Microsoft KB Archive/244233

= JavaScript Redirect Vulnerability in Internet Explorer =

Article ID: 244233

Article Last Modified on 1/25/2007

-

APPLIES TO


 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 4.01 Service Pack 1
 * Microsoft Internet Explorer 4.01 Service Pack 2
 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 4.01 Service Pack 2
 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 4.01 Service Pack 1
 * Microsoft Internet Explorer 4.01 Service Pack 2

-



This article was previously published under Q244233



SYMPTOMS
Under certain circumstances, a malicious Web site operator could use a JavaScript redirect command to read files on a computer if the browser is redirected to a malicious Web site. Files can be read only if the name of the file, and the name of the folder in which the file is located, is known by the malicious operator. This vulnerability does not allow the malicious operator to list the contents of folders; create, modify, or delete files; or to gain administrative control of the computer.



RESOLUTION
For information about obtaining an update that corrects this issue, please see the following article in the Microsoft Knowledge Base:

244357 Update for 'Javascript Redirect' in Internet Explorer 5



WORKAROUND
To temporarily work around this issue, add trusted sites to the Trusted Sites zone and disable Active Scripting in the Internet zone.

Adding Sites to the Trusted Sites Zone
You can add Web sites that you explicitly trust not to take malicious action on your computer to the Trusted Sites zone. To add Web sites to the Trusted Sites zone:
 * 1) Click Start, point to Settings, click Control Panel, and then double-click Internet Options.

If you are using Internet Explorer 4.x, double-click Internet in Control Panel.
 * 1) Click the Security tab, click Trusted Sites, click Sites, and then type the name of a Web site that you know can be trusted. For example, type: https://www.microsoft.com . Repeat this step for each Web site you want to add.

NOTE: When you add sites to the Local Intranet or Trusted Sites zone, you can require that server verification be used by clicking to select the Require server verification (https:) for all sites in this zone check box.
 * 1) Click OK.
 * 2) Click OK.

For additional information about the security zones, click the article number below to view the article in the Microsoft Knowledge Base:

174360 How to Use Security Zones in Internet Explorer

Disable Active Scripting
To disable Active Scripting:
 * 1) Click Start, point to Settings, click Control Panel, and then double-click Internet Options.

If you are using Internet Explorer 4.x, double-click Internet in Control Panel.
 * 1) Click the Security tab.
 * 2) Click the Internet zone, and then click Custom Level.

If you are using Internet Explorer 4.x, click Internet Zone.
 * 1) In the Settings box, locate the Scripting section, and then click Disable under Active Scripting.
 * 2) Click OK.
 * 3) Click OK.

Keywords: kbenv kbprb KB244233

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.