Microsoft KB Archive/167614

= Update Available For "Frame Spoof" Security Issue =

Article ID: 167614

Article Last Modified on 8/23/2007

-

APPLIES TO


 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 4.01 Service Pack 1
 * Microsoft Internet Explorer 4.0 128-Bit Edition
 * Microsoft Internet Explorer 3.02
 * Microsoft Internet Explorer 3.01
 * Microsoft Internet Explorer 3.0
 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 4.01 Service Pack 1
 * Microsoft Internet Explorer 4.0 128-Bit Edition
 * Microsoft Internet Explorer 3.02
 * Microsoft Internet Explorer 3.01
 * Microsoft Internet Explorer 3.0
 * Microsoft Internet Explorer 4.0 128-Bit Edition
 * Microsoft Internet Explorer 4.01 128-Bit Edition
 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 2.0
 * Microsoft Internet Explorer 2.01
 * Microsoft Internet Explorer 2.1
 * Microsoft Internet Explorer 3.0
 * Microsoft Internet Explorer 3.01
 * Microsoft Internet Explorer 3.1
 * Microsoft Internet Explorer 4.0 128-Bit Edition
 * Microsoft Internet Explorer 4.01 128-Bit Edition
 * Microsoft Internet Explorer 4.5 128-Bit Edition
 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 3.02
 * Microsoft Internet Explorer 1.5
 * Microsoft Internet Explorer 2.0
 * Microsoft Internet Explorer 3.0
 * Microsoft Internet Explorer 3.01
 * Microsoft Internet Explorer 3.03 for Windows NT 3.51
 * Microsoft Internet Explorer 4.0 128-Bit Edition
 * Microsoft Internet Explorer 4.01 128-Bit Edition
 * Microsoft Internet Explorer 4.5 128-Bit Edition
 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 3.02
 * Microsoft Internet Explorer 4.01
 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 4.0 for UNIX
 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 2.0 for Macintosh
 * Microsoft Internet Explorer 2.1 for Macintosh
 * Microsoft Internet Explorer 3.0 for Macintosh
 * Microsoft Internet Explorer 4.0 for Macintosh
 * Microsoft Internet Explorer 4.01 for Macintosh
 * Microsoft Internet Explorer 4.5 for Macintosh
 * Microsoft Internet Explorer 5.0 for Macintosh
 * Microsoft Internet Explorer 3.0 for Macintosh
 * Microsoft Internet Explorer 3.01

-



This article was previously published under Q167614



SUMMARY
Microsoft has made an update available that addresses a potential security issue with regard to the use of frames in Internet Explorer. Additional information about this issue is available from the following Microsoft Web site:

http://www.microsoft.com/technet/security/Bulletin/MS98-020.mspx

Updates are available for the following products:
 * Microsoft Internet Explorer 4.01 and 4.01 SP1 for Windows 95
 * Microsoft Internet Explorer 4.01 and 4.01 SP1 for Windows NT 4.0 (Alpha and x86)
 * Microsoft Windows 98
 * Microsoft Internet Explorer 4.01 for Windows 3.1
 * Microsoft Internet Explorer 4.01 for Windows NT 3.51

This issue may enable a malicious Web site operator to mimic a legitimate Web site by inserting a window as a frame within the legitimate Web site's window. Microsoft has not received any reports of adverse effects as a result of this issue.

This update also fixes the "Untrusted Scripted Paste" and "Cross Frame Navigate" issues in Microsoft Internet Explorer 4.01 and 4.01 Service Pack 1 running on Windows operating systems. Additional information is available at the following Microsoft Web site:

http://www.microsoft.com/windows/ie/community/columns/securityupgrade.mspx

After installing this update, "3214" is added to the "Update versions" line when you click About Internet Explorer on the Help menu.

Note Internet Explorer 5 automatically includes protection against the "Frame Spoof" vulnerability at High security. To enable this protection in Internet Explorer 5 without using a High security setting, use the following steps:
 * 1) Click Start, point to Settings, click Control Panel, and then double-click Internet.
 * 2) Click the Security tab.
 * 3) Under Select a Web content zone to specify its security settings, click Internet.
 * 4) Click Custom Level.
 * 5) Under Navigate sub-frames across different domains, click Disable.
 * 6) Click OK.



MORE INFORMATION
Update Information by Product:

Warning This Frame Spoof patch may affect programs that host WebBroswer controls. Microsoft recommends you not install this patch if your program is affected.

Note If you are using Internet Explorer 3. or 4.0, you must install Internet Explorer 4.01 in order to apply this update. You can install Internet Explorer 4.01 with Service Pack 1 from the following Microsoft Web site:

http://www.microsoft.com/windows/ie/downloads/default.mspx

Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows 95:

Update File Name: 3214.exe

Availability: http://www.microsoft.com/windows/ie/security

  Updated File Name    Size (bytes)   Date       Version -  Mshtml.dll           2422032        12/19/98   4.72.3612.1700 Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows NT 4.0 x86:

Update File Name: 3214.exe

Availability: http://www.microsoft.com/windows/ie/security

  Updated File Name    Size (bytes)   Date       Version -  Mshtml.dll           2421520        12/19/98   4.72.3612.1700 Microsoft Internet Explorer 4.01 and 4.01 with Service Pack 1 for Windows NT 4.0 Alpha:

Update File Name: 3214a.exe

Availability: http://www.microsoft.com/windows/ie/security

  Updated File Name    Size (bytes)   Date       Version -  Mshtml.dll           3948304        12/19/98   4.72.3612.1700 Windows 98:

Update File Name: 3214.exe

Availability: Microsoft Windows Update

  Updated File Name    Size (bytes)   Date       Version -  Mshtml.dll           2422832        12/19/98   4.72.3612.1700 Microsoft Internet Explorer 4.01 for Windows 3.1 and Windows NT 3.51:

Update File Name: 3214.exe

Availability: http://www.microsoft.com/windows/ie/security

  Updated File Name    Size (bytes)   Date       Version Mshtml16.dll        3086400        12/21/98   4.1.2512.2100 Note After applying this update, cross-frame navigation will be permitted only in the following cases:
 * 1) You own the frame (ownership is defined as being the direct parent).
 * 2) You are in the same domain as the owner of the frame.

-or-
 * 1) The frame is a top-level window (applies to "target=" cases).

Also, after applying this update, you may receive the following error message when loading a Web page that contains the potential security issue:

Internet Explorer Script Error

An error has occurred in the script on this page.

Line:

Char:

Error: Permission denied

Code:

Do you want to continue running scripts on this page?

Keywords: kbinfo KB167614

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.