Microsoft KB Archive/244540

= Update Available for "Active Setup Control" Vulnerability =

PSS ID Number: 244540

Article Last Modified on 12/5/2003

-

The information in this article applies to:


 * Microsoft Internet Explorer 5.0 for Windows NT 4.0
 * Microsoft Internet Explorer 4.01 for Windows NT 4.0 SP 2
 * Microsoft Internet Explorer 5.0 for Windows 98
 * Microsoft Internet Explorer 4.01 for Windows 98 SP 2
 * Microsoft Internet Explorer 5.0 for Windows 95
 * Microsoft Internet Explorer 4.01 for Windows 95 SP 2
 * the operating system: Microsoft Windows 98 Second Edition

-



This article was previously published under Q244540



SUMMARY
Microsoft has released an update that eliminates a vulnerability that could permit a malicious user to embed an unsafe executable (.exe) file within an e-mail message and disguise it as a safe type of attachment. Through a complicated series of steps, the unsafe executable could be made to execute under certain conditions, if the user opens the attachment.

Additional information about this issue is available from the following Microsoft Web sites:

http://www.microsoft.com/security/bulletins/MS99-048.asp

http://www.microsoft.com/security/bulletins/ms99-048faq.asp

Updates are available for the following products:
 * Microsoft Internet Explorer 4.01 Service Pack 2 for Windows 95
 * Microsoft Internet Explorer 4.01 Service Pack 2 for Windows 98
 * Microsoft Internet Explorer 4.01 Service Pack 2 for Windows NT 4.0 (Alphas and X86)
 * Microsoft Internet Explorer 5 for Windows 95
 * Microsoft Internet Explorer 5 for Windows 98
 * Microsoft Internet Explorer 5 for Windows NT 4.0 (Alpha and x86)
 * Microsoft Windows 98 Second Edition

Microsoft Internet Explorer 4.x and 5 for Windows 3.1, Windows NT 3.51, UNIX on Sun Solaris, and Internet Explorer 4.x for Macintosh are not affected by this problem. Internet Explorer version 3.x for Windows 95 and Windows NT 4.0 are also not affected.



MORE INFORMATION
The Inseng.dll Active Setup Install Engine permits cabinet files to be launched and executed. A HyperText Markup Language (HTML) e-mail message could use this capability to launch a malicious cabinet file renamed as a normal file. If a user attempted to open this file, the operation would not work as a user would expect, but it could copy a file to an expected location without any notice to the user. The ActiveX control could then be used by a script embedded in the e-mail to start the copied file, causing the malicious code to be run.

The vulnerability could only be exploited in cases where an e-mail program is used that permits scripts in HTML e-mail and stores temporary copies of previously run programs in known locations (for example, Microsoft Outlook or Outlook Express).

This patch restricts the ability of the control to start unsigned cabinet files that have been downloaded from the local computer.

After installing this update, "Q244540" is added to the "Update versions" line when you click About Internet Explorer on the Help menu.

This patch is available from the following Microsoft Web site:

http://www.microsoft.com/msdownload/iebuild/ascontrol/en/ascontrol.htm

Internet Explorer 5

File name  Size       Date        Version         Platform ---  Inseng.dll     76,048  10/26/1999  5.00.2722.2600  x86 Inseng.dll   144,144  10/26/1999  5.00.2722.2600  Alpha

Internet Explorer 4.01 SP2

File name  Size       Date        Version         Platform ---  Inseng.dll     59,568  10/26/1999  4.72.3710.2600  x86 Inseng.dll   110,864  10/26/1999  4.72.3710.2600  Alpha NOTE: Microsoft Internet Explorer 4.0, 4.01, 4.01 Service Pack 1 for Windows 95 and Windows NT 4.0, and Microsoft Windows 98 are also vulnerable to this problem, but running the patch on a version of Internet Explorer prior to 4.01 SP2 will result in the same message that results from running the patch on an unaffected system (for example, Internet Explorer 3.02 for Windows 95 or Windows NT 4.0):

This update does not need to be installed on this system.

Patches are only available for Internet Explorer 4.01 SP2 and later. Microsoft recommends that users update to Internet Explorer 4.01 SP2 or 5 and then install this patch.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

164539 Determining Which Version of Internet Explorer You Are Using

NOTE: To work around this vulnerability if you cannot install this patch, disable Active Scripting in your e-mail program. To do this in Microsoft Outlook or Outlook Express, please see the appropriate Microsoft Knowledge Base article:

192846 How to Disable Active Scripting in Outlook Express

215774 OL2000: Scripts Embedded in HTML Messages Run without Warning

Additional query words: asctrls.ocx

Keywords: kbenv kbinfo kbQFE KB244540

Technology: kbIE401Win95 kbIE401Win98 kbIE401Win98SP2 kbIE401WinNT400 kbIE401WinNT400SP2 kbIE500Search kbIE500Win95 kbIE500Win98 kbIE500WinNT400 kbIE95Search kbIE98Search kbIENT400Search kbIEsearch kbOSWin98SE kbOSWinSearch

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.