Microsoft KB Archive/280768

= INFO: Update Available for "Cross-Domain File Reading Vulnerability" Issue =

Article ID: 280768

Article Last Modified on 9/27/2004

-

APPLIES TO

 * Microsoft Internet Explorer 4.0 128-Bit Edition, when used with:
 ** Microsoft Windows 2000 Standard Edition
 ** Microsoft Windows NT 4.0
 ** Microsoft Windows Millennium Edition
 ** Microsoft Windows 98 Standard Edition
 ** Microsoft Windows 98 Second Edition
 * Microsoft Internet Explorer 4.01 Service Pack 2, when used with:
 ** Microsoft Windows 2000 Standard Edition
 ** Microsoft Windows NT 4.0
 ** Microsoft Windows Millennium Edition
 ** Microsoft Windows 98 Standard Edition
 ** Microsoft Windows 98 Second Edition
 * Microsoft Internet Explorer 4.01 Service Pack 1, when used with:
 ** Microsoft Windows 2000 Standard Edition
 ** Microsoft Windows NT 4.0
 ** Microsoft Windows Millennium Edition
 ** Microsoft Windows 98 Standard Edition
 ** Microsoft Windows 98 Second Edition
 * Microsoft Internet Explorer 4.01 Service Pack 2, when used with:
 ** Microsoft Windows 2000 Standard Edition
 ** Microsoft Windows NT 4.0
 ** Microsoft Windows Millennium Edition
 ** Microsoft Windows 98 Standard Edition
 ** Microsoft Windows 98 Second Edition
 * Microsoft Internet Explorer 5.0, when used with:
 ** Microsoft Windows 2000 Standard Edition
 ** Microsoft Windows NT 4.0
 ** Microsoft Windows Millennium Edition
 ** Microsoft Windows 98 Standard Edition
 ** Microsoft Windows 98 Second Edition
 * Microsoft Internet Explorer 5.01, when used with:
 ** Microsoft Windows 2000 Standard Edition
 ** Microsoft Windows NT 4.0
 ** Microsoft Windows Millennium Edition
 ** Microsoft Windows 98 Standard Edition
 ** Microsoft Windows 98 Second Edition
 * Microsoft Internet Explorer (Programming) 5.01 SP1, when used with:
 ** Microsoft Windows 2000 Standard Edition
 ** Microsoft Windows NT 4.0
 ** Microsoft Windows Millennium Edition
 ** Microsoft Windows 98 Standard Edition
 ** Microsoft Windows 98 Second Edition
 * Microsoft Internet Explorer 5.5, when used with:
 ** Microsoft Windows 2000 Standard Edition
 ** Microsoft Windows NT 4.0
 ** Microsoft Windows Millennium Edition
 ** Microsoft Windows 98 Standard Edition
 ** Microsoft Windows 98 Second Edition

-


This article was previously published under Q280768


SUMMARY
Microsoft has released an update to Internet Explorer that addresses a potential security issue in which a malicious Web site operator could use the GetObject function to read the files on your hard disk and upload them to the Web site.

On March 6, 2001, Microsoft released information regarding a new variant of this vulnerability. For information on the variant and where to download the patch, see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS01-015.mspx


MORE INFORMATION
When a script tries to use GetObject to initiate an ActiveX object, it should:
 * 1) Determine whether the object is safe to create, based solely on its type.
 * 2) Determine whether the object is safe to run after it is created.
 * 3) Determine whether it is safe to load potentially untrusted content into the object after the object is run.
 * 4) Determine whether the data path to that content is legally accessible from the current page (in other words, it is not breaking cross-domain security) after it loads untrusted content.

However, Internet Explorer fails to perform the final check: it does not determine whether the data path breaks cross-domain security.

If you are using Internet Explorer 5.01 and have a Jscript.dll version earlier than 5.1.0.5907, or if you are using Internet Explorer 5.5 and have a Jscript.dll earlier than version 5.5.0.5824, you must apply this patch.
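The version rule above can be applied across an inventory of machines. The following is an added example, not code from the original article or from Microsoft; the inventory rows, host names and function names are constructed for illustration, and only the two Jscript.dll thresholds come from the article.

```python
import re

# Minimum patched Jscript.dll builds, taken from the article text.
# Key: Internet Explorer release as named in the article.
PATCHED_JSCRIPT = {
    "5.01": (5, 1, 0, 5907),
    "5.5": (5, 5, 0, 5824),
}

def parse_file_version(text):
    """Parse a Windows file version ('5.1.0.5907' or '5,1,0,5907') into a 4-tuple."""
    parts = re.split(r"[.,]\s*", text.strip())
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a file version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))

def patch_status(ie_release, jscript_version):
    """Return 'needs-patch', 'ok' or 'see-bulletin' for one machine."""
    threshold = PATCHED_JSCRIPT.get(ie_release)
    if threshold is None:
        # The article gives no Jscript.dll threshold for other releases.
        return "see-bulletin"
    # Tuple comparison is numeric per field, so 5.5.0.10000 sorts above
    # 5.5.0.5824 (a plain string comparison would get this wrong).
    if parse_file_version(jscript_version) < threshold:
        return "needs-patch"
    return "ok"

# Constructed inventory rows (host, IE release, Jscript.dll version); not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "5.01", "5.1.0.5010"),
    ("ws-02", "5.01", "5,1,0,5907"),
    ("ws-03", "5.5", "5.5.0.5207"),
    ("ws-04", "5.5", "5.5.0.10000"),
    ("ws-05", "5.0", "5.0.0.3715"),
]

def audit(inventory):
    """Map each host to its patch status."""
    return {host: patch_status(ie, ver) for host, ie, ver in inventory}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```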

For more information about this issue and to download the patch, see the following Microsoft Security Bulletin:

http://www.microsoft.com/technet/security/bulletin/MS01-015.mspx
