Microsoft KB Archive/322924

= MS02-023: Patch Available for Local Information Disclosure Through HTML Element Vulnerability =

Article ID: 322924

Article Last Modified on 2/1/2007


APPLIES TO


 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.5 Service Pack 2
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Explorer 6.0




This article was previously published under Q322924



SYMPTOMS
An information-disclosure vulnerability exists in Internet Explorer. An attacker who successfully exploits this vulnerability can view files on the user's local computer.

An attacker can try to exploit this vulnerability by building a Web page that contains a specific object. In constructing the page, the attacker must specify the name and location of the file to read. The attacker can then either send the page as an HTML e-mail message, or post it on a Web site. When the user views the Web page, either by opening the mail or by viewing it in a browser, the page can exploit the vulnerability.

This vulnerability is subject to a number of significant mitigating factors:

 * It can be used only to read information. It cannot add, change, or delete any information.
 * The attacker must know the exact name and location of any file to read.
 * Only files that contain a specific, individual ASCII character can be read. If this single character is not present, the attempt to read the file does not work.
 * The vulnerability requires that scripting be turned on. If the Web page is viewed in the Restricted Sites zone, the vulnerability cannot be exploited.
 * Viewing a Web page in the Restricted Sites zone, or reading mail in the Restricted Sites zone, prevents this vulnerability. By default, Microsoft Outlook Express 6, Microsoft Outlook 98, Microsoft Outlook 2000 with the Outlook E-Mail Security Update, and Microsoft Outlook 2002 all read mail in the Restricted Sites zone, and are immune from HTML e-mail attack.
 * Customers who use Microsoft Office XP Service Pack 1 who have turned on the Read as Plain Text feature are immune from the HTML e-mail attack. For additional information about this feature, click the article number below to view the article in the Microsoft Knowledge Base:

307594 OL2002: Users Can Read Nonsecure E-mail As Plain Text
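
The scripting and Restricted Sites mitigations listed above can be audited from a `reg export` of the `Internet Settings\Zones` key. The following is an added example, not part of the original article: it relies on the standard zone numbering (0 to 4), the `1400` value name for Active scripting, and the 0/1/3 data values for enable/prompt/disable; the sample export text is constructed.

```python
import re

# Constructed sample of `reg export` output for the per-user Zones key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"1A00"=dword:00020000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"CurrentLevel"=dword:00012000
"1400"=dword:00000003
"""

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
ACTIVE_SCRIPTING = "1400"                       # URL action "Active scripting"
STATE = {0: "enabled", 1: "prompt", 3: "disabled"}

ZONE_KEY = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d+)\]$", re.I)
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def scripting_by_zone(reg_text):
    """Return {zone number: Active scripting state} found in .reg text."""
    states, zone = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                # new key: track which zone we are in
            m = ZONE_KEY.match(line)
            zone = int(m.group(1)) if m else None
            continue
        m = DWORD.match(line)
        if zone is not None and m and m.group(1) == ACTIVE_SCRIPTING:
            states[zone] = STATE.get(int(m.group(2), 16), "unknown")
    return states

def restricted_zone_blocks_script(reg_text):
    """True only when Restricted sites (zone 4) explicitly disables scripting."""
    return scripting_by_zone(reg_text).get(4) == "disabled"

def zones_running_script(reg_text):
    """Names of zones where script runs without a prompt."""
    states = scripting_by_zone(reg_text)
    return [ZONES.get(z, str(z)) for z in sorted(states) if states[z] == "enabled"]

if __name__ == "__main__":
    print(scripting_by_zone(SAMPLE_EXPORT))
    print("Restricted sites blocks script:", restricted_zone_blocks_script(SAMPLE_EXPORT))
```

A real `reg export` file is UTF-16 encoded, so decode it as such before passing the text in. The parser does not resolve precedence between per-user and policy hives; export and check each key separately.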




CAUSE
This vulnerability occurs because of incorrect handling when a particular HTML object calls a file on the local computer.

RESOLUTION

Internet Explorer 6
To resolve this problem, obtain the latest service pack for Internet Explorer 6. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

328548 How to Obtain the Latest Internet Explorer 6 Service Pack

The update for this problem is included in the "May 15, 2002, Cumulative Patch for Internet Explorer." For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:

321232 MS02-023: May 15, 2002, Cumulative Patch for Internet Explorer

Internet Explorer 5.5 Service Pack 2
The update for this problem is included in the "May 15, 2002, Cumulative Patch for Internet Explorer." For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:

321232 MS02-023: May 15, 2002, Cumulative Patch for Internet Explorer

Internet Explorer 5.5 Service Pack 1
The update for this problem is included in the "May 15, 2002, Cumulative Patch for Internet Explorer." For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:

321232 MS02-023: May 15, 2002, Cumulative Patch for Internet Explorer

Internet Explorer 5.01 Service Pack 2 (on Microsoft Windows 2000 and Microsoft Windows NT 4.0 only)
This update is only for customers running Internet Explorer 5.01 Service Pack 2 on Windows 2000 Service Pack 2 or Windows NT 4.0 Service Pack 6a. If you are running Internet Explorer 5.01 on any other version of Windows, upgrade to Internet Explorer 5.5 Service Pack 2 or later, and then apply this update.

The update for this problem is included in the "May 15, 2002, Cumulative Patch for Internet Explorer." For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:

321232 MS02-023: May 15, 2002, Cumulative Patch for Internet Explorer

STATUS

Internet Explorer 6
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 6. This problem was first corrected in Internet Explorer 6 Service Pack 1.

Internet Explorer 5.5
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 5.5.

Internet Explorer 5.01
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 5.01.


MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS02-023.mspx

Additional query words: security_patch patch27

Keywords: kbdownload kbbug kbfix kbie501presp3fix kbsecvulnerability kbie600presp1fix kbsecurity kbie600sp1fix kbie550presp3fix kbsecbulletin kbsechack KB322924


© Microsoft Corporation. All rights reserved.