Microsoft KB Archive/321309

= MS02-019: Security Vulnerabilities in Internet Explorer and Office for Mac Can Cause Code to Run =

Article ID: 321309

Article Last Modified on 3/29/2007

-

APPLIES TO


 * Microsoft Internet Explorer 5.0 for Macintosh
 * Microsoft Outlook Express 4.0 for Macintosh
 * Microsoft Word 2001 for Mac
 * Microsoft Excel X for Mac
 * Microsoft Excel 2001 for Mac
 * Microsoft PowerPoint 2001 for Mac
 * Microsoft PowerPoint 98 for Macintosh
 * Microsoft Windows CE Platform Builder 3.0
 * Microsoft Entourage X for Mac
 * Microsoft Outlook Express 5.02 for Macintosh
 * Microsoft Exchange Update for Entourage X (Office v. X 10.1.4 Update)

-



This article was previously published under Q321309



SYMPTOMS
Microsoft has released a patch to address two new security vulnerabilities in Internet Explorer for Macintosh.

The first vulnerability is an unchecked buffer that is associated with the handling of a particular HTML element. A security vulnerability results because an attacker can run a buffer-overrun attack that tries to exploit this flaw. A successful attack would have the result of causing the program to fail, or to cause code of the attacker's choice to run as if it were run under the user's permissions.

The second vulnerability is a flaw in how Internet Explorer for Macintosh handles certain HTML elements that run AppleScripts that are stored on the local computer. This flaw makes it possible for locally-stored AppleScripts to be started outside the typical security restrictions. A vulnerability results because it is possible for a malicious user to exploit this and cause AppleScripts to run without the user's consent. The AppleScripts would run as if they had been started by the user, and might take the same actions as any AppleScript that is legitimately started by the user.



Macintosh OS X
To resolve this problem, use the Software Update feature in Macintosh OS X version 10.1 to install the Internet Explorer 5.1 Security Update. Additional information about the Software Update feature is available at the following Apple Computer Web site:

http://www.apple.com/macosx/upgrade/softwareupdates.html

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

All Other Products
Download the update from the following Microsoft Web site:

http://www.microsoft.com/mac/download

NOTE: As of April 2002, an update is under development for Microsoft PowerPoint 98 for Macintosh. When this update is available, this article will be updated.



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
http://www.microsoft.com/technet/security/bulletin/ms02-019.mspx

Additional query words: security_patch

Keywords: kbbug kbenv kbfix kbsecurity KB321309

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.