the Temporary
Internet Files folder on your local computer. This vulnerability does not
permit an attacker to read or modify any files on your local computer because
the Temporary Internet Files folder is located in the Internet security zone.
Knowing the name of the Temporary Internet Files folder might permit an
attacker to identify the user name of the logged-on user, and to read other
information in the Temporary Internet Files folder (such as cookies).
- Three vulnerabilities that, although they have different
root causes, have the same effects. All three vulnerabilities occur because
incomplete security checks occur out when particular programming techniques are
used in Web pages. These vulnerabilities might permit one Web site to access
information from another domain, including your local computer. This might
permit the Web site operator to read, but not to change, any file that can be
viewed in a browser window on your local computer . These vulnerabilities might
also permit an attacker to start a program file that is already present on your
local computer.
This cumulative patch also sets the "kill" bit on the MSN Chat
ActiveX control that is described in the following Microsoft Security Bulletin:
For additional information, click
the following article numbers to view the articles in the Microsoft Knowledge
Base:
240797
How to Stop an ActiveX Control from Running in Internet Explorer
810202 Security Vulnerability in DirectX Files Viewer ActiveX Control
This process makes sure that a vulnerable control
cannot be added to your computer.
For additional information about
known issues that can occur when you install this update, click the following
article number to view the article in the Microsoft Knowledge Base:
325192
Issues After You Install Updates to Internet Explorer or
Windows
To resolve this problem, obtain the latest
service pack for Microsoft Windows 2000. For additional information, click the
following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
MORE INFORMATION
For more information about this patch, visit the following
Microsoft Web site:
Download Information
The following
file is available for download from the Microsoft Download
Center:
Release Date:
November 20, 2002
For additional information about how to download
Microsoft Support files, click the following article number to view the article
in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help to
prevent any unauthorized changes to the file.
Installation Information
You can install the Internet Explorer 6 version of this update on
Internet Explorer 6 or on Internet Explorer 6 Service Pack 1 (SP1).
For additional information, click the
following article number to view the article in the Microsoft Knowledge Base:
328548
How to Obtain the Latest Service Pack for Internet Explorer 6
The Internet Explorer 5.5 version of this update
requires Internet Explorer 5.5 Service Pack 2 (SP2).
For additional information, click
the following article number to view the article in the Microsoft Knowledge
Base:
276369
How to Obtain the Latest Service Pack for Internet Explorer 5.5
The Internet Explorer 5.01 for Windows 2000 version
of this update requires Windows 2000 Service Pack 3 (SP3).
For additional information, click the following
article number to view the article in the Microsoft Knowledge Base:
260910
How to Obtain the Latest Windows 2000 Service Pack
You must restart your computer after you apply this
update.
This package supports the following switches:
- /q Specifies Quiet mode, or suppresses prompts, when files are being
extracted.
- /q:u Specifies User-Quiet mode, which presents some dialog boxes to
the user.
- /q:a Specifies Administrator-Quiet mode, which does not present any
dialog boxes to the user.
- /t:path Specifies the target folder for extracting files.
- /c Extracts the files without installing them.
- /c:path Specifies the path and name of the Setup .inf or .exe file.
- /r:n Never restarts the computer after installation.
- /r:i Restart if a restart is required--automatically restarts the
computer if the computer must be restarted to complete installation.
- /r:a Always restarts the computer after installation.
- /r:s Restarts the computer after installation without prompting the
user.
- /n:v No version checking--installs the program over any previous
version.
For example, the
file
name /q:a /r:n command installs the update without any user intervention, and
does not force the computer to restart.
WARNING: Your computer is vulnerable until you restart it and log on as
an administrator to complete the installation.
NOTE: You cannot successfully install this update on Microsoft Windows
XP-based computers in non-interactive mode (for example, by using Windows Task
Scheduler, Microsoft Systems Management Server, or the IBM Tivoli software).
Microsoft is
researching this problem and will post more information in this article when
the information becomes available.
File Information
The English version of this fix has the file attributes (or
later) that are listed in the following table. The dates and times for these
files are listed in coordinated universal time (UTC). When you view the file
information, it is converted to local time. To find the difference between UTC
and local time, use the
Time Zone tab in the Date and Time
tool in Control Panel.
The following files are installed in the
%Windir%\System32 folder.
Internet Explorer 6 with SP1 (32-bit)
Date Time Version Size File name
---------------------------------------------------------
29-Aug-2002 09:23 6.0.2800.1106 91,136 Advpack.dll
10-Oct-2002 22:17 6.0.2800.1126 2,787,840 Mshtml.dll
10-Oct-2002 22:18 6.0.2800.1126 483,328 Urlmon.dll
Internet Explorer 6 with SP1 (64-bit)
Date Time Version Size File name
--------------------------------------------------------
15-Oct-2002 17:21 6.0.2800.1126 9,064,448 Mshtml.dll
15-Oct-2002 17:26 6.0.2800.1126 1,410,560 Urlmon.dll
Internet Explorer 6
Date Time Version Size File name
--------------------------------------------------------
15-Oct-2002 18:37 6.0.2722.900 2,764,288 Mshtml.dll
16-Oct-2002 22:38 6.0.2722.900 34,304 Pngfilt.dll
05-Mar-2002 01:09 6.0.2715.400 548,864 Shdoclc.dll
11-Oct-2002 17:53 6.0.2722.900 1,336,832 Shdocvw.dll
16-Oct-2002 22:38 6.0.2715.400 109,568 Url.dll
11-Oct-2002 17:53 6.0.2722.900 481,280 Urlmon.dll
06-Jun-2002 18:38 6.0.2718.400 583,168 Wininet.dll
Internet Explorer 5.5 with SP2
Date Time Version Size File name
---------------------------------------------------------
06-Jun-2000 21:43 5.50.4134.600 92,432 Advpack.dll
17-Oct-2002 00:36 5.50.4922.900 2,757,392 Mshtml.dll
17-Oct-2002 01:01 5.50.4922.900 48,912 Pngfilt.dll
15-Oct-2002 22:40 5.50.4922.900 1,149,200 Shdocvw.dll
05-Mar-2002 02:53 5.50.4915.500 84,240 Url.dll
15-Oct-2002 22:41 5.50.4922.900 451,344 Urlmon.dll
06-Jun-2002 22:27 5.50.4918.600 481,552 Wininet.dll
Internet Explorer 5.01 on Windows 2000 SP3
Date Time Version Size File name
---------------------------------------------------------
15-Oct-2002 15:57 5.0.3510.1100 2,358,032 Mshtml.dll
14-Oct-2002 16:28 5.0.3510.1100 48,912 Pngfilt.dll
14-Oct-2002 17:02 5.0.3510.1100 1,106,704 Shdocvw.dll
05-Mar-2002 02:53 5.50.4915.500 84,240 Url.dll
14-Oct-2002 17:02 5.0.3510.1100 455,952 Urlmon.dll
08-Jun-2002 00:56 5.0.3506.1000 461,584 Wininet.dll
NOTE: Because of file dependencies, these updates may also contain
additional files.
