Microsoft KB Archive/273868

= Patch Available for the Cached Web Credentials Vulnerability =

Article ID: 273868

Article Last Modified on 1/29/2007

-

APPLIES TO


 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 4.01 Service Pack 1
 * Microsoft Internet Explorer 4.01 Service Pack 2
 * Microsoft Internet Explorer 4.0 128-Bit Edition
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 4.01 Service Pack 2
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 4.01 Service Pack 1
 * Microsoft Internet Explorer 4.01 Service Pack 2
 * Microsoft Internet Explorer 4.0 128-Bit Edition
 * Microsoft Windows 2000 Standard Edition

-



This article was previously published under Q273868



SYMPTOMS
Microsoft has released a patch that eliminates a vulnerability that may enable a malicious user to obtain your user ID and password for a Web site.



RESOLUTION
To resolve this problem, obtain the latest service pack for Internet Explorer version 5.01. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

267954 How to Obtain the Latest Internet Explorer 5.01 Service Pack

For your convenience, the individual update is also available for download. The following file is available for download from the Microsoft Download Center:

Download Q273868.exe now

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. NOTE: This patch requires that you have Internet Explorer 5.01 Service Pack 1 (SP1). If you install this patch and you are using a version of Internet Explorer other than Internet Explorer 5.01 SP1, the update is not installed and you may receive the following error message:

This update does not need to be installed on this system.

This message is correct if you are running Internet Explorer 5.5, which is not affected by this vulnerability. If you are running a version of Internet Explorer earlier than version 5.01 SP1, Microsoft recommends that you upgrade to Internet Explorer 5.01 SP1 and then install this patch, or upgrade to Internet Explorer 5.5.

The English-language version of this patch should have the following file attributes or later:   Date        Time     Size     File name -

06/09/2000 10:34AM   89,360  Advpack.dll 09/25/2000 04:57PM  459,536  Wininet.dll For additional information about how to determine which version of Internet Explorer that is installed, click the article number below to view the article in the Microsoft Knowledge Base:

164539 How to Determine Which Version of Internet Explorer Is Installed



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Internet Explorer version 5.01 Service Pack 2.



MORE INFORMATION
If you log on to a secure Web page by using basic authentication, and then visit a non-secure page on the same site, Internet Explorer automatically sends the cached credentials (typically your user ID and password) to the non-secure page. If a malicious user can control your network communications, the user can read your credentials and use them. However, the malicious user cannot force you to log on to a secure page; the user can use this vulnerability only to reveal credentials that are cached during the current Internet Explorer session.

For additional information about this issue, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms00-076.asp

Additional query words: current determine hack advpack w95inf16 w95inf32 wininet dll security_patch

Keywords: kberrmsg kbfix kbgraphxlinkcritical kbqfe kbnetwork kbprb kbbrowse kbie501presp2fix KB273868

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.