Microsoft KB Archive/242542

= "Download Behavior" Vulnerability in Internet Explorer 5 =

Article ID: 242542

Article Last Modified on 8/23/2007


APPLIES TO


 * Microsoft Internet Explorer 5.0
 * Microsoft Windows 98 Second Edition




This article was previously published under Q242542



SUMMARY
Microsoft has released an update to Internet Explorer 5 that addresses a potential security vulnerability with the download Dynamic HTML (DHTML) behavior. Additional information about this issue is available from the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS99-040.mspx

Updates are available for the following products:
 * Internet Explorer 5 for Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows NT 4.0 (Intel and Alpha platforms)
 * Microsoft Windows 98 Second Edition

This update also addresses the vulnerabilities in Internet Explorer 5 that are described in the following Microsoft Knowledge Base article:

226325 Update Available for MSHTML Security Issues in Internet Explorer



MORE INFORMATION
DHTML behaviors (a new feature introduced in Internet Explorer 5) are simple, lightweight components that encapsulate specific functionality or behavior on a page. The download behavior feature allows Web page authors to download files for use in client-side scripts. By design, a Web site should be able to download only files that reside in its domain; this prevents client-side code from exposing files on your computer or local intranet to the Web site. However, a server-side redirect can be used to bypass this restriction. This vulnerability could allow a malicious Web site operator to potentially read (but not modify or erase) files on your computer or on other computers on your local intranet.
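The domain restriction and the redirect bypass described above, as an added conceptual model (not Microsoft's code and not the actual Internet Explorer implementation): a check applied only to the requested URL passes even though the redirect ends on another host, while a check applied to every hop rejects it. The host names, the redirect table and all function names are hypothetical and constructed for illustration.

```javascript
// Constructed redirect table standing in for server responses (hypothetical hosts).
// A value is the Location the server redirects to; null means "served directly".
const REDIRECTS = new Map([
  ["http://site.example/data.txt", null],
  ["http://site.example/go", "http://intranet.example/payroll.txt"],
  ["http://site.example/hop1", "http://site.example/data.txt"],
]);

// Scheme + host (+ port) of a URL, the unit the domain restriction compares.
function origin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Follow redirects and return every URL visited, ending with the final one.
function redirectChain(url, maxHops = 5) {
  const chain = [url];
  for (let next = REDIRECTS.get(url); next; next = REDIRECTS.get(next)) {
    if (chain.length > maxHops) throw new Error("too many redirects");
    chain.push(next);
  }
  return chain;
}

// Flawed model: only the URL the page asked for is compared with the page's origin.
function checkRequestOnly(pageUrl, requestUrl) {
  const chain = redirectChain(requestUrl);
  const allowed = origin(requestUrl) === origin(pageUrl);
  return { allowed, finalUrl: chain[chain.length - 1] };
}

// Hardened model: every hop, including the final URL, must match the page's origin.
function checkEveryHop(pageUrl, requestUrl) {
  const chain = redirectChain(requestUrl);
  const pageOrigin = origin(pageUrl);
  const offending = chain.find((u) => origin(u) !== pageOrigin);
  return { allowed: offending === undefined, finalUrl: chain[chain.length - 1], offending };
}

const page = "http://site.example/page.html";
console.log(checkRequestOnly(page, "http://site.example/go"));
console.log(checkEveryHop(page, "http://site.example/go"));
console.log(checkEveryHop(page, "http://site.example/hop1"));
```
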

This vulnerability does not affect Internet Explorer 5 for Microsoft Windows 3.1 and Windows NT 3.51 or Internet Explorer 5 for Macintosh. Internet Explorer 5 for UNIX is affected, and an update will be available soon (see the workaround described below). Internet Explorer 4.x (for all platforms) does not support the download DHTML behavior and is not affected by this vulnerability.

To obtain the update for the download behavior vulnerability, download and install the appropriate Q242542.exe file for your computer from the following Microsoft Web site:

http://www.microsoft.com/msdownload/iebuild/dlbhav/en/dlbhav.htm

NOTE: If you are running Internet Explorer 5 for Windows 95, Windows 98, or Windows NT 4.0 (Intel), or you are running Windows 98 Second Edition, download the Update for "Download Behavior" Vulnerability (x86). If you are running Internet Explorer 5 for Windows NT 4.0 (Alpha), download the Update for "Download Behavior" Vulnerability (Compaq DIGITAL Alpha).

   Updated file name   Size                Date      Version
   -------------------------------------------------------------------
   Mshtml.dll          2,359,296 (x86)     9-29-99   5.00.2721.2900
   Mshtml.dll          4,984,832 (Alpha)   9-29-99   5.00.2721.2900

After you install the update, "Q242542" is added to the Update Versions line when you click About Internet Explorer on the Help menu in Internet Explorer.

Microsoft highly recommends that Internet Explorer 5 users evaluate the degree of risk that this vulnerability poses to their computers and determine whether to download and install the patch. Users who are concerned about this vulnerability but cannot install the patch can prevent the download behavior feature from operating by disabling Active Scripting in Internet Explorer 5. To do so:
 * 1) In Internet Explorer 5, click Internet Options on the Tools menu, and then click the Security tab.
 * 2) Click the Internet zone, and then click Custom Level.
 * 3) In the Settings box, under Scripting, locate and click the Active Scripting item, and then click Disable.
 * 4) Click OK, and then click OK.

NOTE: If you visit Web sites that rely on Active Scripting, some of their features and functions may not be available. If you need Active Scripting to use a site that you trust, you may want to consider adding the site to the Trusted Sites zone:
 * 1) In Internet Explorer 5, click Internet Options on the Tools menu, and then click the Security tab.
 * 2) Click the Trusted Sites zone, and then click Sites.
 * 3) Type the Web address (URL) of the site, and then click Add.
 * 4) Click OK, and then click OK.

For additional security-related information about Microsoft products, please see the following Microsoft Web site:

http://www.microsoft.com/security/

For additional information about the download behavior, please see the following Microsoft Web site:

http://msdn.microsoft.com/workshop/author/behaviors/reference/behaviors/download.asp

Note that this problem does not occur in Internet Explorer 5.01.

Keywords: kbprb KB242542


© Microsoft Corporation. All rights reserved.