Microsoft KB Archive/262509

= Patch available for &quot;Frame Domain Verification,&quot; &quot;Unauthorized Cookie Access,&quot; &quot;Malformed Component Attribute,&quot; and &quot;WPAD Spoofing&quot; vulnerabilities =

Article ID: 262509

Article Last Modified on 1/27/2007

-

APPLIES TO


 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 4.01 Service Pack 1
 * Microsoft Internet Explorer 4.01 Service Pack 2
 * Microsoft Internet Explorer 4.0 128-Bit Edition
 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 4.01 Service Pack 2
 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 4.01 Service Pack 1
 * Microsoft Internet Explorer 4.01 Service Pack 2
 * Microsoft Internet Explorer 4.0 128-Bit Edition
 * Microsoft Internet Explorer 5.5

-



This article was previously published under Q262509



SUMMARY
Microsoft released an Internet Explorer security update on May 18, 2000, that eliminates four security vulnerabilities in Internet Explorer 4.01 Service Pack 2 (SP2) and 5.01:
 * The &quot;Frame Domain Verification&quot; vulnerability, which could allow a malicious Web site operator to read, but not change or add, files on the computer of a visiting user.
 * The &quot;Unauthorized Cookie Access&quot; vulnerability, which could allow a malicious Web site operator to access cookies belonging to a visiting user.
 * The &quot;Malformed Component Attribute&quot; vulnerability, which could allow a malicious Web site operator to run code on the computer of a visiting user.
 * A new variant of the &quot;WPAD Spoofing&quot; vulnerability that was fixed in Internet Explorer 5.01 (for information about this vulnerability, visit the http://www.microsoft.com/technet/security/bulletin/ms99-054.mspx Web site).



MORE INFORMATION
For additional information about these vulnerabilities and the availability of a comprehensive update to eliminate them, please see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms00-033.mspx

Note This update may not appear when you click Product Updates on the Microsoft Windows Update Web site, or you may receive the following message when you are installing this update from the Microsoft Download Center:

This update does not need to be installed on this system.

Updates are available only for Internet Explorer 4.01 Service Pack 2 (SP2) and Internet Explorer 5.01. Internet Explorer versions 4.0, 4.01, 4.01 Service Pack 1, 5, and 5.5 Beta are also vulnerable to this problem, but running the patch on a version of Internet Explorer 4.x earlier than 4.01 SP2, a version of Internet Explorer 5 earlier than 5.01, or Internet Explorer 5.5 Beta results in the message listed above. This patch is not listed as a critical update on the Microsoft Windows Update Web site unless you are running Internet Explorer 4.01 SP2 or 5.01.

Microsoft recommends that you update to Internet Explorer 4.01 SP2 or 5.01 and then install this patch. If you are using Internet Explorer 5.5 Beta, Microsoft recommends that you uninstall Internet Explorer 5.5 Beta and then install this patch for Internet Explorer 4.01 SP2 or 5.01. The final released version of Internet Explorer 5.5 will include all of the updates in this patch.

For more information about how to determine which version of Internet Explorer is installed, click the following article number to view the article in the Microsoft Knowledge Base:

164539 How to determine which version of Internet Explorer is installed

Update information by product
After you install this patch, &quot;q262509&quot; is displayed on the Update Versions line when you click About Internet Explorer on the Help menu, and the following files are updated (depending on which version of Internet Explorer you are using).

Internet Explorer 4.01 SP2 for Windows 95 and Windows 98
Update File Name: Q262509.exe

Description: Internet Explorer Security Update, May 18th 2000

Availability:
 * http://www.microsoft.com/windows/ie/downloads/critical/patch11/default.asp
 * http://windowsupdate.microsoft.com

  File name    Size     Date       Time        Version ---  Wininet.dll  373,520  5/15/2000  9:41:26 AM  4.72.3717.1500

Internet Explorer 4.01 SP2 for Windows NT 4.0 (Intel)
Update File Name: Q262509.exe

Description: Internet Explorer Security Update, May 18th 2000

Availability:
 * http://www.microsoft.com/windows/ie/downloads/critical/patch11/default.asp
 * http://windowsupdate.microsoft.com

  File name    Size     Date       Time         Version Wininet.dll 373,008  5/15/2000  11:13:34 AM  4.72.3717.1500

Internet Explorer 4.01 SP2 for Windows NT 4.0 (AXP)
Update File Name: Q262509.exe

Description: Internet Explorer Security Update, May 18th 2000

Availability:
 * http://www.microsoft.com/windows/ie/downloads/critical/patch11/default.asp

  File name    Size     Date       Time        Version ---  Wininet.dll  664,336  5/15/2000  7:40:10 AM  4.72.3717.1500

Windows 2000 (All Versions) and Internet Explorer 5.01 for Windows 95, Windows 98, Windows 98 Second Edition, and Windows NT 4.0
Update File Name: Q262509.exe

Description: Security Update, August 9, 2000

Availability:
 * http://www.microsoft.com/windows/ie/downloads/critical/patch11/default.asp
 * http://windowsupdate.microsoft.com

  File name    Size       Date       Time         Version --  Mshtml.dll   2,352,400  5/11/2000   4:14:40 PM  5.00.3017.1000 Shdocvw.dll 1,104,144  5/02/2000  12:24:36 PM  5.00.3015.2000 Urlmon.dll    449,808  5/03/2000   2:12:56 PM  5.00.3017.3000 Wininet.dll   460,560  5/12/2000  12:23:28 PM  5.00.3017.1200 Note This update has been revised since its original release to address a minor issue that causes Internet Explorer to display images incorrectly on some Web sites. Microsoft recommends that all users download this updated version.

