Microsoft KB Archive/251109

= Local Files May Be Accessed By Using JavaScript Linked to Image Tag =

PSS ID Number: 251109

Article Last Modified on 8/9/2004


The information in this article applies to:


 * Microsoft Internet Explorer 5.01 for Windows NT 4.0
 * Microsoft Internet Explorer 5.0 for Windows NT 4.0
 * Microsoft Internet Explorer 4.01 for Windows NT 4.0 SP 1
 * Microsoft Internet Explorer 4.01 for Windows NT 4.0 SP 2
 * Microsoft Internet Explorer 4.0 for Windows NT 4.0
 * Microsoft Internet Explorer 5.01 for Windows 98 Second Edition
 * Microsoft Internet Explorer 5.01 for Windows 98
 * Microsoft Internet Explorer 5.0 for Windows 98
 * Microsoft Internet Explorer 4.01 for Windows 98 SP 2
 * Microsoft Internet Explorer 5.01 for Windows 95
 * Microsoft Internet Explorer 5.0 for Windows 95
 * Microsoft Internet Explorer 4.01 for Windows 95 SP 1
 * Microsoft Internet Explorer 4.01 for Windows 95 SP 2
 * Microsoft Internet Explorer 4.0 for Windows 95




This article was previously published under Q251109



SYMPTOMS
When you visit a Web page that contains a JavaScript URL in an IMG (image) tag, a malicious Web site operator could view files on your computer under certain circumstances. The Web site operator must know (or guess) the name and the location of the file, and can view only file types that can be opened in a browser window. If the malicious site is in a security zone that does not allow active scripting, the vulnerability cannot be exploited.

For additional information about this issue, visit the following Microsoft Web site:

http://www.microsoft.com/technet/Security/Bulletin/ms00-009.asp

Note All versions of Internet Explorer for Microsoft Windows 3.1, Microsoft Windows NT 3.51, Macintosh, Unix (Solaris), and Unix (HP-UX) are not affected by this vulnerability.
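
As an added example (not part of the Microsoft article and not Microsoft code), the following Python code shows how a content filter or proxy could flag the pattern described above, an IMG tag whose URL attribute is a `javascript:` URL. The function names and the sample page are constructed for illustration, and checking `lowsrc` and `dynsrc` in addition to `src` is an assumption beyond what the article states.

```python
import re
from html.parser import HTMLParser

# URL-bearing attributes checked on IMG. The article only says "IMG tag";
# covering lowsrc and dynsrc as well as src is an assumption of this example.
URL_ATTRS = ("src", "lowsrc", "dynsrc")
LEADING_JUNK = "".join(chr(c) for c in range(0x21))  # control chars and space
SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*")

def url_scheme(value):
    """Return the lowercased URL scheme of an attribute value, or ""."""
    # Browsers ignore leading whitespace and strip tab, CR and LF from URLs,
    # so do the same before reading the scheme.
    cleaned = value.lstrip(LEADING_JUNK).translate({9: None, 10: None, 13: None})
    scheme, sep, _ = cleaned.partition(":")
    return scheme.lower() if sep and SCHEME_RE.fullmatch(scheme) else ""

class ImgScriptUrlFinder(HTMLParser):
    """Collects (line, attribute, raw value) for IMG tags with javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes character references in
        # attribute values, so &#x09; and mixed case are already normalised.
        if tag != "img":
            return
        for name, value in attrs:
            if name in URL_ATTRS and value and url_scheme(value) == "javascript":
                self.findings.append((self.getpos()[0], name, value))

def find_img_script_urls(html):
    finder = ImgScriptUrlFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; the script bodies are inert placeholders.
SAMPLE_HTML = """<html><body>
<img src="logo.gif" alt="ordinary image">
<IMG SRC="JavaScript:void(0)">
<img src=" java&#x09;script:void(0)">
<img src="http://example.test/a.gif?next=javascript:1">
</body></html>"""

if __name__ == "__main__":
    print(find_img_script_urls(SAMPLE_HTML))
```
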



Service Pack Information
To resolve this problem, obtain the latest service pack for Internet Explorer 6. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

328548 How to Obtain the Latest Service Pack for Internet Explorer 6

Important The versions of Internet Explorer that are listed in the "Applies to" section of this article are no longer supported. Although you can install the update packages that are described in this article to address this vulnerability, Microsoft recommends that you upgrade to a supported version of Windows and of Internet Explorer.

Microsoft released security patches for Internet Explorer 4.01 Service Pack 2 (SP2) and Internet Explorer 5.01 to address this vulnerability.

Note If you apply one of these patches to Internet Explorer 4.01 Service Pack 1 (SP1) or earlier, or to Internet Explorer 5.0, you may receive a message that states the fix is not needed. This message is incorrect, and the vulnerability does exist on these versions of Internet Explorer. If you are using Internet Explorer 4.01 SP1 or any earlier release, or Internet Explorer 5.0, upgrade to the latest version of Internet Explorer, and then install the appropriate patch. To upgrade to the latest version of Internet Explorer, visit the following Microsoft Web site:

http://www.microsoft.com/windows/ie/downloads/default.asp

The following files are available for download from the Microsoft Download Center:

Internet Explorer 5.01 for Windows 95, Windows NT 4.0 (x86), Windows 98, and Windows 98 Second Edition

Download the Q251109.exe package now.

Internet Explorer 4.01 SP2 for Windows NT 4.0 (Alpha)

Download the Q251109.exe package now.

Note To install this patch on computers that are running Windows 95, Windows 98, or Windows NT 4.0, click Internet Explorer Security Update, February 9, 2000 under the Critical Updates section of the following Windows Update Web site:

http://windowsupdate.microsoft.com

Microsoft Internet Explorer 5.01 for Windows 95, Windows 98, Windows 98 Second Edition, Windows NT 4.0 (x86), and Windows 2000

Update File Name: Q251109.exe

 Updated File Name   Size (bytes)   Date       Version
 Mshtml.dll          2,352,912      01/26/00   5.00.3013.2600

Microsoft Internet Explorer 4.01 Service Pack 2 for Windows 95 and Windows 98

Update File Name: Q251109.exe

 Updated File Name   Size (bytes)   Date       Version
 Mshtml.dll          2,423,056      01/28/00   4.72.3713.2800

Microsoft Internet Explorer 4.01 Service Pack 2 for Windows NT 4.0 (x86)

Update File Name: Q251109.exe

 Updated File Name   Size (bytes)   Date       Version
 Mshtml.dll          2,422,544      01/28/00   4.72.3713.2800

Microsoft Internet Explorer 4.01 Service Pack 2 for Windows NT 4.0 AXP

Update File Name: Q251109.exe

 Updated File Name   Size (bytes)   Date       Version
 Mshtml.dll          3,952,400      01/20/00   4.72.3713.2800

After you install this update, Q251109 is added to the Update versions line when you click About Internet Explorer on the Help menu.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was first corrected in Internet Explorer version 5.01 Service Pack 1.



MORE INFORMATION
To work around this issue until you can install the patch, add trusted sites to the Trusted Sites zone and disable active scripting in the Internet zone.

Adding Sites to the Trusted Sites Zone
You can add Web sites that you explicitly trust not to take malicious action on your computer to the Trusted Sites zone. To add Web sites to the Trusted Sites zone:
 * 1) Click Start, point to Settings, click Control Panel, and then double-click Internet Options (Internet in Internet Explorer 4. ).
 * 2) On the Security tab, click Trusted Sites, click Sites, and then type the name of a Web site that you trust. For example, type: https://www.microsoft.com Repeat this step for each Web site that you want to add. Note When you add sites to the Local Intranet or Trusted Sites zones, you can require that server verification is used. To do so, click to select the Require server verification (https:) for all sites in this zone check box.
 * 3) Click OK, and then click OK.

For additional information about the security zones, click the following article number to view the article in the Microsoft Knowledge Base:

174360 How to Use Security Zones in Internet Explorer

Disable Active Scripting
To disable active scripting:
 * 1) Click Start, point to Settings, click Control Panel, and then double-click Internet Options (Internet in Internet Explorer 4. ).
 * 2) On the Security tab, click the Internet zone, and then click Custom Level (or click Internet Zone in Internet Explorer 4. ).
 * 3) In the Settings box, locate the Scripting section, and then click Disable under Active Scripting.
 * 4) Click OK, and then click OK.

Additional query words: security upgrade

Keywords: kbdownload kbbug kbfix kbie501sp1Fix KB251109

Technology: kbIE400Win95 kbIE400WinNT400 kbIE401Win95 kbIE401Win98 kbIE401Win98SP2 kbIE401WinNT400 kbIE401WinNT400SP1 kbIE401WinNT400SP2 kbIE500Search kbIE500Win95 kbIE500Win98 kbIE500WinNT400 kbIE501Win95 kbIE501Win98SE kbIE501WinNT400 kbIE95Search kbIE98Search kbIE98SESearch kbIENT400Search kbIEsearch


© Microsoft Corporation. All rights reserved.