Microsoft KB Archive/241362

= Security Vulnerability in ImportExportFavorites Function in Internet Explorer 5.0 =

Article ID: 241362

Article Last Modified on 1/25/2007


APPLIES TO


 * Microsoft Internet Explorer 5.0



This article was previously published under Q241362





SUMMARY
Internet Explorer 5.0 includes a feature that allows you to export a list of your favorite Web sites to a file, or to import a file containing a list of favorite sites. The method that is used to perform this function, ImportExportFavorites, should only allow particular types of files to be written, and only to specific locations on the drive. However, it is possible for a Web site to invoke this method, bypass this restriction, and write files that may be used to run system commands. As a result, a malicious Web site operator can potentially take any action on the computer that a user is capable of performing.



MORE INFORMATION
This vulnerability only affects Windows 95-based, Windows 98-based, Windows 98 Second Edition-based, and Windows NT 4.0-based computers that are connected to the Internet and that are using Internet Explorer 5.0 with Active Scripting enabled. By default, Active Scripting is enabled in Internet Explorer 5.0.

This problem is resolved in Internet Explorer 5.01 and later. Microsoft recommends that you upgrade to the latest version of Internet Explorer to resolve this problem. For additional information about how to determine which version of Internet Explorer you are using, click the following article number to view the article in the Microsoft Knowledge Base:

164539 How to Determine Which Version of Internet Explorer Is Installed

For additional information about how to obtain the latest version of Internet Explorer 5.5, click the following article number to view the article in the Microsoft Knowledge Base:

267954 How to Obtain the Latest Internet Explorer 5.5 Service Pack

For additional information about how to obtain the latest version of Internet Explorer 6, click the following article number to view the article in the Microsoft Knowledge Base:

328548 How to Obtain the Latest Internet Explorer 6 Service Pack

On December 8, 1999, Microsoft released a patch that eliminates this error and several other vulnerabilities in Internet Explorer 5.0. For additional information about this patch, click the following article number to view the article in the Microsoft Knowledge Base:

246094 Update Available for "Server-Side Page Reference Redirect" Vulnerability

For additional information about the other vulnerabilities resolved with this patch, click the following article numbers to view the articles in the Microsoft Knowledge Base:

241361 Update Available for Vulnerabilities in ActiveX Controls Issue

231450 Update Available for the "Malformed Favorites Icon" Issue

The English version of this fix should have the following file attributes or later:

   File Name      Size       Date          Time     Version
   --------------------------------------------------------------
   Shdocvw.dll    946,448    Sep-14-1999   05:19p   5.00.2721.1400

For additional information about the ImportExportFavorites issue, visit the following Microsoft Security Bulletin Web site:

http://www.microsoft.com/TechNet/security/bulletin/ms99-037.asp

For additional security-related information about Microsoft products, visit the following Microsoft Web site:

http://www.microsoft.com/security/

Keywords: kbinfo kbenv KB241362


© Microsoft Corporation. All rights reserved.