Microsoft KB Archive/318089

= MS02-009: Incorrect VBScript Handling in Internet Explorer Can Allow Web Pages to Read Local Files =

Article ID: 318089

Article Last Modified on 2/1/2007

-

APPLIES TO


 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.5 Service Pack 2
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.5 Service Pack 2
 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.5 Service Pack 2
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.5 Service Pack 2
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.5 Service Pack 2
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0

-



This article was previously published under Q318089



After the release of this patch on February 21, 2002, Microsoft became aware of some third-party programs that depend on behavior in VBScript that this patch disables. A minor change has been made to the security patch to fix this bug and to ensure backwards compatibility. A revised patch was released on March 13, 2002. If you experience problems with third-party programs after you apply the original version of this patch, download the revised patch. If you downloaded the original patch and are not experiencing difficulties, you do not need to take any action. As a result, the revised patch is not offered to you when you visit the Windows Update site.

If you experience problems with third-party programs after you apply the original release of this patch, download the revised patch. If you downloaded the original patch and are not experiencing difficulties, you do not need to take any action. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

319847 MS02-009 May Cause Incompatibility Problems Between VBScript and Third-Party Applications



SYMPTOMS
A vulnerability exists that could allow a malicious Web site operator to view files on the local computer of a visiting user. In addition, the vulnerability could allow a malicious Web site operator to collect information from a user's browsing session after the user had left the Web site. This information could then be passed back to the Web site, and could include personal information such as user names, passwords, or credit card information.

In both cases, the malicious user would have to entice the victim to visit a Web site that is under the malicious user's control. To read information from the user's local computer, the malicious Web site operator would have to know the exact name and location of the files on the user's computer. This vulnerability does not allow an attacker to add, change, or delete files on the user's computer.



CAUSE
This vulnerability occurs because of a flaw in the handling of scripts across domains within frames. The flaw allows scripts to violate Internet Explorer's cross-domain security model in a way that enables a Web site to read data in a frame that belongs to another domain.



RESOLUTION
To resolve this problem, install the latest service pack for Internet Explorer 6 or the February 14, 2002 Security Update from the following Microsoft Web site:

http://windowsupdate.microsoft.com

This update can also be download using the appropriate links below.
 * Internet Explorer 6
 * Internet Explorer 5.5
 * Internet Explorer 5.01

Internet Explorer 6
To resolve this problem, obtain the latest service pack for Internet Explorer 6. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

328548 How to Obtain the Latest Internet Explorer 6 Service Pack

The following file is available for download from the Microsoft Download Center:

Internet Explorer 6 for Windows 2000 and Windows XP:

Download Vbs56nen.exe now

Internet Explorer 6 for Windows Me, Windows 98, and Windows NT 4.0:

Download Vbs56men.exe now

Release Date: February 21, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

File Information for the Original Patch
The English version of the Internet Explorer 6 for Windows 2000 and Windows XP update should have the following file attributes or later:   GMT-UTC Date Time   Version         Size     File name --  02-Jan-2002  13:08  5.6.0.7302      467,002  Vbscript.dll The English version of the Internet Explorer 6 for Windows Me, Windows 98, and Windows NT 4.0 update should have the following file attributes or later:   GMT-UTC Date Time   Version         Size     File name --  02-Jan-2002  13:08  5.6.0.7302      467,002  Vbscript.dll

File Information for Revised Patch
The English version of the Internet Explorer 6 for Windows 2000 and Windows XP update should have the following file attributes or later:   GMT-UTC Date Time   Version             Size   File name --  26-Feb-2002  19:58  5.6.0.7426        462,906  Vbscript.dll NOTE: Due to file dependencies, this update may contain additional files.

The English version of the Internet Explorer 6 for Windows Me, Windows 98, and Windows NT 4.0 update should have the following file attributes or later:   GMT-UTC Date Time   Version             Size   File name ---  26-Feb-2002  19:58  5.6.0.7426        462,906  Vbscript.dll NOTE: Due to file dependencies, this update may contain additional files.

Internet Explorer 5.5
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Internet Explorer 5.5 service pack that contains this fix.

To resolve this problem immediately, download the fix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The following file is available for download from the Microsoft Download Center:

Internet Explorer 5.5 for Windows 2000:

Download Vbs55nen.exe now

Internet Explorer 5.5 for Windows Me, Windows 98, and Windows NT 4.0:

Download Vbs55men.exe now

Release Date: February 21, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

File Information for the Original Patch
The English version of the Internet Explorer 5.5 for Windows 2000 update should have the following file attributes or later:   GMT-UTC Date Time   Version         Size     File name --  02-Jan-2002  17:01  5.5.0.7302      458,813  Vbscript.dll The English version of the Internet Explorer 5.5 for Windows Me, Windows 98, and Windows NT 4.0 update should have the following file attributes or later:   GMT-UTC Date Time   Version         Size     File name --  02-Jan-2002  17:01  5.5.0.7302      458,813  Vbscript.dll

File Information for the Revised Patch
The English version of the Internet Explorer 5.5 for Windows 2000 update should have the following file attributes or later:   GMT-UTC Date Time   Version             Size   File name ---  28-Feb-2002  22:18  5.5.0.7426        450,621  Vbscript.dll NOTE: Due to file dependencies, this update may contain additional files.

The English version of the Internet Explorer 5.5 for Windows Me, Windows 98, and Windows NT 4.0 update should have the following file attributes or later:   GMT-UTC Date Time   Version             Size   File name ---  28-Feb-2002  22:18  5.5.0.7426        450,621  Vbscript.dll NOTE: Due to file dependencies, this update may contain additional files.

Internet Explorer 5.01
The following file is available for download from the Microsoft Download Center:

Internet Explorer 5.01 for Windows 2000:

Download Vbs51nen.exe now

This update is also available in Internet Explorer 5.01 Service Pack 3 for Windows 2000. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

267954 How to Obtain the Latest Internet Explorer 5.01 Service Pack

Internet Explorer 5.01 for Windows 98 and Windows NT 4.0:

Download Vbs51men.exe now

Release Date: February 21, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

File Information for the Original Patch
The English version of the Internet Explorer 5.01 for Windows 2000 update should have the following file attributes or later:   GMT-UTC Date Time   Version         Size     File name --  02-Jan-2002  17:00  5.1.0.7302      438,330  Vbscript.dll The English version of the Internet Explorer 5.01 update for Windows 98 and Windows NT should have the following file attributes or later:   GMT-UTC Date Time   Version         Size     File name --  02-Jan-2002  17:00  5.1.0.7302      438,330  Vbscript.dll

File Information for the Revised Patch
The English version of the Internet Explorer 5.01 for Windows 2000 update should have the following file attributes or later:   GMT-UTC Date Time   Version             Size   File name ---  26-Feb-2002  22:14  5.1.0.7426        438,330  Vbscript.dll NOTE: Due to file dependencies, this update may contain additional files.

The English version of the Internet Explorer 5.01 update for Windows 98 and Windows NT should have the following file attributes or later: <pre class="fixed_text">  GMT-UTC Date Time   Version             Size   File name ---  26-Feb-2002  22:14  5.1.0.7426        438,330  Vbscript.dll NOTE: Due to file dependencies, this update may contain additional files.

<div class="status_section">

Internet Explorer 6
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 6. This problem was first corrected in Internet Explorer 6 Service Pack 1.

Internet Explorer 5.5
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 5.5.

Internet Explorer 5.01
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 5.01. This problem was first corrected in Internet Explorer 5.01 for Windows 2000 Service Pack 3.

<div class="moreinformation_section">

MORE INFORMATION
The Vbscript.dll file is included with Internet Explorer and Microsoft Windows Script.
 * Internet Explorer 6: Any customer who is running Internet Explorer 6, regardless of Windows version, has Windows Script 5.6 installed by default. Internet Explorer 6 includes Windows Script 5.6.
 * Internet Explorer 5.5: Any customer who is running Internet Explorer 5.5, regardless of Windows version, has Windows Script 5.5 installed by default. Internet Explorer 5.5 includes Windows Script 5.5.
 * Internet Explorer 5.01: Any customer who is running Internet Explorer 5.01, regardless Windows version, has Windows Script 5.1 installed by default.

Customers who have not upgraded their version of Internet Explorer to version 5.5 or 6 are likely to be running the following versions of Windows Script:
 * Windows 2000: Windows Script 5.1
 * Windows Me: Windows Script 5.5

You can verify the version of Microsoft Visual Basic Scripting Edition (VBScript) that you are running by checking the version of the Vbscript.dll file in the Windows\System32 folder. To do so, right-click the file, and then click Properties.

For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms02-009.asp

Additional query words: security_patch

Keywords: kbbug kbfix kbie501presp3fix kbsecvulnerability kbqfe kbie600presp1fix kbwin2000sp3fix kbsecurity kbie600sp1fix kbie550presp3fix kbsecbulletin kbsechack KB318089

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.